Scheduler Key has incorrect permissions

Risk Level: Medium

Check or Attack Name: scheduler permissions

Platforms: Windows NT

Description:

The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the Schedule service. Server Operators have write permission on this registry key, which allows them to manually schedule jobs to be run by the Schedule service. Because the Schedule service normally executes under the system user context, this vulnerability can be used to raise a Server Operator's access level to Administrator.

Remedy:

Remove Server Operator write access to the Schedule key in the NT registry.

To remove write access, follow these steps:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Remove Server Operator write access.
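
The condition described above can also be checked without the GUI. The following read-only audit is an added example, not part of the original advisory: it assumes a host where PowerShell is available (it is not part of a stock Windows NT install), identifies Server Operators by the well-known SID S-1-5-32-549, and uses a hypothetical function name, Test-ScheduleKeyAcl.

```powershell
# Added audit example; read-only, it does not modify the key or its ACL.
# Assumption: PowerShell with the Registry provider is available on the host.
$SchedulePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'

# Well-known SID of BUILTIN\Server Operators (matching by SID avoids localized names).
$ServerOperatorsSid = 'S-1-5-32-549'

# Specific rights that allow changing the key's contents or its permissions.
$specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

# Registry ACEs can also carry generic rights, which appear as raw numbers.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000
$WriteMask    = [int]$specific -bor $GenericWrite -bor $GenericAll

function Test-ScheduleKeyAcl {
    param([string]$Path = $SchedulePath)

    $acl = Get-Acl -Path $Path
    # Return explicit and inherited ACEs with identities expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $ServerOperatorsSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $granted = [int]$rule.RegistryRights -band $WriteMask
        if ($granted -ne 0) {
            # One finding per Allow ACE that grants any write-class right.
            [pscustomobject]@{
                Key         = $Path
                Sid         = $rule.IdentityReference.Value
                Rights      = $rule.RegistryRights
                IsInherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Test-ScheduleKeyAcl)
if ($findings.Count -eq 0) {
    Write-Output "OK: Server Operators have no write access to $SchedulePath"
} else {
    Write-Output "FINDING: Server Operators can write to $SchedulePath"
    $findings | Format-List
}
```

A finding with IsInherited set to True means the permission comes from a parent key, so the fix has to be applied there or inheritance handled on the Schedule key itself.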