Protecting Windows Services from the Srvcheck2 Exploit


Fixing Vulnerabilities - SubInACL:

WARNING: Incorrect use of the commands shown could damage your system. No guarantees are expressed or implied. Use this procedure at your own risk.

To fix these vulnerabilities, we can use a free utility program available from Microsoft named SubInACL. This administrative utility allows us to examine and change the security settings for Windows services, as well as other objects in Windows. To use this utility, it is best to be logged in as an administrator.

Using the vulnerability information found by Srvcheck2, here is an example of how to fix the Adobe License Manager Service. The same procedure can be repeated on any vulnerable service by substituting its name in the following commands.

First, to view the current access rights, issue the following command. If you understand the meaning of these security settings, this will give you an idea of why the services are vulnerable. In most cases you will see that the service has no security settings at all, leaving it wide open to anyone...
subinacl /service "Adobe LM Service" /display

Next, grant full access to the Administrators group...
subinacl /service "Adobe LM Service" /grant=Administrators

Erase the current access right for the Everyone group...
subinacl /service "Adobe LM Service" /suppresssid=Everyone

Give the Everyone group the following rights...
Q = Query Service Configuration
S = Query Service Status
E = Enumerate Dependent Services
I = Interrogate Service
L = Read control
subinacl /service "Adobe LM Service" /grant=Everyone=QSEIL

Give the Users group the same rights as the Everyone group, and also...
T = Start Service
subinacl /service "Adobe LM Service" /grant=Users=QSEILT


Repeat this procedure for all the vulnerable services, then restart the services and test again using a normal user account. In the special case mentioned earlier with DComLaunch, the /display command showed that the normal Users group already had the proper security settings, but the Power Users group had the additional right to change the service configuration. Since Power Users are also members of the Users group, all that was needed was to delete all the Power Users security settings for DComLaunch by issuing this command...
subinacl /service DComLaunch /suppresssid="power users"
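To double-check the result independently of srvcheck2, the following added Python script (not part of the original article, and not SubInACL or srvcheck2 code) parses a service DACL in SDDL form, as printed by the standard command `sc sdshow "<service name>"`, and reports every low-privileged principal that holds a right allowing it to change, delete or take over the service. The two SDDL strings embedded in it are constructed samples: one mirrors the wide-open case the article describes, the other the rights granted by the commands above.

```python
"""Audit a Windows service DACL (SDDL string from `sc sdshow`) for rights
that let a low-privileged principal modify the service. Added example."""
import re

# Service-specific SDDL right codes. The article's SubInACL letters map to
# these as Q=CC, S=LC, E=SW, I=LO, L=RC, T=RP; the codes below are the ones
# that srvcheck2 treats as dangerous in the hands of ordinary users.
DANGEROUS = {
    "DC": "change service configuration", "WP": "stop service",
    "SD": "delete service", "WD": "write DACL", "WO": "take ownership",
    "GA": "generic all", "GW": "generic write",
}
# The same rights as access-mask bits, for SDDL that carries a hex mask.
DANGEROUS_BITS = {0x2: "DC", 0x20: "WP", 0x10000: "SD", 0x40000: "WD",
                  0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW"}
# Well-known SID abbreviations for principals that should only read/start.
LOW_PRIV = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
            "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed samples: a wide-open service, and one fixed as in the article
# (Everyone = QSEIL, Users = QSEILT, Administrators = full control).
SAMPLE_OPEN = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
SAMPLE_FIXED = ("D:(A;;CCLCSWLORC;;;WD)(A;;CCLCSWRPLORC;;;BU)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")

def parse_rights(field):
    """Return the set of two-letter right codes in an ACE rights field.
    For a hex mask only the dangerous bits are translated back to codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in DANGEROUS_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def audit_sddl(sddl):
    """Return (principal, right code, meaning) for every access-allowed ACE
    in the DACL that gives a low-privileged principal a dangerous right."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]           # drop a trailing SACL, if any
    findings = []
    for ace in ACE_RE.findall(dacl):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] != "A":   # only allow ACEs grant rights
            continue
        rights, sid = parts[2], parts[5]
        if sid in LOW_PRIV:
            for code in sorted(parse_rights(rights) & set(DANGEROUS)):
                findings.append((LOW_PRIV[sid], code, DANGEROUS[code]))
    return findings

if __name__ == "__main__":
    for name, sddl in (("open", SAMPLE_OPEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_sddl(sddl) or "no dangerous rights for low-priv users")
```

Run the script against the real output of `sc sdshow "Adobe LM Service"` before and after the SubInACL commands; an empty result for Everyone and Users is what the corrected service should show.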

If everything is configured correctly, the output of srvcheck2 should look like this...

>srvcheck2 -l
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - atarasco@gmail.com

[+] Trying to enumerate local resources
[+] Username: johndoe
[+] Listing Vulnerable Services...

[+] Analyzed 309 Services in your system
[+] Your system is secure! Great! :/

© 2006 Kazimer Corp.
1010 University Ave. PMB #1862
San Diego, CA 92103-3395