There are many ways to customize security of non-volatile objects (files, folders, services, registry keys etc.) on Windows systems. However when it comes to volatile Windows kernel objects which are created mainly by drivers and services (allowing them to be contacted via these objects) and recreated every time the creator driver/process starts the situation is much worse.
There are some GUI tools (e.g. WinObj and WinObjEx) which can change access permissions (DACLs) of these objects, but tools for automated securing of them seem to be pretty rare. This is what WDevSec does.

WDevSec is a command line utility able to view and change access permissions (DACLs) on Windows kernel objects. It can be used with Task Scheduler or Group Policy startup scripts to automate execution of it and set appropriate access permissions on every system startup. WDevSec can process devices, named pipes, files, sections, events, mutants (mutexes), semaphores, timers, event pairs, I/O completion ports, registry keys, directory objects, folders, symbolic links and other objects (including LPC ports) with /A option.
WDevSec can also run in background and automatically set DACLs when it receives device change notification or on specified time intervals.
With WDevSec comes with another utility - WDevList. This utility can list Windows kernel objects and (optionally) execute WDevSec on them. WDevList can be used in situations where several objects with similar names exist and they all need to be secured. WDevList can also provide bare listing as output for processing by other programs (such as batch scripts).
WDevSec uses SDDL strings containing only DACL. All account names in these strings are automatically resolved to SIDs.
WDevSec may be a great solution to customize access to some Windows features as well as to third party software components. Almost every software which provides some kind of services to other programs accepts communication via some Windows kernel objects. Drivers normally create device objects, user mode software usually uses named pipes (objects in \??\PIPE\ device), Windows components often uses LPC ports. To determine what software components uses which objects for communication Windows built in auditing facility (by enabling Audit: Audit the access of global system objects and Audit object access security policy settings) can be used. Also third party software such as Filemon, Process Explorer and WinObjEx can be used for this purpose.
WDevSec requires at least Windows 2000. /A option currently is not supported on 64-bit Windows.
Some examples of its usage may be:

• Securing WinPcap NPF driver interfaces to disallow non-administrative users raw access to network.
  

  net start npf wdevlist \Device NPF_* /E D:(A;;FA;;;SY)(A;;FA;;;BA)

• Changing permissions of Win32 TAP driver and also Windows TCP/IP driver devices, so OpenVPN can successfully run in non-administrative account named vpnd afterwards.
  

  wdevlist \Device {*}.tap /E D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;vpnd) wdevsec \Device\Ip D+(A;;FRFW;;;vpnd) wdevsec \Device\Tcp D+(A;;FRFW;;;vpnd)

• Prevent group limited to start processes under alternate credentials (using run as) on Windows XP.
  

  wdevsec "\RPC Control\SECLOGON" D+(D;;GA;;;limited) /A

Download WDevSec:    File: WDevSec.zip    Version: 1.2    Size: 14698    MD5: f0f68e9c8da54c4daf04dc28d40774f5    SHA256: 800e521c9a3cd5f845e1e28c988a80f37d77b9fb75a92efd33566cff5b27ccc0    PGP signature: WDevSec.zip.sig