Set permissions on a specific service (Windows)
[There are two types of service permissions,permission used by the service an permissions set to
control the service. This post deals with permissions that apply when manipulating a service]
In my opinion, messing around with the permissions of a specific service is not a good idea,
solving the problem you are dealing with in a different manner might be a better idea.
In some cases, and since it is possible, you can set permissions on specific services. This might
come handy when you have to allow someone control of a specific service.
Setting permissions on specific services can be achieved by using the sc command (if you read on,
you will notice that it is not a simple task). The sc command has two parameters for this task:
- sdshow - Displays the security descriptor for a specific service
- sdset - Changes the security descriptor for a service
Viewing the security descriptor of a service
To view a security descriptor of a service use the following syntax:
sc sdshow serviceName
In the following example I am viewing the security descriptor of the DHCP service on my server:
Sounds simple enough, yet as you can see the security descriptor is not as friendly as we would like it to be.
Deciphering the security descriptor
The security descriptor, as displayed by sc sdshow, is formatted according the Security Descriptor Definition
Language (SDDL).
The descriptor will usually be divided into two parts:
- Prefix of S: - System Access Control List (SACL),controls auditing (not covered in this post)
- Prefix of D: - Discretionary ACL (DACL),controls permissions
Each section, inside the parenthesis, represent a specific entry (security/auditing).
Inside the parenthesis, the user account and the correct permissions are specified.
(A;;CCLCSWLOCRRC;;;AU)
The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).
Each pair of letters represents a specific permission:
CC - SERVICE_QUERY_CONFIG - ask the SCM for the service's current configuration
LC - SERVICE_QUERY_STATUS - ask the SCM for the service's current status
SW - SERVICE_ENUMERATE_DEPENDENTS - list dependent services
LO - SERVICE_INTERROGATE - ask the service its current status
CR - SERVICE_USER_DEFINED_CONTROL - send a service control defined by the service's authors
RC - READ_CONTROL - read the security descriptor on this service.
Additional permissions:
RP - SERVICE_START - start the service
WP - SERVICE_STOP - stop the service
DT - SERVICE_PAUSE_CONTINUE - pause / continue the service
The last two letters define the security principal assigned with these permissions (a SID or well known
aliases:
AU - Authenticated Users
Possible aliases:
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user
Lets look at another example:
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
A - Allow
CC - SERVICE_QUERY_CONFIG - ask the SCM for the service's current configuration
DC - Delete All Child Objects
LC - SERVICE_QUERY_STATUS - ask the SCM for the service's current status
SW - SERVICE_ENUMERATE_DEPENDENTS - list dependent services
RP - Read all properites
WP - SERVICE_STOP - stop the service
DT - SERVICE_PAUSE_CONTINUE - pause / continue the service
LO - SERVICE_INTERROGATE - ask the service its current status
CR - SERVICE_USER_DEFINED_CONTROL - send a service control defined by the service's authors
SD - Delete
RC - READ_CONTROL - read the security descriptor on this service.
WD - Modify permissions
WO - Modify owner
BA- Built-in administrators
Wow-that wasn't simple,not to mention somewhat boring...
Setting permissions
To set permissions use the following syntax:
sc <server> sdset <service name> <SD in SDDL format>
There two parts that may be somewhat problematic here, using the correct SDDL syntax and obtaining the SID
for the security principal who is to be awarded the permissions.
In the following example, I would like to allow a user (erozman) to be able to start and stop the DHCP service.The following
steps will be taken:
- Obtain the user's SID (using a short script)
- Format the SDDL correctly
- Apply the permissions
- Verify the process
As you can see in the following screenshot, I have opened CMD running as 'erozman@lab.ad' ,and when I attempt
to stop the DHCP service I am denied since I do not have permissions.
To obtain a specific user's SID I use the following script(replace the account and domain with your own):
-------------------------------------------
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='erozman',Domain='lab'")
Wscript.Echo objAccount.SID
--------------------------------------------------
I find it comfortable to receive the SID at the command prompt and not in a window as it is easier to copy and paste
- this is achieved by changing the default script host to cscript:
After obtaining the user's SID we can format the SDDL correctly:
(A;;RPWP;;;S-1-5-21-3778091102-209736168-4156975864-1108)
Then we run the SC command:
Several things to note here: you need to make sure to prefix the SDDL entries with (D:) which sets the DACL and
you need to make sure that you include all entries that you want in the DACL since the whole DACL will be replaced.
This last point is extremely important, if you only use the "new" entry you might actually "lock" yourself out as the
current entries in the DACL will be wiped out.
Now,lets see if 'erozman' can stop the DHCP service:
As you can see from the screenshot we have successfully provided 'erozman' with the permissions to stop and start
the services. The screenshot also shows that he can not pause the service (we have not provided him with the permission
to do so...).
Simpler ways to do this (alternatives)
There are a couple of alternatives that can be used to change permissions on services:
- Security Templates
- SWSC - http://www.xs4all.nl/~fstaal01/swsc-us.html (check out the ACL switch)
In my opinion there should be a simpler (intuitive) method through which permissions for a specific service could be set. The
alternatives are a possible solution, yet they aren't as simple as they should be(and why should there be alternatives,why
shouldn't the original resolve the problems?).