Steve Harris

Some pictures, the odd grumble and a bit of IT

Setting permissions on Windows Service Accounts

Permissions to start, stop and query the status of Windows services can be set centrally using Group Policy (Computer Configuration > Windows Settings > Security Settings > System Services). If you only want to change the permissions on one specific service on one specific server, and do not want to mess about with Group Policy filtering, the following can be done instead.

The first thing to remember is that not all services are the same, so the process will not always be identical; furthermore, it appears that certain services will not allow domain groups to be specified whereas others will.

Secondly, you will need sc.exe. It ships with Windows XP and later (in %SystemRoot%\System32); on older systems it has to be downloaded from microsoft.com as part of the Windows Resource Kit.

Now the boring stuff. Each service has a security descriptor, and sc.exe displays and accepts that descriptor as a string formatted according to the Security Descriptor Definition Language (SDDL). More information regarding this can be found by following the links in this post.

The current security descriptor of a service can be viewed using sc sdshow "service name", e.g. sc sdshow "GFI NSM 7 Engine".

The output of this is pretty unreadable; however, an explanation of it can be found here: http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx. In short, D: introduces the discretionary ACL and each bracketed group is one access control entry of the form (type;flags;rights;;;account). So (A;;CCLCSWRPWPDTLOCRRC;;;SY) is an Allow entry granting the listed rights to Local System (SY); the other common abbreviations are BA (Builtin Administrators), IU (Interactive Users), SU (Service logon accounts), AU (Authenticated Users) and PU (Power Users). Domain users and groups have no abbreviation and must be given as a full SID.

The link above contains a great deal of useful information; however, in my case I found that the section which described setting the descriptor to allow a user to start and stop a service only allowed for the service to be stopped. I found a good tip on this site: http://www.ravenreport.com/blog/post/Allowing-Remote-Users-to-StartStop-Services.aspx. The approach suggested there is to copy the entry for either Interactive Users (IU) or Authenticated Users (AU) and change who it applies to.

For me the following worked:-

  1. Obtain the SID of the user or group (for example with PsGetSid from Sysinternals); in this case I used a group.
  2. Obtain the current descriptor using the sc sdshow command above, copy the output to the clipboard, paste it into Notepad and remove the word wrapping so that it is one unbroken line with no spaces.
  3. Save this as your original descriptor so that you can go back to it in the future. This matters because sc sdset replaces the whole descriptor rather than adding to it: whatever you leave out is gone.
  4. Enter the first part of the command, sc sdset "service name", but do not press Enter.
  5. Now copy and paste the contents of Notepad to the end of the line, but still do not press Enter.
  6. The access rights that allow a service to be queried, started and stopped are LC (query status), RP (start) and WP (stop); CR (user-defined control) is commonly included as well but is not needed for start and stop. Try to get away with the bare minimum, or use the suggestion above, i.e. copy the AU or IU entry.
  7. So add the following to the end of the command line: (A;;LCCRRPWP;;;<insert SID>), e.g. (A;;LCCRRPWP;;;S-1-5-21-2964678487-1243059729-2897732695-7012). On Windows Vista and later the descriptor also contains a system ACL beginning with S:; the new entry must go before that S:, at the end of the D: part, not at the end of the string.
  8. Now press Enter.
  9. All being well you will receive a success message. Run sc sdshow again to confirm the new entry is present, and test with sc query, sc start and sc stop as the user in question.

As the entire command can be quite long, a further example showing it all together is here. It is typed as a single line with no spaces in the descriptor; it is only wrapped here for display:

sc sdset "GFI NSM 7 Engine" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;LCCRRPWP;;;S-1-5-21-2964678487-1243059729-2897732695-7012)
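The steps above, automated in PowerShell, as an added example that is not code from the original post. It does the same sc sdshow / sc sdset round trip for one service and one group, but keeps a backup of the original descriptor, decodes every entry in the DACL so you can see exactly what is being granted, and refuses to write anything until you pass -Apply. The service name and the group CONTOSO\ServiceOperators are assumed placeholders; the rights table is the documented set of service access rights and their SDDL codes. Run it in an elevated PowerShell (5.1 or later) on the server hosting the service.

```powershell
# Added example, not code from the original post: automate sc sdshow / sc sdset for
# one service and one group, with a backup, a decoded view of the DACL and a dry run.
# Assumed placeholders: the service name and the group below.
param(
    [string]$ServiceName = 'GFI NSM 7 Engine',
    [string]$Group       = 'CONTOSO\ServiceOperators',  # assumed domain group
    [string]$Rights      = 'LCRPWP',   # query status + start + stop; add CR only if the service needs it
    [switch]$Apply                     # without -Apply nothing is written, the change is only shown
)

# Service access rights and their two-letter SDDL codes (from the SDDL reference for service objects).
$serviceRights = @(
    @{ Bit = 0x0001;  Code = 'CC'; Name = 'SERVICE_QUERY_CONFIG' },
    @{ Bit = 0x0002;  Code = 'DC'; Name = 'SERVICE_CHANGE_CONFIG' },
    @{ Bit = 0x0004;  Code = 'LC'; Name = 'SERVICE_QUERY_STATUS' },
    @{ Bit = 0x0008;  Code = 'SW'; Name = 'SERVICE_ENUMERATE_DEPENDENTS' },
    @{ Bit = 0x0010;  Code = 'RP'; Name = 'SERVICE_START' },
    @{ Bit = 0x0020;  Code = 'WP'; Name = 'SERVICE_STOP' },
    @{ Bit = 0x0040;  Code = 'DT'; Name = 'SERVICE_PAUSE_CONTINUE' },
    @{ Bit = 0x0080;  Code = 'LO'; Name = 'SERVICE_INTERROGATE' },
    @{ Bit = 0x0100;  Code = 'CR'; Name = 'SERVICE_USER_DEFINED_CONTROL' },
    @{ Bit = 0x10000; Code = 'SD'; Name = 'DELETE' },
    @{ Bit = 0x20000; Code = 'RC'; Name = 'READ_CONTROL' },
    @{ Bit = 0x40000; Code = 'WD'; Name = 'WRITE_DAC' },
    @{ Bit = 0x80000; Code = 'WO'; Name = 'WRITE_OWNER' }
)

# Print the DACL of an SDDL string one ACE per line, with the access mask decoded to SDDL codes.
function Show-ServiceDacl([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $codes = foreach ($r in $serviceRights) { if ($ace.AccessMask -band $r.Bit) { $r.Code } }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID, show it raw
        '{0,-14} {1,-40} {2}' -f $ace.AceType, $who, ($codes -join ' ')
    }
}

# Step 1: resolve the group to its SID; SDDL has no abbreviation for domain principals.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 2: read the current descriptor. sc.exe wraps the output and adds blank lines,
# so re-join it into the single unbroken string that sc sdset expects.
$current = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '\S' }) -join ''
if ($LASTEXITCODE -ne 0 -or $current -notmatch '^D:') { throw "sc sdshow failed for '$ServiceName': $current" }

# Step 3: keep the original; revert with  sc sdset "<service>" <contents of the backup file>
$backup = Join-Path $env:TEMP (($ServiceName -replace '[^\w]', '_') + '.sddl.bak')
Set-Content -Path $backup -Value $current -NoNewline
Write-Host "Original descriptor saved to $backup"
Show-ServiceDacl $current

# Steps 4-7: build the new descriptor. sc sdset replaces the whole thing, so every
# existing ACE is kept. On Vista and later the string also carries a SACL after 'S:',
# so the new ACE is inserted at the end of the DACL rather than at the end of the string.
if ($current -like "*;$sid)*") { Write-Host "$Group already has an ACE on '$ServiceName', nothing to do"; return }
$ace    = "(A;;$Rights;;;$sid)"
$saclAt = $current.IndexOf('S:')
$new    = if ($saclAt -ge 0) { $current.Insert($saclAt, $ace) } else { $current + $ace }

# Parse both strings and check the new ACE landed in the DACL before touching the service.
$oldSd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
$newSd = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)
if ($newSd.DiscretionaryAcl.Count -ne $oldSd.DiscretionaryAcl.Count + 1) { throw 'New ACE did not end up in the DACL, refusing to apply' }

Write-Host "New descriptor:`n$new"
if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply to write it.'; return }

# Steps 8-9: apply and show the result so the new entry can be confirmed.
sc.exe sdset $ServiceName $new | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
Show-ServiceDacl ((sc.exe sdshow $ServiceName | Where-Object { $_ -match '\S' }) -join '')
```

Run it once without -Apply to see the decoded current DACL and the proposed descriptor, then again with -Apply. Appending the Allow entry at the end of the DACL is safe for the default service descriptors shown in this post because they contain no Deny entries; if a descriptor does contain (D;...) entries, keep them ahead of the Allow entries, as Windows evaluates ACEs in order.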

If this is a one-time change and you do not intend it to apply to more than a couple of services on a server, this is a perfect solution for allowing 'normal' users to start and stop services remotely using sc stop and sc start. However, if you have a requirement to do this across more servers, go the GPO route; it's easier to manage, and you will not have to remember which servers carry a hand-edited descriptor.