Set permissions on a specific service (Windows)

[There are two types of service permissions,permission used by the service an permissions set to
control the service. This post deals with permissions that apply when manipulating a service]

In my opinion, messing around with the permissions of a specific service is not a good idea,
solving the problem you are dealing with in a different manner might be a better idea.

In some cases, and since it is possible, you can set permissions on specific services. This might
come handy when you have to allow someone control of a specific service.

Setting permissions on specific services can be achieved by using the sc command (if you read on,
you will notice that it is not a simple task). The sc command has two parameters for this task:

  1. sdshow – Displays the security descriptor for a specific service
  2. sdset – Changes the security descriptor for a service

Viewing the security descriptor of a service

To view a security descriptor of a service use the following syntax:

sc sdshow serviceName

In the following example I am viewing the security descriptor of the DHCP service on my server:
image

Sounds simple enough, yet as you can see the security descriptor is not as friendly as we would like it to be.

 

Deciphering the security descriptor

The security descriptor, as displayed by sc sdshow, is formatted according the Security Descriptor Definition
Language (SDDL).

The descriptor will usually be divided into two parts:

  1. Prefix of S: – System Access Control List (SACL),controls auditing (not covered in this post)
  2. Prefix of D: – Discretionary ACL (DACL),controls permissions

image

Each section, inside the parenthesis, represent a specific entry (security/auditing).
Inside the parenthesis, the user account and the correct permissions are specified.

(A;;CCLCSWLOCRRC;;;AU)

The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).
Each pair of letters represents a specific permission:
CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
LO – SERVICE_INTERROGATE – ask the service its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
RC – READ_CONTROL – read the security descriptor on this service.

Additional permissions:
RP – SERVICE_START – start the service
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service

The last two letters define the security principal assigned with these permissions (a SID or well known
aliases:
AU – Authenticated Users

Possible aliases:

“AO” Account operators
“RU” Alias to allow previous Windows 2000
“AN” Anonymous logon
“AU” Authenticated users
“BA” Built-in administrators
“BG” Built-in guests
“BO” Backup operators
“BU” Built-in users
“CA” Certificate server administrators
“CG” Creator group
“CO” Creator owner
“DA” Domain administrators
“DC” Domain computers
“DD” Domain controllers
“DG” Domain guests
“DU” Domain users
“EA” Enterprise administrators
“ED” Enterprise domain controllers
“WD” Everyone
“PA” Group Policy administrators
“IU” Interactively logged-on user
“LA” Local administrator
“LG” Local guest
“LS” Local service account
“SY” Local system
“NU” Network logon user
“NO” Network configuration operators
“NS” Network service account
“PO” Printer operators
“PS” Personal self
“PU” Power users
“RS” RAS servers group
“RD” Terminal server users
“RE” Replicator
“RC” Restricted code
“SA” Schema administrators
“SO” Server operators
“SU” Service logon user

Lets look at another example:
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

A – Allow
CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
DC – Delete All Child Objects
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
RP – Read all properites
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
LO – SERVICE_INTERROGATE – ask the service its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
SD – Delete
RC – READ_CONTROL – read the security descriptor on this service.
WD – Modify permissions
WO – Modify owner
BA- Built-in administrators

Wow-that wasn’t simple,not to mention somewhat boring…

 

Setting permissions

To set permissions use the following syntax:
sc <server> sdset <service name> <SD in SDDL format>

There two parts that may be somewhat problematic here, using the correct SDDL syntax and obtaining the SID
for the security principal who is to be awarded the permissions.

In the following example, I would like to allow a user (erozman) to be able to start and stop the DHCP service.The following
steps will be taken:

  1. Obtain the user’s SID (using a short script)
  2. Format the SDDL correctly
  3. Apply the permissions
  4. Verify the process

As you can see in the following screenshot, I have opened CMD running as ‘erozman@lab.ad’ ,and when I attempt
to stop the DHCP service I am denied since I do not have permissions.

image

To obtain a specific user’s SID I use the following script(replace the account and domain with your own):
——————————————-
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2″)

Set objAccount = objWMIService.Get _
    (“Win32_UserAccount.Name=’erozman’,Domain=’lab'”)
Wscript.Echo objAccount.SID

————————————————–
I find it comfortable to receive the SID at the command prompt and not in a window as it is easier to copy and paste
- this is achieved by changing the default script host to cscript:

image 

After obtaining the user’s SID we can format the SDDL correctly:
(A;;RPWP;;;S-1-5-21-3778091102-209736168-4156975864-1108)

Then we run the SC command:
image

Several things to note here: you need to make sure to prefix the SDDL entries with (D:) which sets the DACL and
you need to make sure that you include all entries that you want in the DACL since the whole DACL will be replaced.
This last point is extremely important, if you only use the “new” entry you might actually “lock” yourself out as the
current entries in the DACL will be wiped out.

Now,lets see if ‘erozman’ can stop the DHCP service:

image

As you can see from the screenshot we have successfully provided ‘erozman’ with the permissions to stop and start
the services. The screenshot also shows that he can not pause the service (we have not provided him with the permission
to do so…).

 

Simpler ways to do this (alternatives)

There are a couple of alternatives that can be used to change permissions on services:

  1. Security Templates
  2. SWSC – http://www.xs4all.nl/~fstaal01/swsc-us.html (check out the ACL switch)

In my opinion there should be a simpler (intuitive) method through which permissions for a specific service could be set. The
alternatives are a possible solution, yet they aren’t as simple as they should be(and why should there be alternatives,why
shouldn’t the original resolve the problems?).

37 thoughts on “Set permissions on a specific service (Windows)”

  1. I tried using subinacl from the resource kit, but I can’t get it to work… sc / Security Templates here I come…

  2. While I have successfully been able to delegate permissions to individual Users directly to services on a Windows 2003 member server, What I would like to do (and this item indicates its posible) is to use a local group (the same way builtin Groups are used) to manage access/permissions.

    Is it posible to Grant access to Groups, and if so, how do you go about retrieving the group’s SID?

  3. Thanks for the solution. Worked well for me. One thing I had to do first was to grant access to service control manager (sc sdset SCMANAGER.

  4. Awesome instructions. Saved me hours of reading.

    For those who can’t read the screen shots, the security descriptors in the SDSET command is a concatenation of
    o all the security descriptors following the prefix D:
    o none of the security descriptors following the prefix S:
    o the additional descriptors formed using the SID

    The script can be run with the command:
    cscript getSID.vbs
    which uses the cscript interpreter.

    Thanks again

  5. Thanks, this was extremely helpful! you’re a champ, i had to set permissions for Printspooler service. Service name is spooler and you have to set the TCP/IP print server service too as they are dependent, its name is LPDSVC. Hope that helps someone :)

  6. I agree that Group Policy might be a better way to do this. However, in Server 2008 R2, they appear to have moved the services somewhere else than before, so all searches on how to do this via GPO fail. Thus, this web page appears to be the *ONLY* method I can find right now. TEDIOUS…

  7. This is all good but how do you just display what the permission are already? sort of like what accesschk on a remote computer? for some reason using Psexec and accesschk does not work on my systems at home for at work? any other ideas?

  8. This is painfully close to being of use. But since i can’t enlarge the Pictures i can’t get it to work
    i just get failed 87 the parameter is incorrect. I have no idea what to do now.

  9. Many thanks,
    really clear explanation
    working like a charm.

    How about building up a GUI having as entries :
    – “service name”
    – “hostname”
    – “user” or “group” to be allowed
    – “predefined access levels” as radio buttons

    did anyone ever took the time to do this ?

  10. Based from your last note:

    This last point is extremely important, if you only use the “new” entry you might actually “lock” yourself out as the current entries in the DACL will be wiped out.

    What would you do if you “lock” yourself out? How can you revert the process?

  11. Hi All,
    here is our situation we have Windows Server 2008 Standard OS (64 bit) and logged in as an administrator and we have installed a windows service service with another account which belongs to Administrator group.
    So OS is running under and administrator group and the windows service running on a different user which is in administrator group.
    Shortly what this windows service does is using Crystal Reports template and sening to a network printer. During this process we get the error message “Invalid Printer Spcecified”. When we remove the template
    just try to send it to the printer, this time we get error message “invalid handle”. When we reboot/restart the server, it work both ways however we want to be successfully without rebooting/restarting the server.
    Note: the printer driver is OK.
    Shortly is there any way to accomplish without rebooting the server. We used some tools like PSEXEC but did not help.
    Remember if we reboot everything ok .
    Thanks and regards,
    Selami Ozlu
    selamiozlu@hotmail.com

  12. Great explanation and worth to be the number one on google search results for this.

    BTW: Does anyone know how i can recover my W32Time-Service i only set (A;;RPWP;;… without preserving the existing ACL :(

  13. excellent !!! i solved many things with this, thank you, keep up the good work brother !!!

  14. Thanks man! This was great, exactly what I was looking for to manage service permissions on xenapp servers.

  15. This works! It would help of the image_4 was “full size” so it was more obvious what the command looks like.

    I took the “SY” entry already in place for the service I needed, made a copy of it, put that just before the “S:” stuff and now any user can start/stop the service.

    Nice explanation.

  16. I have messed up my service, locked it for admins, is there any way to restore rights.

    I have added – changed rights for user like this:

    sc \\myserver sdset myService D:(A;;RPWP;;;S-1-5-21-…non admin user SID)

    but that user also cant see the service.

    I have vmware clone of that server for backup. Is there some way to restore that service for admins?

    Please HELP.

    THNKS

  17. I have messed up my service, locked it for admins, is there any way to restore rights.

    I have added – changed rights for user like this:

    sc \\myserver sdset myService D:(A;;RPWP;;;S-1-5-21-…non admin user SID)

    but that user also cant see the service.

    I have vmware clone of that server for backup. Is there some way to restore that service for admins?

    Please HELP.

    THNKS.

  18. subinacl is the way to achieve this without having to decode SDDLs. First list the permissions that already exist on the service – use spooler as an example

    subinacl /service /spooler /display=DACL

    Next grant a domain group to have permissions to query status, stop, start and pause the service – this command replaces any permissions that this group had previously, but leaves all other groups/users entries intact

    subinacl /service spooler /grant=DOMAIN\group=TSOPI

    You can see the full help from subinacl – the permissions for services are as below – this is where we get TSOPI from:
    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service
    U : Service User-Defined Control Commands

  19. System Frontier allows you to control granular access to specific Windows services for non-administrators. The web interface is very easy to use and all permissions are role based and centrally managed.

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>