[There are two types of service permissions: the permissions used by the service and the permissions set to
control the service. This post deals with the permissions that apply when manipulating a service.]
In my opinion, messing around with the permissions of a specific service is not a good idea,
solving the problem you are dealing with in a different manner might be a better idea.
In some cases, and since it is possible, you can set permissions on specific services. This might
come in handy when you have to allow someone control of a specific service.
Setting permissions on specific services can be achieved by using the sc command (if you read on,
you will notice that it is not a simple task). The sc command has two parameters for this task:
- sdshow – Displays the security descriptor for a specific service
- sdset – Changes the security descriptor for a service
Viewing the security descriptor of a service
To view a security descriptor of a service use the following syntax:
sc sdshow serviceName
In the following example I am viewing the security descriptor of the DHCP service on my server:
Sounds simple enough, yet as you can see the security descriptor is not as friendly as we would like it to be.
Deciphering the security descriptor
The security descriptor, as displayed by sc sdshow, is formatted according to the Security Descriptor Definition
Language (SDDL).
The descriptor will usually be divided into two parts:
- Prefix of S: – System Access Control List (SACL), controls auditing (not covered in this post)
- Prefix of D: – Discretionary ACL (DACL), controls permissions
Each section inside parentheses represents one entry (an access-control or audit entry).
Inside the parentheses, the security principal and the permissions that apply to it are specified.
(A;;CCLCSWLOCRRC;;;AU)
The first letter represents Allow (A); the opposite, Deny, is represented by a D.
Each pair of letters represents a specific permission:
CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
LO – SERVICE_INTERROGATE – ask the service its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
RC – READ_CONTROL – read the security descriptor on this service.
Additional permissions:
RP – SERVICE_START – start the service
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
The last two letters define the security principal to which these permissions apply (a SID or a well-known
alias):
AU – Authenticated Users
Possible aliases:
“AO” Account operators
“RU” Alias to allow previous Windows 2000
“AN” Anonymous logon
“AU” Authenticated users
“BA” Built-in administrators
“BG” Built-in guests
“BO” Backup operators
“BU” Built-in users
“CA” Certificate server administrators
“CG” Creator group
“CO” Creator owner
“DA” Domain administrators
“DC” Domain computers
“DD” Domain controllers
“DG” Domain guests
“DU” Domain users
“EA” Enterprise administrators
“ED” Enterprise domain controllers
“WD” Everyone
“PA” Group Policy administrators
“IU” Interactively logged-on user
“LA” Local administrator
“LG” Local guest
“LS” Local service account
“SY” Local system
“NU” Network logon user
“NO” Network configuration operators
“NS” Network service account
“PO” Printer operators
“PS” Personal self
“PU” Power users
“RS” RAS servers group
“RD” Terminal server users
“RE” Replicator
“RC” Restricted code
“SA” Schema administrators
“SO” Server operators
“SU” Service logon user
Let's look at another example:
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
A – Allow
CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
DC – Delete All Child Objects
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
RP – SERVICE_START – start the service
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
LO – SERVICE_INTERROGATE – ask the service its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
SD – Delete
RC – READ_CONTROL – read the security descriptor on this service.
WD – Modify permissions
WO – Modify owner
BA – Built-in administrators
Wow, that wasn’t simple, not to mention somewhat boring…
Setting permissions
To set permissions use the following syntax:
sc <server> sdset <service name> <SD in SDDL format>
There are two parts that may be somewhat problematic here: using the correct SDDL syntax and obtaining the SID
of the security principal that is to be granted the permissions.
In the following example, I would like to allow a user (erozman) to be able to start and stop the DHCP service. The following
steps will be taken:
- Obtain the user’s SID (using a short script)
- Format the SDDL correctly
- Apply the permissions
- Verify the process
As you can see in the following screenshot, I have opened CMD running as ‘erozman@lab.ad’, and when I attempt
to stop the DHCP service I am denied since I do not have permissions.
To obtain a specific user’s SID I use the following script (replace the account and domain with your own):
——————————————-
' Query WMI on the local machine ("."); replace the account name and domain with your own
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Fetch the account object and print its SID
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='erozman',Domain='lab'")
Wscript.Echo objAccount.SID
————————————————–
I find it comfortable to receive the SID at the command prompt and not in a window as it is easier to copy and paste
– this is achieved by changing the default script host to cscript:
After obtaining the user’s SID we can format the SDDL correctly:
(A;;RPWP;;;S-1-5-21-3778091102-209736168-4156975864-1108)
Several things to note here: the SDDL string must be prefixed with D:, which marks the DACL, and it must include
every entry you want in the DACL, because sc sdset replaces the whole DACL rather than adding to it.
This last point is extremely important: if you pass only the “new” entry you may actually “lock” yourself out, as the
current entries in the DACL will be wiped out.
Now, let's see if ‘erozman’ can stop the DHCP service:
As you can see from the screenshot, we have successfully provided ‘erozman’ with the permissions to stop and start
the service. The screenshot also shows that he cannot pause the service (we have not provided him with the permission
to do so…).
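As an added example (not code from the post), the following Python helper decodes a service DACL using the right-to-name table above and builds the string for sc sdset so that every existing DACL entry is kept and the new entry is appended, which avoids the lock-out just described. The sample descriptor is constructed from the two entries shown in the post plus a typical audit entry, the DC right is mapped to SERVICE_CHANGE_CONFIG (a mapping the post does not spell out), and the SID is the one used in the post.

```python
import re

# Service-specific meaning of each two-letter SDDL right, as listed in the post.
# DC = SERVICE_CHANGE_CONFIG is a known mapping that the post does not name.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Only the aliases the examples need; anything else (e.g. a raw SID) is shown as-is.
ALIASES = {"AU": "Authenticated Users", "BA": "Built-in administrators",
           "SY": "Local system", "IU": "Interactively logged-on user", "WD": "Everyone"}

ACE_RE = re.compile(r"\((A|D);;((?:[A-Z]{2})*);;;([^)]+)\)")

def parse_sddl(sddl):
    """Split 'D:(...)(...)S:(...)' into {'D': [ace, ...], 'S': [ace, ...]}."""
    parts = re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl)
    return {key: re.findall(r"\([^)]*\)", aces) for key, aces in parts}

def decode_ace(ace):
    """Return (Allow/Deny, [right names], principal) for one plain DACL entry."""
    m = ACE_RE.fullmatch(ace)
    if not m:
        raise ValueError("not a plain service ACE: " + ace)
    kind, rights, who = m.groups()
    names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
             for i in range(0, len(rights), 2)]
    return ("Allow" if kind == "A" else "Deny", names, ALIASES.get(who, who))

def grant(sddl, sid, rights):
    """Build the argument for 'sc sdset': all existing DACL entries are kept and
    the new allow entry is appended, so the replacement locks nobody out."""
    new_ace = "(A;;%s;;;%s)" % ("".join(rights), sid)
    dacl = [a for a in parse_sddl(sddl).get("D", []) if a != new_ace]
    return "D:" + "".join(dacl + [new_ace])  # SACL (S:) is left out, as in the post

# Constructed sample: the two DACL entries shown in the post plus a typical SACL entry.
SAMPLE = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
USER_SID = "S-1-5-21-3778091102-209736168-4156975864-1108"  # erozman's SID from the post

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["D"]:
        kind, names, who = decode_ace(ace)
        print("%s %s: %s" % (kind, who, ", ".join(names)))
    print("sc sdset DHCP " + grant(SAMPLE, USER_SID, ["RP", "WP"]))
```

Paste the printed sc sdset line into an elevated prompt; running grant() again on its own output returns the same string, so re-applying it is harmless.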
Simpler ways to do this (alternatives)
There are a couple of alternatives that can be used to change permissions on services:
- Security Templates
- SWSC – http://www.xs4all.nl/~fstaal01/swsc-us.html (check out the ACL switch)
In my opinion there should be a simpler (intuitive) method through which permissions for a specific service could be set. The
alternatives are a possible solution, yet they aren’t as simple as they should be (and why should there be alternatives, why
shouldn’t the original resolve the problems?).
I tried using subinacl from the resource kit, but I can’t get it to work… sc / Security Templates here I come…
While I have successfully been able to delegate permissions to individual users directly to services on a Windows 2003 member server, what I would like to do (and this item indicates it's possible) is to use a local group (the same way built-in groups are used) to manage access/permissions.
Is it possible to grant access to groups, and if so, how do you go about retrieving the group’s SID?
I’ve managed to locate the SID for a security group in AD by using the ADfind tool, which can be found here: <http://www.joeware.net/freetools/tools/adfind/index.htm>. Thanks Joe!
this is perfect! I was able to resolve a major issue with these instructions. Thanks for writing this up!
Thanks for the solution. Worked well for me. One thing I had to do first was to grant access to service control manager (sc sdset SCMANAGER.
Great post. You can also use DSQUERY to retrieve SID without scripting.
dsquery user -samid |dsget user -sid
Awesome instructions. Saved me hours of reading.
For those who can’t read the screenshots, the security descriptor in the SDSET command is a concatenation of:
- all the security descriptors following the prefix D:
- none of the security descriptors following the prefix S:
- the additional descriptors formed using the SID
The script can be run with the command:
cscript getSID.vbs
which uses the cscript interpreter.
Thanks again
Thanks, this was extremely helpful! you’re a champ, i had to set permissions for Printspooler service. Service name is spooler and you have to set the TCP/IP print server service too as they are dependent, its name is LPDSVC. Hope that helps someone 🙂
This screenshot is illegible: http://msmvps.com/blogs/erikr/WindowsLiveWriter/SetpermissionsonaspecificserviceWindows_CC90/image_4.png
I agree that Group Policy might be a better way to do this. However, in Server 2008 R2, they appear to have moved the services somewhere else than before, so all searches on how to do this via GPO fail. Thus, this web page appears to be the *ONLY* method I can find right now. TEDIOUS…
Excellent article!!! You made my day :p
This is all good, but how do you just display what the permissions are already? Sort of like what accesschk does on a remote computer? For some reason using PsExec and accesschk does not work on my systems at home or at work. Any other ideas?
This is painfully close to being of use. But since I can’t enlarge the pictures I can’t get it to work.
I just get "failed 87 the parameter is incorrect". I have no idea what to do now.
Great explanation, it really helped me a lot!
One thing though, like Tony Ridge mentioned. The user must be given rights to the (fake) service ‘scmanager’ as well.
I found that part here:
http://kevin.vanzonneveld.net/techblog/article/allow_windows_users_to_restart_service/
Thanks for the article!
Get SID:
REGEDIT
HKLM>>Software>>Microsoft>>WinNT>>CurrentVersion
/profile list
(select each SID, and look for user name)
Many thanks,
really clear explanation
working like a charm.
How about building a GUI with the following entries:
– “service name”
– “hostname”
– “user” or “group” to be allowed
– “predefined access levels” as radio buttons
…
Did anyone ever take the time to do this?
Very well-written tutorial. Thanks for the work you’ve done.
VERY well-written tutorial. Thank you for the assistance.
Based from your last note:
This last point is extremely important, if you only use the “new” entry you might actually “lock” yourself out as the current entries in the DACL will be wiped out.
What would you do if you “lock” yourself out? How can you revert the process?
Hi All,
Here is our situation: we have Windows Server 2008 Standard OS (64 bit), are logged in as an administrator, and have installed a Windows service with another account which belongs to the Administrator group.
So the OS is running under an administrator group and the Windows service is running as a different user which is in the administrator group.
Shortly, what this Windows service does is use a Crystal Reports template and send it to a network printer. During this process we get the error message “Invalid Printer Spcecified”. When we remove the template
and just try to send it to the printer, this time we get the error message “invalid handle”. When we reboot/restart the server, it works both ways; however, we want to be successful without rebooting/restarting the server.
Note: the printer driver is OK.
Shortly, is there any way to accomplish this without rebooting the server? We used some tools like PsExec but they did not help.
Remember if we reboot everything ok .
Thanks and regards,
Selami Ozlu
selamiozlu@hotmail.com
Great explanation and worth to be the number one on google search results for this.
BTW: Does anyone know how i can recover my W32Time-Service i only set (A;;RPWP;;… without preserving the existing ACL 🙁
Hi, thanks for providing guidance through these murky waters! We recently created a GUI alternative that you may find useful too:
http://www.coretechnologies.com/products/ServiceSecurityEditor/
excellent !!! i solved many things with this, thank you, keep up the good work brother !!!
This is exactly what I needed. Cut my all nighter down to a few hours.
Thanks,
Patrick Hoban
http://patrickhoban.wordpress.com
Good article
Thanks man! This was great, exactly what I was looking for to manage service permissions on xenapp servers.
This works! It would help of the image_4 was “full size” so it was more obvious what the command looks like.
I took the “SY” entry already in place for the service I needed, made a copy of it, put that just before the “S:” stuff and now any user can start/stop the service.
Nice explanation.
Great article, very clear.
Thank you.
I have messed up my service, locked it for admins, is there any way to restore rights.
I have added – changed rights for user like this:
sc \\myserver sdset myService D:(A;;RPWP;;;S-1-5-21-…non admin user SID)
but that user also cant see the service.
I have vmware clone of that server for backup. Is there some way to restore that service for admins?
Please HELP.
THNKS
subinacl is the way to achieve this without having to decode SDDLs. First list the permissions that already exist on the service – use spooler as an example:
subinacl /service spooler /display=DACL
Next grant a domain group permissions to query status, stop, start and pause the service – this command replaces any permissions that this group had previously, but leaves all other group/user entries intact:
subinacl /service spooler /grant=DOMAIN\group=TSOPI
You can see the full help from subinacl – the permissions for services are as below – this is where we get TSOPI from:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
System Frontier allows you to control granular access to specific Windows services for non-administrators. The web interface is very easy to use and all permissions are role based and centrally managed.
Thank you very much for providing this writeup!
wmic useraccount get name,sid
A useful one-liner to list user SIDs.
hi, I need to remove Everyone user rights from the NetMan service, how do I go about this?
Use the ServiceSecurityEditor:
http://www.coretechnologies.com/products/ServiceSecurityEditor/
It’s a bit more easy, and it’s FREE 😉