RE: How do I restrict access from starting/stopping services?



Isn't there an account right which would control this? I thought the right
"act as part of the operating system" was the right you need to start/stop
services. If so, couldn't I just make sure I don't grant that right for the
account I want to restrict access to? If so, then the problem is that I also
want this account to have access to the $ shares (c$, d$, etc.). I believe
the account is currently in the administrators group. So I was thinking I
could remove it from the administrators group, somehow restrict its access so
that it can't start/stop services, and somehow give it access to the $ shares.
--
Thanks,
Nick

nicknospamdu@xxxxxxxxxxxxxxxx
remove "nospam" change community. to msn.com


"Jeffrey Tan[MSFT]" wrote:

Hi Nick,

There are 2 types of security associated with a Windows service: access
rights for the SCM (Service Control Manager) and access rights for the Service
object. The first security controls which account can perform the SCM
database operations, such as create service, enumerate service, etc. The
second security controls which account can perform the start/stop and other
operations on a specific service. These 2 security types are documented in
the MSDN link below:
"Service Security and Access Rights"
http://msdn2.microsoft.com/en-us/library/ms685981.aspx

So if you want to restrict an account's starting/stopping operation over a
service, you should modify the second type of security. More specifically, you
should remove SERVICE_STOP and SERVICE_START access rights for this
account.

Unfortunately, the CreateService API does not allow you to pass a
SECURITY_ATTRIBUTES or SECURITY_DESCRIPTOR structure, which means you
cannot specify the customized service security in the CreateService API. However,
the DACL associated with a Service object can be obtained via the
QueryServiceObjectSecurity API and can be set via the
SetServiceObjectSecurity API. Any changes made to the SECURITY_DESCRIPTOR
associated with the Service object are persistent until the Service is
removed from the system.

The KB article below contains the sample code for granting the Guest account
start, stop, delete and READ_CONTROL access rights. The idea is the same for
removing start, stop access rights; you may modify it for your own needs:
"How To Control Access to a Windows NT, Windows 2000, and Windows XP
Service"
http://support.microsoft.com/kb/180116/en-us

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.
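
The service-object DACL edit described in the quoted reply can be rehearsed offline on the SDDL string form of a service security descriptor, the form that `sc sdshow <service>` prints and `sc sdset` accepts. This is an added example, not code from the thread or from the KB article; the sample descriptor and the account SID are constructed placeholders, and hex access masks and conditional ACEs are assumed absent.

```python
import re

# Constructed sample in the string form `sc sdshow <service>` prints.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWRPWPLOCRRC;;;" + USER_SID + ")"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
START_STOP = {"RP", "WP"}  # RP = SERVICE_START, WP = SERVICE_STOP on a service
ACE_RE = re.compile(r"\(([^()]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")


def _codes(rights):
    """Split 'CCLCRPWP' into two-letter codes so matches cannot straddle codes."""
    if rights.startswith("0x"):
        raise ValueError("hex access masks are not handled in this example")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def trustees_with_start_stop(sddl):
    """Map each trustee to the start/stop rights its allow ACEs grant."""
    dacl = DACL_RE.search(sddl)
    found = {}
    for ace in ACE_RE.findall(dacl.group(2)) if dacl else []:
        fields = ace.split(";")
        held = START_STOP & set(_codes(fields[2]))
        if fields[0] == "A" and held:
            found.setdefault(fields[5], set()).update(held)
    return found


def strip_start_stop(sddl, trustee):
    """Remove RP/WP from the trustee's allow ACEs; the SACL is left untouched."""
    dacl = DACL_RE.search(sddl)
    if not dacl:
        raise ValueError("no DACL in security descriptor string")

    def rewrite(match):
        fields = match.group(1).split(";")
        if fields[0] != "A" or fields[5] != trustee:
            return match.group(0)
        kept = [c for c in _codes(fields[2]) if c not in START_STOP]
        fields[2] = "".join(kept)
        # An ACE left with no rights is dropped rather than written empty.
        return "(" + ";".join(fields) + ")" if kept else ""

    aces = ACE_RE.sub(rewrite, dacl.group(2))
    return sddl[:dacl.start(2)] + aces + sddl[dacl.end(2):]
```

Only ACEs naming the given trustee are changed, so an account that is still a member of a group listed in `trustees_with_start_stop` (for example `BA`, Builtin Administrators) keeps start/stop through that group's ACE.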
