RE: How do I restrict access from starting/stopping services?
- From: jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey Tan[MSFT]")
- Date: Mon, 04 Dec 2006 08:07:38 GMT
Hi Nick,

Thanks for your feedback.

"Act as part of the operating system" is not an access right setting on the
service object. It is a privilege of an account. By default, only the "Local
System" account is granted the privilege "act as part of the operating
system", not any other user account. This privilege only plays a role in
some other API calls, such as the LogonUser API in Win2000.

When stopping/starting a service, it is the SERVICE_STOP and SERVICE_START
access rights set on the service object (in the DACL) that are used to control
which account can perform these 2 operations on the service object. The
privilege does not play any role here.

Can you tell me what user group the account is in? The first reply I
provided can be used to modify the DACL of a service object to grant/deny
any account a certain operation right (such as start/stop service). Sure, you
should run this code under any account in the Administrators group. However,
just as "Vladimir (Windows SDK MVP)" pointed out, if the account you want to
deny access to is in the Administrators group, we are out of luck: because this
account is in the Administrators group, he can also write some other code to
change the DACL of the service object again and grant himself the SERVICE_STOP
and SERVICE_START access rights. The principle here is that the Administrators
group can do whatever it wants on the machine. So if you want to restrict an
account in the Administrators group, the sensible way is to remove it from the
Administrators group and modify the service object DACL to restrict his
access rights.

Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
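
The point made in the message above (a deny ACE for SERVICE_START/SERVICE_STOP holds for an ordinary account, but a member of Administrators still has the right to rewrite the DACL) can be checked from a service's security descriptor in SDDL form, the format that `sc sdshow <service>` prints. This is an added example, not code from the original thread; the SDDL string and the user SID in it are constructed sample values, and the parser handles only the two-letter rights form.

```python
import re

# SDDL right codes as the Service Control Manager interprets them on a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
}

def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee)] for allow/deny ACEs in the D: part.
    Handles the two-letter rights form only, not hex access masks."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "D"):
            continue
        rights = {SERVICE_RIGHTS.get(c, c) for c in re.findall("..", fields[2])}
        aces.append((fields[0], rights, fields[5]))
    return aces

def can(sddl, right, sids):
    """ACEs are checked in order; the first one that names one of the caller's
    SIDs and carries the right decides. No match means access is denied."""
    for ace_type, rights, trustee in parse_dacl(sddl):
        if trustee in sids and (right in rights or "GENERIC_ALL" in rights):
            return ace_type == "A"
    return False

def audit(sddl, sids):
    """(can start, can stop, can rewrite the DACL) for a caller's SID set."""
    rewrite = can(sddl, "WRITE_DAC", sids) or can(sddl, "WRITE_OWNER", sids)
    return can(sddl, "SERVICE_START", sids), can(sddl, "SERVICE_STOP", sids), rewrite

# Constructed sample: a deny ACE for one user placed ahead of typical allow ACEs.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
SDDL = ("D:(D;;RPWP;;;" + USER + ")(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    print("plain user:", audit(SDDL, {USER, "IU"}))
    print("same user in Administrators:", audit(SDDL, {USER, "BA", "IU"}))
```

The third value in each result is the one to watch when reviewing a restriction: if it is true for the account being restricted, the deny ACE can be undone by that account.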