Allow Windows users to restart service

Let's say you want your local restricted users to be able to restart specific services. On Linux you'd probably type visudo. In Windows, I found, you have to dig a little deeper into the system and really do your research. I needed several sites, programs and articles to get there. So I thought it might be useful to others if I bundled all the required information in one place. Here it is.

Warning

This was tested on a Windows 2003 Server STD. It may not work on other versions. Also, this is serious stuff. You can seriously mess up your system using these pointers. Study before implementing anything. I warned you.

Prerequisite: Resource Kit Tools

In this article we're going to change the SDDL properties of certain objects. We can do this with a tool called sc.exe. It's distributed with the Windows Server 2003 Resource Kit Tools.

So first we need to:

  • Download the Windows Server 2003 Resource Kit Tools
  • Install it
  • Open a command prompt
    (cmd.exe)
  • Change to installation directory
    (cd "C:\Program Files\Windows Resource Kits\Tools")

Prerequisite: access to SC Manager

Your users need to be able to access the Service Control Manager (scmanager) as a prerequisite. If you want your changes to be user specific, you might first want to determine the SID of a user. This might return:
S-1-5-21-151122097-1987018581-353216475-1003

We can optionally use this SID later on.

Lookup current scmanager SDDL

The security descriptor definition language (SDDL) defines who is allowed to do what. If we are going to change that (in this case for the scmanager), we first want to see what the original SDDL is. So in the Resource Kit Tools directory execute:

sc sdshow scmanager

And that might return:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)
(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
(without the linebreaks)

Change scmanager SDDL

Now based on the original SDDL of scmanager, we're going to create a new one that includes our user (determine the SID of a user) by following these rules:

  • Copy the Interactive User ACE string
    (A;;CCLCRPRC;;;IU)
  • Change the IU to the SID of the user or group that you wish to grant access
    (A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
  • Insert the new ACE string before the S: like so

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)
(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
(without the linebreaks)

Set new scmanager SDDL

In the Resource Kit Tools directory execute:

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)
(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

(without the linebreaks)

Your user now has remote access to the scmanager.

Access to your service

Now we must grant users the right to start and stop your service. Let's take Tomcat for example.

Lookup Key Name

First we must look up the internal service key name. This is not always what is displayed in the user interface. To find this key, in the Resource Kit Tools directory execute:

sc GetKeyName "Apache Tomcat"

And that might return:

Tomcat5

Allow all Authenticated Users to restart service

We've already seen how to isolate a specific user. In the next example let's allow all Authenticated Users (a.k.a. everyone / world) to start, stop & query. In the Resource Kit Tools directory execute:

sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

(without the linebreaks)

Voila! Your users have permission to start and stop the service, even though they are just restricted users. Why not test it by logging in as a restricted user and restarting your service?
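The two SDDL edits above (cloning the scmanager IU ACE for a user's SID, and reading what the Tomcat5 descriptor grants Authenticated Users) as a small Python helper. This is an added example, not code from the article; the rights-letter tables are the standard SC manager and service access-right meanings, which the article does not list, and the SDDL and SID strings are the ones quoted in the article.

```python
import re

# Added example, not the article's code. SDDL rights letters are object-specific:
# the same two letters mean different things on the SC manager and on a service.
SCM_RIGHTS = {"CC": "CONNECT", "DC": "CREATE_SERVICE", "LC": "ENUMERATE_SERVICE",
              "SW": "LOCK", "RP": "QUERY_LOCK_STATUS", "WP": "MODIFY_BOOT_CONFIG"}
SERVICE_RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
                  "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
                  "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL"}
STANDARD = {"SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
            "WO": "WRITE_OWNER", "KA": "ALL_ACCESS", "GA": "GENERIC_ALL"}

def parse_sddl(sddl):
    """Split 'D:...S:...' into {'D': [ace, ...], 'S': [ace, ...]}; each ACE is a
    dict of the type, flags, rights and trustee fields of '(type;flags;rights;;;sid)'."""
    parts = {}
    for key, body in re.findall(r"([DS]):([A-Z]*(?:\([^)]*\))*)", sddl):
        parts[key] = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            t, flags, rights, _, _, sid = ace.split(";")[:6]
            parts[key].append({"type": t, "flags": flags, "rights": rights, "sid": sid})
    return parts

def decode_rights(rights, obj):
    """Expand a rights string such as 'CCLCRPRC' into names for the given object type."""
    table = dict(STANDARD, **(SCM_RIGHTS if obj == "scmanager" else SERVICE_RIGHTS))
    return [table.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]

def allowed_for(sddl, trustee, obj):
    """Rights the DACL's allow (A) ACEs grant to a trustee (alias such as AU, or a SID)."""
    names = set()
    for ace in parse_sddl(sddl).get("D", []):
        if ace["type"] == "A" and ace["sid"] == trustee:
            names.update(decode_rights(ace["rights"], obj))
    return names

def grant_like_iu(sddl, sid):
    """The article's rule: copy the Interactive User (IU) allow ACE, swap the
    trustee for the SID, and insert the copy immediately before the S: (SACL) part."""
    m = re.search(r"\(A;[^)]*;IU\)", sddl)
    if m is None:
        raise ValueError("no IU allow-ACE to clone")
    new_ace = m.group(0)[:-len("IU)")] + sid + ")"
    head, sep, tail = sddl.partition("S:")
    return head + new_ace + sep + tail

# The scmanager SDDL and SID quoted in the article (constructed sample input).
SCM_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
            "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
USER_SID = "S-1-5-21-151122097-1987018581-353216475-1003"
```

Running allowed_for on a descriptor before and after an sdset is a quick way to confirm that a trustee received exactly the start/stop rights intended and nothing more (for example no CHANGE_CONFIG or WRITE_DAC).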

More Options

If my examples do not cut it for you, you'll have to familiarize yourself with the Security Descriptor Definition Language (SDDL). Here are some useful sources to get you going.

Sources

As always, if I overlooked something, you know better ways or find errors, please let me know!



tags: windows, security, SID, SDDL
category: Howto - Webserver

Comments

#11. Kevin on 06 December 2009

@ Matthew JLCIT: Thanks a lot for sharing, I'm sure it will help others who come by.

#10. Matthew JLCIT on 19 November 2009

Hi, old thread but I kinda know how to do this so thought I'd share. The easy way to restart a remote service with admin privilege (I will give the steps, google each step for specifics as I can't remember off the top of my head) ->
1. Create a batch file to restart the service on the remote machine using the sc command
2. Create a scheduled task to run the above batch file, which does not run on any schedule. Set the task to run as admin and enter credentials.
3. Create a shortcut to the scheduled task
e.g. shortcut
C:\Windows\System32\schtasks.exe /run /tn "\MyTaskSchedulerFolder\Task1"
4. Place the shortcut on the desktop

#9. Kevin on 25 November 2008

@ Olof Sanner: Some great ideas, Olof. Thank you for sharing

#8. Olof Sanner on 24 November 2008

To Jason:
Try PSService, part of PSTools, and make a batch file to restart the service. You still need the permissions to restart it as stated in the article, but that together would make it work for you.
Even better: if you grant access to SCManager for a security group (domain local) called SCManagerAccessSERVERNAME, then you can easily add user groups or users to that group later.
You can also make a security group called RestartServiceSERVICENAME-SERVERNAME (domain local), run gpmc from SERVERNAME, change the scope to $Servername and edit the GPO CompConf/WinSet/SecSet/SysServ/SERVICENAME
Add access read and restart to the security group RestartServiceSERVICENAME-SERVERNAME
Also remember to add the other security groups that should have access to the service (otherwise the service will stop working).
Then you just add the wanted users to the two groups. This way it's a lot easier to change the users that you want to be able to restart a service.

#7. Good Stuff on 27 October 2008

Thanks for the guidance! This was a great help to me. Hard to believe what you have to go through to change service security these days...

#6. go-gulf on 17 September 2008

How could you come up with such a brilliant idea? God must have faith in you and have given you a special brain compared to others.
http://www.go-gulf.com

#5. Kevin on 05 September 2008

@ Milan: Not that I've tried it, but wouldn't it be possible to look up all the SIDs and repeat the steps?

#4. Milan on 02 September 2008

Kevin,
Thanks for a great tip, it helped us a lot.
Now we would like to allow more than one security group to access scmanager. Can you give us a hint?

#3. Dimm on 31 July 2008

Biggest thanks Kevin, this is the only real solution ever!

#2. Kevin on 11 June 2008

@ Jason Benway: This was for local use only and I couldn't tell you how this would translate through MMC. I lack the experience, time & will for that ;)
Though let me tell you, if I had to make something like that, I would probably either:
1. call a real MS expert
2. fly another route: code something that's running on the server and has enough privileges to restart the service. And have it accept commands from your user. Either by custom socket connection (of course this would require developing a GUI as well), web interface, or something like that. Hope it helps :)

#1. Jason Benway on 11 June 2008

Thanks for this great information, but I need a user to restart the printer spooler on a server. I don't want them to terminal into the server, just use the services MMC and connect to the server to restart the service. He gets an access denied trying to connect to the server. Any ideas?
Thanks, jb