Allow Windows users to restart a service
Let's say you want your local restricted users to be able to restart specific services. On Linux you would probably type visudo. On Windows, I found, you have to dig a little deeper into the system and really do your research; I needed several sites, programs and articles. So I thought it might be useful to others if I bundled all the required information in one place. Here it is.
Warning
This was tested on Windows Server 2003 Standard Edition. It may not work on other versions. Also, this is serious stuff: you can seriously mess up your system using these pointers. Study before implementing anything. You have been warned.
Prerequisite: Resource Kit Tools
In this article we're going to change the security descriptors of certain objects, written in SDDL. We do this with sc.exe, the Service Control command-line tool. The copy used here is the one distributed with the Windows Server 2003 Resource Kit Tools; sc.exe also ships with Windows itself (%SystemRoot%\System32\sc.exe) and its sdshow and sdset subcommands are available there on Windows Server 2003, so if the commands below already work from a plain command prompt you can skip the download.
So first we need to:
- Download the Windows Server 2003 Resource Kit Tools
- Install it
- Open a command prompt (cmd.exe)
- Change to the installation directory (cd "C:\Program Files\Windows Resource Kits\Tools")
Prerequisite: access to the Service Control Manager
Before a user can start or stop any service, they must be allowed to connect to the Service Control Manager (the scmanager object). If you want your changes to be specific to one user or group, first determine its SID (see the related article, Determine SID of Windows user). A group SID is usually the better choice, because you can then change who may restart the service by editing group membership instead of rewriting the descriptor. Looking up the SID might return:
S-1-5-21-151122097-1987018581-353216475-1003
We will use this SID later on.
Look up the current scmanager SDDL
The Security Descriptor Definition Language (SDDL) is the text form of a security descriptor: it defines who is allowed to do what with an object. Before we change the descriptor of the scmanager, we first want to see what the current one is. So in the Resource Kit Tools directory execute:
sc sdshow scmanager
And that might return:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Change scmanager SDDL
Now, based on the original SDDL of scmanager, we're going to create a new one that includes our user (the SID we determined earlier) by following these rules:
- Copy the Interactive Users ACE string: (A;;CCLCRPRC;;;IU). Read it as (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee): A = access allowed, no ACE flags, rights CCLCRPRC (on the scmanager: connect, enumerate services, query lock status, read control), no GUIDs, trustee IU = Interactive Users.
- Change the IU to the SID of the user or group that you wish to grant access: (A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
- Insert the new ACE string before the S: (the start of the audit ACL), like so:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Set new scmanager SDDL
In the Resource Kit Tools directory execute (all on one line):
sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
Your user can now connect to the scmanager, enumerate its services and query its lock status, the same rights interactive users already have. Two things to keep in mind: sc sdset replaces the whole descriptor, so always paste the existing ACEs along with the new one, or you will remove access that other accounts rely on; and Authenticated Users already hold CC (SC_MANAGER_CONNECT) in the default descriptor, which is all sc.exe itself needs to open the manager, so the extra rights mainly matter for tools such as the Services snap-in that need to list the services.
Access to your service
Now we must grant the users the right to start and stop your service. Let's take Tomcat as an example.
Look up the key name
First we must look up the internal service name (the key name). This is not always the display name shown in the user interface. To find it, in the Resource Kit Tools directory execute:
sc GetKeyName "Apache Tomcat"
And that might return:
Tomcat5
Allow all Authenticated Users to restart the service
We've already seen how to target a specific SID. In the next example let's allow all Authenticated Users (AU: every account that logged on with credentials, locally or over the network; this is narrower than Everyone, WD) to query the status (LC), start (RP) and stop (WP) the service. In the Resource Kit Tools directory execute (all on one line):
sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Voilà! Your users now have permission to start and stop the service, even though they are just restricted users. Test it by logging in as a restricted user and restarting the service. Two caveats: granting RP and WP to Authenticated Users lets any account on the machine, including network logons, stop the service at will, so a dedicated group SID (as in the scmanager example) is usually the better trustee; and never hand a non-administrator DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC) or WO (WRITE_OWNER), because changing the service's binary path or its ACL lets that account run its own code under the service's account.
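As an added example (not code from the original article), here is a small Python helper that does the SDDL editing from the two procedures above offline and also answers what a rights string actually grants: it rebuilds the scmanager descriptor with the extra ACE exactly the way the article does, decodes the two-letter rights into SC_MANAGER_* and SERVICE_* names, and flags any non-admin trustee in a service descriptor that has been given a right that lets them reconfigure the service. The descriptors and the SID are the ones quoted above; the right-name tables follow winsvc.h and winnt.h. It prepares and reviews the string you paste into sc sdset; it does not replace sc.exe.

```python
"""SDDL helper for the strings `sc sdshow` prints and `sc sdset` accepts.
Added example, not code from the original article. Right names follow the
SC_MANAGER_*/SERVICE_* constants in winsvc.h and the standard rights in winnt.h."""
import re
from dataclasses import dataclass

# Standard/generic rights mean the same on every object type.
STANDARD_RIGHTS = {"GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "RC": "READ_CONTROL",
                   "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
                   "KA": "KEY_ALL_ACCESS"}  # sc.exe prints the SCM all-access mask as KA
# Object-specific rights reuse the same letters with a different meaning per object.
SCM_RIGHTS = {"CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
              "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
              "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_RIGHTS = {"CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
                  "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
                  "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
                  "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL"}
# Rights that let the holder rewrite the service (binary path, account) or its ACL.
TAKEOVER_RIGHTS = {"DC", "SD", "WD", "WO", "GA", "GW", "KA"}

@dataclass
class Ace:
    ace_type: str          # A = allow, D = deny, AU = audit
    flags: str             # ACE flags (e.g. FA = audit success and failure)
    rights: str            # two-letter tokens, or a 0x... mask
    sid: str               # abbreviation such as AU/IU/BA or a full S-1-5-... SID
    object_guid: str = ""  # always empty for SCM and service ACEs
    inherit_guid: str = ""
    def to_sddl(self) -> str:
        return "(%s)" % ";".join([self.ace_type, self.flags, self.rights,
                                  self.object_guid, self.inherit_guid, self.sid])

def _parse_aces(text: str) -> list:
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:  # conditional and object ACEs are out of scope
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5], fields[3], fields[4]))
    return aces

def split_sddl(sddl: str):
    """Split 'D:<flags>(ace)...S:<flags>(ace)...' as printed by sc sdshow (no O:/G: parts)."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)(?:S:([A-Z]*)((?:\([^)]*\))*))?", sddl.strip())
    if not m:
        raise ValueError("expected D:... optionally followed by S:...")
    return m.group(1), _parse_aces(m.group(2)), m.group(3) or "", _parse_aces(m.group(4) or "")

def build_sddl(dflags: str, dacl: list, sflags: str, sacl: list) -> str:
    sacl_part = ("S:" + sflags + "".join(a.to_sddl() for a in sacl)) if (sflags or sacl) else ""
    return "D:" + dflags + "".join(a.to_sddl() for a in dacl) + sacl_part

def rights_tokens(rights: str) -> list:
    if rights.startswith("0x"):
        return [rights]   # numeric mask: passed through undecoded
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def describe_rights(rights: str, object_rights: dict) -> list:
    """Expand e.g. 'CCLCRPRC' to names, using the table for the object described."""
    return [object_rights.get(t) or STANDARD_RIGHTS.get(t, t) for t in rights_tokens(rights)]

def rights_for(sddl: str, sid: str, object_rights: dict) -> list:
    """Names of every right the allow ACEs in `sddl` give to `sid`."""
    names = []
    for a in split_sddl(sddl)[1]:
        if a.ace_type == "A" and a.sid == sid:
            names.extend(describe_rights(a.rights, object_rights))
    return names

def grant_like(sddl: str, template_sid: str, new_sid: str) -> str:
    """The article's recipe: copy template_sid's allow ACE (e.g. IU) for new_sid,
    append it to the DACL and keep the SACL as it was."""
    dflags, dacl, sflags, sacl = split_sddl(sddl)
    if any(a.ace_type == "A" and a.sid == new_sid for a in dacl):
        raise ValueError(f"{new_sid} already has an allow ACE; edit that one instead")
    template = next((a for a in dacl if a.ace_type == "A" and a.sid == template_sid), None)
    if template is None:
        raise ValueError(f"no allow ACE for {template_sid} to copy")
    dacl.append(Ace("A", template.flags, template.rights, new_sid))
    return build_sddl(dflags, dacl, sflags, sacl)

def audit_service(sddl: str) -> dict:
    """{sid: [right names]} for non-admin trustees that hold a takeover right on a
    service. Query/start/stop alone (LC/RP/WP) is a DoS risk, not flagged here."""
    findings = {}
    for a in split_sddl(sddl)[1]:
        if a.ace_type != "A" or a.sid in {"BA", "SY"}:
            continue
        bad = [t for t in rights_tokens(a.rights) if t in TAKEOVER_RIGHTS]
        if bad:
            findings[a.sid] = describe_rights("".join(bad), SERVICE_RIGHTS)
    return findings

# Descriptors quoted in the article.
SCM_DEFAULT = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
               "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
USER_SID = "S-1-5-21-151122097-1987018581-353216475-1003"
TOMCAT5 = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)"
           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Call grant_like(SCM_DEFAULT, "IU", USER_SID) to get the exact string used with sc sdset scmanager above, and rights_for(TOMCAT5, "AU", SERVICE_RIGHTS) to confirm what the Tomcat5 descriptor hands Authenticated Users. The same letters mean different things per object (CC is SC_MANAGER_CONNECT on scmanager but SERVICE_QUERY_CONFIG on a service), which is why describe_rights takes the table for the object in question; run audit_service over any descriptor before you sdset it.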
More Options
If my examples do not cut it for you, you'll have to familiarize yourself with the Security Descriptor Definition Language (SDDL) itself; here are some useful sources to get you going.
Sources
As always, if I overlooked something, you know better ways or find errors, please let me know!
tags: windows, security, SID, SDDL
category: Howto - Windows
Comments
#11. Kevin on 06 December 2009
#10. Matthew JLCIT on 19 November 2009
1. Create batch file to restart service on remote machine using sc command
2. Create scheduled task to run the above batch file, which does not run on any schedule. Set task to run as admin and enter credentials.
3. Create shortcut to scheduled task
e.g. shortcut
... [more] C:\Windows\System32\schtasks.exe /run /tn "\MyTaskSchedulerFolder\Task1"
4. Place shortcut on desktop
#9. Kevin on 25 November 2008
#8. Olof Sanner on 24 November 2008
Try PSService, part of PSTools, and make a batch file to restart the service. You still need the permissions to restart it as stated in the article, but that together would make it work for you.
Even better, if you grant access to SCManager for a security group (domain local) called SCManagerAccessSERVERNAME, then you could easily add user groups or users to that group later.
You can also make a security group called RestartServiceSERVICENAME-SERVERNAME (domain local), run gpmc from SERVERNAME, change the scope to $Servername and edit the gpo CompConf/WinSet/SecSet/SysServ/SERVICENAME
Add access read and restart to the security group: RestartServiceSERVICENAME-SERVERNAME
... [more] Also remember to add the other security groups that should have access to the service (otherwise the service will stop working).
Then you just add the wanted users to the two groups. This way it's a lot easier to change the users that you want to be able to restart a service.
#7. Good Stuff on 27 October 2008
#6. go-gulf on 17 September 2008
http://www.go-gulf.com
#5. Kevin on 05 September 2008
#4. Milan on 02 September 2008
Thanks for a great tip, it helped us a lot.
Now we would like to allow more than one security group to access scmanager. Can you give us a hint?
#3. Dimm on 31 July 2008
#2. Kevin on 11 June 2008
Though let me tell you, if I had to make something like that, I would probably either:
1. call a real MS expert
2. fly another route: code something that's running on the server and has enough privileges to restart the service. And have it accept commands from your user. Either by custom socket connection (of course this would require developing a GUI as well), web interface, or something like that. Hope it helps :)
#1. Jason Benway on 11 June 2008
Thanks, jb