How to grant permission to domain account to manage windows service

A domain account needs some specific permissions to interact with a Windows service when a web application runs under a domain or service account and has to control that service. The usual shortcut is to give the domain account administrative rights, but that opens up a whole class of security issues and is strictly not recommended. Instead, grant the domain account only the least permission it needs to do things like get the status of the Windows service and start, stop, or restart it. I have found that granting least permission to a domain account is not very straightforward. Here are the steps to follow.

  1. First, get the security descriptor in SDDL form, which tells you who currently has permission to interact with the given Windows service. Run the command below to get the SDDL and copy the result into Notepad.

    sc.exe sdshow "windowsservicename"

    The result will look like this:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  2. Get the SID of the domain account.

    wmic useraccount where (name='domainaccountname' and domain='us') get sid

  3. Replace the placeholder SID (the S-1-... value) in the string below with the SID of your domain account.

    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-2-16-1234567697-1234567890-123456789-1234567)

    The string representation above is complex and not easy to read. "A" means Allow. Each two-letter pair that follows represents a specific right or permission. Here are some examples:

    CC – SERVICE_QUERY_CONFIG – get the service's current configuration
    LC – SERVICE_QUERY_STATUS – get the current status of the service
    SW – SERVICE_ENUMERATE_DEPENDENTS – get the list of dependent services
    RP – SERVICE_START – start the service
    WP – SERVICE_STOP – stop the service
    DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
    LO – SERVICE_INTERROGATE – ask the service to report its current status
    CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service's authors
    RC – READ_CONTROL – read the security descriptor of this service

    You can read this MS article to get more details on security descriptors. The string I gave you above grants the domain account full control over the Windows service. You can grant only the permissions you require by choosing the appropriate two-letter pairs from the list.

  4. Insert the string above into the SDDL string you got in step 1, directly after the D: prefix. The final string will look like this:

    D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-2-16-1234567697-1234567890-123456789-1234567)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  5. Run the command below to grant the permission to the domain account.

    sc.exe sdset "windowsservicename" "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-2-16-1234567697-1234567890-123456789-1234567)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"


There is also an alternative to the solution above. You can use the Subinacl.exe tool, which simplifies the process. That tool is provided by Microsoft, but its documentation says it only supports Windows Server 2003. I have tested it on Windows Server 2012 and it works fine, but if your IT team will not allow you to install this old tool, you can follow the manual steps I have provided. You can create a PowerShell script to automate those steps.
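As an added example of such a script (it is not code from the original post), the PowerShell below automates steps 1 to 5, but grants only the rights needed to query, start, stop, pause and interrogate the service rather than full control, refuses to add a duplicate ACE, and validates the SDDL before handing it to sc.exe. The service name and account are placeholders, and it must be run from an elevated prompt; it is a dry run unless -Apply is given.

```powershell
# Added example, not the post's own code. 'MyService' and 'CONTOSO\svc-web' are
# placeholders to replace with your service and domain account.
param(
    [string]$ServiceName = 'MyService',
    [string]$Account     = 'CONTOSO\svc-web',
    [switch]$Apply
)

# CC LC SW RP WP DT LO CR RC from the list above: query config/status, enumerate
# dependents, start, stop, pause/continue, interrogate, user control, read the ACL.
# No DC/SD/WD/WO, so the account cannot reconfigure, delete or re-ACL the service.
$Rights = 'CCLCSWRPWPDTLOCRRC'

# Step 2: resolve the account to its SID (replaces the wmic lookup)
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 1: read the current descriptor; sc.exe prints a blank line before the SDDL
$line = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
if (-not $line) { throw "sc.exe sdshow failed for '$ServiceName'" }
$current = "$line".Trim()

# Do not add a second ACE for the same SID; review the existing one instead
if ($current.Contains(";;;$sid)")) {
    Write-Host "An ACE for $Account ($sid) already exists:`n$current"
    return
}

# Steps 3-4: add the allow ACE at the end of the DACL, before the S: (SACL) part if
# there is one, so any existing deny ACEs keep their canonical position in front
$ace = "(A;;$Rights;;;$sid)"
$dacl, $sacl = $current -split '(?=S:)', 2
$new = $dacl + $ace + $sacl

# Validate before touching the service: a malformed SDDL (e.g. a missing
# parenthesis) throws here instead of being rejected by sc.exe sdset
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

Write-Host "Current: $current"
Write-Host "New:     $new"

if ($Apply) {
    # Step 5: write the descriptor back (needs an elevated prompt)
    & sc.exe sdset $ServiceName $new
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed (exit code $LASTEXITCODE)" }
} else {
    Write-Host 'Dry run; re-run with -Apply to change the service ACL.'
}
```

After applying, run sc.exe sdshow again and confirm the new ACE carries only the intended two-letter pairs.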

Hope this helps!

Posted in Microsoft Technology