Monday, June 10, 2019

How to grant a local user access to restart a service

Hi Guys,
It has been some time. I have been working on a project for a close friend of mine (yes, I am finally doing some consulting). There were a plethora of things I did for the project that I wanted to blog about, but time is always against us.

I found this topic interesting and challenging, and the work itself (after a lot of reading and understanding) was pretty simple, so I am writing it up in today's blog.


We are going to grant a local user permission to restart a service on a server that is not domain joined, i.e. not connected to Active Directory.

By default a local user does not have permission to restart a service. If the user opens the services console (services.msc), the start and stop actions for the service are grayed out.
There are many ways to grant the permission, and they are described quite well in the blog 

I did not want to use any third-party software and wanted to complete the task with plain PowerShell commands. I am assuming the service name is "Somefoobarservice" and the local user is "tushar" (just for the sake of the example).

Open a PowerShell window as an administrator (right-click PowerShell and choose Run as administrator). Once it is open, use the sc.exe command. This utility communicates with the Service Control Manager and with services; typing sc.exe on its own prints its help.


First we need to understand which user has what permissions on the service. We use the sdshow option of sc.exe, which displays the service's security descriptor.

Example: sc.exe sdshow "Somefoobarservice"

You will get output like the below:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

It may look like gibberish, but it will make sense once we walk through the output.

The letter at the very beginning of the output names the type of ACL that follows:
S: — System Access Control List (SACL)
D: — Discretionary ACL (DACL)

Within each parenthesised entry (an access control entry, or ACE), the first field is the ACE type: allow (A) or deny (D).

The next field is the list of rights granted or denied, two letters per right:

CC — SERVICE_QUERY_CONFIG (request service settings)
LC — SERVICE_QUERY_STATUS (service status polling)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE

The BA entry in the output above also carries DC (SERVICE_CHANGE_CONFIG), SD (DELETE), WD (WRITE_DAC) and WO (WRITE_OWNER), which is why administrators can reconfigure or delete the service; none of those belong in an entry for an operator who only needs to restart it.

The last field is the trustee the entry applies to: either a two-letter alias for a predefined group, or a full SID. The predefined aliases are:

AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user

I hope the gibberish now makes much more sense. The next task is to identify the user's SID, the unique identifier to which the permissions will be granted. There are many ways to do this; I am writing down the easiest.
Type the below command using WMIC (the WMI command-line tool):
 wmic useraccount get name,sid
This lists the name and SID of every local user account. Copy the SID of the user you want to grant permission on the service to.
Guest           S-1-5-21-2719496566-3729557865-1934094733-501
tushar        S-1-5-21-2719496566-3729557865-1934094733-1011
Something like the above. Now we take tushar's SID and update the service "Somefoobarservice" with sc.exe again, this time using the sdset option, which sets a service's security descriptor.
Before that we have to prepare the new security descriptor. We append the new entry for tushar to the original descriptor, which retains the existing permissions on the service (setting only the new entry would drop them).

The original descriptor:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
The new entry for tushar. Here we grant permissions to read the service and to start, stop, restart and pause it:
(A;;CCLCSWLOCRRCRPWTDT;;;S-1-5-21-2719496566-3729557865-1934094733-1011)
So the new descriptor is the original one with tushar's entry appended (make sure there is no space between the entries):
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWTDT;;;S-1-5-21-2719496566-3729557865-1934094733-1011)

Now it is time to update the service (remember PowerShell must be running as admin):
sc.exe sdset "Somefoobarservice"  "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRCRPWTDT;;;S-1-5-21-2719496566-3729557865-1934094733-1011)"
Once done you will get the message "[SC] SetServiceObjectSecurity SUCCESS". Run sc.exe sdshow "Somefoobarservice" once more to confirm the new entry is present.
Voila! The local user can now start, stop, restart and pause the service like an admin. This is one way to give a user controlled permissions on a particular service rather than granting admin rights on the whole server.
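The same procedure as an added PowerShell example (not code from the original post), for PowerShell 5 or later run as admin: it reads the sdshow output, decodes each entry with the .NET SDDL parser so you can see who already holds start/stop rights, appends one allow entry for the SID and writes it back with sdset. The service name and SID are the post's placeholders; the access-mask values are the SERVICE_* constants from winsvc.h.

```powershell
# Added example, not the post's own code. PowerShell 5+, run as administrator.
$ServiceName = 'Somefoobarservice'
$UserSid     = 'S-1-5-21-2719496566-3729557865-1934094733-1011'   # from: wmic useraccount get name,sid

# Service-specific access bits (SERVICE_* in winsvc.h) plus READ_CONTROL,
# keyed by the two-letter SDDL codes listed above.
$Rights = [ordered]@{
    CC = 0x0001; DC = 0x0002; LC = 0x0004; SW = 0x0008; RP = 0x0010
    WP = 0x0020; DT = 0x0040; LO = 0x0080; CR = 0x0100; RC = 0x00020000
}
# Rights to grant: read/query (CC LC SW LO CR RC) plus start, stop, pause/continue (RP WP DT).
$GrantMask = 0
foreach ($code in 'CC','LC','SW','LO','CR','RC','RP','WP','DT') { $GrantMask = $GrantMask -bor $Rights[$code] }

# 1. Read the current descriptor; sc.exe prints a blank line before the SDDL string.
$sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DS]:' }) -join ''
if (-not $sddl) { throw "sc.exe sdshow returned no descriptor for $ServiceName" }
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)

# 2. Audit before changing anything: print each ACE with its rights decoded.
#    Any trustee holding DC (change config) can repoint the service binary,
#    so such an entry deserves a second look.
foreach ($ace in $sd.DiscretionaryAcl) {
    $have = $Rights.Keys | Where-Object { ($ace.AccessMask -band $Rights[$_]) -ne 0 }
    '{0,-13} {1,-46} {2}' -f $ace.AceQualifier, $ace.SecurityIdentifier, ($have -join ' ')
}

# 3. Append one allow ACE for the user unless an explicit ACE for that SID already exists.
$sid = [System.Security.Principal.SecurityIdentifier]::new($UserSid)
if ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }) {
    Write-Warning "$UserSid already has an explicit ACE on $ServiceName; leaving it unchanged."
    return
}
$ace = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $GrantMask, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

# 4. Let .NET serialise the DACL (no hand concatenation, no stray spaces) and apply it.
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Discretionary)
sc.exe sdset $ServiceName $newSddl
```

Running only steps 1 and 2 is a quick way to audit which accounts can stop or reconfigure a given service without changing anything.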


Thanks,
Tushar 


Tuesday, January 1, 2019

New Year 2019

Hi Guys,
It has been some time since I stopped working on my blog, and since then I have missed out on something I was passionate about and stopped growing technically. I believe sharing makes you grow more than keeping things to yourself. I promise I will blog more and share more this year.

There are a lot of things I am working on in parallel, including but not limited to Cloudera, SQL and AWS. I will try to share my experience as much as I can.


Thanks,
Tushar Kanti