Sunday, August 27, 2017

Persistent way to allow a user to restart a service




There is a windows service that gets reinstalled sometimes.



I need a user to be able to start/stop/restart this service. This user is not an administrator and shouldn't be.



If I use setacl.exe than it works, or even I can use sc sdset, but after the service gets reinstalled setacl needs to be called again, but the process that reinstalls the service has no rights to run setacl.



Is there a way to grant a specific user the right to restart a service with a specific name, or even all services, that persists through a service reinstall?



If I'm able to give a user some general permissions to "manage services" that would also be fine, but I'm unable to pinpoint the exact rights needed for this (if I add the user to the admin group, he can start/stop services, but can -obviously- do a lot more than that).


Answer




Since you've already know about SetACL, and how to use it to allow a user to control a service, you could simply use Scheduled Tasks to regularly run SetACL.



Configure the task to repeat in an interval as small, as the longest acceptable time the user cannot control the service, after a re-installation.



Edit



As you say, it is kind of hacky ;).



Another option, as Adam mentions, is to use GPO's to enforce your ACL.




For a non-standard Windows services, you will have to install and run the Group Management Console, on the computer where the service is installed. Then do the following:




  1. Launch GPMC.msc on the computer

  2. Edit an existing GPO, or create a new, that applies to the computer in question

  3. Expand Policies, Windows Settings, Security Settings, System Services

  4. Open the properties of the service in question

  5. Define startup mode and edit permission as desired


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...