Windows: Set permissions on a service

Hi,

when it is necessary that normal user needs the ability to do some operations on a service, such as starting or stopping, multiple ways exists to grant these permissions. Windows has no GUI or (easy to use) command line tool on board to set these access rights. I will show you 3 ways to set them.

  • Sysinternals Process Explorer
  • sc.exe (Service controller)
  • subinacl.exe (The security swiss knife)

For the following examples I will use the OpenVPN Service with its Service Name openvpnservice and assign the start and stop permissions to a user or group. But its the same procedure for all other services.

The easiest way is to use the sysinternals Process Explorer. It provides a graphical user interface but  has the dependency that the service must be in the running state before process explorer is started. If you already have a valid openvpn configuration start the service:

sc start openvpnservice

Then start the process explorer as administrator and locate the openvpn service process openvpnserv.exe.

Openvpn Process

Openvpn Process



Right click, choose properties from the menu and select the service tab.

Openvpn permissions for Buitin Users Group

Openvpn permissions for Buitin Users Group

Press the permissions button and open the advanced settings. You can grant the various permissions to every User or Group. For example the start/stop/restart rights for the BuiltIn Users Group.

Openvpn permissions for Buitin Users Group

Openvpn permissions for Buitin Users Group

The permissions can also granted at command line with sc.exe (Service Controller) or the subinacl.exe (Command line ACL editor) .  sc.exe is on board  since Windows Vista , subinacl is part of the resource kit for Windows Server 2003 and is only available in a 32Bit version but already works for Windows Vista/7/8/8.1.

With sc.exe you have to edit or set the acls in sddl format. The sdshow option prints out the current persmissions. Editing the sddl is difficult but possible. See MSDN.

C:\>sc sdshow openvpnservice

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

There is an easy way to get an valid sddl string :-).  Open a management console mmc.exe and add the snapin  “Security Templates”.

Add Security Template SnapIn

Add Security Template SnapIn

Create a new Template

Add Security Template SnapIn

Add Security Template SnapIn

Locate the service

Locate the openvpn service in list

Locate the openvpn service in list

Name it “OpenVPN Service Permissions”

Define a name

Define a name

Define Startup Mode

Service Startup Mode

Service Startup Mode

and permissions

Define service permissions

Define service permissions

save the template and open the inf file, in my case the file C:\Users\loadm\Documents\Security\Templates\OpenVPN Service Permissions.inf. This should contains something like that:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"OpenVPNService",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Note: The template editor does not set the permissions itself, it only builts a inf file which can be imported by secedit. But we only need the sddl string:-)

This sddl string can be set by the sc.exe command:

sc.exe sdset openvpnservice D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;BU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

[SC] SetServiceObjectSecurity SUCCESS

The 3rd way is to use subinacl.exe. This tool must be downloaded at microsoft. When downloaded, install the msi package.

msiexec /i subinacl.msi

You only have to install it one times. Than copy the subinacl.exe file to the hosts on which you want to use it.

The advantage against sc.exe is that you can modify an existing set of permissions.First of all ensure you have the correct version of subinacl.exe. The original version from the resource kit has many bugs. Check the version. This is the correct one.

D:\tmp>subinacl /?
SubInAcl version 5.2.3790.1180

This shows the currently defined permissions on the openvpnservice

D:\tmp>subinacl /service openvpnservice


========================
+Service openvpnservice
========================
/control=0x0
/owner             =system
/primary group     =system
/audit ace count   =1
/aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
FAILED_ACCESS_ACE_FLAG-0x80    FAILED_ACCESS_ACE_FLAG-0x0x80
SERVICE_ALL_ACCESS
/perm. ace count   =4
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =interactive      ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_INTERROGATE-0x80           READ_CONTROL-0x20000               SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\users    ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_START-0x10                 SERVICE_STOP-0x20                  SERVICE_PAUSE_CONTINUE-0x40
READ_CONTROL-0x20000

Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : openvpnservice

You can get the full help text of subinacl with

subinacl /help /full

This command line adds the builtin Users group and grants the Query Service Configuration,Query Service Status,Start Service, Stop Service, Pause, Continue Service rights:

subinacl /service openvpnservice /grant=Users=QSTOP

Possible rights are
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute

OR
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

Michael

Advertisment to support michlstechblog.info

Add a comment »3 comments to this article

  1. If you want to centrally manage Windows service permissions without having to modify SDDL permissions on every machine, give System Frontier a try: http://systemfrontier.com/windows-services

    Reply

  2. Thanks 🙂

    Reply

  3. Wow,
    Amazing. I fighted for 2 years nearly with subinacl / sc / other tools to setup this, and I already used Process Explorer for other purposes. I didn’t know this functionnality, you made my day mate 😉

    Thanks again

    Reply

Time limit is exhausted. Please reload CAPTCHA.

Original Theme by Schiy · Powered by WordPress