How to change DACL of a Windows Service in C#?

The question is straightforward: How can I change Access Control List of a
windows Service programmatically using C#. My goal is that a regular "User"
should be able to start a windows service written in .NET.
 
Hi,

Currently I am researching the issue and we will reply here with more
information as soon as possible.
If you have any more concerns on it, please feel free to post here.

Thanks for your understanding!

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi gzinger1,

Sorry for letting you wait.

.Net Windows Service encapsulates the Win32 service model. So this type of
operation obeys the Windows security model.

There are 2 types of security regarding the Windows Service: the access
rights for the SCM and the access rights for service object.

The access rights for the SCM are used to install the service, that is, calling
the CreateService API to install the service into the SCM. (This CreateService
API is encapsulated in the ServiceInstaller.Install() method.)

The access rights for the service are used to control who can start/stop the
installed service.

The official document regarding these 2 security access rights is listed in
the link below:
"Service Security and Access Rights"
http://windowssdk.msdn.microsoft.com/en-us/library/ms685981.aspx

As you can see "Only processes with Administrator privileges are able to
open handles to the SCM that can be used by the CreateService and
LockServiceDatabase functions.", so only administrator can use
ServiceInstaller to install the service.

Per your request, you want to allow a specific user to be able to
start/stop a service. I assume you have used administrator account to
install this service. So the task requires to change the DACL of the
service object. Normally, we can first use QueryServiceObjectSecurity
and GetSecurityDescriptorDacl to query the DACL of the service object, then
use SetServiceObjectSecurity to assign a modified DACL to the service
object. The change to the Service object is persistent until the Service is
removed from the system.

Microsoft has released a KB for this task:
"How To Control Access to a Windows NT, Windows 2000, and Windows XP
Service"
http://support.microsoft.com/?kbid=180116

The code is written in C/C++, to use it in .Net, you have to p/invoke these
Win32 APIs. If you meet any further p/invoke problems, I recommend you post
in microsoft.public.dotnet.framework.interop newsgroup to get more
professional help.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Dear Jeffrey Tan,

Thank you for your reply.
From your post I understand that there is no way to accomplish what I want
by Managed code alone (without p/invoke), is that correct?

Thanks.
--
http://www.zbitinc.com

 
Hi Greg,

Thanks for your feedback.

Yes, .Net 1.1 does not provide DACL Windows security support in the Framework
Class Library.

In .Net 2.0, .Net encapsulates some of the kernel objects' DACL security in the
System.Security.AccessControl namespace, such as FileSecurity,
RegistrySecurity etc.; however, it still does not encapsulate Windows
Service object DACL manipulation.

So you have to p/invoke the DACL Win32 APIs to complete this task. The
following KB article provides a sample code snippet granting the Guest
account start, stop, delete and READ_CONTROL access to the specified
Service:
http://support.microsoft.com/?kbid=180116

Thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
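The two replies above describe the procedure (QueryServiceObjectSecurity to read the service's security descriptor, modify the DACL, SetServiceObjectSecurity to write it back) and note that .NET 2.0's System.Security.AccessControl covers files and the registry but not service objects. The following is an added example, not code from the thread or from KB 180116: it p/invokes only the two service-security APIs plus the handle functions, and does the DACL editing itself with the managed RawSecurityDescriptor and DiscretionaryAcl classes, so no SECURITY_DESCRIPTOR or ACL structures have to be marshaled by hand. It assumes .NET 2.0 or later, that the caller is an administrator (the service handle is opened with READ_CONTROL | WRITE_DAC, which a regular user will be denied), and that the service name and account come in as command-line arguments; the rights granted (SERVICE_QUERY_STATUS, SERVICE_START, SERVICE_STOP, READ_CONTROL) are a deliberately minimal set chosen for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: grant one account start/stop rights on one service by editing
// the service object's DACL. Requires administrator rights (WRITE_DAC on the service).
static class ServiceDacl
{
    // Access masks from winsvc.h / winnt.h.
    const int SC_MANAGER_CONNECT    = 0x0001;
    const int SERVICE_QUERY_STATUS  = 0x0004;
    const int SERVICE_START         = 0x0010;
    const int SERVICE_STOP          = 0x0020;
    const int READ_CONTROL          = 0x00020000;
    const int WRITE_DAC             = 0x00040000;
    const uint DACL_SECURITY_INFORMATION = 0x00000004;
    const int ERROR_INSUFFICIENT_BUFFER  = 122;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenSCManager(string machineName, string databaseName, int desiredAccess);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenService(IntPtr hSCManager, string serviceName, int desiredAccess);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool QueryServiceObjectSecurity(IntPtr hService, uint securityInformation,
        byte[] securityDescriptor, int bufSize, out int bytesNeeded);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool SetServiceObjectSecurity(IntPtr hService, uint securityInformation,
        byte[] securityDescriptor);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseServiceHandle(IntPtr hSCObject);

    // Adds an Allow ACE for 'account' to the service's DACL and returns the new DACL as SDDL.
    public static string GrantStartStop(string serviceName, NTAccount account)
    {
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_CONNECT);
        if (scm == IntPtr.Zero) throw new Win32Exception();
        try
        {
            // READ_CONTROL lets us read the descriptor, WRITE_DAC lets us replace its DACL.
            IntPtr svc = OpenService(scm, serviceName, READ_CONTROL | WRITE_DAC);
            if (svc == IntPtr.Zero) throw new Win32Exception();
            try
            {
                // First call with an empty buffer only reports the size required.
                int needed;
                if (!QueryServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, null, 0, out needed)
                    && Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                    throw new Win32Exception();
                byte[] sdBytes = new byte[needed];
                if (!QueryServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, sdBytes, sdBytes.Length, out needed))
                    throw new Win32Exception();

                // Parse the self-relative descriptor with the managed .NET 2.0 classes.
                RawSecurityDescriptor sd = new RawSecurityDescriptor(sdBytes, 0);
                if (sd.DiscretionaryAcl == null)
                    // A NULL DACL means "everyone has full access"; replacing it with a
                    // one-entry DACL would silently revoke that, so refuse to proceed.
                    throw new InvalidOperationException("Service has a NULL DACL; refusing to replace it.");

                DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, sd.DiscretionaryAcl);
                SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                // AddAccess merges with existing ACEs and keeps the DACL in canonical order.
                dacl.AddAccess(AccessControlType.Allow, sid,
                    SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP | READ_CONTROL,
                    InheritanceFlags.None, PropagationFlags.None);

                // Put the edited DACL back into the descriptor and write it to the service.
                byte[] daclBytes = new byte[dacl.BinaryLength];
                dacl.GetBinaryForm(daclBytes, 0);
                sd.DiscretionaryAcl = new RawAcl(daclBytes, 0);
                sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent);
                byte[] newSd = new byte[sd.BinaryLength];
                sd.GetBinaryForm(newSd, 0);
                if (!SetServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, newSd))
                    throw new Win32Exception();

                return sd.GetSddlForm(AccessControlSections.Access);
            }
            finally { CloseServiceHandle(svc); }
        }
        finally { CloseServiceHandle(scm); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: ServiceDacl <serviceName> <DOMAIN\\user>");
            return 1;
        }
        Console.WriteLine(GrantStartStop(args[0], new NTAccount(args[1])));
        return 0;
    }
}
```

To confirm the change took effect, run `sc sdshow <serviceName>` from an elevated prompt and look for a new `(A;;...;<SID>)` entry in the D: section; the program prints the same SDDL string. Keep the grant to the minimum the user actually needs: rights such as SERVICE_CHANGE_CONFIG or WRITE_DAC on a service that runs as LocalSystem would let that user change the service's binary path or its DACL, which is an elevation path, not a start/stop permission. The change persists in the service's registry configuration until the service is deleted, as the reply above notes.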
 