Advertisements

Having fun with SC.exe

So the first thing you must know about SC.exe is that it REPLACES PERMISSIONS with what every you specify!

So, I was trying to figure out how to grant a user the right to start and stop a service. After reading this post

http://serverfault.com/questions/166641/how-to-give-rights-to-one-user-for-the-restart-of-a-service

I figured you could just get the sid of the current user. Using

whoami /all

And the using

Sc sdset myservice D:(A;;RPWP;;;place-sid-here)

unfortunately  I didn’t know that this command will replace the current permissions on the service… so basically I was unable to see the service anymore…. oops. To get it back I opened up regedit and went to

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services

and found the service and deleted the security key. When I rebooted it reset the security and then I was able to use the SC.exe command correctly.

The correct way to use it, is to first list the current permissions (sometimes you need to run an admin console)  using

sc sdshow yourservice

then take that security gooblyguk and then add your security goobly guk to it and then you are good to go. This post explains it pretty good, you just have to pay attention!

http://serverfault.com/questions/15147/how-do-i-give-a-domain-user-permission-to-start-and-stop-a-tomcat-service

1) Downloaded the Tomcat 5.5.27 Windows Service installer and installed it.

2) Dumped the TomCat5 service security descriptor using “sc sdshow tomcat5”, which showed me:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) 

This is a pretty common security descriptor for services. I’ve seen it verbatim on some Microsoft services. The SYSTEM and built-in Administrators have “full control”, “Power Users” can stop, start, and pause the service, and “Authenticated Users” can query properties of the service (I’m glossing over a bit here).

3) I created a limited user called “bob” on my box, opened a “RUNAS” command-prompt as him, and got his SID from “WHOAMI /ALL” (a command that’s on Windows Server 2003 but not on XP… don’t know about Vista and Windows 7 off the top of my head). I verified that Bob could not stop / start the Tomcat service (using “NET STOP tomcat5”). I received the same error you report in your post.

4) From my regular administrator command-prompt, ran the following:

sc sdset tomcat5 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDT;;;S-1-5-21-1409082233-484763869-854245398-1009) 

This SDDL string gives Bob’s SID (S-1-5-21-1409082233-484763869-854245398-1009) rights to stop, start, and pause the service (RP, WP, and DT, respectively).

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: