How to change DACL of a Windows Service in C#?

The question is straightforward: How can I change the Access Control List of a Windows Service programmatically using C#? My goal is that a regular "User" should be able to start a Windows service written in .NET.
Hi,

Currently I am researching the issue and we will reply here with more information as soon as possible. If you have any more concerns on it, please feel free to post here. Thanks for your understanding!

Best regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi gzinger1,
Sorry for letting you wait.

.Net Windows Service encapsulates the Win32 service model, so this type of operation obeys the Windows security model.

There are 2 types of security regarding the Windows Service: the access rights for the SCM and the access rights for the service object.

The access rights for the SCM are used to install the service, that is, calling the CreateService API to install the service into the SCM. (This CreateService API is encapsulated in the ServiceInstaller.Install() method.)

The access rights for the service are used to control who can start/stop the installed service.

The official document regarding these 2 security access rights is listed in the link below:
"Service Security and Access Rights"
http://windowssdk.msdn.microsoft.com/en-us/library/ms685981.aspx

As you can see, "Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions.", so only an administrator can use ServiceInstaller to install the service.

Per your request, you want to allow a specific user to be able to start/stop a service. I assume you have used an administrator account to install this service. So the task requires changing the DACL of the service object. Normally, we can first use QueryServiceObjectSecurity and GetSecurityDescriptorDacl to query the DACL of the service object, then use SetServiceObjectSecurity to assign a modified DACL to the service object. The change to the service object is persistent until the service is removed from the system.

Microsoft has released a KB for this task:
"How To Control Access to a Windows NT, Windows 2000, and Windows XP Service"
http://support.microsoft.com/?kbid=180116

The code is written in C/C++; to use it in .Net, you have to p/invoke these Win32 APIs. If you meet any further p/invoke problems, I recommend you post in the microsoft.public.dotnet.framework.interop newsgroup to get more professional help.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

Dear Jeffrey Tan,
Thank you for your reply. From your post I understand that there is no way to accomplish what I want by managed code alone (without p/invoke), is that correct? Thanks.

Hi Greg,
Thanks for your feedback. Yes, .Net 1.1 does not provide DACL Windows security support in the Framework Class Library. In .Net 2.0, .Net encapsulates some of the kernel objects' DACL security in the System.Security.AccessControl namespace, such as FileSecurity, RegistrySecurity etc.; however, it still does not encapsulate the Windows Service object DACL manipulation. So you have to p/invoke the DACL Win32 API to complete this task. The following KB article provides a sample code snippet granting the Guest account start, stop, delete and READ_CONTROL access to the specified Service:
http://support.microsoft.com/?kbid=180116

Thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
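The sequence Jeffrey describes (QueryServiceObjectSecurity, edit the DACL, SetServiceObjectSecurity), written out in C# as an added example that is not the thread's or KB 180116's code: it p/invokes only the service APIs and uses the .Net 2.0 System.Security.AccessControl classes in place of GetSecurityDescriptorDacl. The class and method names are hypothetical, the Win32 constants are the documented values, and the call assumes it runs under an administrator account on the machine hosting the service.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the KB 180116 code): grants one account start/stop/query-status rights
// on a service by adding an allow ACE to the service object's DACL. Run as an administrator.
static class ServiceDacl
{
    const uint SC_MANAGER_CONNECT = 0x0001, READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000;
    const uint SERVICE_QUERY_STATUS = 0x0004, SERVICE_START = 0x0010, SERVICE_STOP = 0x0020, DACL_SECURITY_INFORMATION = 0x0004;
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenSCManager(string machine, string db, uint access);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenService(IntPtr scm, string name, uint access);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool QueryServiceObjectSecurity(IntPtr svc, uint info, byte[] sd, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetServiceObjectSecurity(IntPtr svc, uint info, byte[] sd);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CloseServiceHandle(IntPtr handle);

    public static void GrantStartStop(string serviceName, string account)
    {
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_CONNECT);
        if (scm == IntPtr.Zero) throw new Win32Exception();
        // READ_CONTROL to read the DACL, WRITE_DAC to replace it; no service control rights are needed.
        IntPtr svc = OpenService(scm, serviceName, READ_CONTROL | WRITE_DAC);
        if (svc == IntPtr.Zero) { CloseServiceHandle(scm); throw new Win32Exception(); }
        try
        {
            // First call with an empty buffer only reports the size required.
            uint needed;
            QueryServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, new byte[0], 0, out needed);
            byte[] buf = new byte[needed];
            if (!QueryServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, buf, needed, out needed))
                throw new Win32Exception();
            // Managed .Net 2.0 classes stand in for GetSecurityDescriptorDacl; AddAccess keeps canonical ACE order.
            CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, new RawSecurityDescriptor(buf, 0));
            SecurityIdentifier sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
            int rights = (int)(SERVICE_START | SERVICE_STOP | SERVICE_QUERY_STATUS | READ_CONTROL);
            csd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid, rights, InheritanceFlags.None, PropagationFlags.None);
            byte[] outSd = new byte[csd.BinaryLength];
            csd.GetBinaryForm(outSd, 0);
            if (!SetServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, outSd)) throw new Win32Exception();
        }
        finally { CloseServiceHandle(svc); CloseServiceHandle(scm); }
    }
}
```

The granted mask deliberately omits DELETE and SERVICE_CHANGE_CONFIG, so the account can start and stop the service but cannot remove it or repoint its binary path; any existing deny ACE for that account still wins.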