In my example I have a service that needs administrative permissions to start, restart and stop, I need to be able to do this as a normal user, without elevate myself, is there any way to do this?

Sure you say why don’t you use the “Computer Configuration\Policies\Windows Settings\Security Settings\System Services” Group policy settings for that? Well, in my case I just can’t, so how do I do?

First we will use the command SC.exe and the parameter SDSHOW and SDSET and we also need some knowledge to SDDL.

SC is a command line program used for communicating with the Service Control Manager and services. And the parameters SDSHOW will display the security descriptor of a service and SDSET will help to set a new one.

We will use the service BITS, Background Intelligent Transfer Service, as an example. As you understand you should not change these permissions in any production environment, this is only used for educational purpose.

First to demonstrate the error message the occurs

And now run the command SC.exe SDSHOW bits to get the current security descriptor.

This looks like a foreign language to most people, what is this? This is the SDDL, Security Descriptor Definition Language, simply explained by what permissions a certain user/group/system will have and is explained on MSDN: http://msdn.microsoft.com/en-us/library/aa379567(v=vs.85).aspx

Let’s try to break this down a bit. The format of the SDDL is described like this

(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute))

So if we look at the first paragraph (A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

The first is explained by ACE type

  • And A means SDDL_ACCESS_ALLOWED

The second two letters is the ACE flags

  • CI means SDDL_CONTAINER_INHERIT

CCDCLCSWRPWPDTLOCRSDRCWDWO indicates what specific rights that will be delegated and needs to break down a little bit more

  • CC = SDDL_CREATE_CHILD
  • DC = SDDL_DELETE_CHILD
  • LC = SDDL_LIST_CHILDREN

Etcetera, look at the rights table at this page: http://msdn.microsoft.com/en-us/library/aa374928(v=vs.85).aspx and for explanations

The last SY is a SID String and means SDDL_LOCAL_SYSTEM and corresponding RID is SECURITY_LOCAL_SYSTEM_RID

This wasn’t that hard, right? So let’s find out how to build this string for us. We need permissions somewhere between what an interactive user (IU) and the built in administrators (BA)

Built in Administrators = (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

Interactive Users = (A;;CCLCSWLOCRRC;;;IU)

That gives me something like (A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU) where BU stands for Built in Users.

We will add this string to the original string before the S: in the end. This means

To this string D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;SAFA;WDWO;;;BA) add (A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)

Equals this command to set the permission

SC.exe SDSET bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)S:(AU;SAFA;WDWO;;;BA)

Verify the settings

And finally try to start and stop the service with normal user permission and it works like a charm

Advertisements