Many times as a System Engineer I have been challenged with the potential security issue of allowing non-administrators to control the state of system services (including custom ones). Because of the many “solutions” I have encountered in the field, I feel the urge to state that giving non-admins administrative credentials is never the right solution, not even remotely! If you are presented with a similar request, please spend more time designing rather than repairing a solution that will never pass any audit.
To make this solution a bit more challenging, I will use this article to describe the process of granting non-administrators service control rights over a custom service (not a built-in Windows service). To make it even more challenging, I have chosen a service whose Service Name and Display Name are not the same.
You wish to allow operators in your company the right to start/stop several services and to query their state. Furthermore, they do not necessarily possess the knowledge to operate services on remote systems (servers) from their workstations, and you want to automate the process (create a script) to minimize human error, showing them the current service state and allowing them to start/restart the service.
We have a BGDIT01SQL01 SQL server running the CentralizedAafService service, which Operators need to maintain in their daily routine.
You need to have the appropriate objects in your domain environment nested using the AGDLP strategy, which is always my recommendation. In my Test Environment I have already created an Operators OU with the user accounts of all operators, all nested in the Global group G_Operators.
I always like creating a dedicated OU as a container for objects used for service manipulation. So if you wish, go ahead and create a Service Manipulation OU. Inside that OU create a logically named Global group (e.g. SG_servername_servicename) for every service you need to delegate, and always fill in a narrative description (I speak from personal experience) because sooner or later you will be asked to change the configuration. I have created the SG_BGDIT01SQL01_CentralizedAafService group, nesting the G_Operators group inside it. Since you’re gonna be testing this, include your own domain user account in it for the testing period too.
It is a pretty straightforward solution once you break it down into these steps:
- Create a group of users. We will be giving service control rights to that group.
Now, if you want to control a standard Windows (built-in) service:
- On a domain controller, start the Group Policy Management Console (GPMC) and set the needed right(s) on that service (or services) via a Group Policy Object (GPO).
- Continue to solution approach step 4.
Note: This solution will not be presented in this post.
If you want to control a custom Windows service:
- Log in to the server hosting the service and install the GPMC appropriate to that specific server and to your domain forest functional level. For example, if you wish to control a service hosted on Windows Server 2003 and your domain forest functional level and domain controller operating system are Windows Server 2008 R2, you will need to download this GPMC and install it on the server hosting the service (Windows Server 2003 in this example). Search for the GPMC you need in your environment (e.g. on Windows Server 2008 you just need to enable the GPMC feature, no download needed).
- Start GPMC on the server hosting the service you wish to manage and set the needed rights on that specific service via a Group Policy Object (GPO).
- Create a script for the users who need service control.
- Test it from a user’s workstation.
- Download the appropriate GPMC and install it on the server hosting the service you wish to configure access to.
- Run GPMC on that server and find the container in which the server (Computer Object) hosting that service resides (since we will use the GPO Computer Configuration), or some top-level OU, depending on your OU structure (I mainly use the Group Policy Type-Based Model design in my environments). See the note below.
Note: In my Production Environment I have several sub-OUs (tree-like structure) designed to host just server accounts. I always apply this GPO on the top-level OU hosting server accounts and then use Security Filtering to apply the GPO only to the Computer Object(s) I need (e.g. the BGDIT01SQL01 server).
- Right-click that OU and choose the Create a GPO in this domain, and Link it here… option.
- Give it a descriptive name, like BGDIT01SQL01 Service Management.
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → System Services and double-click the service you wish to set up access to:
- Click Define this policy setting and select a Service startup mode equal to that service’s default startup type (you can find out the service’s default startup type by running the services.msc console and inspecting the Startup Type column).
- Click the Edit Security… button:
- Add the previously created SG_BGDIT01SQL01_CentralizedAafService group containing the users that need access to this service, and
- give them the needed rights (e.g. Full Control):
- Confirm and close all windows by pressing the OK buttons.
Now it’s time to write a script for our Operators to minimize human error. We will use a simple batch file to control installed services through the Service Control Manager (SCM) via the Service Controller (SC) program.
Before we proceed, I would like to state a few very important facts:
- SC controls services via their Service Name (using the service’s Display Name in the SC syntax will result in an error). To find out the Service Name, use the services.msc console and look under Properties of the specified service (in this example we have a service with the Display Name CentralizedAafService and the Service Name CentralizedWorkflowService).
- If you have spaces in the Service Name parameter, you are required to use quotation marks in your SC syntax (e.g. “service name with spaces“).
- Also, the SC command is case sensitive and it is important to mind letter capitalization in the Service Name parameter (e.g. “service name with spaces” is not the same service as “Service Name with spaces“; those are two different services).
For example, to query the service state run the following command and look under the STATE output:
SC \\server_name query "Service Name with spaces"
The same syntax applies to the start and stop commands.
Now we will write the following code in notepad and save it as “QUERY BGDIT01SQL01 CentralizedAafService.BAT” file:
TITLE BGDIT01SQL01 CentralizedAafService QUERY
SC \\BGDIT01SQL01 query CentralizedWorkflowService
We will use the same syntax for the start and stop batch files and give them to the Operators. Now they can control the specified service running on the remote server by double-clicking the batch file, as tested:
There are a lot of guides on the internet that achieve the same goal using the Security Descriptor Definition Language (SDDL). As a con, I like centralized and easily managed solutions and SDDL does not meet that requirement; as a pro, it offers much more granular service management.
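As an added example that is not part of the original post, the following batch file folds the query, start and restart cases into one operator script: it reads the STATE line of SC query, offers only the action that makes sense for that state, and waits until the service actually reaches it. It assumes the BGDIT01SQL01 server and the CentralizedWorkflowService Service Name from the post, and that the SG_BGDIT01SQL01_CentralizedAafService group was given at least read and start/stop rights on the service in the GPO above.

```batch
@ECHO OFF
REM Added example, not from the original post: show the service state and offer
REM to Start or Restart it. Uses the names from the post; SC needs the Service
REM Name (CentralizedWorkflowService), not the Display Name (CentralizedAafService).
SETLOCAL ENABLEDELAYEDEXPANSION
SET "SERVER=BGDIT01SQL01"
SET "SVC=CentralizedWorkflowService"
SET "DISPLAY=CentralizedAafService"
TITLE %SERVER% %DISPLAY% CONTROL
CALL :GetState
IF ERRORLEVEL 1 GOTO :End
ECHO %DISPLAY% on %SERVER% is currently: %STATE%
IF "%STATE%"=="RUNNING" (
    SET /P ANSWER=Restart the service? [Y/N]: 
    IF /I "!ANSWER!"=="Y" (
        SC \\%SERVER% stop %SVC%
        CALL :WaitFor STOPPED
        SC \\%SERVER% start %SVC%
        CALL :WaitFor RUNNING
    )
) ELSE IF "%STATE%"=="STOPPED" (
    SET /P ANSWER=Start the service? [Y/N]: 
    IF /I "!ANSWER!"=="Y" (
        SC \\%SERVER% start %SVC%
        CALL :WaitFor RUNNING
    )
) ELSE (
    ECHO Service is in a transitional state ^(%STATE%^); try again shortly.
)
:End
PAUSE
GOTO :EOF
:GetState
REM Read the 4th token of the STATE line, e.g. "STATE : 4  RUNNING" -> RUNNING.
SET "STATE="
FOR /F "tokens=4" %%S IN ('SC \\%SERVER% query %SVC% ^| FIND "STATE"') DO SET "STATE=%%S"
IF DEFINED STATE EXIT /B 0
ECHO Could not read the service state (wrong Service Name or missing rights):
SC \\%SERVER% query %SVC%
EXIT /B 1
:WaitFor
REM Poll until the service reaches the requested state (about 30 seconds max).
FOR /L %%I IN (1,1,15) DO (
    CALL :GetState
    IF "!STATE!"=="%~1" ECHO Service is now %~1. & EXIT /B 0
    PING -n 3 127.0.0.1 >NUL
)
ECHO Timed out waiting for the %~1 state.
EXIT /B 1
```

PING is used as the delay instead of TIMEOUT so the script also runs on Windows Server 2003, which the post mentions as a possible host.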
- MSDN: Security Descriptor String Format
- University of Washington: Understanding SDDL Syntax
- NetworkAdminKB: How to Read a SDDL String
- NetworkAdminKB: Understanding the SDDL permissions in the ACE_String