Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-02-26) Delegating Monitoring/Stopping/Starting Services On Servers

Posted by Jorge on 2008-02-26


Delegating permissions to manage services on servers is not the easiest thing to do. You can do it from the command line or through a GPO in the "System Services" node. Either way you MUST take the current configured permissions into account, otherwise you might/will experience issues!

I do not like to use a GPO to do this and prefer to use command line tools in scripts. I’m not going to post a script, but I’m going to provide the information for the delegation of the permissions required and how to achieve that. For the scripting part, what you need to do is retrieve the current SDDL, add what you want to add and write the complete new SDDL back.

Monitoring of Services on Servers (W2K3/W2K8)

  • ACE on SCM object for "<AD group>" –> **ADD** SDDL part "(A;;CCLCRPRC;;;<AD group>)" to existing SDDL
  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;GR;;;<AD group>)" to existing SDDL

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>
REMARK: also see
http://support.microsoft.com/?kbid=914392

Monitoring of Services on Servers (W2K)

  • All users, local and remote, are allowed to monitor all services on W2K

Stopping/starting of Services on Servers (W2K3)

  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;RPWP;;;<AD group>)" to existing SDDL

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>
REMARK: also see
http://support.microsoft.com/?kbid=914392

Stopping/starting of Services on Servers (W2K)

  • ACE on SCM object for "<AD group>" –> SUBINACL /service "\<SERVER><SERVICE>" /grant="<DOMAIN><AD GROUP>"=TO

REMARK: T = right to start a service & O = right to stop a service
REMARK: Always use the latest version of SUBINACL!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

One Response to “(2008-02-26) Delegating Monitoring/Stopping/Starting Services On Servers”

  1. I have been looking at these things a year ago and at that time I aslo wanted to delegate the right to read the Eventlogs.
    Heres how you can do that:

    5. Event Viewer
    This show how you can delegated the rights to the Eventlogs.
    5.1 Windows 2000
    By default domain users have the right to read the Application and System-Log on a Window 2000 Server. This works by default.

    5.2 Windows Server 2003
    By default this is the security for the Application event log:
    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
    Entry Meaning
    O:BA Object owner is Built-in Admin (BA).
    G:SY Primary group is System (SY).
    D: This is a DACL, rather than an audit entry or SACL.
    (D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
    (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
    (A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
    (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
    (A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
    (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
    (A;;0x3;;;SU) Allow Service accounts READ and WRITE.

    By default this is the security for the System event log:
    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)
    Entry Meaning
    O:BA Object owner is Built-in Admin (BA).
    G:SY Primary group is System (SY).
    D: This is a DACL, rather than an audit entry or SACL.
    (D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
    (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
    (A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
    (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
    (A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
    (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
    (A;;0x2;;;LS) Allow Local Service WRITE.
    (A;;0x2;;;NS) Allow Network Service WRITE.

    To give the group rights to read the Application and System event log you have to modify the security of each log. This is configured locally through the values in the following registry key:
    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog
    For example the Application log Security Descriptor is configured through the following registry value:
    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlogApplicationCustomSD
    And the System log Security Descriptor is configured through the following:
    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlogSystemCustomSD
    Reference:
    How to set event log security locally or by using Group Policy in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

    So, for example to give your group read permissions add the following to the CustomSD value (A;;0x1;;; [Your Group Name] ) at the end of the current string.

    Regards
    Robin G

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: