Let's say you want your local restricted users to be able to restart specific services. On linux you'd probably type visudo. In Windows I found, you have to dig a little deeper into the system and really do your research. I needed several sites, programs and articles. So I thought it might be useful to others if I'd bundle all the required information in one place. Here it is.
Warning
This was tested on a Windows 2003 Server STD. It may not work on other versions. Also, this is serious stuff. You can seriously mess up your system using these pointers. Study before implementing anything. I warned you.
Prerequisite: Resource Kit Tools
In this article we're going to change the SDDL properties of certain objects. We can do this with a tool called sc.exe. It's distributed with the Windows Server 2003 Resource Kit Tools.
So first we need to:
- Download the Windows Server 2003 Resource Kit Tools
- Install it
- Open a command prompt (cmd.exe)
- Change to the installation directory (cd "C:\Program Files\Windows Resource Kits\Tools")
Prerequisite: Access to SC Manager
Your users need to be able to connect to the Service Control Manager (scmanager) before they can touch any individual service, so this is a prerequisite. If you want your changes to be user specific, you might first want to determine the SID of a user. This might return:
S-1-5-21-151122097-1987018581-353216475-1003
We can optionally use this SID later on.
Lookup Current Scmanager SDDL
The security descriptor definition language (SDDL) defines who is allowed to do what. If we are going to change that (in this case for the scmanager), we first want to see what the original SDDL is. So in the Resource Kit Tools directory execute:
$ sc sdshow scmanager
And that might return:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Change Scmanager SDDL
Now, based on the original SDDL of scmanager, we're going to create a new one that includes our user (the SID we determined earlier) by following these rules:
- Copy the Interactive User ACE string
(A;;CCLCRPRC;;;IU)
- Change the IU to the SID of the user or group that you wish to grant access
(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
- Insert the new ACE string before the S: like so
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Set New Scmanager SDDL
In the Resource Kit Tools directory execute:
$ sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
Your user now has remote access to the scmanager.
Access to Your Service
Now we must grant users the right to start and stop your service. Let's take Tomcat for example.
Lookup Key Name
First we must look up the internal service key name. This is not always what is displayed in the user interface. To find this key, in the Resource Kit Tools directory execute:
$ sc GetKeyName "Apache Tomcat"
And that might return: Tomcat5
Allow All Authenticated Users to Restart Service
We've already seen how to isolate a specific user. In the next example let's allow all Authenticated Users (a.k.a. everyone / world) to start, stop & query. In the Resource Kit Tools directory execute:
$ sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Voila! Your users have permission to start and stop the service, even though they are just restricted users. Why not test it by logging in as a restricted user and restarting your service?
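Hand-editing these strings is error-prone, so here is a small helper (an added example, not part of the original post or of sc.exe) that builds the new scmanager descriptor the same way the steps above do, and then checks what a given trustee is actually allowed to do on a service descriptor before you feed it to sc sdset. The right-code table is the service-object meaning of the letters; the same letters mean different things on the scmanager object (CC there is "connect"), and the parser assumes the plain D:...S:... layout that sc sdshow printed above.

```python
import re

# Meaning of the two-letter SDDL right codes when applied to a *service*
# object (the same letters map to different rights on the scmanager
# object). Codes not listed here (KA, GA, FA, ...) are kept as-is.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let a principal reconfigure, delete or take over the service
# rather than merely start/stop it; a restart-only grant never needs them.
DANGEROUS = {"DC", "SD", "WD", "WO"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_ace(ace):
    """Split 'A;;CCLCRPRC;;;IU' into (ace_type, set of right codes, trustee)."""
    fields = ace.split(";")
    rights = fields[2]
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return fields[0], codes, fields[5]

def dacl_aces(sddl):
    """ACE strings of the D: section. Assumes a 'D:...S:...' layout with no
    O:/G: prefix, which is what sc sdshow printed in this article."""
    dacl = sddl.partition("S:")[0].partition("D:")[2]
    return ACE_RE.findall(dacl)

def grant(sddl, trustee, rights="CCLCRPRC"):
    """Append an allow ACE for `trustee` to the DACL, i.e. insert it right
    before 'S:' exactly as the hand-edited scmanager descriptor does."""
    dacl, sep, sacl = sddl.partition("S:")
    return f"{dacl}(A;;{rights};;;{trustee}){sep}{sacl}"

def allowed_rights(sddl, trustee):
    """Union of the rights explicitly allowed to `trustee` in the DACL."""
    codes = set()
    for ace in dacl_aces(sddl):
        ace_type, ace_codes, ace_trustee = parse_ace(ace)
        if ace_type == "A" and ace_trustee == trustee:
            codes |= ace_codes
    return codes

def review(sddl, trustee):
    """Report what `trustee` may do and whether it exceeds start/stop."""
    codes = allowed_rights(sddl, trustee)
    return {
        "can_restart": {"RP", "WP"} <= codes,
        "rights": sorted(SERVICE_RIGHTS.get(c, c) for c in codes),
        "beyond_restart": sorted(codes & DANGEROUS),
    }
```

Run review() on the Tomcat5 descriptor above with trustee "AU" and it reports start, stop and query-status only, with nothing in beyond_restart; if that list is ever non-empty for a non-admin trustee, the grant lets that user change the service's configuration or ACL rather than just restart it.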
More Options
If my examples do not cut it for you, then you'll have to familiarize yourself with the Security Descriptor Definition Language (SDDL). Here are some useful sources to get you going.
Sources
As always, if I overlooked something, you know better ways or find errors, please let me know!