0

We have some Windows servers that run various services and we have a situation where sometimes those services just stop. To monitor these services I have written a Windows service that uses the ServiceController to look at the suspect services and check their current status. This works fine when I configure the new service to run under an account which has local admin permissions to the servers in question, but that's not ideal from a security point of view as it grants privileges other than sight of the services on those machines. Ideally, I would like to have an AD account created that can "see" and interrogate the services across all servers (the servers in scope is a list that is bound to widen in future) but have no other privileges on those servers - is this even possible, and if so what are the settings for such an account?

I apologise if this description is a bit vague, so let's say that the service I have written will be installed on ServerA and needs to be able to use the ServiceController to interrogate service "MSSQLSERVER" on ServerB, service "MSSQL$OTHERINSTANCE" on ServerC and services "SOMEOTHERSERVICE" and "RUNNINGOUTOFIDEAS" on ServerD. In addition to this, the list of services to interrogate is held in an MS SQL Server database on ServerZ so the account would need to be able to be connected to that database on that server, so it would need, for my purposes, to be a standard AD account, visible as a user in SQL Server security.

Does anyone have any ideas? Thanks in advance for any suggestions, and thanks for taking the time to read this. Please note: a frame challenge such as "why are you even doing this? You should be doing that" would be just as welcome as a direct answer as I'm not convinced there isn't a better way and I am always happy to learn.

Spratty
  • 103
  • 1
  • You could locally create a group on each server with just the privileges you need and then add an AD account (or group) to it for the monitoring service. – Zac67 Aug 04 '21 at 12:45
  • @Zac67 - Do you know what privileges they would be? That's the thing I'm most stuck with - I'm no network admin so any pointers to any documentation regarding those rights or roles would be very, very much appreciated. – Spratty Aug 04 '21 at 13:43

1 Answers1

2

The account will need the following access on scmanager to remotely monitor all of a machines services:

This String that would need to be injected into the current scmanager ACL: (A;;CCLCRPRC;;;<AccountSID>)

A: Allow
CC - SC_MANAGER_CONNECT - remotely connect
LC - SC_MANAGER_ENUMERATE_SERVICE - list all services
RP - SC_MANAGER_QUERY_LOCK_STATUS - interogate the status of each
RC - STANDARD_RIGHTS_READ - read the permissions of scmanager and services

The ACL is stored at HKLM:\SYSTEM\CurrentControlset\Control\ServiceGroupOrder\Security

You will want to determine what the current ACL is on scmanager, and include the above string in the appropriate location -- which is somewhere in the middle, at the end of the Discretionary ACL and before the System ACL, like so:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Depending upon how you deploy it and what your system for automated deployment is, you may find it easier to leverage the sc.exe command. The "service" that you manage with sc.exe isn't really a service, its the service control manager (scmanager):

sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

This is technically excessive access, as it grants the account the permission to query the status and permissions of any service, not just a handful.

Semicolon
  • 1,775
  • 8
  • 7
  • Thank you - that looks (to my inexpert eye) like a very workable solution; I'll pass it on to the Network Admin team and see what they say, but I have high hopes. Thank you again - I'll be back to accept this answer as soon as I hear back. – Spratty Aug 05 '21 at 07:52
  • 1
    Just so you know, our NA team have agreed to go this way as it's a whole load better than any alternative we can come up with. You note: `This is technically excessive access, as it grants the account the permission to query the status and permissions of any service, not just a handful.` - we're happy with that; the monitoring service will almost certainly be expanded to watch lots of other services on demand, so being able to see all the services will, for us, be a feature and not a bug. Thanks for your time and your answer - you've made things a whole lot easier for me. – Spratty Aug 09 '21 at 08:38