
I have a Windows service with a TCP/IP server built in. Clients can connect and some information is distributed, etc. Typically the service is installed to log on as Network Service.

There is some data that is stored in a folder under ProgramData, and read/write access to that folder is therefore granted to the service during installation. However, access is thus typically granted to all services using the Network Service account. I understand that it is possible to add a specific service SID using ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO. From there, however, it is not at all clear how to proceed, or whether this is even a solution to my problem.

Any help would be much appreciated!

SpaghettiCook
    This is called Service Isolation. Specifying [SERVICE_SID_TYPE_UNRESTRICTED](http://msdn.microsoft.com/en-us/library/windows/desktop/ms685987(v=vs.85).aspx) as the SID type instructs the SCM to add the service SID to the service's process token, thus allowing the service to gain access to resources that you may have configured to allow access only to your specific service. – Serg Jan 07 '13 at 19:25
  • Thank you for your comment! - I am new to this; why is it not an answer? So as I understand it now, the SCM adds the specific service SID to the process when the service starts. I can use the SID's name 'NT SERVICE\' to construct a SID data structure. Some things are still unclear: 1) Can I use the SID before the service starts? I.e. can I grant this SID access to a specific folder? 2) When I configure the service to log on as the built-in Network Service, does it still inherit rights from that account? – SpaghettiCook Jan 08 '13 at 09:47
  • 1) Why not? 2) Yes 3) Service SIDs are implemented in the group SIDs part of the token for any process hosting a service. – Serg Jan 08 '13 at 11:57

1 Answer


This is called Service Isolation. Calling ChangeServiceConfig2 with the SERVICE_CONFIG_SERVICE_SID_INFO parameter and a SERVICE_SID_INFO structure carrying the SID type instructs the SCM to add the service SID to the service's process token, thus allowing the service to gain access to resources that you may have configured to allow access only to your specific service. You may also use the sc command:

sc <server> sidtype [service name] [type]

OPTIONS:
 type = <none|unrestricted|restricted>

sc <server> qsidtype [service name]
Serg
  • Thank you Sergmat! The term 'service isolation' was clearly missing in my vocabulary. Now it's much easier to find documentation. Also, it is clear which SID to use when I want to add an ACE to an object's ACL. I have not read in any documentation how this will be visible in the GUI of an object's advanced security settings, but I guess I will find out when I change the settings programmatically. – SpaghettiCook Jan 10 '13 at 08:10
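Putting the answer and the comments together as an added example (this is not code from the question or the answer): the script below, run from an elevated PowerShell prompt, switches a service to a per-service SID, grants that SID, rather than the shared Network Service account, access to the ProgramData folder, and restarts the service so the SID lands in its token. The service name MyTcpService and the folder MyVendor\MyTcpService are assumptions; the service must already be registered with the SCM. Note that `sc` on its own is a PowerShell alias for Set-Content, so the service controller has to be invoked as `sc.exe`.

```powershell
# Added example, not part of the original Q&A. Assumes a registered service
# named 'MyTcpService' (hypothetical) and the data folder below. Run elevated.
$ServiceName = 'MyTcpService'
$DataDir     = Join-Path $env:ProgramData 'MyVendor\MyTcpService'

# 1. Ask the SCM to add the per-service SID to the process token. This is the
#    command-line equivalent of ChangeServiceConfig2(SERVICE_CONFIG_SERVICE_SID_INFO)
#    with dwServiceSidType = SERVICE_SID_TYPE_UNRESTRICTED.
sc.exe sidtype $ServiceName unrestricted | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed for $ServiceName (exit $LASTEXITCODE)" }
sc.exe qsidtype $ServiceName        # should report SERVICE_SID_TYPE: UNRESTRICTED

# 2. Resolve the service SID. 'NT SERVICE\<name>' is derived from the service
#    name, so it resolves before the service has ever been started, which is
#    what lets us put it on an ACL up front.
$account = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
"Service SID: $sid"                  # an S-1-5-80-... SID

# 3. Rework the folder ACL: drop the explicit ACE the installer gave to the
#    shared Network Service account (S-1-5-20) and grant Modify to the
#    service SID instead. Inherited ACEs (Administrators, SYSTEM) are kept.
if (-not (Test-Path $DataDir)) { New-Item -ItemType Directory -Path $DataDir | Out-Null }
$acl   = Get-Acl -Path $DataDir
$nsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')

foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($aceSid -eq $nsSid) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
}

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# 4. The SID is only added to the token when the SCM starts the service.
Restart-Service -Name $ServiceName

# 5. Verify: the explicit ACEs should now name NT SERVICE\MyTcpService and
#    no longer NETWORK SERVICE.
(Get-Acl -Path $DataDir).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The service still logs on as Network Service, so it keeps everything that account is granted; what changes is that the ProgramData folder now admits only this service's SID, which no other Network Service process carries. The same `NT SERVICE\<name>` principal is what the advanced security dialog shows for the ACE, and it can be used the same way on registry keys, named pipes or other securable objects. Use `restricted` instead of `unrestricted` only after checking every location the service writes to, because it additionally produces a write-restricted token.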