
I was wondering what privileges I needed to let a user start a service on our server.

The situation is as follows: some people on our website can start a certain service on the server (Windows 2008 and IIS7). The way that worked so far with me was specifying the application pool I created with my user account (the impersonate method from msdn doesn't work for some reason). Now however I want to change that user account to a user account who only has the privileges to start and stop a service (and everything that is needed to get him to do that).

The website is written in ASP.NET and C#. I use the ServiceController to start and stop my services.

Which privileges should I assign to that user?

EDIT: I just want to clear some things up here. I managed to get this thing working through the Application pool (although it doesn't work through debugger). But it only works with a user that is part of the Administrators group which isn't what I want. I want to specify a special user that will only be able to start and stop the service through the website. So what privileges do I need? Please be specific.

EDIT 2: I found out why my service wouldn't start in the debugger. I didn't run Visual Studio with administrator rights. I feel so stupid right now... Anyway the question still stands as I still need my special user with the correct permissions.

Any comment will be appreciated! Kind regards, Floris Devriendt

Floris Devriendt
  • http://stackoverflow.com/questions/6070295/starting-a-service-in-asp-net-c-with-the-right-permissions/6070671#6070671 – Massimiliano Peluso May 31 '11 at 08:23
  • @Massimiliano Peluso, this question is different from the one I asked there. First of all, that question ended up being about using either Impersonate (which as you can see never worked) or an AppPool. That did it in the end. But that way still doesn't work in the debugger. And I still didn't get the answer to what privileges I need to start a service. You said this: "You should create an user that can only start the service and execute you web app but it should not be into the Administrator group". Where do you set these privileges? Is it in the Local Security Policy or somewhere else? – Floris Devriendt May 31 '11 at 08:44

3 Answers


You have to set identity impersonate to true in your web.config, and if you are using Windows authentication then you need to set that up in IIS. If you are using a WCF service in between, you may have to look at Impersonation in WCF.

Aravind
  • I'm afraid you did not understand my question. It works through an Application Pool. I managed to set that one up. But only if I use an account that is part of the Administrator group. Another account doesn't work, so I need to give that user the correct privileges in order to be able to start the service. – Floris Devriendt May 31 '11 at 08:49
  • IF you want the Application Pools to load the user profile then set the "LoadUserProfile" attribute to "true". Hope this is helpful. – Aravind May 31 '11 at 09:08
  • It did not help, I didn't need to do that with the account I use now (which is part of the administrators group). I just need to get it working with a different user. I've set it as the _identity_ from the AppPool but then it still doesn't work. – Floris Devriendt May 31 '11 at 12:28
  • It turned out there was another setting in IIS7 I needed to set. In the IIS Manager Users and IIS Manager Permissions. – Floris Devriendt Jun 08 '11 at 12:43

(Terminology gripe) - you shouldn't be looking at privileges, since those apply across a machine as a whole. You should be looking at permissions.

There's an answer here about allowing remote users to start and stop a service. You may need to run the same steps to allow the account your website is under the specific permissions, that is:

  • Copy the IA users permissions on the scmanager, to allow a non-interactive user to access the service controller, and
  • Add appropriate permissions for your user against the specific service.

Both of these actions use the sc command line tool. Hopefully, you can crib enough together for your specific circumstances. Something like:

sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

where S-1-5-3-3127463467463 is the SID for the website account, and:

sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

where Alerter is the name of the specific service, and S-1-5-3-3127463467463 is again the SID for the website account.

(Not sure whether to break up these commands to make them more readable on SO - they need to have no line-breaks when running in the command line)

Damien_The_Unbeliever
  • I managed to do the first step and grant it access to the service controller. But in the second step I face a problem. First of all I don't have the _Authenticated Users ACE_ for my service and secondly when still trying the second step I get the line "The device is not ready". – Floris Devriendt May 31 '11 at 10:57
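As an added example (not code from the answer or from any commenter), a small Python parser for the service security-descriptor strings that sc sdshow prints and sc sdset accepts, used to check that an account SID is granted start (RP) and stop (WP) without the change-config, delete or write-DAC rights a start/stop-only account should not have. The descriptor and the website-account SID are the ones in the answer above; the letter-to-bit mapping is the standard one for service objects.

```python
import re

# SDDL code -> access bit on a service object: CC query config, DC change config,
# LC query status, SW enumerate dependents, RP start, WP stop, DT pause/continue,
# LO interrogate, CR user-defined control, SD delete, RC read control,
# WD write DAC, WO write owner.
SERVICE_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
                "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
                "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Rights a start/stop-only account should not hold: they allow changing the
# service binary or logon account, deleting the service, or rewriting its ACL.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "KA"}

def parse_dacl(sddl):
    """Return {sid: set of right codes} from access-allowed ACEs in the D: part."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    allowed = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _og, _iog, sid = ace.split(";")
        if ace_type != "A":           # ignore deny (D) and audit (AU) entries
            continue
        if rights.startswith("0x"):   # numeric mask: expand to the known codes
            mask = int(rights, 16)
            codes = {c for c, bit in SERVICE_BITS.items() if mask & bit}
        else:                         # letter form: consecutive two-char codes
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        allowed.setdefault(sid, set()).update(codes)
    return allowed

def can_start_and_stop(sddl, sid):
    """True when the SID holds SERVICE_START (RP) and SERVICE_STOP (WP)."""
    rights = parse_dacl(sddl).get(sid, set())
    return {"RP", "WP"} <= rights or bool(rights & {"GA", "KA"})

def excess_rights(sddl, sid):
    """Dangerous rights the SID holds beyond what start/stop needs."""
    return sorted(parse_dacl(sddl).get(sid, set()) & DANGEROUS)

# Constructed input: the Alerter descriptor from the answer above, with the
# answer's placeholder SID standing in for the website account.
WEB_SID = "S-1-5-3-3127463467463"
ALERTER_SDDL = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCLCSWLOCRRCWPRP;;;" + WEB_SID + ")"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Running the checks against the answer's descriptor shows the website SID can start and stop with no excess rights, Power Users (PU) can start but not stop, and only Administrators (BA) hold DC, SD, WD and WO.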

You have to give the right for starting your service to the user that you are using for the application pool.

  • Click Start, point to Settings, click Control Panel, and then double-click Administrative Tools.
  • Double-click Services
  • On the Log On tab, click Local System Account, and then click Apply.
  • On the General tab, click Start to restart the service.
  • Quit the Services tool.
Massimiliano Peluso
  • Well I already did that, my question was about the needed permissions in order to start a service. But for a user that is not part of the Administrators group. I know when applying a user to the service it gets the "Logon as service" permission but that isn't enough apparently to do the trick. – Floris Devriendt May 31 '11 at 12:23
  • The only way you have to give the right to a user for starting a service is the one shown above: there is not a special group that has this right unless you create it yourself. Probably you are missing something. What I can suggest is to run the application pool with the default user, disable the anonymous access and try the solution explained at this link to impersonate a user. The user that you impersonate must be the same one you have specified at service level (logon tab) http://weblogs.asp.net/kaushal/archive/2011/02/28/start-stop-window-service-from-asp-net-page.aspx – Massimiliano Peluso May 31 '11 at 12:44
  • Ok, as explained in my other question I already tried that. You can see when I edited and which code I used. But as I wanted to give it another go I followed your suggestion. However, the same error "Access is denied" is still there. I followed every step apart from the disabling of the anonymous access. This is because if I disable it I get the "HTTP Error 401.2 - Unauthorized access" error. This I cannot change, not because I don't want to but because this is made by a third party company who is still working on it. My only concern in the small time I have left is getting this service to run. – Floris Devriendt May 31 '11 at 14:17
  • If I can get it working with the AppPool then I prefer it like that. However nice the impersonation may seem, it doesn't work in my case. Obviously I'm doing something wrong but I cannot seem to put my finger on it. It's weird that one of my accounts can start it and the other can't while they have almost the same rights. I'll have to dig into that some deeper or find another way. – Floris Devriendt May 31 '11 at 14:19