How do I grant users the ability to install Windows services?

Solution 1

Delegated permission to install services is going to be a little bit tough. There is a "SC_MANAGER_CREATE_SERVICE" right that can be granted to users on the service control manager (SCM) object in the global object manager.

In Windows versions up to Windows Server 2003, the rights could not be changed on the SCM. Starting in W2K3 SP1, you could change the rights on the SCM.

The API to change the security is SetServiceObjectSecurity, and more information is available here: http://msdn.microsoft.com/en-us/library/aa379589(VS.85).aspx

Some more reference re: the rights that can be granted to the SCM and the default DACL set on the SCM is available here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx

In short, there's no way to do this w/o writing code. There's no magic registry setting, etc. If you can get somebody to write the code for you, though, it's totally feasible.
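An added example, not part of the original answer: a Python audit that reads the SCM's security descriptor in SDDL form and lists trustees, other than the expected administrators, whose allow ACEs include SC_MANAGER_CREATE_SERVICE or the right to rewrite the DACL. It assumes the descriptor was captured as an SDDL string (for example the output of `sc sdshow scmanager`); the function names, the `expected` allow-list, and the sample descriptor with its SIDs are constructed for illustration.

```python
import re

# SCM access-mask bits (values from winsvc.h / winnt.h).
SC_MANAGER_CREATE_SERVICE = 0x0002
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000

# SDDL right tokens -> mask bits. The tokens are generic SDDL names; on the
# SCM object "DC" is bit 0x0002, which is SC_MANAGER_CREATE_SERVICE.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "KA": 0xF003F,  # same value as SC_MANAGER_ALL_ACCESS
    # Generic rights after the SCM's generic mapping is applied:
    "GA": 0xF003F, "GW": 0x20022, "GR": 0x20014, "GX": 0x20009,
}

def pairs(field):
    # SDDL flag and right fields are runs of two-letter tokens.
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def rights_mask(field):
    if field.lower().startswith("0x"):  # rights may also be written as hex
        return int(field, 16)
    mask = 0
    for token in pairs(field):
        mask |= SDDL_RIGHTS[token]      # KeyError on an unknown token
    return mask

def create_service_grants(sddl, expected=("BA", "SY")):
    """List (trustee, reason) for allow ACEs outside `expected` that can
    create services, directly or by rewriting the SCM's DACL.
    Deny ACEs and group membership are not evaluated."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)  # DACL part only
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if ace_type != "A" or "IO" in pairs(flags) or trustee in expected:
            continue                    # not an effective allow ACE of interest
        mask = rights_mask(rights)
        if mask & SC_MANAGER_CREATE_SERVICE:
            findings.append((trustee, "SC_MANAGER_CREATE_SERVICE"))
        elif mask & (WRITE_DAC | WRITE_OWNER):
            findings.append((trustee, "can rewrite the SCM DACL"))
    return findings

# Constructed sample descriptor (not from a real host); the SIDs are made up.
SAMPLE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
          "(A;;CCDCLC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
          "(A;;0x40001;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
          "S:(AU;FA;KA;;;WD)")
```

Calling `create_service_grants(SAMPLE)` reports the two constructed domain SIDs: one holding the create right directly, one able to grant it to itself through WRITE_DAC.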

Solution 2

I think the bigger problem is letting the dev team access a server they don't administer. Rather than trying to grant the rights to the users (SC_MANAGER_CREATE_SERVICE), think really hard about giving them their own box, even just a VM to test on. Once they say it's ready, an actual admin should install the services into the production system.

Robin M

I'm a developer/technical architect working for ByBox, a supply chain technology company in the UK. I'm passionate about development, continuous improvement and all things security. With one foot in Dev and another in Ops, I'm as happy in C# as in PowerShell, in Visual Studio or Hyper-V, in JavaScript or Docker. Other passions include snowboarding, cycling and gin (but not together).

Updated on September 17, 2022

Comments

  • Robin M
    Robin M almost 2 years

    I'd like to be able to allow the development team to install services on a Win2003 server. They can already connect via RDP/FTP with limited accounts but I'd like to be able to grant installation privileges.

    How do I do that without granting admin rights?

    (The services are created using the .NET framework so we're installing with C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe)

  • Spence
    Spence about 15 years
    That's granting users rights to manage existing services, which is different than what the poster is looking for. The poster is looking for rights being granted on the service control manager object itself. It would be a bit of a "hack" to "pre-create" several services and have the users substitute in their binaries, but I suppose you could do that.
  • John Rennie
    John Rennie about 15 years
    Using "pre-created" services is all I could come up with. I have to say it seems a slightly odd question. If developers need to create services this sounds like a development environment. Would you let developers loose on your live servers? I think the best answer might be to give the developers their own server!
  • Spence
    Spence almost 15 years
    I agree. There is a built-in mechanism for doing this, but it's really not something that I'd advise in practice. I'm one of those "Answer the question literally" kind of people, for the most part. I'd agree, though, that it's compromising the production server's integrity to let developers go wild on them creating services. That's a really major change to be allowing unprivileged accounts to perform.
  • Robin M
    Robin M almost 15 years
    Great, thanks. The server is SP2 and I can write the code so this may be the way forward.
  • Robin M
    Robin M almost 15 years
    The services will be tested both on the dev's box and in VMs by the time they get to production. I'm confident enough in the dev team to grant them admin access but I'm going for least privilege. The actual admin is me but I'd like to delegate this function.