How do I grant users the ability to install Windows services?
Solution 1
Delegated permission to install services is going to be a little bit tough. There is a "SC_MANAGER_CREATE_SERVICE" right that can be granted to users on the service control manager (SCM) object in the global object manager.
In Windows versions up to Windows Server 2003, the rights could not be changed on the SCM. Starting in W2K3 SP1, you could change the rights on the SCM.
The API to change the security is SetServiceObjectSecurity, and more information is available here: http://msdn.microsoft.com/en-us/library/aa379589(VS.85).aspx
Some more reference re: the rights that can be granted to the SCM and the default DACL set on the SCM is available here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
In short, there's no way to do this w/o writing code. There's no magic registry setting, etc. If you can get somebody to write the code for you, though, it's totally feasible.
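An added example, not code from either answer: once the SCM's DACL has been changed, this Python check takes the SCM security descriptor as an SDDL string and lists every trustee whose allow ACEs carry SC_MANAGER_CREATE_SERVICE, or the WRITE_DAC/WRITE_OWNER rights that would let them grant it to themselves. The sample string and the two domain SIDs are constructed, and the check assumes no deny or conditional ACEs are present.

```python
import re
# SDDL right codes with their values on the SCM object (winsvc.h / winnt.h).
RIGHTS = {
    "CC": 0x0001,  # SC_MANAGER_CONNECT
    "DC": 0x0002,  # SC_MANAGER_CREATE_SERVICE
    "LC": 0x0004,  # SC_MANAGER_ENUMERATE_SERVICE
    "SW": 0x0008,  # SC_MANAGER_LOCK
    "RP": 0x0010,  # SC_MANAGER_QUERY_LOCK_STATUS
    "WP": 0x0020,  # SC_MANAGER_MODIFY_BOOT_CONFIG
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F,  # same bits as SC_MANAGER_ALL_ACCESS
    "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
}
# GENERIC_WRITE and GENERIC_ALL both map to masks containing CREATE_SERVICE.
CREATE = RIGHTS["DC"] | RIGHTS["GW"] | RIGHTS["GA"]
# WRITE_DAC / WRITE_OWNER let the trustee grant itself CREATE_SERVICE later.
REWRITE = RIGHTS["WD"] | RIGHTS["WO"]

def decode_rights(field):
    """Turn an ACE rights field ('CCDCLC' or '0x2') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        if field[i:i + 2] not in RIGHTS:
            raise ValueError("unknown SDDL right: " + field[i:i + 2])
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def audit_scm_dacl(sddl):
    """Map trustee -> findings for allow ACEs in the DACL (SACL ignored)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    findings = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) == 6 and fields[0] == "A":  # allow ACEs only
            mask = decode_rights(fields[2])
            for bits, label in ((CREATE, "create-service"), (REWRITE, "rewrite-dacl")):
                if mask & bits:
                    findings.setdefault(fields[5], set()).add(label)
    return findings

# Constructed sample: built-in trustees plus two hypothetical domain SIDs.
SAMPLE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
          "(A;;CCDCLCRPRC;;;S-1-5-21-1-2-3-1105)(A;;0x40000;;;S-1-5-21-1-2-3-1106)"
          "S:(AU;FA;KA;;;WD)")

if __name__ == "__main__":
    print(audit_scm_dacl(SAMPLE))
```

Any trustee reported here other than the built-in administrators is an account that can register a new service on the machine, so the list is worth reviewing after each DACL change.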
Solution 2
I think the bigger problem is letting the dev team access a server they don't administer. Rather than trying to grant the rights to the users (SC_MANAGER_CREATE_SERVICE), think really hard about giving them their own box, even just a VM to test on. Once they say it's ready, an actual admin should install the services into the production system.
Updated on September 17, 2022
Comments
- Robin M, almost 2 years:
I'd like to be able to allow the development team to install services on a Win2003 server. They can already connect via RDP/FTP with limited accounts but I'd like to be able to grant installation privileges.
How do I do that without granting admin rights?
(The services are created using the .NET framework so we're installing with C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe)
- Spence, about 15 years: That's granting users rights to manage existing services, which is different than what the poster is looking for. The poster is looking for rights being granted on the service control manager object itself. It would be a bit of a "hack" to "pre-create" several services and have the users substitute in their binaries, but I suppose you could do that.
- John Rennie, about 15 years: Using "pre-created" services is all I could come up with. I have to say it seems a slightly odd question. If developers need to create services this sounds like a development environment. Would you let developers loose on your live servers? I think the best answer might be to give the developers their own server!
- Spence, almost 15 years: I agree. There is a built-in mechanism for doing this, but it's really not something that I'd advise in practice. I'm one of those "Answer the question literally" kind of people, for the most part. I'd agree, though, that it's compromising the production server's integrity to let developers go wild on them creating services. That's a really major change to be allowing unprivileged accounts to perform.
- Robin M, almost 15 years: Great, thanks. The server is SP2 and I can write the code so this may be the way forward.
- Robin M, almost 15 years: The services will be tested both on the dev's box and in VMs by the time they get to production. I'm confident enough in the dev team to grant them admin access but I'm going for least privilege. The actual admin is me but I'd like to delegate this function.