Title: RE: [OT] SCM SDDL on Windows 2003 SP1
Hi Brandon. I am wondering if I was indirectly responsible for your task. Did it happen to come up some time after the last time I saw you guys for lunch? I had a brief parking lot conversation with someone when he mentioned SP1 deployment that day...

So anyway, what is Read Control used for... It has been a bit, so I am taking this off the top of my head, but I believe that is used within the SCM for enumerating the actual Security Descriptor of the SCM or services. The thing about the SDDL format is that it is generic and the fields can mean slightly different things for different securable objects. You can find a definitive answer in the docs for OpenSCManager. Look for a link on SP1 changes or Service Security or something like that and it will take you to a page with a ton of info about the security requirements for various calls, which is where I learned about most of that stuff.

How SC and other programs work when they open up the SCM is that they request the perms they need; usually the easiest way is to ask for everything you could possibly need versus trying to figure out what specific pieces you need. That is why so many service manipulation tools broke when that SCM ACL was changed. In actuality, if you know the actual service name you want to manage AND you have permissions on that service directly, you can manage it without changing the SCM permissions. However, the tool you are using has to know to connect directly to that service AND NOT request enumeration privileges from the SCM. That is a change I had to make to my SVCUTL utility and a change MSFT had to make to SC for the SP1 version.

joe
Ok... The SCM also needs RPWPRC (thought I got away from having to do that, since compmgmt.msc works), which is stop, start and RCtl (what does this mean??) for sc.exe to work... So that piece is figured out, but I'm still miffed by what sc.exe is trying to do when it stops a service and what RCtl is. Comments are appreciated.

-Brandon
_____________________________________________
From: Bernier, Brandon (.)
Sent: Tuesday, May 02, 2006 9:15 AM
To: [email protected]
Subject: [OT] SCM SDDL on Windows 2003 SP1
I'm having this issue when I ACL the SCM for Windows 2003 SP1. I want certain groups to start/stop their own services... so I add this ACE (A;;CCLC;;;GroupObjectSID) to the SCM, which allows them to query config and query service status (so compmgmt.msc can enum services/status, then stop/start), and then I add an ACE to the services for RPWP (start, stop). This works via compmgmt.msc, but I get access denied with sc.exe...

If I change the ACE I put on the SCM to pretty much what System has, it works fine, so I'm going over each perm and trying to figure out which one I must be missing. I figured if anything sc.exe would be the one not to give me trouble. Any ideas?

-Brandon
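The rights strings traded in this thread (CCLC on the SCM, RPWP and RPWPRC on a service) are the same two-letter SDDL mnemonics, but, as joe points out, the bits they set mean different things on the SCM than on an individual service, and RC is the standard READ_CONTROL right rather than anything service-specific. The decoder below is an added example for this thread, not code from either poster or from sc.exe; it maps SDDL rights fields to access masks using the bit values defined in the Windows SDK headers (sddl.h, winnt.h, winsvc.h), names them for the object type you choose, and reports which rights a caller still lacks. The group SID in the sample is a constructed placeholder, and the ACE parser handles plain six-field ACEs only (no conditional ACEs).

```python
import re

# Two-letter SDDL access-right mnemonics and the bits they stand for
# (values as defined in the Windows SDK headers sddl.h / winnt.h).
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}

# The same low bits mean different things on the SCM and on a service (winsvc.h).
SCM_SPECIFIC = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_SPECIFIC = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
STANDARD = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
            0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER"}
GENERIC = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
           0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_to_mask(rights):
    """Convert an SDDL rights field ("RPWPRC" or a hex literal "0x20030") to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL right {token!r}")
        mask |= SDDL_RIGHTS[token]
    return mask


def decode_mask(mask, object_type):
    """Name each bit of an access mask for object_type 'scm' or 'service'."""
    specific = {"scm": SCM_SPECIFIC, "service": SERVICE_SPECIFIC}[object_type]
    names, remaining = [], mask
    for table in (specific, STANDARD, GENERIC):
        for bit, name in table.items():
            if remaining & bit:
                names.append(name)
                remaining &= ~bit
    if remaining:  # bits with no name for this object type are shown raw
        names.append(f"0x{remaining:08x}")
    return names


def parse_dacl(sddl, object_type):
    """Decode every ACE in the DACL of an SDDL string (or of a bare ACE list)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL, if any
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:  # conditional/resource ACEs are out of scope here
            raise ValueError(f"unsupported ACE form: ({body})")
        ace_type, flags, rights, _obj, _inherit, trustee = fields
        mask = rights_to_mask(rights)
        aces.append({"type": ace_type, "flags": flags, "trustee": trustee,
                     "mask": mask, "rights": decode_mask(mask, object_type)})
    return aces


def missing_rights(granted_mask, required_mask, object_type):
    """Rights a caller requests that the granted ACE does not include."""
    return decode_mask(required_mask & ~granted_mask, object_type)


if __name__ == "__main__":
    # Constructed samples mirroring the thread: the SCM ACE and the service ACE
    # Brandon describes, with a placeholder SID standing in for the real group SID.
    group = "S-1-5-21-0-0-0-1234"  # placeholder SID
    for obj, ace in (("scm", f"(A;;CCLC;;;{group})"), ("service", f"(A;;RPWP;;;{group})")):
        for entry in parse_dacl(ace, obj):
            print(obj, entry["trustee"], entry["rights"])
    # What a tool that opens the service asking for RPWPRC still lacks under RPWP
    needed = rights_to_mask("RPWPRC")
    print("missing on service:", missing_rights(rights_to_mask("RPWP"), needed, "service"))
```

Run against the ACEs from the thread, the SCM entry decodes to SC_MANAGER_CONNECT plus SC_MANAGER_ENUMERATE_SERVICE, the service entry to SERVICE_START plus SERVICE_STOP, and the gap between RPWP and RPWPRC is exactly READ_CONTROL. Comparing a tool's requested mask against the granted one this way is a quick way to see which specific bit an access-denied result is about before widening an ACE further than needed.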