Setting SACLs on Services

  • Article

Have you ever wanted a record of admin activity regarding service management? For example, who stopped one of your services?

Did you know that you can do this through auditing?

It's actually really easy. The "Security Templates" MMC snap-in allows you to author security templates which will set security descriptors (permissions and auditing) on service objects, as well as file system & registry objects.

The bad part is that if you only want to adjust auditing, and not permissions, you'll have to fine-tune the template file by hand. The good news is, it's easy.

Templates store security descriptors as SDDL. Service- and SCM-specific ACES are described here. The SDDL specific to service objects is described here.

Here's what a service security template looks like. I built this template by choosing Alerter in the list of services, adding it to my template, then I opened the template with notepad. The templates are stored in %windir%\security\templates.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:AR(AU;SA;DCRPWPDTCRSDWDWO;;;WD)"

The DACL is shown in blue and the SACL is shown in Red. We'll make three changes. First, we'll make it apply to all services, not just alerter. Then, we'll remove the DACL so we can adjust the SACL without changing permissions. Finally, we'll adjust the accesses that are audited to only include accesses which actually change something. Here's the resulting template:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
*,4,"S:AR(AU;SA;DCRPWPDTCRSDWDWO;;;WD)"

After you finish your template, you can test it using secedit from the command line. If it gives you the results that you want you can import it into a group policy object using gpedit.msc.

As an added bonus, on Windows Server 2003 SP1 you can actually set the security descriptor on the Service Control Manager itself. As far as I know, you can only do this through script, not through security templates. Setting the SACL on the SCM would allow you to know, for instance, who is remotely managing services.

The command is:

sc sdset SCMANAGER <SDDL to assign>

You can display the security descriptor on the Service Control Manager with:

sd sdshow SCMANAGER

More detail is available here.

This won't work on Windows XP or Windows 2000, even if you copy the SC.EXE tool down.

Best regards,

Eric

 

2005-12-14 UPDATE: JBM pointed out that the ability to set the SACL on the Service Control Manager is an SP1 feature. Also note that most services have everyone:all accesses:failure SACLs by default since NT 4.0.