What SIDS need permisions to start my service?

TheMSsForum.com: The Microsoft Software Forum

Here is the short version. I have an application which has a service
component. It is a requirement that the service component be running only
when the application is running, so AutoStart is not an option.

I want to grant the following permissions on my service
READ_CONTROL |
SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_START |
SERVICE_STOP |
SERVICE_PAUSE_CONTINUE |
SERVICE_INTERROGATE
to all users on the local machine. Currently I am granting this access to
Everyone, Users, and Guest. This approach definitely gives permisions to the
accounts i need.. but is this a securty risk (I am only concerned about
security risks involving remote attacks, not ones that originate from the
local machine). Should i be granting access to just "Guest and Users" or
maybe "Guests and Authenticated Users"? Also note, the machines may or may
not be on a domain.. the target os is 2k,xp,vista(32/64). This may be
deployed on a large number of laptops (and i mean laaarrrggge).

Can anyone shed some light on this issue?
Top

Re: What SIDS need permisions to start my service? by Roger

Roger
Tue May 08 20:11:40 CDT 2007

Typically in such circumstances grants are made to
Administrators, System, the account used to run the
service if different from System, and Interactive.
Those would seem sufficient by what you have stated,
as Interactive represents the locally logged in account.


"John S" <JohnS@discussions.microsoft.com> wrote in message
news:E73D2AF0-FD62-4186-A730-BFDF329FA676@microsoft.com...
> Here is the short version. I have an application which has a service
> component. It is a requirement that the service component be running only
> when the application is running, so AutoStart is not an option.
>
> I want to grant the following permissions on my service
> READ_CONTROL |
> SERVICE_QUERY_CONFIG |
> SERVICE_QUERY_STATUS |
> SERVICE_ENUMERATE_DEPENDENTS |
> SERVICE_START |
> SERVICE_STOP |
> SERVICE_PAUSE_CONTINUE |
> SERVICE_INTERROGATE
> to all users on the local machine. Currently I am granting this access to
> Everyone, Users, and Guest. This approach definitely gives permisions to
> the
> accounts i need.. but is this a securty risk (I am only concerned about
> security risks involving remote attacks, not ones that originate from the
> local machine). Should i be granting access to just "Guest and Users" or
> maybe "Guests and Authenticated Users"? Also note, the machines may or
> may
> not be on a domain.. the target os is 2k,xp,vista(32/64). This may be
> deployed on a large number of laptops (and i mean laaarrrggge).
>
> Can anyone shed some light on this issue?


Top