GetServices permissions error with Windows2003 SP1
-
I have been using the following code for a long time to retrieve service information from WinNT 4 Server SP6a, Windows 2000 (most service packs) and Windows 2003:

    ServiceController[] AvailableServices;
    AvailableServices = ServiceController.GetServices("ServerName");

We have just recently installed SP1 for Windows 2003 on a number of servers, and now I get an access denied/permissions error when running the code.

I have tried most combinations of putting the network account running the application into the built-in local groups on the remote server, and the only combination that works is if I add the network account to the local admin group.

Does anyone know if there is a way to allow this to work without the need for having the network account in the local admin group? (We don't really want this on all our servers.)

Thanks for any help
-
This is a very annoying security "enhancement" foisted upon you by SP1. We had the same issue. Fortunately, although our software might not be running as the administrator user, it does know the account and password of the administrator user. Given that, we check if the OS we are running on is Windows 2003 SP1. If so, we impersonate the administrator user and then run the following program. Sorry that the formatting is gone from the code below, but I don't know how to avoid that on code project.
    // This program, which must be run as an Administrator, gives a specified non-Administrator user
    // start and stop capabilities on a specified service. It is intended to be run on systems like
    // Windows 2003 SP1 that restrict non-Administrator users from doing things with services.
    // Note that the changes to the services' ACLs only last as long as the service is installed. If
    // you uninstall and reinstall a service, you must rerun this program.
    // This program is a modified version of software provided by Microsoft at
    // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/modifying_the_dacl_for_a_service.asp

    #include <windows.h>
    #include <tchar.h>
    #include <stdio.h>
    #include <aclapi.h>

    void DisplayError(DWORD dwError, LPTSTR pszAPI)
    {
        // TCHAR buffer so that FormatMessage and _tprintf agree in both ANSI and Unicode builds.
        TCHAR szMessageBuffer[2048];

        // The buffer size is passed as a count of TCHARs, not bytes.
        FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwError,
                      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                      szMessageBuffer, sizeof(szMessageBuffer) / sizeof(TCHAR), NULL);

        // Display the string.
        _tprintf(TEXT("ERROR: API = %s.\n"), pszAPI);
        _tprintf(TEXT(" error code = %u.\n"), dwError);
        _tprintf(TEXT(" message = %s.\n"), szMessageBuffer);

        ExitProcess(dwError);
    }

    void _tmain(int argc, TCHAR *argv[])
    {
        BOOL bDaclPresent = FALSE;
        BOOL bDaclDefaulted = FALSE;
        DWORD dwError = 0;
        DWORD dwSize = 0;
        EXPLICIT_ACCESS ea;
        PACL pacl = NULL;
        PACL pNewAcl = NULL;
        SC_HANDLE schManager = NULL;
        SC_HANDLE schService = NULL;
        SECURITY_DESCRIPTOR sd;

        // If you do not allocate some memory for psd before calling QueryServiceObjectSecurity(), you
        // will get a runtime error that you are using an uninitialized pointer. If you set it to NULL
        // instead, QueryServiceObjectSecurity() will return a NULL pointer error. The me
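For the monitoring case raised in this thread, an account only needs to read service status, whereas the program above grants start and stop. The following added example (not part of the original post or of Microsoft's sample) parses a service security descriptor in SDDL form, such as the text `sc sdshow` prints for a service, and lists any rights that an account's allow ACEs grant beyond read-only. The SID and SDDL strings are constructed, the read-only set is an assumption, and deny ACEs are ignored.

```python
import re

# SDDL right codes as they apply to a service object -> access-mask bits
RIGHTS = {
    "CC": 0x0001,   # SERVICE_QUERY_CONFIG
    "DC": 0x0002,   # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,   # SERVICE_QUERY_STATUS
    "SW": 0x0008,   # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,   # SERVICE_START
    "WP": 0x0020,   # SERVICE_STOP
    "DT": 0x0040,   # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,   # SERVICE_INTERROGATE
    "CR": 0x0100,   # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}
# Assumption: a status monitor needs only these read-type rights.
READ_ONLY = sum(RIGHTS[c] for c in ("CC", "LC", "SW", "LO", "RC"))
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_rights(field):
    """Turn an ACE rights field (hex mask or two-letter codes) into a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return sum(RIGHTS[c] for c in set(codes))  # KeyError on a code not in the table

def allowed_mask(sddl, trustee):
    """OR together the rights of every allow ACE in the DACL that names trustee."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and SACL
    mask = 0
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        if ace_type == "A" and sid == trustee:
            mask |= parse_rights(rights)
    return mask

def excess_rights(sddl, trustee):
    """Right codes granted to trustee beyond read-only monitoring."""
    extra = allowed_mask(sddl, trustee) & ~READ_ONLY
    return sorted(code for code, bit in RIGHTS.items() if extra & bit)

# Constructed sample data: a made-up account SID and two made-up service DACLs.
MONITOR = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
SACL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
START_STOP = BASE + "(A;;RPWP;;;" + MONITOR + ")" + SACL  # start and stop granted
STATUS_ONLY = BASE + "(A;;CCLCSWLORC;;;" + MONITOR + ")" + SACL
```

Calling `excess_rights(START_STOP, MONITOR)` reports the start and stop codes, while the same call on `STATUS_ONLY` returns an empty list.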
-
Hi,

Thank you very much for your reply (and code).

It sounds like the only way is to access as a local admin, but we do not want to do this by any method. We are monitoring service status on 80+ servers (not all Windows 2003 SP1) and do not want one (or any application) knowing the local admin password to any of the servers, let alone all of our servers.

Maybe creating a service that runs as system on each of the servers, so that the application asks the service on each server for the status of the required services on that server and the service then queries the services. Did not really want to install any component on the servers though.

Do you know if running as system would be able to access service information?

Thanks for your help
-
Rendili wrote:
Do you know if running as system would be able to access service information?
Yes, that is actually the preferred method.