How To – Allow non-admins to start and stop system services


Jump down to Step 1 to skip the blurb

Any Microsoft Windows operating system has services. These are little programs that run in the background of the OS to keep things ticking over. They’re really fundamental to servers as it means that programs can run in the background without any user being logged. In fact Windows servers are fine-tuned to give better performance to background services rather than any app running on the screen.

It’s always the best principle to log on with the least amount of privileges on any PC, i.e. you shouldn’t log on to a desktop or server with full admin rights. You should log on as a normal user and only elevate the  programmes authority to admin level if absolutely necessary.

Some System Administrators may want an easy life and just let everything “run as admin” as it cuts back on a lot of problems, especially when using old software. Obviously this greatly widens the security attack vector, as any user who can gain access to the machine can do anything they want on it.

However, one of the issues of running as a standard user is that you are not allowed to stop or start Windows services. That is by design, you wouldn’t really want a non-admin to stop a critical service. The problem is when you have a Service Account running (as good practice dictates) as a lowly user. To get around this you can give the Service Account permission to do whatever you want to a particular service you want. Unfortunately, this is a bit more convoluted than setting file permissions. This article will explain how to achieve this. It applies to all versions of Windows from Windows 2000 or newer. My screenshots are from the Windows 8 Developer Preview.

Scenario

A server on our network runs some aging but critical telephony software. The services run under a Service Account with a username of Svc-Phones. The Svc-Phones account also logs on to the server interactively to view any messages from the application or stop & start the services if there is an issue (avoiding a whole server reboot). The IT manager wants the Svc-Phones account to be removed from the local Administrators group to help secure the server. This means we will need to change the security permissions for the telephony program’s service.

Step 1 – Create the Console

We need to open a hidden console snap-in

  1. Click Start > Run (or press WIN + R) and type “mmc.exe
  2. This opens an empty Microsoft Management Console. Click File > Add/Remove Snap-in… (Ctrl+ M)
  3. Add or Remove Snap-insScroll down the list of available Snap-ins and select Security Configuration and Analysis
  4. Click Add
  5. Next select Security Templates
  6. Click Add
  7. Click OK

Step 2 – Create a blank Security Template

In Windows Server 2003 and below you can store these files anywhere but later versions have tougher restrictions so we will be creating everything in D:\Securtiy\

  1. Right-click Security Templates from the console tree and select New Template Search Path …
  2. Browse to D:\Security, or other local path, and click OK
  3. Right-click D:\Security from the console tree and select New Template …
  4. Console1 - [Console RootSecurity TemplatesDSecurity]Give the new template a name, e.g. Custom Services. It doesn’t matter what you use.
  5. The Description is optional but may be useful if you want to re-use it
  6. Click OK and you will see the new template appear in the console

The point of these templates are to lock-down servers using the Windows Security Configuration Wizard but we are only using them for a simple permission change

Step 3 – Create a Security Database

  1. Right-click Security Configuration and Analysis from the console tree and select Open Database…
  2. Browse to D:\Security, or other local path, and type a name in the File name: box e.g Security
  3. Click OK. This creates an Security.sdb file that is used to apply the changes
  4. An Import Template window appears. Browse to D:\Security/Custom Services.inf and select Open. This applies the template with all the local services to the database
  5. If you get the error “The database you are attempting to open does not exist.” then you need to choose a different path i.e. on a local disk
  6. Console1 - [Console RootSecurity Configuration and Analysis]Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …
  7. Click OK to accept the default log file path
  8. You will then be presented with something that looks very similar to the Group Policy Editor or Local Security Policy Console

Step 4 Change Service Permissions

  1. Fax PropertiesDouble-Click System Services
  2. Scroll down to find the service you need to change, e.g. Fax
  3. Double-Click the service
  4. Tick the box Define this policy in the database:
  5. Click the Edit Security … button
  6. Click Add
  7. Type in the user name of the Service account e.g. Svc-Phones, and click OK
  8. With the Svc-Phones account selected, check the Allow permissions for Start, stop and pause
  9. Click OK
  10. Click OK on the Service Properties to bring you back to the console
  11. Console1 - [Console RootSecurity Configuration and AnalysisSystem Services]You’ll notice the Service now has an ‘x’ on it and  Investigate message on the Permission column. This is because the new permissions we’ve chosen conflict with what is on the local computer

Step 5 – Apply new Security Permissions

  1. Right-click Security Configuration and Analysis from the console tree and select Configure Computer …
  2. Click OK to accept the default log file path
  3. This will apply the new custom permissions to the local computer
  4. You can now test it out on the server with the Svc-Phones account and test it works

You can see that this is rather long-winded just to configure permissions on a service. thankfully, you can save everything and it will be quick to re-use in the future or as part of a batch process across servers. If you want to change the permissions on a default Microsoft Service you can use the Security section of Group Policy to achieve the same results

Related Reading:

Advertisements

24 thoughts on “How To – Allow non-admins to start and stop system services

  1. This is an excellent breakdown of setting up service permissions natively. I’ve created a tool for granting permissions more easily using a web based UI. It’s called System Frontier. One of the coolest things is that the users who need access don’t have to have ANY rights on the target systems. It’s not free, but it’s worth a look. Thanks!

  2. Excelente artículo, me sirvió muchísimo para dar permisos a un usuario limitado, solo al servicio que necesitaba. Muchas Gracias!!!!

  3. Thank you for this information. I am running Windows 2003 R2 however after I am done I do not see any options to apply the new settings. When I right click on the Security Configuration and Analysis from the console tree there is no option for Configure computer.

    1. Can you give me a bit more info please.
      Did all of the other steps work properly?
      At step 5, does it have “Configure Computer Now” greyed out or not there at all?
      Make sure you click “Security Configuration and Analysis” with a left-click first before you right-click it

      1. Yes I followed all the steps. There is no option to Configure computer. However what I had to do was when I did the right click on “Security Configuration and Analysis” it made me open a database. I selected the D:\Security folder and then the security inf we had created earlier. Once I did this then I had the option for “Configure Computer”. The security setting is working now.
        Thank you

  4. I followed and set permissions and now the service has disappeared. I have logged in via the local system account and ran services as the user i assigned permissions to but the service does not exist. any thoughts??

  5. I was looking for exactly the title of this post. Followed the instructions and found it works great! Thanks you very much 🙂

  6. I followed the instructions to the T and it worked as charmed but like marni said the service disappeard from System services in mmc-Security Templates as well as services.msc.
    I tried installing custom service again but I got access denied message Error 1073. Any thoughts?

    1. When I log in as the user for whom permission has been granted I am able to see the service, but not a local/admin user as I have to launch the exe which restarts windows time service from local user with run as different user option by shift-click.

  7. Hi my friends…:)
    I tried to set permission for user with limited acces. I need to stop/start services “Internet Connection Sharing”. I followed your manual step by step with success, but when I type command for start services “net start SharedAccess”, I received error message “Error 1079: The account specified for this service is different from the account specified for other services running in the same process.”. Please, could you give some advice, what to do?
    Thank so much

    1. My problem was solved. I have had set another user for run this services directly from services.msc…
      Thank you so much for this, it will help in many cases..;)

  8. Is there programmatic way to do this? i need to set permissions to one of service so non admin client can use it. but not really finding way to do it in c/ c++. any help greatly appriciated

  9. When trying to import the security template and choosing custom services.inf I get an error message: access denied. import failed

  10. I followed the same instruction as above and set permissions and now the service has disappeared. I have logged in via the local system account and ran services as the user i assigned permissions to but the service does not exist. any solution for the same??.

  11. How can this be applied to all users? I did the change under my domain account; but when i went to restart the service under other users and they still cant restart the services.

  12. Very useful article, it fits perfectly my customer’s needs to let some unprivileged users restart services on a network server.
    Thanks a lot!

  13. Alright – to solve this – if your service dissapears :

    1. Regedit – find the service you changed permissions on:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName] and delete the Security subfolder
    2. Go back to the mmc with the security snap ins
    3. Delete the security template you just created under Console Root – Security Templates
    4. Close the mmc
    5. Find the physical location of the security templates you just deleted (example : c:\SEC
    6. Delete the folder with the security template
    7. Restart the server / workstation
    8. The service is now available again.

    1. I have been able to setup exactly you laid out and with a non-admin, if I give them RDP access to the server they can then open services.msc and only have access to start/stop/pause the service I applied the security to. I want them to be able to connect remotely with services.msc from their local PC but I get an access denied. Do you know how to do it t his way?

      those of you who said it worked, how are your users access services.msc?

What do you think?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s