Jump down to Step 1 to skip the blurb
Any Microsoft Windows operating system has services. These are little programs that run in the background of the OS to keep things ticking over. They’re really fundamental to servers as it means that programs can run in the background without any user being logged. In fact Windows servers are fine-tuned to give better performance to background services rather than any app running on the screen.
It’s always the best principle to log on with the least amount of privileges on any PC, i.e. you shouldn’t log on to a desktop or server with full admin rights. You should log on as a normal user and only elevate the programmes authority to admin level if absolutely necessary.
Some System Administrators may want an easy life and just let everything “run as admin” as it cuts back on a lot of problems, especially when using old software. Obviously this greatly widens the security attack vector, as any user who can gain access to the machine can do anything they want on it.
However, one of the issues of running as a standard user is that you are not allowed to stop or start Windows services. That is by design, you wouldn’t really want a non-admin to stop a critical service. The problem is when you have a Service Account running (as good practice dictates) as a lowly user. To get around this you can give the Service Account permission to do whatever you want to a particular service you want. Unfortunately, this is a bit more convoluted than setting file permissions. This article will explain how to achieve this. It applies to all versions of Windows from Windows 2000 or newer. My screenshots are from the Windows 8 Developer Preview.
Scenario
A server on our network runs some aging but critical telephony software. The services run under a Service Account with a username of Svc-Phones. The Svc-Phones account also logs on to the server interactively to view any messages from the application or stop & start the services if there is an issue (avoiding a whole server reboot). The IT manager wants the Svc-Phones account to be removed from the local Administrators group to help secure the server. This means we will need to change the security permissions for the telephony program’s service.
Step 1 – Create the Console
We need to open a hidden console snap-in
- Click Start > Run (or press WIN + R) and type “mmc.exe”
- This opens an empty Microsoft Management Console. Click File > Add/Remove Snap-in… (Ctrl+ M)
- Scroll down the list of available Snap-ins and select Security Configuration and Analysis
- Click Add
- Next select Security Templates
- Click Add
- Click OK
Step 2 – Create a blank Security Template
In Windows Server 2003 and below you can store these files anywhere but later versions have tougher restrictions so we will be creating everything in D:\Securtiy\
- Right-click Security Templates from the console tree and select New Template Search Path …
- Browse to D:\Security, or other local path, and click OK
- Right-click D:\Security from the console tree and select New Template …
- Give the new template a name, e.g. Custom Services. It doesn’t matter what you use.
- The Description is optional but may be useful if you want to re-use it
- Click OK and you will see the new template appear in the console
The point of these templates are to lock-down servers using the Windows Security Configuration Wizard but we are only using them for a simple permission change
Step 3 – Create a Security Database
- Right-click Security Configuration and Analysis from the console tree and select Open Database…
- Browse to D:\Security, or other local path, and type a name in the File name: box e.g Security
- Click OK. This creates an Security.sdb file that is used to apply the changes
- An Import Template window appears. Browse to D:\Security/Custom Services.inf and select Open. This applies the template with all the local services to the database
- If you get the error “The database you are attempting to open does not exist.” then you need to choose a different path i.e. on a local disk
- Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …
- Click OK to accept the default log file path
- You will then be presented with something that looks very similar to the Group Policy Editor or Local Security Policy Console
Step 4 Change Service Permissions
- Double-Click System Services
- Scroll down to find the service you need to change, e.g. Fax
- Double-Click the service
- Tick the box Define this policy in the database:
- Click the Edit Security … button
- Click Add
- Type in the user name of the Service account e.g. Svc-Phones, and click OK
- With the Svc-Phones account selected, check the Allow permissions for Start, stop and pause
- Click OK
- Click OK on the Service Properties to bring you back to the console
- You’ll notice the Service now has an ‘x’ on it and Investigate message on the Permission column. This is because the new permissions we’ve chosen conflict with what is on the local computer
Step 5 – Apply new Security Permissions
- Right-click Security Configuration and Analysis from the console tree and select Configure Computer …
- Click OK to accept the default log file path
- This will apply the new custom permissions to the local computer
- You can now test it out on the server with the Svc-Phones account and test it works
You can see that this is rather long-winded just to configure permissions on a service. thankfully, you can save everything and it will be quick to re-use in the future or as part of a batch process across servers. If you want to change the permissions on a default Microsoft Service you can use the Security section of Group Policy to achieve the same results
Related Reading:
- Microsoft Support article: How to grant users rights to manage services in Windows Server 2003
- Windows Server Tech Center: Security and Protection
This is an excellent breakdown of setting up service permissions natively. I’ve created a tool for granting permissions more easily using a web based UI. It’s called System Frontier. One of the coolest things is that the users who need access don’t have to have ANY rights on the target systems. It’s not free, but it’s worth a look. Thanks!
LikeLike
Excelente artículo, me sirvió muchísimo para dar permisos a un usuario limitado, solo al servicio que necesitaba. Muchas Gracias!!!!
LikeLike
Thank you for this information. I am running Windows 2003 R2 however after I am done I do not see any options to apply the new settings. When I right click on the Security Configuration and Analysis from the console tree there is no option for Configure computer.
LikeLike
Can you give me a bit more info please.
Did all of the other steps work properly?
At step 5, does it have “Configure Computer Now” greyed out or not there at all?
Make sure you click “Security Configuration and Analysis” with a left-click first before you right-click it
LikeLike
Yes I followed all the steps. There is no option to Configure computer. However what I had to do was when I did the right click on “Security Configuration and Analysis” it made me open a database. I selected the D:\Security folder and then the security inf we had created earlier. Once I did this then I had the option for “Configure Computer”. The security setting is working now.
Thank you
LikeLike
I followed and set permissions and now the service has disappeared. I have logged in via the local system account and ran services as the user i assigned permissions to but the service does not exist. any thoughts??
LikeLike
I was looking for exactly the title of this post. Followed the instructions and found it works great! Thanks you very much 🙂
LikeLike
Thanks! It works perfect, good explanation.
LikeLike
I followed the instructions to the T and it worked as charmed but like marni said the service disappeard from System services in mmc-Security Templates as well as services.msc.
I tried installing custom service again but I got access denied message Error 1073. Any thoughts?
LikeLike
When I log in as the user for whom permission has been granted I am able to see the service, but not a local/admin user as I have to launch the exe which restarts windows time service from local user with run as different user option by shift-click.
LikeLike
Hi my friends…:)
I tried to set permission for user with limited acces. I need to stop/start services “Internet Connection Sharing”. I followed your manual step by step with success, but when I type command for start services “net start SharedAccess”, I received error message “Error 1079: The account specified for this service is different from the account specified for other services running in the same process.”. Please, could you give some advice, what to do?
Thank so much
LikeLike
My problem was solved. I have had set another user for run this services directly from services.msc…
Thank you so much for this, it will help in many cases..;)
LikeLike
Is there programmatic way to do this? i need to set permissions to one of service so non admin client can use it. but not really finding way to do it in c/ c++. any help greatly appriciated
LikeLike
When trying to import the security template and choosing custom services.inf I get an error message: access denied. import failed
LikeLike
Fixed. admin rights on the server
LikeLike
I followed the same instruction as above and set permissions and now the service has disappeared. I have logged in via the local system account and ran services as the user i assigned permissions to but the service does not exist. any solution for the same??.
LikeLike
Did you get this resolved?
LikeLike
How can this be applied to all users? I did the change under my domain account; but when i went to restart the service under other users and they still cant restart the services.
LikeLike
nice work… very helpful
LikeLike
I did this – and now the service is gone – how do I get it back?!
LikeLike
Very useful article, it fits perfectly my customer’s needs to let some unprivileged users restart services on a network server.
Thanks a lot!
LikeLike
Alright – to solve this – if your service dissapears :
1. Regedit – find the service you changed permissions on:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName] and delete the Security subfolder
2. Go back to the mmc with the security snap ins
3. Delete the security template you just created under Console Root – Security Templates
4. Close the mmc
5. Find the physical location of the security templates you just deleted (example : c:\SEC
6. Delete the folder with the security template
7. Restart the server / workstation
8. The service is now available again.
LikeLike
I have been able to setup exactly you laid out and with a non-admin, if I give them RDP access to the server they can then open services.msc and only have access to start/stop/pause the service I applied the security to. I want them to be able to connect remotely with services.msc from their local PC but I get an access denied. Do you know how to do it t his way?
those of you who said it worked, how are your users access services.msc?
LikeLike
Well detailed steps. Its not working in windows server 2016 . Any help appreciated . I want to grant service start/stop permission to local user .
LikeLike