I'm not sure if this is proper place for such question (maybe should be placed on SuperUser?), but I'll try.
I have one C# console application and one Windows service. Both does the same, but console app was created before and is kept for backward compatibility. Each of these is running WCF service, whose methods operates on files in C:\ProgramData\MyApp. Console app is run as limited user (non-admin), Windows service runs as NT AUTHORITY\NETWORK SERVICE. When app creates some dirs/files, service cannot delete it and vice versa.
I would like to have it secured. My question is: should I grant full permissions on C:\ProgramData\MyApp to NETWORK SERVICE and current user? Or should I create dedicated user for running service/app?
Assuming your application does not set explicit security permission on newly created files, granting Network Service account Delete permissions on the folder would solve your immediate problem.
This command will do the work:
icacls c:\ProgramData\MyApp /t /grant "NETWORK SERVICE":(OI)(CI)(IO)D
Repeat the same for your other user service account.
Related
I'm trying to set up a Windows service with the following requirements:
Runs as a domain account - this account has access to other shares that the process will touch
Has full administrative rights on the machine, past UAC - specifically needs to be able to take ownership of folders
The problem is that the process needs to take ownership of folders at some points, which is done by calling takeown /A /F <file>. This works on the command line, but only when it's explicitly Run as Administrator - being a local admin on the machine does not give full admin rights, and the account still has to go through the UAC prompt, so when running as a service we just get ERROR: The current logged on user does not have administrative privileges.. It seems like the standard way to get around UAC for a service account is to use the Local System account, but that isn't an option because then we can't access the other servers.
Is there any way to set up the service and say "Run as this account, in the context of a full administrator on the machine"? As another potential solution, is there a way to exclude a domain account from UAC on a machine? Any other solution could work as long as it runs as a service, can set folder ownership, and using a domain account. Ideally this is done without opening up big security holes, like fully disabling UAC on the machine.
I am not able to reproduce your problem. Here is how I tested.
Part 1: Create sample directory with non-administrator owner
Create directory C:\TestDir
Disable permission inheritance and copy inherited permissions into explicit permissions
Grant NT SERVICE\TrustedInstaller full control access
Set owner of directory to NT SERVICE\TrustedInstaller
Set Administrators and SYSTEM accounts to have read access
Remove access for all other accounts
After complete, verify that, logged on as elevated administrator, I am not able to create a file in that directory.
Part 2: Create a service that takes ownership of the directory
I did this using nssm (https://nssm.cc):
Create a short batch file, C:\scripts\TestService.cmd, containing the takeown command:
takeown /F C:\TestDir /A
Run nssm install and specify:
Application path: C:\Windows\System32\cmd.exe
Arguments: /C C:\scripts\TestService.cmd
Restart action: Stop service (oneshot mode)
Log on: Specify username and password of an account that's a member of the local Administrators group
stdout redirection: C:\scripts\TestService-stdout.log
stderr redirection: C:\scripts\TestService-stderr.log
I started the service, which executed the C:\scripts\TestService.cmd batch file. (The service stopped immediately after starting, which is expected in this case.) The standard output file C:\scripts\TestService-stdout.log contained the following lines:
C:\Windows\System32>takeown /F C:\TestDir /A
SUCCESS: The file (or folder): "C:\TestDir" now owned by the administrators group.
This experiment demonstrates that a service running using an account that's a member of the local Administrators group runs elevated (i.e., with full administrative privileges).
We have a legacy service running which is responsible for monitoring another service, but also starts a console application (written in C) which continues running in the background. If we start the console application from the cmd prompt, it works fine. If we also start the service under the Network Service account, it also starts the console app fine, but in that case it cannot start the other service.
So since the service has to monitor (start/stop) another service, it must be started under Local System account to get the necessary privileges - but the problem is that the console application started by this service then cannot read its configuration from the appdata folder.
I can see that the console app gets the APPDATA folder as C:\Windows\System32\config\systemprofile\AppData\Roaming, but the app states that the configuration file inside this folder cannot be found so it closes itself. When I start it from a normal user account, it goes to this users' appdata folder and works properly. I even tried giving the Users group additional permissions for its folder inside the systemprofile\AppData\Roaming folder (which doesn't make sense, since the app is running as Local System), but it didn't help.
What is the best way to make this console app read settings from the Local System appdata folder?
Or, alternatively, is it possible to grant this single service permissions to start other services, without starting it as Local System?
If we start the console application from the cmd prompt, it works fine.
This means that the account you are logged in to has sufficient rights to do everything you need. Specify that account on the service's "Log On" tab and you should be good to go!
I created one service which is running in one server and I need to copy directory from another server to directory in this server through this service. The service is failed when finding directory specified in another server. Like If DirectoryExists("\\ServerName\DirectoryName"). It is not working even, I set up the service with Network Authority.
Please give solution for this. It will be helpful.
Mallik.
A possible explanation is that the service runs as a user that does not have read rights to the other server's volumes. Authenticating with NETWORKSERVICE does not help you. That's just a user that has access to TCP etc.
What you need to do is to run your service as a user which has read access to the other server's volumes. As a test try your personal login, but in the longer run you may wish to use a dedicated user just for this task.
I'd like to write a service (that starts up and runs whenever the machine is on) that queries Active directory since the user IIS uses does not have permission to query AD. How do I determine if A) my workstation where I have local admin rights, and B) a shared team workstation will allow me to do this?
Anything you can do as an interactive user can be done by a service with appropriate permissions and configuration, so it isn't so much an issue of determining if you can, but rather configuring the service so that it can.
Your installation package should request an appropriate set of credentials (and of course must be run by a user with privileges to install such a service). The service itself should simply catch and log any permission exceptions.
As an example - look at the SQL Server installation process. Early on it requests that you specify accounts with the required privileges.
I have an application that runs as a service, and dynamically creates and publishes windows performance (perfmon) counters.
When I run the application under my own account (as a service) which has administrative privileges, I get the following error:
714: The specified registry key is referenced by a predefined handle.
When I run the application from the command line, no error is produced.
I believe that this is a result of UAC, but I don't particularly want to disable UAC altogether.
Any ideas?
It is not enough just to be logged in as an administrator. The service needs to have an embedded manifest that sets the requestedExecutionLevel to requireAdministrator.