Windows Service - UnauthorizedAccessException - windows-services

I have a Windows Service created in .NET 4.
I need to access a file from antoher server and I get an exception:
"UnauthorizedAccessException was caught" - "Access to the path '(path)' is denied."
If I make a new Windows Forms application which accessed that file, it works. The Windows Service runs as Local System.

Apparently your machine account does not have permissions to access remote file share. You have to grant rights to the machine account <DOMAIN>\<machine_name>$ on both file share level as well as file system level. For share permissions use fsmgmt.msc, for file system you can do it using cacls command.
Alternative solution is to impersonate a valid user account that already has permission to this directory.

Related

Windows service - use domain account and run with admin privileges

I'm trying to set up a Windows service with the following requirements:
Runs as a domain account - this account has access to other shares that the process will touch
Has full administrative rights on the machine, past UAC - specifically needs to be able to take ownership of folders
The problem is that the process needs to take ownership of folders at some points, which is done by calling takeown /A /F <file>. This works on the command line, but only when it's explicitly Run as Administrator - being a local admin on the machine does not give full admin rights, and the account still has to go through the UAC prompt, so when running as a service we just get ERROR: The current logged on user does not have administrative privileges.. It seems like the standard way to get around UAC for a service account is to use the Local System account, but that isn't an option because then we can't access the other servers.
Is there any way to set up the service and say "Run as this account, in the context of a full administrator on the machine"? As another potential solution, is there a way to exclude a domain account from UAC on a machine? Any other solution could work as long as it runs as a service, can set folder ownership, and using a domain account. Ideally this is done without opening up big security holes, like fully disabling UAC on the machine.
I am not able to reproduce your problem. Here is how I tested.
Part 1: Create sample directory with non-administrator owner
Create directory C:\TestDir
Disable permission inheritance and copy inherited permissions into explicit permissions
Grant NT SERVICE\TrustedInstaller full control access
Set owner of directory to NT SERVICE\TrustedInstaller
Set Administrators and SYSTEM accounts to have read access
Remove access for all other accounts
After complete, verify that, logged on as elevated administrator, I am not able to create a file in that directory.
Part 2: Create a service that takes ownership of the directory
I did this using nssm (https://nssm.cc):
Create a short batch file, C:\scripts\TestService.cmd, containing the takeown command:
takeown /F C:\TestDir /A
Run nssm install and specify:
Application path: C:\Windows\System32\cmd.exe
Arguments: /C C:\scripts\TestService.cmd
Restart action: Stop service (oneshot mode)
Log on: Specify username and password of an account that's a member of the local Administrators group
stdout redirection: C:\scripts\TestService-stdout.log
stderr redirection: C:\scripts\TestService-stderr.log
I started the service, which executed the C:\scripts\TestService.cmd batch file. (The service stopped immediately after starting, which is expected in this case.) The standard output file C:\scripts\TestService-stdout.log contained the following lines:
C:\Windows\System32>takeown /F C:\TestDir /A
SUCCESS: The file (or folder): "C:\TestDir" now owned by the administrators group.
This experiment demonstrates that a service running using an account that's a member of the local Administrators group runs elevated (i.e., with full administrative privileges).

Visual studio project in samba network drive results in IIS express permission denied

I have created a ASP.NET Web Application project. When I click the "IIS express" button in Visual Studio I get the following in the browser:
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'H:\mypath'.
If I move my project to somewhere on C: then everything works as expected.
H: is mapped to a samba share on a Linux host.
I believe that IIS express is expected to run as the current user when started like this, so in that case the samba credentials should not be the problem.
So...how do I solve this problem?

TFS Release, running PowerShell, cannot create DtlDownloads

I am trying to get some automatic deployments up and running using TFS 15 (on-premise). I have a powershell script on the deployment target to call.
The deployments starts fine by downloading the artifact. But when the agent runs the script it wants to create a folder C:\Windows\DtlDownloads (thats not part of my script but part of preparing things for TFS I guess). That fails:
##[debug]System.AggregateException: Failed to install 'VisualStudioRemoteDeployer20597940-38b2-4ba8-9a4d-fcc894308730' from service executable path VisualStudioRemoteDeployer.exe . Consult the logs below:
Access to the path 'DtlDownloads' is denied.
CategoryInfo :PermissionDenied: (C:\Windows\DtlDownloads:String) [New-Item], UnauthorizedAccessException
FullyQualifiedErrorId :CreateDirectoryUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand
The user used to logon is a server-local user named deploy who is also a local administrator on that machine. I also checked the effective access for that user on the windows folder and it should be able to create directories.
Something similar happens with the copy step. Robocopy signals two errors:
2017/03/16 08:57:21 ERROR 5 (0x00000005) Getting File System Type of Destination \\server.domain.com\c$\abc\def\
Access is denied.
and
2017/03/16 08:57:21 ERROR 5 (0x00000005) Creating Destination Directory \\server.domain.com\c$\abc\def\
Access is denied.
The second is a bit unexpected as the folder def already exists but I guess it is a follow up because getting the type failed beforehand.
The user itself must have been recognized because I get different errors when using invalid credentials. I have enabled WinRM using Enable-PSRemoting and ConfigureWinRM.ps1 from WinRM-Http-Https-Without-Makecert.
What could still restrict the permissions?
Update: Using a domain user instead of a local one of that server solves the issue. But I do not understand why. Can someone explain or even provide information how to make it work with a local user?
The username of either a domain or a local administrative account on
the target host(s).
Formats such as username, domain\username, machine-name\username, and .\username are supported.
UPN formats such as username#domain.com and built-in system accounts such as NT Authority\System are not supported.
Source Link
Both the domain account and local admin should be work. Please double check your format and give a try with another format.
One problem could be if that you have the agent as a service, that service has not the proper privileges, like being on Network Account. Try to change that to the user account which has administrative privileges.
Running "winrm quickconfig" fixed this problem for me
winrm quickconfig
https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

Directory permission shared between Windows Service and console application

I'm not sure if this is proper place for such question (maybe should be placed on SuperUser?), but I'll try.
I have one C# console application and one Windows service. Both does the same, but console app was created before and is kept for backward compatibility. Each of these is running WCF service, whose methods operates on files in C:\ProgramData\MyApp. Console app is run as limited user (non-admin), Windows service runs as NT AUTHORITY\NETWORK SERVICE. When app creates some dirs/files, service cannot delete it and vice versa.
I would like to have it secured. My question is: should I grant full permissions on C:\ProgramData\MyApp to NETWORK SERVICE and current user? Or should I create dedicated user for running service/app?
Assuming your application does not set explicit security permission on newly created files, granting Network Service account Delete permissions on the folder would solve your immediate problem.
This command will do the work:
icacls c:\ProgramData\MyApp /t /grant "NETWORK SERVICE":(OI)(CI)(IO)D
Repeat the same for your other user service account.

copy files from network via windows service

I have batch files, its copy some files from network to local disk. When try to run it from a windows service I get an error like "Access Denied".
I already try run windows service as LocalSystem , LocalService and NetworkService. All these types get same error.
Have any idea ?
Thanks
NetworkService is the only one that is going to include network credentials here, and that will be the local machine's identity. Does the machine account have access to the share? If this isn't correct, you'll need to run the service as a dedicated, specific user account.
What version of windows is this ? And have you checked the effective ACL settings of the shared files/folders ?
Try changing the ACL on the shared resource to allow everyone access...
If that works you need to give DOMAIN\networkservice the correct permissions. In this case both machines would need to be in the correct domain.

Resources