W2K Pro and XP (Urgent) administer services without admin access!


    Greetings Ladies and Gentlemen,

    I have a somewhat perplexing and (of course...lol) urgent issue that I need to resolve and I am (in spite of expertise and experience) at a loss re. how to get around this issue. We have a single NT based domain (outdated... I know...lol) and numerous programmers that presently have local administrative rights (o/s = XP Pro SP2) to install programs and more importantly to start/stop services. The program install is no issue, since we can merely remove them from the admin group. The services on the other hand are critical, since these developers frequently need to start and stop SQL and Oracle services on their machines when they are testing code, etc... Is there any way to secure the laptop/pc (i.e. remove them from the local admin groups) and still allow them to start/stop services in general and certain specific services in particular? P.S. It has to be a local policy or setting since we are not yet (soon) Active Directory, also because the laptops are taken offsite and are not always connected to the domain re. policy inheritance, etc... PLEASE HELP!
    Steve

  • #2
    Never mind I figured it out myself!



    • #3
      Re: W2K Pro and XP (Urgent) administer services without admin access!

      A bit tricky, but can be done.
      You will need to alter the ACL of the services on the developers' workstations. This can be done with the sc.exe util, but you will need to learn what SDDL is and how to use SDDL to describe ACL entries.

      i.e.: to query the ACL of the "netlogon" service:
      Code:
      C:\>sc sdshow netlogon
      
      D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      ( replace "netlogon" with the name of the service you want to delegate )

      Code:
       
      (A;;CCLCSWLOCRRC;;;AU)      <== ACE for Authenticated Users 
      (A;;CCLCSWRPLOCRRC;;;PU)  <== ACE for Power Users
      (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)  <== ACE for Builtin Administrators
      (A;;CCLCSWRPWPDTLOCRRC;;;SY) <== ACE for SYSTEM
      Depending on your knowledge of SDDL, you can do one of:

      1) Easy one (but much less secure):
      Replace either Power Users or Authenticated Users's entry with:
      Code:
      (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)  <== if granting Full Control over the service to Auth Users
      (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;PU) <== if granting Full Control over the service to Power Users (you will need to add the Developers to Power Users if choosing this one)
      and skip to the last step of the second choice ( sc sdset <SDDL> )

      To be continued....
      Last edited by guyt; 3rd November 2005, 20:38.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Re: W2K Pro and XP (Urgent) administer services without admin access!

        2) Hard one - you will grant permissions to a specific security group.
        Obtain the SID of the developer's user account or group that will be used to control access and use the following convention:

        Acquire the SID of group named DEVELOPERS:
        You can use the adfind tool (which can be found at http://www.joeware.net/win32/zips/Adfind.zip) and execute:
        Code:
        Z:\>adfind -b dc=domain,dc=com -f "sAMAccountName=DEVELOPERS" objectSid
        AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003
        Using server: dc.domain.com
        
        dn:CN=DEVELOPERS,OU=Groups,DC=domain,DC=com
        >objectSid: S-1-5-21-1238550558-3237777817-3345890334-1609
        
        1 Objects returned
        
        Write down the group's SID (in our case it is S-1-5-21-1238550558-3237777817-3345890334-1609). We will need it later.
        To the existing SDDL string (from the output of "sc sdshow netlogon") prepend:
        Code:
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1238550558-3237777817-3345890334-1609)
        The new SDDL string becomes:
        Code:
        D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1238550558-3237777817-3345890334-1609)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        run:

        Code:
        sc sdset netlogon D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1238550558-3237777817-3345890334-1609)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        ( replace "netlogon" with the name of the service you want to delegate )

        Now the Developers group will be able to fully administer the service you have modified.
        Last edited by guyt; 3rd November 2005, 20:38.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
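
Added example (my own code, not from the thread or from Microsoft's sc.exe): a small Python parser for the service SDDL strings shown in #3 and #4 that decodes each ACE's service-specific rights, so you can check which principals can stop, start or reconfigure a service before and after the change. It reuses the netlogon descriptor and the DEVELOPERS SID from the posts; `parse_sddl`, `principals_who_can`, `grant` and the narrower `START_STOP_ONLY` rights string (query + start/stop/pause without change-config) are my additions, not something the posts describe.

```python
"""Parse and audit a Windows service security descriptor written in SDDL."""
import re

# Service-object meaning of the generic SDDL right codes (0x1..0x100 are service-specific).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN = {"AU": "Authenticated Users", "PU": "Power Users",
              "BA": "Builtin Administrators", "SY": "Local System", "WD": "Everyone"}

FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"  # the rights string the post grants
START_STOP_ONLY = "CCLCSWRPWPDTLOCRRC"       # query + start/stop/pause only (my suggestion)

# Copied from the post's "sc sdshow netlogon" and adfind output.
NETLOGON_SDDL = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEV_SID = "S-1-5-21-1238550558-3237777817-3345890334-1609"

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]}: the DACL and SACL as lists of decoded ACE dicts."""
    result = {"D": [], "S": []}
    for key, _flags, body in re.findall(r"(D|S):([A-Z]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            result[key].append({"type": ace_type, "flags": flags, "sid": sid,
                                "who": WELL_KNOWN.get(sid, sid),
                                "rights": [SERVICE_RIGHTS.get(c, c) for c in codes]})
    return result

def principals_who_can(sd, right):
    """Principals holding an allow ACE that carries `right`, e.g. "STOP"."""
    return [a["who"] for a in sd["D"] if a["type"] == "A" and right in a["rights"]]

def grant(sddl, sid, rights=START_STOP_ONLY):
    """Prepend an allow ACE for `sid` to the DACL (the edit the post feeds to sc sdset)."""
    head, _, rest = sddl.partition("(")  # head is "D:" plus any DACL control flags
    return f"{head}(A;;{rights};;;{sid})({rest}"

if __name__ == "__main__":
    for label, rights in (("full control", FULL_CONTROL), ("start/stop only", START_STOP_ONLY)):
        sd = parse_sddl(grant(NETLOGON_SDDL, DEV_SID, rights))
        # CHANGE_CONFIG also lets the holder change the service's binary path and account,
        # far more than start/stop; the narrower string keeps that with Administrators only.
        print(label, "| can STOP:", principals_who_can(sd, "STOP"),
              "| can CHANGE_CONFIG:", principals_who_can(sd, "CHANGE_CONFIG"))
```

Run it against the output of `sc sdshow <service>` on a workstation to see exactly which groups gain which rights before you apply `sc sdset`.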
