What permissions are needed to start a service through ASP.NET?

Question

I was wondering what privileges I needed to let a user start a service on our server.

The situation is as follows, some people on our website can start a certain service on the server (Windows 2008 and IIS7). The way that worked so far with me was specifying the application pool I created with my user account (the impersonate method from msdn doens't work for some reason). Now however I want to change that user account to a user account who only has the priviliges to start and stop a service (and everything that is needed to get him to do that).

The website is written in ASP.NET and C#. I use the ServiceController to start and stop my services.

Which privileges should I assign to that user?

EDIT: I just want to clear some things up here. I managed to get this thing working through the Application pool (although it doesn't work through debugger) . But it only works with a user that is part of the Administrators group which isn't what I want. I want to specify a special user that will only be able to start and stop the service through the website. So what privileges do I need? Please be specific.

EDIT 2: I found out why my service wouldn't start in the debugger. I didn't run Visual Studio with administrator rights. I feel so stupid right now.. Anyway the question still stands as I still need my special user with the correct permissions.

Any comment will be appreciated, Kind regards, Floris Devriendt

Answer 1

You have to set identity impersonate to true in your web.config and if you are using windows authentication then need to set that up in IIS. if you are using a WCF service in between you may have to look at Impersonation in WCF.

Answer 2

(Terminology gripe) - you shouldn't be looking at privileges , since those apply across a machine as a whole. You should be looking at permissions .

There's an answer here about allowing remote users to start and stop a service. You may need to run the same steps to allow the account your website is under the specific permissions, that is:

• Copy the IA users permissions on the scmanager , to allow a non-interactive user to access the service controller, and
• Add appropriate permissions for your user against the specific service.

Both of these actions use the sc command line tool. Hopefully, you can crib enough together for your specific circumstances. Something like:

sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

where S-1-5-3-3127463467463 is the SID for the website account, and:

sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

whwere Alerter is the name of the specific service, and S-1-5-3-3127463467463 is again the SID for the website account.

(Not sure whether to break up these commands to make them more readable on SO - they need to have no line-breaks when running in the command line)

Answer 3

you have to give the right for strating your service to the user that you are using for the application pool.

• Click Start, point to Settings, click Control Panel, and then double-click Administrative Tools.
• Double-click Services
• On the Log On tab, click Local System Account, and then click Apply.
• On the General tab, click Start to restart the service.
• Quit the Services tool.