Re: What SIDS need permisions to start my service?



Typically in such circumstances grants are made to
Administrators, System, the account used to run the
service if different from System, and Interactive.
Those would seem sufficient by what you have stated,
as Interactive represents the locally logged in account.


"John S" <JohnS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E73D2AF0-FD62-4186-A730-BFDF329FA676@xxxxxxxxxxxxxxxx
Here is the short version. I have an application which has a service
component. It is a requirement that the service component be running only
when the application is running, so AutoStart is not an option.

I want to grant the following permissions on my service
READ_CONTROL |
SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_START |
SERVICE_STOP |
SERVICE_PAUSE_CONTINUE |
SERVICE_INTERROGATE
to all users on the local machine. Currently I am granting this access to
Everyone, Users, and Guest. This approach definitely gives permisions to
the
accounts i need.. but is this a securty risk (I am only concerned about
security risks involving remote attacks, not ones that originate from the
local machine). Should i be granting access to just "Guest and Users" or
maybe "Guests and Authenticated Users"? Also note, the machines may or
may
not be on a domain.. the target os is 2k,xp,vista(32/64). This may be
deployed on a large number of laptops (and i mean laaarrrggge).

Can anyone shed some light on this issue?


.



Relevant Pages

  • Re: Help with Guest account
    ... Account and created a new User Account. ... Same thing in the Guest ... problem accessing the internet with it as it uses that same network ... enable the Guest Account is "an" administrator account. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Bypass Traverse Checking?
    ... Authenticated Users, because they are significantly different (different ... account without that SID in its token would not be able to access the ... you are affecting Anonymous Logon and the _builtin_ Guest ... account. ...
    (Focus-Microsoft)
  • Re: Office 2004 Mainstream Support Has Been Extended two years!
    ... Further research indicates that it affects systems where the the Guest ... Phillip: I should have done a bit more research :-) ... concept of a "Guest" account. ... John McGhie, Microsoft MVP, Consultant Technical ...
    (microsoft.public.mac.office.word)
  • Re: Grayed out password box.
    ... >Laptop I get a grayed out Guest sign in box and the guest password does not ... Are your computers running XP Home, XP Pro, or a combination? ... common non-Guest account on all computers. ... Any user can be an Administrator, ...
    (microsoft.public.windowsxp.network_web)
  • Re: Allowing file share browsing for un-authenticated users
    ... it immediately retries using "Guest" (this ... successful when the guest account is enabled. ... states that in Classic mode if you access the server using a local ... Guest account still allows me to enumerate file shares so that Network ...
    (microsoft.public.windows.server.general)