Re: What SIDS need permisions to start my service?



Typically in such circumstances grants are made to
Administrators, System, the account used to run the
service if different from System, and Interactive.
Those would seem sufficient by what you have stated,
as Interactive represents the locally logged in account.


"John S" <JohnS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E73D2AF0-FD62-4186-A730-BFDF329FA676@xxxxxxxxxxxxxxxx
Here is the short version. I have an application which has a service
component. It is a requirement that the service component be running only
when the application is running, so AutoStart is not an option.

I want to grant the following permissions on my service
READ_CONTROL |
SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_START |
SERVICE_STOP |
SERVICE_PAUSE_CONTINUE |
SERVICE_INTERROGATE
to all users on the local machine. Currently I am granting this access to
Everyone, Users, and Guest. This approach definitely gives permisions to
the
accounts i need.. but is this a securty risk (I am only concerned about
security risks involving remote attacks, not ones that originate from the
local machine). Should i be granting access to just "Guest and Users" or
maybe "Guests and Authenticated Users"? Also note, the machines may or
may
not be on a domain.. the target os is 2k,xp,vista(32/64). This may be
deployed on a large number of laptops (and i mean laaarrrggge).

Can anyone shed some light on this issue?


.