MFC solution to stop/start services

Posted on 2002-04-15
Last Modified: 2013-11-20
Right now our domain user accounts default to membership in the local Users group; however, they need the ability to start/stop some Windows 2000 services, such as SNA. Since this requires administrative rights, I was wondering if it would be possible to run another service with administrative rights which the users can access in order to start/stop these services. This would need to be an MFC/WIN32 solution, perhaps cli/srv model in design: a GUI interface to communicate with the custom service and the custom service will have the ability to start/stop selected services. Is this possible or is there another way to accomplish this?
0
Question by:deadice
13 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6942261
Three possible solutions:

1) Make users who need to do this members of the local admins group.

2) Change the permissions on the specific services in question to permit specified users or groups to control them.

3) Create a service that can manage these other services on unprivileged users' behalf.

I prefer #3 even though it's more work.  Either of the first two defeats the purpose of service security.

It's not a problem to have a service with a GUI or to write a GUI app that just communicates with the service controlling service.  Whatever fits best with your approach.  I'd probably lean toward a separate GUI that talks to the service.  I like to compartmentalize the things.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6943043
Another alternative might be to use the LogonUser() API to get an access token for an admin-level user, then use ImpersonateLoggedOnUser() to make calls into OpenSCManager, OpenService, and ControlService.

I have not tried this, but it seems reasonable.

-- Dan
0
 
LVL 32

Expert Comment

by:jhance
ID: 6943151
Of course to use LogonUser() you must have the password of the user you want to logon as. To use ImpersonateLoggedOnUser() you must have that user's access token (which also requires a password to get) and so you either must give these users the admin password (BAD) or embed the admin password into the application (WORSE).

Frankly, I don't think that is a viable solution.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6943214
>>or embed the admin password into the application (WORSE).

If the program does a very limited number of things (e.g., stop a particular service), why is it so bad?  Of course, I assume that anyone concerned with security would do at least a simple encrypt of the username and password so that a casual user with a hex editor couldn't see these in clear text.  That goes without saying.

Also, the user who gets impersonated can be set to have very few privileges other than stopping and starting Services, so that even if a trusted employee hacked the password by looking in the EXE, locating the string constant, and decrypting it, he would end up with the ability to do what the program allows him to do (much more easily) anyway.

-- Dan
0
 

Author Comment

by:deadice
ID: 6943692
yeah, i wouldn't embed admin passwords in an app for any reason. too risky, for one, and inefficient if the pwd ever needs to be changed.

once the "proxy" service is running, how can i communicate with it? through SendMessage(), PostThreadMessage(), ControlService()? what access/rights will the users require in order to communicate with it? so far i have successfully created/installed the service and just need to find the best way to send/receive information from another application which is impersonating the currently logged-on user.
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 6944395

0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6945763
>>once the "proxy" service is running...
Why are you thinking that you need a new service?  All you need to do is communicate with the SCM.  Look at MS SQL: It has a program sqlmangr.exe that lets you start and stop the service.  That program is not a service.  You can also go to a DOS prompt and use the NET STOP command.

-- Dan
0
 

Author Comment

by:deadice
ID: 6948759
Well, I have the rights to start/stop services on my machine, but the end-users on our network do not. I will not allow them the ability to shutdown ANY service - just a select few - on their workstation and do not wish to create local accounts on each workstation (they need the ability to accomplish this without logging off. su is not an option either). I have a working solution to this now, anyways.
0
 

Author Comment

by:deadice
ID: 6948794
Since my "proxy" service runs as LocalSystem, it has the ability to start/stop any services.

I pass user-defined control codes using ControlService() to a "proxy" service from a Dialog-based application. The "proxy" service in turn calls SendMessage() with user-defined WM_'s to communicate with the CDialog application for status updates. Works like a charm and is quite an easy solution.
0
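
The design described in the comment above (user-defined control codes sent to a LocalSystem proxy), as an added example that is not the poster's code: each code maps to one fixed service and action, and every other code is rejected. The code numbers and the names `proxy_lookup` and `proxy_dispatch` are assumptions; the Win32 part compiles only on Windows.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum proxy_action { ACT_START, ACT_STOP };
struct proxy_rule {
    unsigned long code;       /* user-defined control code, 128..255 */
    const char *service;      /* fixed target, never supplied by the caller */
    enum proxy_action action;
};
/* Assumed code assignments; SnaBase and Messenger are the services named in the thread. */
static const struct proxy_rule RULES[] = {
    {128, "SnaBase",   ACT_START}, {129, "SnaBase",   ACT_STOP},
    {130, "Messenger", ACT_START}, {131, "Messenger", ACT_STOP},
};

/* Returns the rule for a control code, or NULL when the code is not allowlisted. */
const struct proxy_rule *proxy_lookup(unsigned long code)
{
    size_t i;
    if (code < 128 || code > 255)   /* outside the user-defined range */
        return NULL;
    for (i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].code == code)
            return &RULES[i];
    return NULL;
}

#ifdef _WIN32
/* Assumed to run on a worker thread that the proxy's control handler signals,
 * so the handler itself returns promptly. Returns a Win32 error code. */
DWORD proxy_dispatch(DWORD code)
{
    const struct proxy_rule *r = proxy_lookup(code);
    SC_HANDLE scm, svc;
    SERVICE_STATUS st;
    DWORD err = ERROR_SUCCESS;
    if (!r) return ERROR_CALL_NOT_IMPLEMENTED;
    scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return GetLastError();
    svc = OpenServiceA(scm, r->service, SERVICE_START | SERVICE_STOP);
    if (!svc) { err = GetLastError(); CloseServiceHandle(scm); return err; }
    if (!(r->action == ACT_START ? StartServiceA(svc, 0, NULL)
                                 : ControlService(svc, SERVICE_CONTROL_STOP, &st)))
        err = GetLastError();
    CloseServiceHandle(svc); CloseServiceHandle(scm);
    return err;
}
#endif
```

To send codes in the 128 to 255 range with ControlService(), the caller's handle to the proxy service needs the SERVICE_USER_DEFINED_CONTROL access right, so the proxy's own DACL decides which users can reach the allowlist at all.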
 
LVL 49

Expert Comment

by:DanRollins
ID: 6948977
One more thought:  Why not just put the start/stop functionality into the original service?  It just seems like a second service is extra baggage.

-- Dan
0
 

Author Comment

by:deadice
ID: 6961819
The original services are not of my making: SnaBase and Messenger. I think there would be some copyright infringements if I were to disassemble these services and use hacked code to replace 'em :) Microsoft wouldn't be too happy if they found out nor would I have a career.
0
 
LVL 49

Accepted Solution

by:
DanRollins earned 800 total points
ID: 6962137
>>nor would I have a career.
lol.  There are plenty of people who would hire somebody with the ability to rewrite snaBase and Messenger starting with only a disassembly.

0
 

Author Comment

by:deadice
ID: 7007001
yeah, but not with the company i work for now.
0
