MFC solution to stop/start services

Right now our domain user accounts default to membership in the local Users group; however, they need the ability to start/stop some Windows 2000 services, such as SNA. Since this requires administrative rights, I was wondering if it would be possible to run another service with administrative rights which the users can access in order to start/stop these services. This would need to be an MFC/WIN32 solution, perhaps cli/srv model in design: a GUI interface to communicate with the custom service and the custom service will have the ability to start/stop selected services. Is this possible or is there another way to accomplish this?
1 Solution
 
jhanceCommented:
Three possible solutions:

1) Make users who need to do this members of the local admins group.

2) Change the permissions on the specific services in question to permit specified users or groups to control them.

3) Create a service that can manage these other services on unprivileged users behalf.

I prefer #3 even though it's more work.  Either of the first two defeat the purpose of service security.

It's not a problem to have a service with a GUI or to write a GUI app that just communicates with the service controlling service.  Whatever fits best with your approach.  I'd probably lean toward a separate GUI that talks to the service.  I like to compartmentalize the things.
0
 
DanRollinsCommented:
Another alternative might be to use the LogonUser() API to get an access token for an admin-level user, then use ImpersonateLoggedOnUser() to make calls into OpenSCManager, OpenService, and ControlService.

I have not tried this, but it seems reasonable.

-- Dan
0
 
jhanceCommented:
Of course to use LogonUser() you must have the password of the user you want to logon as. To use ImpersonateLoggedOnUser() you must have that user's access token (which also requires a password to get) and so you either must give these users the admin password (BAD) or embed the admin password into the application (WORSE).

Frankly, I don't think that is a viable solution.
0
 
DanRollinsCommented:
>>or embed the admin password into the application (WORSE).

If the program does a very limited number of things (e.g., stop a particular service), why is it so bad?  Of course, I assume that anyone concerned with security would do at least a simple encrypt of the username and password so that a casual user with a hex editor couldn't see these in clear text.  That goes without saying.

Also, the user who gets impersonated can be set to have very few privileges other than stopping and starting Services, so that even if a trusted employee hacked the password by looking in the EXE, locating the string constant, and decrypting it, he would end up with the ability to do what the program allows him to do (much more easily) anyway.

-- Dan
0
 
deadiceAuthor Commented:
yeah, i wouldn't embed admin passwords in an app for any reason. too risky, for one, and inefficient if the pwd ever needs to be changed.

once the "proxy" service is running, how can i communicate with it? through SendMessage(), PostThreadMessage(), ControlService()? what access/rights will the users require in order to communicate with it? so far i have successfully created/installed the service and just need to find the best way to send/receive information from another application which is impersonating the currently logged-on user.
0
 
DanRollinsCommented:
>>once the "proxy" service is running...
Why are you thinking that you need a new service?  All you need to do is communicate with the SCM.  Look at MS SQL: It has a program sqlmangr.exe that lets you start and stop the service.  That program is not a service.  You can also go to a DOS prompt and use the NET STOP command.

-- Dan
0
 
deadiceAuthor Commented:
Well, I have the rights to start/stop services on my machine, but the end-users on our network do not. I will not allow them the ability to shutdown ANY service - just a select few - on their workstation and do not wish to create local accounts on each workstation (they need the ability to accomplish this without logging off. su is not an option either). I have a working solution to this now, anyways.
0
 
deadiceAuthor Commented:
Since my "proxy" service runs as LocalSystem, it has the ability to start/stop any services.

I pass user-defined control codes using ControlService() to a "proxy" service from a Dialog-based application. The "proxy" service in turn calls SendMessage() with user-defined WM_'s to communicate with the CDialog application for status updates. Works like a charm and is quite an easy solution.
0
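The control-code dispatch of such a "proxy" service, as an added example that is not code from the original thread. The control-code values, the allowlist contents and the function names are assumptions; the point is that the unprivileged client only ever sends a numeric code (which needs just SERVICE_USER_DEFINED_CONTROL on the proxy service), and the proxy maps each code to one fixed service and action, so the client can never name an arbitrary service to stop.

```cpp
// Added example of a proxy-service control handler (hypothetical names).
// User-defined service control codes must lie in the range 128..255.
#include <cstdint>
#include <map>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

enum ProxyControl : uint32_t {
    PROXY_START_SNABASE   = 128,   // assumed numbering, not from the thread
    PROXY_STOP_SNABASE    = 129,
    PROXY_START_MESSENGER = 130,
    PROXY_STOP_MESSENGER  = 131,
};
enum class Action { Start, Stop };
struct Target { std::string service; Action action; };

// Allowlist: the client never supplies a service name, only one of these codes.
static const std::map<uint32_t, Target>& allowlist() {
    static const std::map<uint32_t, Target> table = {
        {PROXY_START_SNABASE,   {"SnaBase",   Action::Start}},
        {PROXY_STOP_SNABASE,    {"SnaBase",   Action::Stop }},
        {PROXY_START_MESSENGER, {"Messenger", Action::Start}},
        {PROXY_STOP_MESSENGER,  {"Messenger", Action::Stop }},
    };
    return table;
}

// Fills `out` and returns true only for a known code; everything else is rejected.
bool resolveControl(uint32_t code, Target& out) {
    auto it = allowlist().find(code);
    if (it == allowlist().end()) return false;
    out = it->second;
    return true;
}

#ifdef _WIN32
// Runs inside the proxy service (LocalSystem), so the SCM calls succeed even
// though the GUI caller lacks SERVICE_START/SERVICE_STOP on the targets.
// A real HandlerEx must also handle the standard codes (STOP, INTERROGATE, ...).
DWORD WINAPI ProxyHandlerEx(DWORD ctrl, DWORD, LPVOID, LPVOID) {
    Target t;
    if (!resolveControl(ctrl, t)) return ERROR_CALL_NOT_IMPLEMENTED;
    SC_HANDLE scm = OpenSCManagerA(nullptr, nullptr, SC_MANAGER_CONNECT);
    if (!scm) return GetLastError();
    DWORD want = (t.action == Action::Start) ? SERVICE_START : SERVICE_STOP;
    SC_HANDLE svc = OpenServiceA(scm, t.service.c_str(), want);
    DWORD rc = svc ? NO_ERROR : GetLastError();
    SERVICE_STATUS st;
    if (svc && t.action == Action::Start && !StartServiceA(svc, 0, nullptr)) rc = GetLastError();
    if (svc && t.action == Action::Stop && !ControlService(svc, SERVICE_CONTROL_STOP, &st)) rc = GetLastError();
    if (svc) CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    return rc;
}
#endif
```

The Win32 part only compiles on Windows; the allowlist and resolveControl are portable so the rejection logic can be unit-tested anywhere.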
 
DanRollinsCommented:
One more thought:  Why not just put the start/stop functionality into the original service?  It just seems like a second service is extra baggage.

-- Dan
0
 
deadiceAuthor Commented:
The original services are not of my making: SnaBase and Messenger. I think there would be some copyright infringements if I were to disassemble these services and use hacked code to replace 'em :) Microsoft wouldn't be too happy if they found out nor would I have a career.
0
 
DanRollinsCommented:
>>nor would I have a career.
lol.  There are plenty of people who would hire somebody with the ability to rewrite snaBase and Messenger starting with only a disassembly.

0
 
deadiceAuthor Commented:
yeah, but not with the company i work for now.
0
