Solved

MFC solution to stop/start services

Posted on 2002-04-15
Last Modified: 2013-11-20
Right now our domain user accounts default to membership in the local Users group; however, they need the ability to start/stop some Windows 2000 services, such as SNA. Since this requires administrative rights, I was wondering if it would be possible to run another service with administrative rights which the users can access in order to start/stop these services. This would need to be an MFC/WIN32 solution, perhaps cli/srv model in design: a GUI interface to communicate with the custom service and the custom service will have the ability to start/stop selected services. Is this possible or is there another way to accomplish this?
Question by:deadice
13 Comments
 
LVL 32

Expert Comment

by:jhance
Three possible solutions:

1) Make users who need to do this members of the local admins group.

2) Change the permissions on the specific services in question to permit specified users or groups to control them.

3) Create a service that can manage these other services on unprivileged users' behalf.

I prefer #3 even though it's more work.  Either of the first two defeat the purpose of service security.

It's not a problem to have a service with a GUI or to write a GUI app that just communicates with the service controlling service.  Whatever fits best with your approach.  I'd probably lean toward a separate GUI that talks to the service.  I like to compartmentalize the things.
0
 
LVL 49

Expert Comment

by:DanRollins
Another alternative might be to use the LogonUser() API to get an access token for an admin-level user, then use ImpersonateLoggedOnUser() to make calls into OpenSCManager, OpenService, and ControlService.

I have not tried this, but it seems reasonable.

-- Dan
0
 
LVL 32

Expert Comment

by:jhance
Of course to use LogonUser() you must have the password of the user you want to logon as. To use ImpersonateLoggedOnUser() you must have that user's access token (which also requires a password to get) and so you either must give these users the admin password (BAD) or embed the admin password into the application (WORSE).

Frankly, I don't think that is a viable solution.
0
 
LVL 49

Expert Comment

by:DanRollins
>>or embed the admin password into the application (WORSE).

If the program does a very limited number of things (e.g., stop a particular service), why is it so bad?  Of course, I assume that anyone concerned with security would do at least a simple encrypt of the username and password so that a casual user with a hex editor couldn't see these in clear text.  That goes without saying.

Also, the user who gets impersonated can be set to have very few privileges other than stopping and starting Services, so that even if a trusted employee hacked the password by looking in the EXE, locating the string constant, and decrypting it, he would end up with the ability to do what the program allows him to do (much more easily) anyway.

-- Dan
0
 

Author Comment

by:deadice
yeah, i wouldn't embed admin passwords in an app for any reason. too risky, for one, and inefficient if the pwd ever needs to be changed.

once the "proxy" service is running, how can i communicate with it? through SendMessage(), PostThreadMessage(), ControlService()? what access/rights will the users require in order to communicate with it? so far i have successfully created/installed the service and just need to find the best way to send/receive information from another application which is impersonating the currently logged-on user.
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya

0
 
LVL 49

Expert Comment

by:DanRollins
>>once the "proxy" service is running...
Why are you thinking that you need a new service?  All you need to do is communicate with the SCM.  Look at MS SQL: It has a program sqlmangr.exe that lets you start and stop the service.  That program is not a service.  You can also go to a DOS prompt and use the NET STOP command.

-- Dan
0
 

Author Comment

by:deadice
Well, I have the rights to start/stop services on my machine, but the end-users on our network do not. I will not allow them the ability to shutdown ANY service - just a select few - on their workstation and do not wish to create local accounts on each workstation (they need the ability to accomplish this without logging off. su is not an option either). I have a working solution to this now, anyways.
0
 

Author Comment

by:deadice
Since my "proxy" service runs as LocalSystem, it has the ability to start/stop any services.

I pass user-defined control codes using ControlService() to a "proxy" service from a Dialog-based application. The "proxy" service in turn calls SendMessage() with user-defined WM_'s to communicate with the CDialog application for status updates. Works like a charm and is quite an easy solution.
0
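The control-code design described in the comment above, as an added example that is not code from the thread: the proxy maps each user-defined control code (the 128 to 255 range, which a caller needs the SERVICE_USER_DEFINED_CONTROL right on the proxy to send) to one fixed service/action pair, so a client can never name an arbitrary service. The code numbers and the names `lookup_rule` and `apply_rule` are assumptions; SnaBase and Messenger are the services named later in the thread.

```c
#include <stddef.h>

/* Service control codes 128..255 are the user-defined range. */
#define CTL_USER_MIN 128u
#define CTL_USER_MAX 255u

typedef enum { ACT_STOP, ACT_START } action_t;
typedef struct { unsigned code; const char *service; action_t action; } rule_t;

/* Hypothetical code assignments. The client sends only a number;
   the service name always comes from this compiled-in table. */
static const rule_t RULES[] = {
    {128, "SnaBase",   ACT_STOP}, {129, "SnaBase",   ACT_START},
    {130, "Messenger", ACT_STOP}, {131, "Messenger", ACT_START},
};

/* Returns the rule for a control code, or NULL if it is not allowlisted. */
const rule_t *lookup_rule(unsigned long code) {
    if (code < CTL_USER_MIN || code > CTL_USER_MAX) return NULL;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].code == code) return &RULES[i];
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper for the proxy's control handler. A real service
   should hand this to a worker thread instead of blocking the handler. */
DWORD apply_rule(DWORD code) {
    const rule_t *r = lookup_rule(code);
    if (!r) return ERROR_CALL_NOT_IMPLEMENTED;
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return GetLastError();
    /* Request only the single access right this action needs. */
    DWORD want = (r->action == ACT_STOP) ? SERVICE_STOP : SERVICE_START;
    SC_HANDLE svc = OpenServiceA(scm, r->service, want);
    DWORD rc = NO_ERROR;
    SERVICE_STATUS st;
    if (!svc) {
        rc = GetLastError();
    } else {
        BOOL ok = (r->action == ACT_STOP)
                      ? ControlService(svc, SERVICE_CONTROL_STOP, &st)
                      : StartServiceA(svc, 0, NULL);
        if (!ok) rc = GetLastError();
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(scm);
    return rc;
}
#endif
```
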
 
LVL 49

Expert Comment

by:DanRollins
One more thought:  Why not just put the start/stop functionality into the original service?  It just seems like a second service is extra baggage.

-- Dan
0
 

Author Comment

by:deadice
The original services are not of my making: SnaBase and Messenger. I think there would be some copyright infringements if I were to disassemble these services and use hacked code to replace 'em :) Microsoft wouldn't be too happy if they found out nor would I have a career.
0
 
LVL 49

Accepted Solution

by:
DanRollins earned 200 total points
>>nor would I have a career.
lol.  There are plenty of people who would hire somebody with the ability to rewrite snaBase and Messenger starting with only a disassembly.

0
 

Author Comment

by:deadice
yeah, but not with the company i work for now.
0
