Solved

MFC solution to stop/start services

Posted on 2002-04-15
Last Modified: 2013-11-20
Right now our domain user accounts default to membership in the local Users group; however, they need the ability to start/stop some Windows 2000 services, such as SNA. Since this requires administrative rights, I was wondering if it would be possible to run another service with administrative rights which the users can access in order to start/stop these services. This would need to be an MFC/WIN32 solution, perhaps cli/srv model in design: a GUI interface to communicate with the custom service and the custom service will have the ability to start/stop selected services. Is this possible or is there another way to accomplish this?
Question by:deadice
13 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6942261
Three possible solutions:

1) Make users who need to do this members of the local admins group.

2) Change the permissions on the specific services in question to permit specified users or groups to control them.

3) Create a service that can manage these other services on unprivileged users' behalf.

I prefer #3 even though it's more work.  Either of the first two defeats the purpose of service security.

It's not a problem to have a service with a GUI or to write a GUI app that just communicates with the service controlling service.  Whatever fits best with your approach.  I'd probably lean toward a separate GUI that talks to the service.  I like to compartmentalize the things.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6943043
Another alternative might be to use the LogonUser() API to get an access token for an admin-level user, then use ImpersonateLoggedOnUser() to make calls into OpenSCManager, OpenService, and ControlService.

I have not tried this, but it seems reasonable.

-- Dan
0
 
LVL 32

Expert Comment

by:jhance
ID: 6943151
Of course to use LogonUser() you must have the password of the user you want to logon as. To use ImpersonateLoggedOnUser() you must have that user's access token (which also requires a password to get) and so you either must give these users the admin password (BAD) or embed the admin password into the application (WORSE).

Frankly, I don't think that is a viable solution.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6943214
>>or embed the admin password into the application (WORSE).

If the program does a very limited number of things (e.g., stop a particular service), why is it so bad?  Of course, I assume that anyone concerned with security would do at least a simple encrypt of the username and password so that a casual user with a hex editor couldn't see these in clear text.  That goes without saying.

Also, the user who gets impersonated can be set to have very few privileges other than stopping and starting Services, so that even if a trusted employee hacked the password by looking in the EXE, locating the string constant, and decrypting it, he would end up with the ability to do what the program allows him to do (much more easily) anyway.

-- Dan
0
 

Author Comment

by:deadice
ID: 6943692
yeah, i wouldn't embed admin passwords in an app for any reason. too risky, for one, and inefficient if the pwd ever needs to be changed.

once the "proxy" service is running, how can i communicate with it? through SendMessage(), PostThreadMessage(), ControlService()? what access/rights will the users require in order to communicate with it? so far i have successfully created/installed the service and just need to find the best way to send/receive information from another application which is impersonating the currently logged-on user.
0
 
LVL 14

Expert Comment

by:sudhakar_koundinya
ID: 6944395

0
 
LVL 49

Expert Comment

by:DanRollins
ID: 6945763
>>once the "proxy" service is running...
Why are you thinking that you need a new service?  All you need to do is communicate with the SCM.  Look at MS SQL: It has a program sqlmangr.exe that lets you start and stop the service.  That program is not a service.  You can also go to a DOS prompt and use the NET STOP command.

-- Dan
0
 

Author Comment

by:deadice
ID: 6948759
Well, I have the rights to start/stop services on my machine, but the end-users on our network do not. I will not allow them the ability to shutdown ANY service - just a select few - on their workstation and do not wish to create local accounts on each workstation (they need the ability to accomplish this without logging off. su is not an option either). I have a working solution to this now, anyways.
0
 

Author Comment

by:deadice
ID: 6948794
Since my "proxy" service runs as LocalSystem, it has the ability to start/stop any services.

I pass user-defined control codes using ControlService() to a "proxy" service from a Dialog-based application. The "proxy" service in turn calls SendMessage() with user-defined WM_'s to communicate with the CDialog application for status updates. Works like a charm and is quite an easy solution.
0
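The proxy design described in the post above, sketched as an added example (not code from the thread): the LocalSystem service maps each user-defined control code to one fixed service and action, so an unprivileged caller can never name an arbitrary service. The code numbers and the names `lookup_rule` and `handle_control` are assumptions; the Win32 calls are compiled only on Windows.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef enum { ACT_STOP, ACT_START } action_t;
typedef struct { unsigned code; const char *service; action_t action; } rule_t;

/* Hypothetical code assignments (user-defined control codes are 128..255).
   The service names are the two mentioned in the thread. */
static const rule_t RULES[] = {
    {128, "SnaBase",   ACT_STOP}, {129, "SnaBase",   ACT_START},
    {130, "Messenger", ACT_STOP}, {131, "Messenger", ACT_START},
};

/* Map a control code to an allowlisted (service, action), or NULL. */
const rule_t *lookup_rule(unsigned code) {
    if (code < 128 || code > 255) return NULL;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].code == code) return &RULES[i];
    return NULL;
}

/* Returns 0 = done, -1 = code not allowlisted, -2 = SCM call failed. */
int handle_control(unsigned code) {
    const rule_t *r = lookup_rule(code);
    if (!r) return -1;
#ifdef _WIN32
    int rc = -2;
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return rc;
    DWORD want = (r->action == ACT_STOP) ? SERVICE_STOP : SERVICE_START;
    SC_HANDLE svc = OpenServiceA(scm, r->service, want); /* one right only */
    if (svc) {
        SERVICE_STATUS st;
        BOOL ok = (r->action == ACT_STOP)
            ? ControlService(svc, SERVICE_CONTROL_STOP, &st)
            : StartServiceA(svc, 0, NULL);
        if (ok) rc = 0;
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(scm);
    return rc;
#else
    return 0; /* non-Windows build: allowlist decision only, no SCM call */
#endif
}
```

To send these codes a caller needs a handle to the proxy service opened with SERVICE_USER_DEFINED_CONTROL, so the proxy's own service ACL decides who may use it. Run `handle_control` from a worker thread rather than inside the control handler so the handler returns promptly.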
 
LVL 49

Expert Comment

by:DanRollins
ID: 6948977
One more thought:  Why not just put the start/stop functionality into the original service?  It just seems like a second service is extra baggage.

-- Dan
0
 

Author Comment

by:deadice
ID: 6961819
The original services are not of my making: SnaBase and Messenger. I think there would be some copyright infringements if I were to disassemble these services and use hacked code to replace 'em :) Microsoft wouldn't be too happy if they found out nor would I have a career.
0
 
LVL 49

Accepted Solution

by:
DanRollins earned 200 total points
ID: 6962137
>>nor would I have a career.
lol.  There are plenty of people who would hire somebody with the ability to rewrite snaBase and Messenger starting with only a disassembly.

0
 

Author Comment

by:deadice
ID: 7007001
yeah, but not with the company i work for now.
0
