Service Security and Access Rights

The Windows security model enables you to control access to the service control manager (SCM) and service objects. The following sections provide detailed information:

Access Rights for the Service Control Manager

The following are the specific access rights for the SCM.

Access right Description
SC_MANAGER_ALL_ACCESS (0xF003F) Includes STANDARD_RIGHTS_REQUIRED, in addition to all access rights in this table.
SC_MANAGER_CREATE_SERVICE (0x0002) Required to call the CreateService function to create a service object and add it to the database.
SC_MANAGER_CONNECT (0x0001) Required to connect to the service control manager.
SC_MANAGER_ENUMERATE_SERVICE (0x0004) Required to call the EnumServicesStatus or EnumServicesStatusEx function to list the services that are in the database.
Required to call the NotifyServiceStatusChange function to receive notification when any service is created or deleted.
SC_MANAGER_LOCK (0x0008) Required to call the LockServiceDatabase function to acquire a lock on the database.
SC_MANAGER_MODIFY_BOOT_CONFIG (0x0020) Required to call the NotifyBootConfigStatus function.
SC_MANAGER_QUERY_LOCK_STATUS (0x0010) Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.

The following are the generic access rights for the SCM.

Access right Description
GENERIC_READ
STANDARD_RIGHTS_READ
SC_MANAGER_ENUMERATE_SERVICE
SC_MANAGER_QUERY_LOCK_STATUS
GENERIC_WRITE
STANDARD_RIGHTS_WRITE
SC_MANAGER_CREATE_SERVICE
SC_MANAGER_MODIFY_BOOT_CONFIG
GENERIC_EXECUTE
STANDARD_RIGHTS_EXECUTE
SC_MANAGER_CONNECT
SC_MANAGER_LOCK
GENERIC_ALL
SC_MANAGER_ALL_ACCESS

A process with the correct access rights can open a handle to the SCM that can be used in the OpenService, EnumServicesStatusEx, and QueryServiceLockStatus functions. Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions.

The system creates the security descriptor for the SCM. To get or set the security descriptor for the SCM, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions with a handle to the SCManager object.

Windows Server 2003 and Windows XP: Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 with Service Pack 1 (SP1).

The following access rights are granted.

Account Access rights
Remote authenticated users
SC_MANAGER_CONNECT
Local authenticated users (including LocalService and NetworkService)
SC_MANAGER_CONNECT
SC_MANAGER_ENUMERATE_SERVICE
SC_MANAGER_QUERY_LOCK_STATUS
STANDARD_RIGHTS_READ
LocalSystem
SC_MANAGER_CONNECT
SC_MANAGER_ENUMERATE_SERVICE
SC_MANAGER_MODIFY_BOOT_CONFIG
SC_MANAGER_QUERY_LOCK_STATUS
STANDARD_RIGHTS_READ
Administrators
SC_MANAGER_ALL_ACCESS

Notice that remote users authenticated over the network but not interactively logged on can connect to the SCM but not perform operations that require other access rights. To perform these operations, the user must be logged on interactively or the service must use one of the service accounts.

Windows Server 2003 and Windows XP: Remote authenticated users are granted the SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS, and STANDARD_RIGHTS_READ access rights. These access rights are restricted as described in the previous table as of Windows Server 2003 with SP1

When a process uses the OpenSCManager function to open a handle to a database of installed services, it can request access rights. The system performs a security check against the security descriptor for the SCM before granting the requested access rights.

Access Rights for a Service

The following are the specific access rights for a service.

Access right Description
SERVICE_ALL_ACCESS (0xF01FF) Includes STANDARD_RIGHTS_REQUIRED in addition to all access rights in this table.
SERVICE_CHANGE_CONFIG (0x0002) Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators.
SERVICE_ENUMERATE_DEPENDENTS (0x0008) Required to call the EnumDependentServices function to enumerate all the services dependent on the service.
SERVICE_INTERROGATE (0x0080) Required to call the ControlService function to ask the service to report its status immediately.
SERVICE_PAUSE_CONTINUE (0x0040) Required to call the ControlService function to pause or continue the service.
SERVICE_QUERY_CONFIG (0x0001) Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
SERVICE_QUERY_STATUS (0x0004) Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service.
Required to call the NotifyServiceStatusChange function to receive notification when a service changes status.
SERVICE_START (0x0010) Required to call the StartService function to start the service.
SERVICE_STOP (0x0020) Required to call the ControlService function to stop the service.
SERVICE_USER_DEFINED_CONTROL(0x0100) Required to call the ControlService function to specify a user-defined control code.

The following are the standard access rights for a service.

Access right Description
ACCESS_SYSTEM_SECURITY Required to call the QueryServiceObjectSecurity or SetServiceObjectSecurity function to access the SACL. The proper way to obtain this access is to enable the SE_SECURITY_NAMEprivilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
DELETE (0x10000) Required to call the DeleteService function to delete the service.
READ_CONTROL (0x20000) Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
WRITE_DAC (0x40000) Required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object's security descriptor.
WRITE_OWNER (0x80000) Required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's security descriptor.

The following are the generic access rights for a service.

Access right Description
GENERIC_READ
STANDARD_RIGHTS_READ
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
GENERIC_WRITE
STANDARD_RIGHTS_WRITE
SERVICE_CHANGE_CONFIG
GENERIC_EXECUTE
STANDARD_RIGHTS_EXECUTE
SERVICE_START
SERVICE_STOP
SERVICE_PAUSE_CONTINUE
SERVICE_USER_DEFINED_CONTROL

The SCM creates a service object's security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.

Account Access rights
Remote authenticated users Not granted by default.Windows Server 2003 with SP1: SERVICE_USER_DEFINED_CONTROL
Windows Server 2003 and Windows XP: The access rights for remote authenticated users are the same as for local authenticated users.
Local authenticated users (including LocalService and NetworkService)
READ_CONTROL
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_INTERROGATE
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_USER_DEFINED_CONTROL
LocalSystem
READ_CONTROL
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_INTERROGATE
SERVICE_PAUSE_CONTINUE
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
Administrators
DELETE
READ_CONTROL
SERVICE_ALL_ACCESS
WRITE_DAC
WRITE_OWNER

To perform any operations, the user must be logged on interactively or the service must use one of the service accounts.

To get or set the security descriptor for a service object, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions. For more information, see Modifying the DACL for a Service.

When a process uses the OpenService function, the system checks the requested access rights against the security descriptor for the service object.

Granting certain access rights to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possibly allow them to run applications under the LocalSystem account.

When EnumServicesStatusEx function is called, if the caller does not have the SERVICE_QUERY_STATUS access right to a service, the service is silently omitted from the list of services returned to the client.