SCAcl is a little command line utility to change the security settings for service and driver objects on Windows NT. It works like the file-security command cacls.exe.

SCAcl is Freeware, you can use it for whatever you want - but on your own risk :-)

The Problem

Services (like the scheduler service or our nice multisession tool NetExec) are, as almost any object, securable. The default security settings give Administrators full access and Power-Users the possibility to start and stop the service.

But sometimes it may be neccessary, or nice, to let even some normal Users start a special service:

With SCAcl you can solve these problems.

Synopis

If you start the tool without any arguments, the output is:

SCAcl 1.0 (Copyright (c) 1999 LoSOFT Softwaretechnik)
USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
       [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

type   scacl.exe /?    for help
       scacl.exe /A    for more information

The command line options are explained if you use the /? switch:

USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
       [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

  \\MACHINE      SCM address                 /S         List also SIDs
  /E             modify (not replace) ACL    /Q         Quiet mode
  /G User:Mask   Give access                 /V         Verbose
  /R User        Remove from ACL(/E mode)    /C         Set empty ACL (clear)
  /P User:Mask   Replace access (/E mode)    /I         Set standard ACL
  /D User:Mask   Deny access                 /T [User]  Take ownership


'Mask' can be any combination of the following priviliges:
    D - delete the service                 C - query the service security
    O - change the service security        G - change the configuration
    H - query the configuration            L - enumerate dependent services
    I - ask the service about its status   P - pause and continue
    Q - ask the SCM about the status       S - start the service
    E - stop the service                   U - invoke user-defined control
    F =  <all> - full control over the service
    X =  CPSEU - control the service (start, stop, ...)
    R =  CHLIQ - get any information about the service
    W =     CG - change the service configuration (not security)

User can be the name of a user or group account or a textual sid (security id). Examples are: BUILTIN\Users or S-1-5-32-549. Note that user accounts are looked up on \\MACHINE.

Mask can be any combination of the user rights listed above. Note that there are single access rights (like S for start service or E for stop service) and general access rights (like X for Execute). General access rights are mapped to the listed combination of single access rights.

 

Order of command evaluation

The passed command switches are evaluated in the following order:

  1. /Q - quiet. All following commands will be executed without confirmation.
  2. /T - take ownership. BUILTIN\Administrators will be the new owner of the object.
  3. /I - restore standard DACL. This is the DACL used by the system if it installs a service. Use this switch to restore standard security settings. All following commands work on this as the current services DACL
  4. /E - edit dacls. You should probably always pass this parameter. If not, the current service DACL will be replaced by your new one.
  5. /V - verbose. The current DACL will be printed out.
  6. /R - remove. All users access entries will be removed from the DACL. This is also true for ACCESS_DENIED entries. The /R command can only be used in /E mode.
  7. /P - replace. The current access mask of the user will be replaced by this new one. This is also true for ACCESS_DENIED entries. If the user has no access entry in the DACL, a new entry will be added. The /P command can only be used in /E mode.
  8. /G - give access. Add an entry that gives user the specified access.
  9. /D - deny access. Insert an entry that denies the specified access to the user. Note that ACCESS_DENIED entries are always inserted at the top of the DACL. If you view a service DACL, they are shown by a leading minus sign ("-") in front of the access mask.
  10. /O - set owner. The user will become owner of the service object.

Using SCAcl.exe

To view the current settings of a service or driver. The /S switch tells SCAcl to show also the SIDs:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner:     NT-AUTHORITY\SYSTEM (S-1-5-18)

DACL:
  00:  [RIU]     \World (S-1-1-0)
  01:  [XR]      (null)\(null) (S-1-5-32-547)
  02:  [F]       BUILTIN\Administrators (S-1-5-32-544)
  03:  [F]       BUILTIN\Server-Operators (S-1-5-32-549)
  04:  [XR]      NT-AUTHORITY\SYSTEM (S-1-5-18)

M:\Develop\VC\UTIL\SrvSec\Release>

Now we want to give all users, but Tom, the possibility to start and stop the service. So we add an entry for BUILTIN\Users and a denied entry for Tom. Note the /E - switch for editing:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /E /G BUILTIN\Use
	rs:SE /D Tom:SE
Do you really want to apply the new security settings [Yes/No]:
Successfully applied new security settings to service tcpip
M:\Develop\VC\UTIL\SrvSec\Release>

Now the DACL looks like this. Note the minus (-) in front of Tom, that signals an ACCESS_DENIED entry:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner:     NT-AUTHORITY\SYSTEM (S-1-5-18)

DACL:
  00: -[SE]      BISTRO\Tom
                 (S-1-5-21-859451957-1360023216-1846434929-1003)
  01:  [RIU]     \World (S-1-1-0)
  02:  [XR]      (null)\(null) (S-1-5-32-547)
  03:  [F]       BUILTIN\Administrators (S-1-5-32-544)
  04:  [F]       BUILTIN\Server-Operators (S-1-5-32-549)
  05:  [XR]      NT-AUTHORITY\SYSTEM (S-1-5-18)
  06:  [SE]      BUILTIN\USERS (S-1-5-32-545)

Unknown user accounts?

An unknown user account is shown as (null)\(null) Some of the BUILTIN user accounts are not available on every computer. But regardless, they are used in the default DACL of a service object. User the /S switch to find out the Sids for the unknown accounts:

S-1-5-32-549 is the SID of the BUILTIN\Server-Operators account, which is enabled only on domain controllers.

S-1-5-32-547 is the SID of the BUILTIN\Power-Users account, which is not available on domain controllers.

General, all sids of the form S-1-5-32-XXX are used by BUILTIN accounts.

Lost control?

If you forget the /E switch it may happen, that you kicked yourself out of the DACL. Any further command then just returns an "Error 0x5: Access denied".

If this happens, you should take ownership of the object and restore the standard DACL:

scacl.exe \\AMARETTO tcpip /T /I

Newest Version

The newest version is always available at http://www.losoft.de/

The Author

Please feel free to send comments, questions and donations :-) to:

LoSOFT Softwaretechnik
Daniel Lohmann
Rheinstr. 34
D-56068 Koblenz
Germany

daniel@losoft.de