SCAcl is a little command line utility to change the security settings for service and driver objects on Windows NT. It works like the file-security command cacls.exe.
SCAcl is Freeware, you can use it for whatever you want - but at your own risk :-)
Services (like the scheduler service or our nice multisession tool NetExec) are, like almost any NT object, securable. The default security settings give Administrators full access and Power-Users the possibility to start and stop the service.
But sometimes it may be necessary, or simply convenient, to let even some normal Users start a particular service:
With SCAcl you can solve these problems.
If you start the tool without any arguments, the output is:
SCAcl 1.0 (Copyright (c) 1999 LoSOFT Softwaretechnik)

USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
                 [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

type scacl.exe /? for help
     scacl.exe /A for more information
The command line options are explained if you use the /? switch:
USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
                 [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

\\MACHINE      SCM address
/S             List also SIDs
/E             modify (not replace) ACL
/Q             Quiet mode
/G User:Mask   Give access
/V             Verbose
/R User        Remove from ACL (/E mode)
/C             Set empty ACL (clear)
/P User:Mask   Replace access (/E mode)
/I             Set standard ACL
/D User:Mask   Deny access
/T [User]      Take ownership

'Mask' can be any combination of the following priviliges:
D - delete the service
C - query the service security
O - change the service security
G - change the configuration
H - query the configuration
L - enumerate dependent services
I - ask the service about its status
P - pause and continue
Q - ask the SCM about the status
S - start the service
E - stop the service
U - invoke user-defined control
F = <all>  - full control over the service
X = CPSEU  - control the service (start, stop, ...)
R = CHLIQ  - get any information about the service
W = CG     - change the service configuration (not security)
User can be the name of a user or group account or a textual sid (security id). Examples are: BUILTIN\Users or S-1-5-32-549. Note that user accounts are looked up on \\MACHINE.
Mask can be any combination of the user rights listed above. Note that there are single access rights (like S for start service or E for stop service) and general access rights (like X for Execute). General access rights are mapped to the listed combination of single access rights.
The passed command switches are evaluated in the following order:
To view the current settings of a service or driver, run SCAcl with just the service name. The /S switch tells SCAcl to also show the SIDs:
M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner: NT-AUTHORITY\SYSTEM (S-1-5-18)
DACL:
00: [RIU] \World (S-1-1-0)
01: [XR] (null)\(null) (S-1-5-32-547)
02: [F] BUILTIN\Administrators (S-1-5-32-544)
03: [F] BUILTIN\Server-Operators (S-1-5-32-549)
04: [XR] NT-AUTHORITY\SYSTEM (S-1-5-18)

M:\Develop\VC\UTIL\SrvSec\Release>
Now we want to give all users except Tom the possibility to start and stop the service. So we add an entry for BUILTIN\Users and a denied entry for Tom. Note the /E switch, which edits the existing ACL instead of replacing it:
M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /E /G BUILTIN\Users:SE /D Tom:SE

Do you really want to apply the new security settings [Yes/No]:
Successfully applied new security settings to service tcpip

M:\Develop\VC\UTIL\SrvSec\Release>
Now the DACL looks like this. Note the minus (-) in front of Tom, which marks an ACCESS_DENIED entry:
M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner: NT-AUTHORITY\SYSTEM (S-1-5-18)
DACL:
00: -[SE] BISTRO\Tom (S-1-5-21-859451957-1360023216-1846434929-1003)
01: [RIU] \World (S-1-1-0)
02: [XR] (null)\(null) (S-1-5-32-547)
03: [F] BUILTIN\Administrators (S-1-5-32-544)
04: [F] BUILTIN\Server-Operators (S-1-5-32-549)
05: [XR] NT-AUTHORITY\SYSTEM (S-1-5-18)
06: [SE] BUILTIN\USERS (S-1-5-32-545)
An unknown user account is shown as (null)\(null). Some of the BUILTIN user accounts are not available on every computer, but they are used in the default DACL of a service object regardless. Use the /S switch to find out the SIDs of the unknown accounts:
S-1-5-32-549 is the SID of the BUILTIN\Server-Operators account, which is enabled only on domain controllers.
S-1-5-32-547 is the SID of the BUILTIN\Power-Users account, which is not available on domain controllers.
In general, all SIDs of the form S-1-5-32-XXX belong to BUILTIN accounts.
If you forget the /E switch, the DACL is replaced instead of modified, and you may lock yourself out of it. Any further command then just returns "Error 0x5: Access denied".
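The mask letters from the /? text and the DACL listing above can be checked offline. The following is an added example, not part of SCAcl: it expands a mask into an access-mask integer (the letter meanings follow the help text; mapping them onto the Win32 SERVICE_* constants is an assumption), parses the DACL lines as SCAcl prints them, and walks the entries in order to show why Tom can still query the service but no longer start or stop it. The abridged DACL and the second user's SID are constructed.

```python
import re
# SCAcl mask letters -> access-mask bits. Letter meanings follow the /? text above;
# mapping them onto the standard Win32 SERVICE_* constants is an assumption.
SINGLE = {"D": 0x10000, "C": 0x20000, "O": 0x40000,   # DELETE, READ_CONTROL, WRITE_DAC
          "H": 0x1, "G": 0x2, "Q": 0x4, "L": 0x8,      # QUERY_CONFIG, CHANGE_CONFIG, QUERY_STATUS, ENUM_DEPENDENTS
          "S": 0x10, "E": 0x20, "P": 0x40, "I": 0x80,  # START, STOP, PAUSE_CONTINUE, INTERROGATE
          "U": 0x100}                                  # USER_DEFINED_CONTROL
GENERIC = {"X": "CPSEU", "R": "CHLIQ", "W": "CG", "F": "".join(SINGLE)}

def mask_to_bits(mask):
    """Expand an SCAcl mask such as 'SE' or 'XR' into an access-mask integer."""
    bits = 0
    for ch in mask.upper():
        for single in GENERIC.get(ch, ch):
            bits |= SINGLE[single]   # KeyError on a letter SCAcl does not define
    return bits

# One DACL line of 'scacl service /S' output, e.g. "00: -[SE] BISTRO\Tom (S-1-5-21-...)"
ACE_RE = re.compile(r"^\s*\d+:\s*(-?)\[([A-Z]+)\]\s+(\S+)\s+\((S-[\d-]+)\)")

def parse_dacl(text):
    """Return (is_deny, bits, account, sid) tuples in the order SCAcl lists them."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1) == "-", mask_to_bits(m.group(2)), m.group(3), m.group(4)))
    return aces

def effective_access(aces, token_sids):
    """Walk ACEs in order: a deny that matches first blocks those bits for later allows (NT semantics)."""
    granted = denied = 0
    for is_deny, bits, _account, sid in aces:
        if sid in token_sids:
            if is_deny:
                denied |= bits & ~granted
            else:
                granted |= bits & ~denied
    return granted

# Constructed (abridged) sample: the DACL shown after /E /G BUILTIN\Users:SE /D Tom:SE.
SAMPLE = r"""00: -[SE] BISTRO\Tom (S-1-5-21-859451957-1360023216-1846434929-1003)
01: [RIU] \World (S-1-1-0)
02: [XR] (null)\(null) (S-1-5-32-547)
03: [F] BUILTIN\Administrators (S-1-5-32-544)
06: [SE] BUILTIN\USERS (S-1-5-32-545)"""
# Token SIDs: the user's own SID plus Everyone and Users. The second user's SID is constructed.
TOM = {"S-1-5-21-859451957-1360023216-1846434929-1003", "S-1-1-0", "S-1-5-32-545"}
OTHER_USER = {"S-1-5-21-859451957-1360023216-1846434929-1004", "S-1-1-0", "S-1-5-32-545"}
```

Because the deny entry precedes the BUILTIN\Users allow, `effective_access(parse_dacl(SAMPLE), TOM)` has neither the S nor the E bit set, while any other member of Users gets both.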
If this happens, you should take ownership of the object and restore the standard DACL:
scacl.exe \\AMARETTO tcpip /T /I
The newest version is always available at http://www.losoft.de/
Please feel free to send comments, questions and donations :-) to:
LoSOFT Softwaretechnik
Daniel Lohmann
Rheinstr. 34
D-56068 Koblenz
Germany