Samus-Aran
Hi!
So our monitoring system (Nagios) needs to be able to query Windows services information on our servers with WMI. Got the WMI permissions right, but I also need to add permissions on the services themselves.
Thought this did it!:
sc sdset SCMANAGER D:(A;;GR;;;S-1-5-21-2891139286-2897928684-3220045268-26198)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
After adding my group SID on this fake service "scmanager" I can successfully query service status and startup mode for about 1/3 of all services.
I have compared the services and my conclusion is that the permission that differs is this one:
(A;;CR;;;AU) <-- Not Allowed to query. Example VSS
(A;;CCLCSWLORC;;;AU) <-- Allowed to query. Example DHCP client
So on some services, "Authenticated Users" have more permissions than on other services.
The question is, can I somehow make all services inherit some specific permissions? I don't want to add it to every single service but I want it to be inherited, otherwise new services won't be affected.
I really don't want to create an account that is administrator on all servers and then put that account with password in clear text on our monitoring server!
Thanks!
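
To show what the two ACEs compared in the post actually grant, here is an added example (not part of the original post) that decodes a service DACL in SDDL form and reports which rights needed for reading status and start mode are missing for a given set of SIDs. The function names, the `NEEDED` mapping and the one-ACE sample descriptors are assumptions constructed for illustration; real `sc sdshow` output carries more ACEs.

```python
import re

# SDDL rights tokens as they apply to service objects, with their mask bits.
TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000,
          "GR": 0x2008D,   # generic read as mapped for services
          "GA": 0xF01FF}   # SERVICE_ALL_ACCESS
# Assumption: status needs QUERY_STATUS (LC), start mode needs QUERY_CONFIG (CC).
NEEDED = {0x4: "SERVICE_QUERY_STATUS", 0x1: "SERVICE_QUERY_CONFIG"}

def ace_mask(rights):
    """Convert an ACE rights field (token pairs or 0x hex) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for tok in re.findall("..?", rights):
        if tok not in TOKENS:
            raise ValueError(f"unmapped rights token {tok!r} in {rights!r}")
        mask |= TOKENS[tok]
    return mask

def missing_rights(sddl, token_sids):
    """Names of NEEDED rights the DACL grants to none of the SIDs in token_sids."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    allow = deny = 0
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            allow |= ace_mask(rights)
        elif ace_type == "D":
            deny |= ace_mask(rights)
    granted = allow & ~deny  # simplification: any matching deny ACE wins
    return sorted(name for bit, name in NEEDED.items() if not granted & bit)

# Constructed samples: only the single AU ACE quoted in the post for each service.
VSS_SAMPLE = "D:(A;;CR;;;AU)"
DHCP_SAMPLE = "D:(A;;CCLCSWLORC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("VSS", VSS_SAMPLE), ("DHCP client", DHCP_SAMPLE)):
        print(name, "missing for AU:", missing_rights(sddl, {"AU"}) or "nothing")
```

`CR` is only SERVICE_USER_DEFINED_CONTROL, so an ACE like the VSS one gives Authenticated Users neither query right, while the DHCP client ACE includes both `CC` and `LC`.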