Use Security Descriptor Definition Language to control services

The ability to control services is secured through Access Control Lists (ACLs). It is possible to reduce rights to certain applications that typically control services, but a more appropriate way is to adjust the security on the required services themselves; this prevents users from controlling services. Also, this prevents NET Stop commands, or any process that leverages the Service Control API from executing.

Local Security Solution (LSS) inventories services and their security settings, and also allows you to set the security on services using a Service Configuration client task. Security Descriptors are generally represented as Security Descriptor Definition Language (SDDL), and LSS uses SDDL for user-defined Security Descriptors. (For more information on SDDL, search "SDDL" on Microsoft's Technet, or go to the blog post The Security Descriptor Definition Language of Love).

SDDL examples

Service SDDL includes the following attributes:

CC - SERVICE_QUERY_CONFIG -- asks the SCM for the service's current configuration
LC - SERVICE_QUERY_STATUS -- asks the SCM for the service's current status
SW - SERVICE_ENUMERATE_DEPENDENTS -- lists dependent services
RP - SERVICE_START -- starts the service
WP - SERVICE_STOP -- stops the service
DT - SERVICE_PAUSE_CONTINUE -- pauses or continues the service
LO - SERVICE_INTERROGATE -- asks the service its current status
CR - SERVICE_USER_DEFINED_CONTROL -- sends a service control defined by the service's authors
RC - READ_CONTROL -- reads the security descriptor on this service.

A typical example of a Service Security SDDL is:

O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Breaking this example down, the two ACEs we are interested in are the Administrators (ends with BA), and Power Users (ends with PU):

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Remove the ability to start (if desired), stop and pause services (from the above list, those are RP, WP and DT respectively). Another best practice is adding CR. The modified ACEs are then:

(A;;CCDCLCSWLOSDRCWDWO;;;BA)
(A;;CCLCSWLORC;;;PU)

The desired SDDL is then:

O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;IU)(A;;CCLCSWLORC;;;SU)(A;;CCLCSWLORC;;;PU)

This example SDDL creates a user-defined security descriptor, which can then be used by the "Set Windows Service Configuration" client task.

Kill service processes

Preventing the ability to kill services is a bit more problematic, because this ability is controlled by security ACLs on the target process which Administrators typically have rights to. The Debug privilege also allows (indirectly) the killing of a process. And while it is possible to disable Administrative and Debug privileges on certain processes (such as TaskMgr.exe, or kill.exe) this won't stop advanced users from being able to kill a process by other means, such as a custom program.

Security Descriptor Definition Language aliases

The following table contains a list of SDDL aliases.

"AO"	SDDL_ACCOUNT_OPERATORS	Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"RU"	SDDL_ALIAS_PREW2KCOMPACC	Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"AN"	SDDL_ANONYMOUS	Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AU"	SDDL_AUTHENTICATED_USERS	Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"	SDDL_BUILTIN_ADMINISTRATORS	Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"	SDDL_BUILTIN_GUESTS	Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"	SDDL_BACKUP_OPERATORS	Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"	SDDL_BUILTIN_USERS	Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"	SDDL_CERT_SERV_ADMINISTRATORS	Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CD"	SDDL_CERTSVC_DCOM_ACCESS	Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP.
"CG"	SDDL_CREATOR_GROUP	Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CO"	SDDL_CREATOR_OWNER	Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"DA"	SDDL_DOMAIN_ADMINISTRATORS	Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"	SDDL_DOMAIN_COMPUTERS	Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"	SDDL_DOMAIN_DOMAIN_CONTROLLERS	Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"	SDDL_DOMAIN_GUESTS	Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"	SDDL_DOMAIN_USERS	Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"	SDDL_ENTERPRISE_ADMINS	Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"	SDDL_ENTERPRISE_DOMAIN_CONTROLLERS	Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"RO"	SDDL_ENTERPRISE_RO_DCs	Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS.
"WD"	SDDL_EVERYONE	Everyone. The corresponding RID is SECURITY_WORLD_RID.
"PA"	SDDL_GROUP_POLICY_ADMINS	Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"IU"	SDDL_INTERACTIVE	Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.
"LA"	SDDL_LOCAL_ADMIN	Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"	SDDL_LOCAL_GUEST	Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"	SDDL_LOCAL_SERVICE	Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"SY"	SDDL_LOCAL_SYSTEM	Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"NU"	SDDL_NETWORK	Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"LW"	SDDL_ML_LOW	Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID.
"ME"	SDDL_MLMEDIUM	Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID.
"HI"	SDDL_ML_HIGH	High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID.
"SI"	SDDL_ML_SYSTEM	System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID.
"NO"	SDDL_NETWORK_CONFIGURATION_OPS	Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"	SDDL_NETWORK_SERVICE	Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"PO"	SDDL_PRINTER_OPERATORS	Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"	SDDL_PERSONAL_SELF	Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"	SDDL_POWER_USERS	Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RS"	SDDL_RAS_SERVERS	RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RD"	SDDL_REMOTE_DESKTOP	Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"	SDDL_REPLICATOR	Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RC"	SDDL_RESTRICTED_CODE	Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.
"SA"	SDDL_SCHEMA_ADMINISTRATORS	Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SO"	SDDL_SERVER_OPERATORS	Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SU"	SDDL_SERVICE	Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.