Windows 2003 Service


Guest

Is there a specific process or permissions that must be granted to get a .NET
(framework 1.4) Windows Service to run properly on a Windows 2003 Server?

I built a Windows Service to start two local programs (Putty and Pageant)
located on a Win 2003 Server. The service installs but doesn't start the
Putty / Pageant programs properly when using any user ID except my own. Why
will it work with my User ID? I install the Windows Service on a Win 2000
machine and the service works fine with the local administrator account I
set up. I set the same user on the Win 2003 Server and the service doesn't
start the programs properly. I know there are a bunch of variables between
the 2 operating systems and programs. Most of what I have found is Win 2003
needs permissions granted to certain functions and no longer grants them out
of the box. I'm trying to find out what those permissions are and the
differences.

Thank you,
 

Kevin Yu [MSFT]

Hi Chis,

First of all, I would like to confirm my understanding of your issue. From
your description, I understand that you are having a problem starting a
Windows service on Windows 2003 Server. If there is any misunderstanding,
please feel free to let me know.

There is a minor difference in the LocalSystem account between Windows 2000
and Windows 2003. The Windows 2000 LocalSystem account doesn't have the
SE_TCB_NAME privilege. In Windows 2000, the process calling LogonUser requires
the SE_TCB_NAME privilege. If the calling process does not have this privilege,
LogonUser fails and GetLastError returns ERROR_PRIVILEGE_NOT_HELD.

However, I think if you try to use an administrator account to start the
server, the above privilege doesn't matter. If it doesn't start, are there
any error messages?

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 

UAError

cd said:
Is there a specific process or permissions that must be granted to get a .NET
(framework 1.4) Windows Service to run properly on a Windows 2003 Server?

I built a Windows Service to start two local programs (Putty and Pageant)
located on a Win 2003 Server. The service installs but doesn't start the
Putty / Pageant programs properly when using any user ID except my own. Why
will it work with my User ID? I install the Windows Service on a Win 2000
machine and the service works fine with the local administrator account I
set up. I set the same user on the Win 2003 Server and the service doesn't
start the programs properly. I know there are a bunch of variables between
the 2 operating systems and programs. Most of what I have found is Win 2003
needs permissions granted to certain functions and no longer grants them out
of the box. I'm trying to find out what those permissions are and the
differences.

Thank you,

Your best bet is to create a special account for your
service and the programs it spawns. You really shouldn't be
running a service with the administrators account.

- Enable security auditing on the machine.

- Create a special (unprivileged) account for your service.

- Test the programs that the service spawns under that
account. Security auditing should indicate the missing
privileges. Add each privilege in turn.

- Not all problems are related to privileges, sometimes it's
an issue with the Discretionary Access Control Lists (DACL,
or sometimes even just ACL). For that you'll have to get and
install FileMon (for file accesses) and RegMon (for registry
accesses) - that should help you identify the problem
file(s) and registry entries.

- Once your programs run fine, set the service up to use that
account. Depending on "how" you do things in your service
you may need to add further privileges or tweak some more
File/Registry ACLs.

- Once you've got everything running, shut down FileMon, RegMon
and disable Security Auditing (or set it to a more suitable
configuration). DOCUMENT the privileges and ACL changes
needed to make it work for the next administrator to come
along.

- In the future develop under an account that is set up
according to the least privilege principle - that way you
will be alerted early to any problems that third party
components or your own code is causing.



How To Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549
(Shouldn't be too different for 2003)

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml

RegMon
http://www.sysinternals.com/ntw2k/source/regmon.shtml



Defend Your Code with Top Ten Security Tips Every Developer
Must Know
http://msdn.microsoft.com/msdnmag/issues/02/09/securitytips/default.aspx

Developing Software in Visual Studio .NET with
Non-Administrative Privileges
http://msdn.microsoft.com/library/d...studionetwithnon-administrativeprivileges.asp

Secure Coding Practices: Running with Least Privileges in
Windows
http://www.codeproject.com/tips/runas.asp

How To: Secure Your Developer Workstation
http://msdn.microsoft.com/security/...l=/library/en-us/dnnetsec/html/htworkstat.asp

The Challenge of Least Privilege
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure06112002.asp
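
Added example, not part of any post in this thread and not the original poster's code: a C# helper the service could call for each child program, logging the account it really runs as and the Win32 error or early exit code, so each failure can be matched against the Security audit, FileMon and RegMon output recommended above. The class name, the event source name and the three-second wait are assumptions.

```csharp
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

// Hypothetical helper (not from the thread) for use in the service's OnStart.
public class ChildLauncher
{
    // Assumed event source name. Register it at install time: an unprivileged
    // service account cannot create a new event source on first use.
    const string Source = "LauncherService";

    // Starts one program; returns the Process, or null if it failed or exited early.
    public static Process Launch(string exePath, string arguments)
    {
        // Account the service actually runs as, to match against audit events.
        string account = WindowsIdentity.GetCurrent().Name;
        ProcessStartInfo psi = new ProcessStartInfo(exePath, arguments);
        psi.UseShellExecute = false; // direct CreateProcess, so Win32 errors surface
        psi.WorkingDirectory = Path.GetDirectoryName(exePath);
        try
        {
            Process p = Process.Start(psi);
            // A child that exits at once never became usable; record its exit code.
            if (p.WaitForExit(3000)) // assumed grace period: 3 seconds
            {
                Log(EventLogEntryType.Warning, exePath + " exited early, code "
                    + p.ExitCode + ", account " + account);
                return null;
            }
            Log(EventLogEntryType.Information, "Started " + exePath
                + " (PID " + p.Id + ") as " + account);
            return p;
        }
        catch (Win32Exception ex)
        {
            // NativeErrorCode is the GetLastError value, for example 2 = ERROR_FILE_NOT_FOUND,
            // 5 = ERROR_ACCESS_DENIED, 1314 = ERROR_PRIVILEGE_NOT_HELD.
            Log(EventLogEntryType.Error, "Cannot start " + exePath + " as " + account
                + ": Win32 error " + ex.NativeErrorCode + " (" + ex.Message + ")");
            return null;
        }
    }

    static void Log(EventLogEntryType type, string message)
    {
        EventLog.WriteEntry(Source, message, type);
    }
}
```

An access-denied error points at file or registry ACLs, while a privilege-not-held error points at a user right missing from the service account.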
 
