If you have a Windows Service that you wish to secure so that only a couple of users can start and stop theis service then you will need to edit the services DACL to complete this operation.
NOTICE : This process chnaged the DACL on the Service, please do not use this command without understand what you are doing!
WARNING: If you RESET the DACLs on a Service you cannot restore them to their defaults as you have removed the "revoked" users from the DACLs,
SetACL Permissions
***
read
start_stop
full
Add the Group/User Required
******
setacl -on "\computerservice" -ot srv -actn ace -ace "n : domainuser ; p :start_stop"
Failsafe Groups/Users Already in List
*******
setacl -on "\computerservice" -ot srv -actn ace -ace "n : domainuser ; p :read"
Revoke Groups/Users Already in List
*********
setacl -on "\computerservice" -ot srv -actn ace -ace "n:system; p :read"
setacl -on "\computerservice" -ot srv -actn ace -ace "n:administrators; p :read"
NOTICE : This process chnaged the DACL on the Service, please do not use this command without understand what you are doing!
WARNING: If you RESET the DACLs on a Service you cannot restore them to their defaults as you have removed the "revoked" users from the DACLs,
SetACL Permissions
***
read
start_stop
full
Add the Group/User Required
******
setacl -on "\computerservice" -ot srv -actn ace -ace "n : domainuser ; p :start_stop"
Failsafe Groups/Users Already in List
*******
setacl -on "\computerservice" -ot srv -actn ace -ace "n : domainuser ; p :read"
Revoke Groups/Users Already in List
*********
setacl -on "\computerservice" -ot srv -actn ace -ace "n:system; p :read"
setacl -on "\computerservice" -ot srv -actn ace -ace "n:administrators; p :read"
Tags
Windows