SCAcl - ACL editor for service objects

SCAcl is a little command line utility to change the security settings for service and driver objects on Windows NT. It works like the file-security command cacls.exe.

SCAcl is Freeware; you can use it for whatever you want, but at your own risk :-)

The Problem

Services (like the scheduler service or my nice multisession tool NetExec) are, like almost any object, securable. The default security settings give Administrators full access and Power-Users the right to start and stop the service.

But sometimes it may be necessary, or simply convenient, to let even some normal users start a particular service:

With SCAcl you can solve this problem.

Synopsis

If you start the tool without any arguments, the output is:

SCAcl 1.0 (Copyright (c) 1999 LoSOFT Softwaretechnik)
USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
       [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

type   scacl.exe /?    for help
       scacl.exe /A    for more information

The command line options are explained if you use the /? switch:

SCAcl 1.0 (Copyright (c) 1999 LoSOFT Softwaretechnik)
USAGE: scacl.exe [\\MACHINE] service [/S]
       scacl.exe [\\MACHINE] service [/E] [/Q] [/V] [/S] [/T [User]] [/I] [/C]
       [/G User:Mask ...] [/R User ...] [/P User:Mask ...] [/D User:Mask ...]

  \\MACHINE      SCM address                 /S         List also SIDs
  /E             modify (not replace) ACL    /Q         Quiet mode
  /G User:Mask   Give access                 /V         Verbose
  /R User        Remove from ACL(/E mode)    /C         Set empty ACL (clear)
  /P User:Mask   Replace access (/E mode)    /I         Set standard ACL
  /D User:Mask   Deny access                 /T [User]  Take ownership


'Mask' can be any combination of the following priviliges:
    D - delete the service                 C - query the service security
    O - change the service security        G - change the configuration
    H - query the configuration            L - enumerate dependent services
    I - ask the service about its status   P - pause and continue
    Q - ask the SCM about the status       S - start the service
    E - stop the service                   U - invoke user-defined control
    F =  <all> - full control over the service
    X =  CPSEU - control the service (start, stop, ...)
    R =  CHLIQ - get any information about the service
    W =     CG - change the service configuration (not security)

User can be the name of a user or group account or a textual SID (security ID). Examples are BUILTIN\Users or S-1-5-32-549. Note that user accounts are looked up on \\MACHINE.

Mask can be any combination of the access rights listed above. Note that there are single access rights (like S for start service or E for stop service) and general access rights (like X for Execute); the general access rights are mapped to the listed combinations of single access rights.


Order of command evaluation

The passed command switches are evaluated in the following order:

  1. /Q - quiet. All following commands will be executed without confirmation.
  2. /T - take ownership. The current user becomes the new owner of the object. An Administrator can also pass BUILTIN\Administrators after /T; in this case the Administrators group becomes owner of the service. Note that this behavior differs from most NT built-in security editors, where the Administrators group always becomes the owner if the current user is a member of it.
  3. /C - set empty DACL. An empty DACL gives no access to anybody. You must be owner of the service to modify the DACL after setting an empty DACL.
  4. /I - restore standard DACL. This is the DACL the system assigns when it installs a service. Use this switch to restore the standard security settings. All following commands work on this as the current service DACL.
  5. /E - edit DACL. You should probably always pass this parameter. If not, the current service DACL will be replaced by your new one.
  6. /V - verbose. The current and new DACL will be printed out.
  7. /R - remove. All of the user's access entries are removed from the DACL. This is also true for ACCESS_DENIED entries. The /R command can only be used in /E mode.
  8. /P - replace. The current access mask of the user is replaced by the new one. This is also true for ACCESS_DENIED entries. If the user has no access entry in the DACL, a new entry is added. The /P command can only be used in /E mode.
  9. /G - give access. Add an entry that gives the user the specified access.
  10. /D - deny access. Insert an entry that denies the user the specified access. Note that ACCESS_DENIED entries are always inserted at the top of the DACL. If you view a service DACL, they are shown with a leading minus sign ("-") in front of the access mask.
  11. /O - set owner. The user will become owner of the service object.

Using SCAcl.exe

To view the current settings of a service or driver, run SCAcl with just the service name. The /S switch tells SCAcl to show the SIDs as well:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner:     NT-AUTHORITY\SYSTEM (S-1-5-18)

DACL:
  00:  [RU]      \World (S-1-1-0)
  01:  [XR]      (null)\(null) (S-1-5-32-547)
  02:  [F]       BUILTIN\Administrators (S-1-5-32-544)
  03:  [F]       BUILTIN\Server-Operators (S-1-5-32-549)
  04:  [XR]      NT-AUTHORITY\SYSTEM (S-1-5-18)

M:\Develop\VC\UTIL\SrvSec\Release>

This is the standard DACL, which is assigned to every service at installation time. Now we want to give all users except Tom the possibility to start and stop the service. So we add an entry for BUILTIN\Users and a deny entry for Tom. Note the /E switch for editing:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /E /G BUILTIN\USERS:SE /D Tom:SE
Do you really want to apply the new security settings [Yes/No]:
Successfully applied new security settings to service tcpip
M:\Develop\VC\UTIL\SrvSec\Release>

Now the DACL looks like this. Note the minus (-) in front of Tom, which signals an ACCESS_DENIED entry:

M:\Develop\VC\UTIL\SrvSec\Release>scacl \\AMARETTO tcpip /S

Security settings of service tcpip on \\AMARETTO:
Owner:     NT-AUTHORITY\SYSTEM (S-1-5-18)

DACL:
  00: -[SE]      BISTRO\Tom
                 (S-1-5-21-859451957-1360023216-1846434929-1003)
  01:  [RU]     \World (S-1-1-0)
  02:  [XR]      (null)\(null) (S-1-5-32-547)
  03:  [F]       BUILTIN\Administrators (S-1-5-32-544)
  04:  [F]       BUILTIN\Server-Operators (S-1-5-32-549)
  05:  [XR]      NT-AUTHORITY\SYSTEM (S-1-5-18)
  06:  [SE]      BUILTIN\USERS (S-1-5-32-545)

Note that to be able to start and stop a service, a user must also have GENERIC_READ (R) access. By default this is granted to the \World group, so in our example we do not need to give it to BUILTIN\USERS as well.

Unknown user accounts?

An unknown user account is shown as (null)\(null). Some of the BUILTIN accounts are not available on every computer, but they are nevertheless used in the default DACL of a service object. Use the /S switch to find out the SIDs of the unknown accounts:

S-1-5-32-549 is the SID of the BUILTIN\Server-Operators account, which is enabled only on domain controllers.

S-1-5-32-547 is the SID of the BUILTIN\Power-Users account, which is not available on domain controllers.

In general, all SIDs of the form S-1-5-32-XXX belong to BUILTIN accounts.

Lost control?

If you forget the /E switch, you may lock yourself out of the DACL. Any further command then just returns "Error 0x5: Access denied".

If this happens, you should take ownership of the object and restore the standard DACL:

scacl.exe \\AMARETTO tcpip /T /I

Newest Version

SCAcl.exe is part of the LS-Tools freeware collection. The newest version can also be found at http://www.uni-koblenz.de/~daniel/ls_nttools.html

The author

Please feel free to send comments, questions and donations :-) to:

Daniel Lohmann,
Rheinstr. 34
D-56068 Koblenz
Germany

daniel@uni-koblenz.de