Service Security

When a process uses the OpenSCManager function to open a handle to a database of installed services, it can request different types of access. The system performs a security check before granting the requested access. All processes are permitted the following access to the database:

• SC_MANAGER_CONNECT
• SC_MANAGER_ENUMERATE_SERVICE
• SC_MANAGER_QUERY_LOCK_STATUS

This enables any process to open a handle to the SCManager object that it can use in calls to the OpenService, EnumServicesStatus, and QueryServiceLockStatus functions. Only processes with Administrator privileges are able to open handles to the SCManager object that can be used by the CreateService and LockServiceDatabase functions.

When a process uses the OpenService function, the system performs an access check. The type of access permitted to different users depends on the SECURITY_DESCRIPTOR structure associated with the service object. The SCM creates a service object's security descriptor when the service is installed by the CreateService function. You can use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions to query and set the security descriptor of a service object. The default security descriptor of a service object permits the following access:

• Authenticated users have SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_INTERROGATE, and SERVICE_USER_DEFINED_CONTROL access.
• Members of the Power Users group and the LocalSystem account have SERVICE_START, SERVICE_PAUSE_CONTINUE, and SERVICE_STOP access, plus the access rights granted to all users.
• Members of the Administrators and System Operators groups have SERVICE_ALL_ACCESS access.

Note that granting certain access to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possible allow them to run applications under the LocalSystem account.