Allowing only a specific service read/write access to a folder

QUESTION :

Is there a way to prevent read and/or write access to a specific folder in Windows and grant only a specific service/process access to it?

It seems that permissions are user-based and not service-based but I’d like to know if there is a way to achieve such a functionality anyway.

ANSWER :

Yes, there is a way to do this in Windows 7, although it may be necessary to reconfigure the service, which introduces a (probably fairly small) risk of introducing a compatibility problem.

The security ID associated with a service can be referenced as

NT SERVICE\SERVICENAME

where servicename is replaced with the actual name of the service (shown as “Service name” in the Services administrative tool, and distinct from the display name shown in the main list of services). If you’re using the GUI to change security settings, and the machine is joined to a domain, you’ll need to change the search scope to the local computer. Also note that this only works for services that are currently installed.

You can determine the SID associated with a particular service name, whether or not such a service is installed, using the sc showsid command:

C:\working>sc showsid wjkjk

NAME: wjkjk
SERVICE SID: S-1-5-80-492907775-8774055-3223757035-3566066944-1037782649

If you are setting security on a file or folder using the icacls command you can specify a SID by prefixing it with *, e.g., *S-1-5-80-492907775-8774055-3223757035-3566066944-1037782649.

In order for the service to access files using this security ID, it has to be configured with a service SID type of either “unrestricted” or “restricted”. If it is configured with a service SID type of “none” the service SID will not work. You can check the service SID type of an installed service with the sc qsidtype command:

C:\working>sc qsidtype wuauserv
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: wuauserv
SERVICE_SID_TYPE:  UNRESTRICTED

If the service type is “none” you can change it to “unrestricted” using the sc sidtype command:

C:\working>sc qsidtype psexesvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: psexesvc
SERVICE_SID_TYPE:  NONE

C:\working>sc sidtype psexesvc unrestricted
[SC] ChangeServiceConfig2 SUCCESS

C:\working>sc qsidtype psexesvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: psexesvc
SERVICE_SID_TYPE:  UNRESTRICTED

This will not take effect until the service is restarted.

Note: you should not change the SID type of a service from “none” to “restricted”. Doing so will almost certainly cause the service to malfunction. Changing the type from “none” to “unrestricted” is much less likely to cause any problems. If the service SID type is already “restricted” or “unrestricted” you should not change it.

There is a pseudo “user” called SERVICE that all services use so you can simply restrict access by only allowing this “user” access.

However, this is not quite what you asked since this isn’t a single specific service, it is all services. There is no default mechanism to restrict to a single service though it may be possible with some considerable faffing around trying to force a service to use a different ID on startup – I wouldn’t recommend it.
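
The service-SID procedure from the first answer (check the SID type, change "none" to "unrestricted", resolve the SID, grant it on the folder with icacls), put together as one PowerShell script. This is an added example, not part of the original answers; the service name, the folder path and the extra Administrators entry are assumptions.

```powershell
# Added example. Run from an elevated prompt.
# 'MyService' and 'C:\ProtectedData' are placeholder values (assumptions).
param(
    [string]$ServiceName = 'MyService',
    [string]$Folder      = 'C:\ProtectedData'
)
$ErrorActionPreference = 'Stop'

# 1. Read the current service SID type. Use sc.exe explicitly:
#    in Windows PowerShell, "sc" alone is an alias for Set-Content.
$out = sc.exe qsidtype $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc qsidtype failed: $out" }
$m = $out | Select-String 'SERVICE_SID_TYPE:\s+(\S+)'
if (-not $m) { throw "Could not parse SID type from: $out" }
$sidType = $m.Matches[0].Groups[1].Value

# 2. Only "none" is changed, and only to "unrestricted".
#    A service that is already restricted/unrestricted is left alone.
if ($sidType -eq 'NONE') {
    $out = sc.exe sidtype $ServiceName unrestricted
    if ($LASTEXITCODE -ne 0) { throw "sc sidtype failed: $out" }
    Write-Warning "SID type changed; restart $ServiceName for it to take effect."
}

# 3. Resolve the service SID (derived from the service name).
$out = sc.exe showsid $ServiceName
$m = $out | Select-String 'SERVICE SID:\s+(S-1-5-80-[\d-]+)'
if (-not $m) { throw "Could not parse service SID from: $out" }
$sid = $m.Matches[0].Groups[1].Value

# 4. Drop inherited ACEs and grant explicit ones:
#    - the service SID gets Modify on the folder and everything below it
#    - BUILTIN\Administrators (S-1-5-32-544) keeps Full control so the
#      folder stays manageable (an assumption; omit it if not wanted)
#    Explicit ACEs already set for other principals are NOT removed.
icacls.exe $Folder /inheritance:r /grant:r "*${sid}:(OI)(CI)M" "*S-1-5-32-544:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Folder" }

# 5. Print the resulting ACL so leftover explicit entries can be reviewed.
icacls.exe $Folder
```

Review the ACL printed in step 5: any entry other than the service SID and Administrators was an explicit ACE that existed before the script ran and still grants access.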
