We have an installer, running as administrator, which installs a web application, running as IUSR, and a Windows service, running as Local Service (for now). The web application should be able to start/stop that Windows service (and no other) when maintenance mode is enabled via the web interface (e.g. when an update is applied).

Question: Which options do I have?

  • The installer has a "Run as" option for the service, but it takes username AND password, which I don't have for IUSR. IUSR should be able to start/stop a service that runs as IUSR, right?
  • Can I give IUSR permission to start/stop that service somehow else (registry)?
  • Or will I have to create a second service that checks a file for changes, and acts upon these. But then I cannot replace this service in maintenance mode, ever, so this is a dirty hack.
Alexander
  • The web app should be allowed to restart a single service, not to do `rm -rf /`, so running the apppool as admin is a strict no. – Alexander Sep 19 '16 at 15:27
  • You can reconfigure a service's ACL either via software (typically during the service installation) or using the `sc sdset` command-line tool. Basically the same as http://stackoverflow.com/a/8380009/886887 except that you'll have to look up the SID for IUSR and use that instead of `IU` ("interactive users"). (PS: if you're doing it in software, you might prefer to use a different method for building the ACL. SDDL is a very convenient way to build a constant ACL, but a bit messy if you need to feed in a SID.) – Harry Johnston Sep 19 '16 at 21:59
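
The `sc sdset` approach from the comment above, written out as an added example (not code from the question or the commenters). It assumes a placeholder service name `MyAppService` and that start, stop and query-status are the only rights IUSR needs; it appends one ACE to the existing DACL instead of replacing the descriptor.

```powershell
# Added example. Run from an elevated prompt; 'MyAppService' is a placeholder name.
param([string]$ServiceName = 'MyAppService')

# Look up the SID for IUSR instead of using the 'IU' (interactive users) alias.
$account = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'IUSR')
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Service meanings of the SDDL rights granted (assumed minimum for start/stop):
#   LC = SERVICE_QUERY_STATUS, RP = SERVICE_START, WP = SERVICE_STOP
$ace = "(A;;LCRPWP;;;$sid)"

# Read the current descriptor; sc.exe prints a blank line before the SDDL string.
$out = & sc.exe sdshow $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc sdshow failed for '$ServiceName': $out" }
$sddl = $out | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
if (-not $sddl) { throw "No DACL found in the sdshow output for '$ServiceName'" }
$sddl = $sddl.Trim()

# Do not stack duplicate ACEs when the installer runs again.
if ($sddl.Contains(";;;$sid)")) {
    Write-Output "An ACE for $sid already exists; review it manually: $sddl"
    return
}

# Append the ACE to the end of the DACL, i.e. before the SACL ('S:') if one is present.
$sacl = $sddl.IndexOf('S:')
$new = if ($sacl -ge 0) { $sddl.Insert($sacl, $ace) } else { $sddl + $ace }

& sc.exe sdset $ServiceName $new
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for '$ServiceName'" }
& sc.exe sdshow $ServiceName   # confirm the new ACE is present
```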

0 Answers