15

Here's my Windows/.NET security stack:

  • A Windows Service running as LocalSystem on a Windows Server 2003 box.
  • A .NET 3.5 Website running on the same box, under "default" production server IIS settings (so probably as NETWORKSERVICE user?)

On my default VS2008 DEV environment I have this one method, which gets called from the ASP.NET app, which works fine:

private static void StopStartReminderService() {

    ServiceController svcController = new ServiceController("eTimeSheetReminderService");

    if (svcController != null) {
        try {
            svcController.Stop();
            svcController.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10));
            svcController.Start();
        } catch (Exception ex) {
            General.ErrorHandling.LogError(ex);
        }
    }
}

When I run this on the production server, I get the following error from the ServiceController:

Source: System.ServiceProcess -> System.ServiceProcess.ServiceController -> IntPtr GetServiceHandle(Int32) -> System.InvalidOperationException Message: Cannot open eTimeSheetReminderService service on computer '.'.

Why is this happening, and how do I fix it?

EDIT:

The answer is below, mostly in comments, but to clarify:

  1. The issue was Security related, and occurred because the NETWORKSERVICE account did not have sufficient rights to Start/Stop a service
  2. I created a Local User Account, and added it to the PowerUsers Group (this group has almost admin rights)
  3. I don't want my whole Web App to impersonate that user all the time, so I impersonate only in the method where I manipulate the service. I do this by using the following resources to help me do it in code:

MS KB article and this, just to get a better understanding

NOTE: I don't impersonate via the web.config, I do it in code. See the MS KB Article above.

stj
  • 9,037
  • 19
  • 33
andy
  • 8,775
  • 13
  • 77
  • 122

6 Answers6

14

To give IIS permission to start/stop a particular service:

  • Download and install Subinacl.exe. (Be sure to get the latest version! Earlier versions distributed in some resource kits don't work!)
  • Issue a command similar to: subinacl /service {yourServiceName} /grant=IIS_WPG=F

This grants full service control rights for that particular service to the built-in IIS_WPG group. (This works for IIS6 / Win2k3.) YMMV for newer versions of IIS.)

Martin_W
  • 1,582
  • 1
  • 19
  • 24
  • Perfect, did the trick for me and I didn't even have to add impersonation to my web.config. Cheers! – Nabster Jan 17 '13 at 09:50
  • This is the better solution in my opinion. Thanks Martin_ATS. – amiir Apr 27 '14 at 10:57
  • Use this tool to give a user rights, whereby you use impersonation to impersonate the user that has rights to start and stop the service. – 130nk3r5 Oct 13 '14 at 08:39
6

Try adding this to your Web.Config.

<identity impersonate="true"/>
Phaedrus
  • 8,351
  • 26
  • 28
  • Is anonymous access enabled in IIS? – Phaedrus May 04 '09 at 03:32
  • yep, "Enable anonymous access" is ticked – andy May 04 '09 at 03:36
  • Disable it, enable Integrated Windows Authentication. – Phaedrus May 04 '09 at 03:38
  • cool, I'll try it out. How will that affect access to the site? it is a public site. Also, can impersonating be done just for that one method? Anyway, I'll try it out to see if it works, thanks, much appreciated. – andy May 04 '09 at 03:43
  • ah ha! we're getting somewhere. ok, that worked. However, I need Anonymous access turned on, and I'd rather only give special privileges to sections of code that need it. Any ideas? cheers!! – andy May 04 '09 at 03:55
  • No, running a public site with Integrated Windows Authentication enabled probably isn't the best idea. It's just a way to find out if your problem is in fact related to security. Your probably going to want to enable anonymous access and give the appropriate permissions to the IUSR_ account so that it has sufficient rights to access your service. – Phaedrus May 04 '09 at 04:00
  • cool, thanks Phaedrus. yes, I figured you only wanted to eliminate possibilities, awesome. Ok, this is the bit that gets me. So I have to find the Account that my ASP.NET app is running under, right? and then how do I give it rights to access the service, what rights would that be? Is there a way to give it rights to that particular service only, or do I just have to give complete control to the IUSR_etc Account? – andy May 04 '09 at 04:05
1

This was a good question that intrigued me as well...

So here is what I did to solve this problem:

  • Step 1: Create a Windows user account on the local machine with minimal rights.
  • Step 2: Give this user rights to start and stop the service via subinacl.exe
  • i.e. subinacl.exe /service WindowsServiceName /GRANT=PCNAME\TestUser=STOE
  • Dowload from : http://www.microsoft.com/en-za/download/details.aspx?id=23510

  • Step 3: Use Impersonation to impersonate the use created in Step 1 to start and stop the Service

    public const int LOGON32_PROVIDER_DEFAULT = 0;

WindowsImpersonationContext _impersonationContext;

[DllImport("advapi32.dll")]
// ReSharper disable once MemberCanBePrivate.Global
public static extern int LogonUserA(String lpszUserName,
    String lpszDomain,
    String lpszPassword,
    int dwLogonType,
    int dwLogonProvider,
    ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
// ReSharper disable once MemberCanBePrivate.Global
public static extern int DuplicateToken(IntPtr hToken,
    int impersonationLevel,
    ref IntPtr hNewToken);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
// ReSharper disable once MemberCanBePrivate.Global
public static extern bool RevertToSelf();

[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
// ReSharper disable once MemberCanBePrivate.Global
public static extern bool CloseHandle(IntPtr handle);

private bool _impersonate;

public bool ImpersonateValidUser(String userName, String domain, String password)
{
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    if (RevertToSelf())
    {
        if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT, ref token) != 0)
        {
            if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
            {
                var tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                _impersonationContext = tempWindowsIdentity.Impersonate();
                if (_impersonationContext != null)
                {
                    CloseHandle(token);
                    CloseHandle(tokenDuplicate);
                    _impersonate = true;
                    return true;
                }
            }
        }
    }
    if (token != IntPtr.Zero)
        CloseHandle(token);
    if (tokenDuplicate != IntPtr.Zero)
        CloseHandle(tokenDuplicate);
    _impersonate = false;
    return false;
}

#region Implementation of IDisposable




#endregion

#region Implementation of IDisposable

private void Dispose(bool dispose)
{
    if (dispose)
    {
        if (_impersonate)
            _impersonationContext.Undo();
        _impersonationContext.Dispose();
    }
}

public void Dispose()
{
    Dispose(true);
}
#endregion

public static void StartStopService(bool startService, string serviceName)
{
    using (var impersonateClass = new Impersonation())
    {
        impersonateClass.ImpersonateValidUser(Settings.Default.LocalUsername, Settings.Default.Domain, Settings.Default.Password);
        using (var sc = new ServiceController(serviceName))
        {
            if (startService)
                sc.Start();
            else if (sc.CanStop)
                sc.Stop();
        }

    }
}
130nk3r5
  • 1,120
  • 10
  • 12
  • LOGON32_LOGON_INTERACTIVE didn't work for me but thanks to this answer https://stackoverflow.com/a/28503968/4568373 I changed it to LOGON32_LOGON_NETWORK and worked fine. – ThePatelGuy Dec 07 '17 at 00:31
1

Update for IIS 8 (and maybe some slightly earlier versions)

The usergroup IIS_WPG does not exist anymore. It has changed to IIS_IUSRS.

Also, to start stop a service it is not neccesary to give full permissions (F). Permissions to start, stop and pause a service (TOP) should be enough. As such the command should be:

subinacl /service {yourServiceName} /grant=IIS_IUSRS=TOP

Note that you need to point the command prompt (preferably elevated to run as administrator) to C:\Windows\System32 Folder before running this command.

Also make sure that you have copied the subinacl.exe file to C:\Windows\System32 from the installation directory if there is an error.

toing_toing
  • 2,334
  • 1
  • 37
  • 79
0

If your web application has the database and windows service can access it, you can just use the flag in the DB to restart the service. In the service, you can read this flag and restart if not busy etc. Only in case if you can modify the code of the service. If it's third party service you can create your own windows service and use database config to control (restart) services. It's the safe way and gives you much more flexibility and security.

Alex
  • 1
0

Just a hunch, but it does not appear to me the error is necessarily related to security. Did you give the service the same name on the production server?

cdonner
  • 37,019
  • 22
  • 105
  • 153
  • @cdonner: yeah, I suspected that too, but didn't know how I could test it? Yes, the name is the same, its defined in the code, in the ServiceInstaller component. Any ideas on how I could get a definite answer on whether it even is security? cheers – andy May 04 '09 at 02:13
  • can you start and stop it from the command line, using NET START/STOP? – cdonner May 04 '09 at 02:27
  • hey man, yeah, running "NET START eTimeSheetReminderService" in the command prompt starts the service successfully – andy May 04 '09 at 03:23