Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Summary

This article describes a change in security policy beginning with Windows 10 version 1709 and Windows Server 2016 version 1709. Under the new policy, only users who are local administrators on a remote computer can start or stop services on that computer.

This article also describes how to opt individual services out of this new policy.

More information

A common security mistake is to configure services to use an overly permissive security descriptor (see Service Security and Access Rights), and thereby inadvertently grant access to more remote callers than intended. For example, it’s not unusual to find services that grant SERVICE_START or SERVICE_STOP permissions to Authenticated Users. While the intent is usually to grant those rights only to local nonadministrative users, Authenticated Users also includes every user or computer account in the Active Directory forest, whether that account is a member of the Administrators group on the remote or local computer. These excessive permissions could be abused and wreak havoc across a whole network.

Given the pervasiveness and potential severity of this issue and the modern security practice of assuming that any sufficiently large domain contains compromised computers, a new system security setting was introduced that requires that remote callers also be local administrators on the computer to be able request the following service permissions:

SERVICE_CHANGE_CONFIG
SERVICE_START
SERVICE_STOP
SERVICE_PAUSE_CONTINUE
DELETE
WRITE_DAC
WRITE_OWNER

The new security setting also requires that remote callers be local administrators on the computer to request the following service control manager permission:

SC_MANAGER_CREATE_SERVICE

Note This local administrator check is in addition to the existing access check against the service or service controller security descriptor. That setting was introduced starting in Windows 10 version 1709 and in Windows Server 2016 version 1709. By default, the setting is turned on.

This new check might cause problems for some customers who have services that rely on the ability for non-administrators to start or stop them remotely. If it is necessary, you can opt individual services out of this policy by adding the service name to the RemoteAccessCheckExemptionList REG_MULTI_SZ registry value at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM

To do this, follow these steps:

  1. Select Start, select Run, type regedit in the Open box, and then click OK.

  2. Locate and then select the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM

    Note     If the subkey does not exist, you must create it: On the Edit menu, select New, and then select Key. Type the name of the new subkey and then press Enter.

  3. On the Edit menu, point to New, and then select REG_MULTI_SZ Value.

  4. Type RemoteAccessCheckExemptionList for the name of the REG_MULTI_SZ value, and then press Enter.

  5. Double-click the RemoteAccessCheckExemptionList value, type the name of the service to exempt from the new policy, then click OK.

  6. Exit Registry Editor, and then restart the computer.

Administrators who want to globally disable this new check and restore the older, less-secure behavior, can set the RemoteAccessExemption REG_DWORD registry value to a nonzero value at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

Note Setting this value temporarily can be a quick way to determine whether this new permission model is the cause of application compatibility issues.

To do this, follow these steps:

  1. Select Start, select Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

  3. On the Edit menu, point to New, and then select REG_DWORD  (32-bit) Value.

  4. Type RemoteAccessExemption for the name of the REG_DWORD value, and then press Enter.

  5. Double-click the RemoteAccessExemption value, enter 1 in the Value data field, and then click OK.

  6. Exit Registry Editor, and then restart the computer.

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×