Block remote callers who are not local administrators from starting/stopping services

Applies to: Windows Server version 1803Windows 10, version 1803Windows Server 2016 Version 1709

Summary


This article describes a change in security policy beginning with Windows 10 version 1709 and Windows Server 2016 version 1709. Under the new policy, only users who are local administrators on a remote computer can start or stop services on that computer.

This article also describes how to opt individual services out of this new policy.

More information


A common security mistake is to configure services to use an overly permissive security descriptor (see Service Security and Access Rights), and thereby inadvertently grant access to more remote callers than intended. For example, it’s not unusual to find services that grant SERVICE_START or SERVICE_STOP permissions to Authenticated Users. While the intent is usually to grant those rights only to local nonadministrative users, Authenticated Users also includes every user or computer account in the Active Directory forest, whether that account is a member of the Administrators group on the remote or local computer. These excessive permissions could be abused and wreak havoc across a whole network.

Given the pervasiveness and potential severity of this issue and the modern security practice of assuming that any sufficiently large domain contains compromised computers, a new system security setting was introduced that requires that remote callers also be local administrators on the computer to be able request the following service permissions:

SERVICE_CHANGE_CONFIG
SERVICE_START
SERVICE_STOP
SERVICE_PAUSE_CONTINUE
DELETE
WRITE_DAC
WRITE_OWNER

The new security setting also requires that remote callers be local administrators on the computer to request the following service control manager permission:

SC_MANAGER_CREATE_SERVICE

Note This local administrator check is in addition to the existing access check against the service or service controller security descriptor. That setting was introduced starting in Windows 10 version 1709 and in Windows Server 2016 version 1709. By default, the setting is turned on.

This new check might cause problems for some customers who have services that rely on the ability for non-administrators to start or stop them remotely. If it is necessary, you can opt individual services out of this policy by adding the service name to the RemoteAccessCheckExemptionList REG_MULTI_SZ registry value at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM

To do this, follow these steps:

  1. Select Start, select Run, type regedit in the Open box, and then click OK.
  2. Locate and then select the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM

    Note 
    If the subkey does not exist, you must create it: On the Edit menu, select New, and then select Key. Type the name of the new subkey and then press Enter.
  3. On the Edit menu, point to New, and then select REG_MULTI_SZ Value.
  4. Type RemoteAccessCheckExemptionList for the name of the REG_MULTI_SZ value, and then press Enter.
  5. Double-click the RemoteAccessCheckExemptionList value, type the name of the service to exempt from the new policy, then click OK.
  6. Exit Registry Editor, and then restart the computer.

Administrators who want to globally disable this new check and restore the older, less-secure behavior, can set the RemoteAccessExemption REG_DWORD registry value to a nonzero value at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

Note Setting this value temporarily can be a quick way to determine whether this new permission model is the cause of application compatibility issues.

To do this, follow these steps:

  1. Select Start, select Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  3. On the Edit menu, point to New, and then select REG_DWORD  (32-bit) Value.
  4. Type RemoteAccessExemption for the name of the REG_DWORD value, and then press Enter.
  5. Double-click the RemoteAccessExemption value, enter 1 in the Value data field, and then click OK.
  6. Exit Registry Editor, and then restart the computer.