How to reset an empty DACL in a service security descriptor on a Windows Server 2003-based computer


INTRODUCTION


This article describes how to reset an empty discretionary access control list (DACL) in a service security descriptor on a Microsoft Windows Server 2003-based computer.

More Information


By default, the security descriptor that is set on a service assigns full control to the members of the Administrators group. However, the members of the Administrators group cannot manage a service until the computer is restarted if one of the following conditions is true:
  • The service is created by using a security descriptor that contains an empty DACL.
  • The security of an existing service is modified by using a security descriptor that contains an empty DACL.
An empty DACL (a DACL that is present but contains no access control entries) grants access to nobody. This differs from a missing (NULL) DACL, which grants full access to everyone. Because the empty DACL names no trustee, the members of the Administrators group receive an "access denied" error message when they try to do the following tasks:
  • Start the service.
  • Stop the service.
  • Pause the service.
  • Change the service security descriptor.
To set a security descriptor that contains an empty DACL on a service (for example, to reproduce the problem on a test computer), run the following command at a command prompt:
sc sdset service_name D:S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note In this command, service_name is a placeholder for the name of the service. The D: component with no ACE strings after it is the empty DACL; the S: component only sets the system access control list (SACL) that records failed-access audits.

When you restart the computer, the service control manager detects that the service has an empty DACL and implicitly applies a default DACL. The default DACL assigns full control to the members of the Administrators group (BA) and more limited rights to the Local System account (SY), interactive users (IU), service accounts (SU), authenticated users (AU), and Power Users (PU). To verify that the default DACL is applied after you restart the computer, run the following command at a command prompt:
sc sdshow service_name
The command should return the following result:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note The implicit DACL does not appear in the Security registry value for the service or in the permissions that the Security Configuration and Analysis utility shows.

The Local System account has an implicit right to every service. This right allows the Local System account to reset the service DACL.
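The SDDL string that sc sdshow prints can be checked mechanically, which is useful when auditing many services for this condition. The following Python is an added example, not code from the original article: it parses an SDDL security descriptor string, distinguishes a NULL DACL from an empty one, and reports whether the Administrators group (BA) still holds every service right (SERVICE_ALL_ACCESS, 0xF01FF). The right-name bit values are those of sddl.h; the two sample descriptors are copied from the sc commands above; the function names are my own, and the per-trustee view deliberately ignores group nesting and ACE ordering.

```python
"""Parse the SDDL that `sc sdshow` prints and audit a service DACL (added example)."""
import re

# Access-right mnemonics from sddl.h. On a service object the object-specific
# bits CC..CR map onto SERVICE_* rights (e.g. RP = START, WP = STOP,
# DT = PAUSE_CONTINUE); SD/RC/WD/WO are the standard rights.
RIGHT_BITS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
SERVICE_ALL_ACCESS = 0x000F01FF  # every bit a service ACE can grant
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")


def rights_mask(field):
    """Turn a rights field ('CCLCSWRPWPDTLOCRRC' or '0x1f01ff') into a bitmask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("rights field is not a run of two-letter mnemonics: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS[field[i:i + 2]]  # KeyError on an unknown mnemonic
    return mask


def parse_ace(text):
    """Parse one 'type;flags;rights;object_guid;inherit_guid;sid' ACE body."""
    fields = text.split(";")
    if len(fields) != len(ACE_FIELDS):
        # An ACE such as (AU;FA;...;;WD) with a semicolon missing is rejected
        # here, as sc.exe would reject it.
        raise ValueError("ACE needs 6 ';'-separated fields, got %d: (%s)" % (len(fields), text))
    ace = dict(zip(ACE_FIELDS, fields))
    ace["mask"] = rights_mask(ace["rights"])
    return ace


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL.

    An absent component is None; an ACL that is present but has no ACEs is
    returned as {"flags": ..., "aces": []}.
    """
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    names = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if not chunk:
            continue
        key, body = names[chunk[0]], chunk[2:]
        if key in ("owner", "group"):
            sd[key] = body
            continue
        paren = body.find("(")
        flags = body if paren < 0 else body[:paren]
        aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        sd[key] = {"flags": flags, "aces": aces}
    return sd


def audit_service_sd(sddl):
    """Report the DACL state and whether Administrators (BA) keep full control."""
    sd = parse_sddl(sddl)
    if sd["dacl"] is None:
        # No D: component at all is a NULL DACL: the object is unprotected.
        return {"dacl": "null", "admins_full_control": True, "effective": {}}
    aces = sd["dacl"]["aces"]
    if not aces:
        # An empty DACL grants nothing to anyone; only the SCM's implicit
        # default (applied at the next restart) or Local System can repair it.
        return {"dacl": "empty", "admins_full_control": False, "effective": {}}
    allow, deny = {}, {}
    for ace in aces:
        bucket = allow if ace["type"] == "A" else deny if ace["type"] == "D" else None
        if bucket is not None:
            bucket[ace["sid"]] = bucket.get(ace["sid"], 0) | ace["mask"]
    # Per-trustee view only: ignores group nesting (BA members are also AU)
    # and ACE ordering, which is enough to answer "does BA hold every bit?".
    effective = {sid: allow[sid] & ~deny.get(sid, 0) for sid in allow}
    admins = (effective.get("BA", 0) & SERVICE_ALL_ACCESS) == SERVICE_ALL_ACCESS
    return {"dacl": "populated", "admins_full_control": admins, "effective": effective}


# Constructed inputs: the empty-DACL descriptor and the default descriptor
# shown by the sc commands in the article.
EMPTY_DACL_SDDL = "D:S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

if __name__ == "__main__":
    for label, sddl in (("empty", EMPTY_DACL_SDDL), ("default", DEFAULT_SDDL)):
        r = audit_service_sd(sddl)
        print("%-8s dacl=%-9s admins_full_control=%s" % (label, r["dacl"], r["admins_full_control"]))
        for sid, mask in sorted(r["effective"].items()):
            print("         %-3s 0x%08X" % (sid, mask))
```

Feed it the output of sc sdshow for each service you want to check; a result of "empty" is the condition this article describes, and "null" is the worse case of a service with no protection at all. Because the parser insists on six fields per ACE, it also catches a mistyped sc sdset string before it is applied.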

To manage a service, use one of the following methods.

Method 1: Reset the service to the default permission

  1. Restart the computer.
  2. Log on by using an account that has administrative credentials.
  3. Reset the service to the default permission.

    For example, run the following command at a command prompt to reset the service to the default permission:
    sc sdset service_name D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note Each ACE string has six semicolon-separated fields, so the SACL entry ends in ;;;WD (three semicolons). Verify the result with sc sdshow service_name.
If you cannot restart the computer quickly, use method 2.

Method 2: Assign the default rights to the service

  1. Schedule a command prompt to run under the Local System account. To do this, run the following command at a command prompt:
    at current_time + 1 minute /interactive cmd
    Note In this command, current_time + 1 minute is a placeholder for one minute added to the current time on the computer, in 24-hour notation. For example, if 6:30 is the current time on the computer, type at 6:31 /interactive cmd, and then press ENTER. Tasks that at creates run under the Local System account, which, as noted earlier, can always reset a service DACL. The /interactive switch makes the command prompt appear on the console session; this works on Windows Server 2003, but on later versions of Windows, session 0 isolation prevents such a window from appearing on the interactive desktop.
  2. When the new command prompt appears, run the following command to assign the default rights to the service:
    sc sdset service_name D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note As in method 1, the SACL entry ends in ;;;WD (three semicolons). Verify the result with sc sdshow service_name, and then close the Local System command prompt.