而试图阻止一个C#Windows服务访问被拒绝 [英] Access Denied while trying to stop a C# Windows Service
问题描述
我已经使用Visual Studio停止Windows服务简单邮件传输协议(SMTP)创建一个C#Web服务,即SMTPSVC。
I have created a C# web service using visual studio to stop the windows service 'Simple Mail Transfer Protocol (SMTP)' called SMTPSVC.
以下是Web方法来做到这一点:
The following is the web method to do it:
[WebMethod]
public string StopService()
{
String status = "";
try
{
ServiceController scAlerter = new ServiceController("SMTPSVC");
Console.WriteLine(scAlerter.DisplayName);
Console.WriteLine(scAlerter.CanStop);
scAlerter.Stop();
Console.WriteLine("Service stopped");
status = "STOPPED";
}
catch (Exception e)
{
Console.WriteLine("Exception caught here" + e.ToString());
status = "Exception" + e.ToString();
}
return status;
}
我在IIS 5.1服务器发布此Web服务。当我调用的服务则抛出下面的'拒绝访问异常
I published this web service in my IIS 5.1 server. When I invoked the service it is throwing the following 'Access Denied' exception
<?xml version="1.0" encoding="utf-8" ?>
<string xmlns="http://y-square.org/">
ExceptionSystem.InvalidOperationException: Cannot open SMTPSVC service on
computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace --- at
System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
at System.ServiceProcess.ServiceController.Stop() at Service.RestartService()
in c:\Inetpub\wwwroot\RestartService\App_Code\Service.cs:line 38
</string>
在默认情况下该服务使用的用户帐户 IUSER_system名和我添加该用户帐户为系统管理员组,并加入 ASPNET 在管理员组的用户帐户。
By default the service is using the user account IUSER_system-name and I have added this user account into system Administrators group and also added ASPNET user account in Administrator group.
我能停止/启动成功从C#独立的程序,这个窗口服务。
I was able to stop/start this windows service from C# standalone program successfully.
能否请你让我知道是什么问题?任何权限设置或IIS用户访问权限应,我需要运行这个变化?
Can you kindly let me know what is the problem? Any permission settings or IIS user access rights shall I need to change in order to run this?
也让我知道哪个用户帐户此C#的服务将使用停止Windows服务?
Also let me know which user account this C# service would use to stop the Windows Service?
您的帮助是非常AP preciated。
Your help is much appreciated.
在此先感谢, 瑜伽
推荐答案
在IUSER_machinename(IUSER短,在下面)账户,有充分的理由,相对有限的账户,很少有超过来宾帐户的更多特权。不允许启动和停止的Windows服务,甚至询问他们(以获取其状态等)。
当一个独立的EXE的上下文中运行,逻辑上面是成功的,因为底层的帐户[可能]你是谁可能是管理员组的成员,或者一个相当强大的帐户在任何速度。
The IUSER_machinename (IUSER for short, in the following) account is, for good reasons, a relatively limited account, with little more privilege than a guest account. It isn't allowed to start and stop Windows services, or even to interrogate them (to get their status etc).
When run in the context of a stand-alone exe, the logic above is successful because the underlying account is [probably] you who is likely a member of the Administrators group, or a rather powerful account at any rate.
最简单的,但是 unrecommended 办法摆脱这种局面,是给IUSER帐户更多的权限。只是为了尝试将此帐户添加到Administrators组,BAM!它会工作(同时也将介绍一些具有潜在危险的安全漏洞)。
A 更好的办法是使特定的Windows服务将被允许通过IIS的方式来管理的明确列表,并设置自己的个性化服务的安全描述符,这样的IUSER帐户(或其他帐户之际创建/组),一律不得开工和/或根据需要阻止他们。照片
在实施这种方法的困难是,据我所知,没有GUI或直观的管理工具来检查和更改服务的安全描述符:你需要使用SD和学习SDDL语言。这里有几个指针,这样做
The easy, but unrecommended way out of this situation, is to give the IUSER account more privileges. Just to try add this account to the Administrators group, bam!, it will work (but will also introduce some potentially dangerous security hole).
A better approach is to make the explicit list of the particular Windows services that will be allowed to managed by way of IIS, and to set their individual service security descriptor to so that the IUSER account (or another account/group created for the occasion) be allowed to start and/or stop them as desired.
The difficulty in implementing this approach is that, to my knowledge, there's no GUI or intuitive admin tool to inspect and alter the services' security descriptor: you need to use sd and "learn" the SDDL language. Here are a few pointers to do so
- MSDN Best practices and guidance for writers of service discretionary access control lists
- sc sdshow command
- sc sdset command
这篇关于而试图阻止一个C#Windows服务访问被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
