如何为服务添加服务 SID? [英] How to add a service SID to a service?

问题描述

我有一个内置 TCP/IP 服务器的 Windows 服务.客户端和连接以及一些信息被分发等.通常该服务被安装为作为网络服务登录.

I have a windows service with a TCP/IP server built in. Clients and connect and some information is distributed etc. Typically the service is installed to log on as Network Service.

有一些数据存储在 ProgramData 下的文件夹中，因此在安装过程中授予该服务对该文件夹的读/写访问权限.但是，通常使用网络服务帐户授予所有服务的访问权限.我知道可以使用 ChangeServiceConfig2 与 SERVICE_CONFIG_SERVICE_SID_INFO.然而，从那里开始，根本不清楚如何进行，以及这是否能解决我的问题.

There is some data that is stored in a folder under ProgramData and read/write access to that folder is therefor granted to the service during installation. However, access is thus typically granted to all services using the Network Service account. I understand that it is possible to add a specific service SID using ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO. From there it is however not at all clear how to proceed and if this is even a solution to my problem.

任何帮助将不胜感激！

推荐答案

这叫做 服务隔离.使用 SERVICE_CONFIG_SERVICE_SID_INFO 参数指定 SERVICE_SID_INFO 结构指示 SCM 将服务 SID 添加到服务的进程令牌，从而允许服务访问您可能已配置为仅允许访问您的特定服务的资源.你也可以使用 sc 命令

This is called Service Isolation. Specifying with SERVICE_CONFIG_SERVICE_SID_INFO parameter with SERVICE_SID_INFO structure with the SID type instructs the SCM to add the service SID to the service's process token, thus allowing the service to gain access to resources that you may have configured to allow access only to your specific service. Also you may use sc command

sc <server> sidtype [service name] [type]

OPTIONS:
 type = <none|unrestricted|restricted>

sc <server> qsidtype [service name]

这篇关于如何为服务添加服务 SID?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！