What SIDS need permisions to start my service?

Giganews Newsgroups
Subject: What SIDS need permisions to start my service?
Posted by:  John S (Joh…@discussions.microsoft.com)
Date: Tue, 8 May 2007

Here is the short version.  I have an application which has a service
component. It is a requirement that the service component be running only
when the application is running,  so AutoStart is not an option.

I want to grant the following permissions on my service
                READ_CONTROL |
                SERVICE_QUERY_CONFIG |
                SERVICE_QUERY_STATUS |
                SERVICE_ENUMERATE_DEPENDENTS |
                SERVICE_START |
                SERVICE_STOP |
                SERVICE_PAUSE_CONTINUE |
                SERVICE_INTERROGATE
to all users on the local machine.  Currently I am granting this access to
Everyone, Users, and Guest.  This approach definitely gives permisions to the
accounts i need.. but is this a securty risk (I am only concerned about
security risks involving remote attacks,  not ones that originate from the
local machine).  Should i be granting access to just "Guest and Users"  or
maybe "Guests and Authenticated Users"?  Also note, the machines may or may
not be on a domain.. the target os is 2k,xp,vista(32/64).  This may be
deployed on a large number of laptops (and i mean laaarrrggge).

Can anyone shed some light on this issue?

Replies