Setting Permissions on Win2K Services

[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]

I've heard that I can set permissions on Windows 2000 services to control who can start, stop, or change the services. However, when I open a service's Properties dialog box through the Microsoft Management Console (MMC) Computer Management snap-in, I can't find a Security tab (which is where I set permissions on other objects). How do I edit a service's permissions?

Each service does indeed have an ACL that governs who can start, stop, pause, query the status of, change, or delete a service. The default permissions vary according to the service, but typically Administrators have Full Control, Authenticated Users have Read, and Interactive and Power Users have Start, but not Stop or Pause, permissions.

The only way to view a service's current ACL is to log on to the server, open the MMC Security Templates snap-in, create a new template, click System Services, then double-click the appropriate service. Click Define this policy setting in the template, then click Edit Security to open the dialog box that Figure 1 shows. Because the new template's policy is undefined, this dialog box shows you the ACL of this service on your local system. To change the ACL, edit it, then save the template. Import the template into the MMC Security Configuration and Analysis snap-in, then apply the template. For more information about creating and editing security templates, see Paula Sharick, "Security Templates Define and Enforce the Rules," January 2002, InstantDoc ID 23375, and John Howie, "Using MMC Snap-ins to Secure Win2K Systems," August 2001, InstantDoc ID 21668.
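The permissions described above, read back from an ACL in SDDL string form, as an added example that is not part of the original column. It assumes the service's ACL is available as an SDDL string (the form in which a saved security template records it); the sample ACL is constructed to match the typical defaults the column describes, and the function names are hypothetical.

```python
import re

# SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read permissions", "WD": "change permissions",
    "WO": "take ownership",
}
# SDDL abbreviations for the well-known groups named in the column.
TRUSTEES = {"BA": "Administrators", "AU": "Authenticated Users",
            "IU": "Interactive", "PU": "Power Users", "SY": "SYSTEM"}

# Constructed sample: Administrators Full Control, Authenticated Users Read,
# Interactive and Power Users Read plus Start.
SAMPLE = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
          "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;PU)")


def parse_service_dacl(sddl):
    """Map each trustee in the DACL to the right codes it is allowed and denied."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    acl = {}
    for ace in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type not in ("A", "D") or rights.startswith("0x"):
            continue  # this example reads only allow/deny ACEs with letter codes
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        entry = acl.setdefault(TRUSTEES.get(sid, sid), {"A": set(), "D": set()})
        entry[ace_type] |= codes
    return acl


def holders(sddl, code):
    """Trustees allowed `code` and not denied it (group membership is not resolved)."""
    return sorted(t for t, e in parse_service_dacl(sddl).items()
                  if code in e["A"] and code not in e["D"])


if __name__ == "__main__":
    for code in ("RP", "WP", "DT", "DC", "WD"):
        print(f"{SERVICE_RIGHTS[code]:20} {', '.join(holders(SAMPLE, code))}")
```

When reviewing a real ACL this way, any trustee other than Administrators or SYSTEM that holds change config, change permissions, or take ownership deserves a closer look.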
