Score:0

AD account for monitoring services across servers


We have some Windows servers that run various services and we have a situation where sometimes those services just stop. To monitor these services I have written a Windows service that uses the ServiceController to look at the suspect services and check their current status. This works fine when I configure the new service to run under an account which has local admin permissions to the servers in question, but that's not ideal from a security point of view as it grants privileges other than sight of the services on those machines. Ideally, I would like to have an AD account created that can "see" and interrogate the services across all servers (the list of servers in scope is bound to widen in future) but have no other privileges on those servers - is this even possible, and if so what are the settings for such an account?

I apologise if this description is a bit vague, so let's say that the service I have written will be installed on ServerA and needs to be able to use the ServiceController to interrogate service "MSSQLSERVER" on ServerB, service "MSSQL$OTHERINSTANCE" on ServerC and services "SOMEOTHERSERVICE" and "RUNNINGOUTOFIDEAS" on ServerD. In addition to this, the list of services to interrogate is held in an MS SQL Server database on ServerZ, so the account would need to be able to connect to that database on that server; it would therefore need, for my purposes, to be a standard AD account, visible as a user in SQL Server security.

Does anyone have any ideas? Thanks in advance for any suggestions, and thanks for taking the time to read this. Please note: a frame challenge such as "why are you even doing this? You should be doing that" would be just as welcome as a direct answer as I'm not convinced there isn't a better way and I am always happy to learn.
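As an added illustration of the check the question describes (this is not the asker's service, and the server and service names are the constructed ones from the question), the following PowerShell uses the same .NET `ServiceController` class to query each watched service under whatever account the script runs as. It is useful for verifying a low-privilege monitoring account once it has been set up: a read of `.Status` needs only SC_MANAGER_CONNECT on the service control manager plus SERVICE_QUERY_STATUS on the individual service, so running it as the monitoring account shows, per server and service, whether the grant is sufficient. Note that each service object has its own DACL in addition to the scmanager ACL; where the account lacks query rights on a particular service the script reports an error for that row rather than a status.

```powershell
# Added example, not the asker's service: the per-server status check the question
# describes, run as the low-privilege monitoring account. Uses the same .NET
# ServiceController class; the watch list below is constructed from the question.
Add-Type -AssemblyName System.ServiceProcess

# Constructed watch list; in the question this comes from a SQL Server table on ServerZ.
$watchList = @(
    @{ Server = 'ServerB'; Service = 'MSSQLSERVER' },
    @{ Server = 'ServerC'; Service = 'MSSQL$OTHERINSTANCE' },
    @{ Server = 'ServerD'; Service = 'SOMEOTHERSERVICE' },
    @{ Server = 'ServerD'; Service = 'RUNNINGOUTOFIDEAS' }
)

function Get-WatchedServiceStatus {
    param([Parameter(Mandatory)] [hashtable[]] $Targets)
    foreach ($t in $Targets) {
        $row = [pscustomobject]@{ Server = $t.Server; Service = $t.Service; Status = $null; Error = $null }
        $sc = $null
        try {
            # Constructing the object is cheap; reading .Status performs the remote query.
            # That needs SC_MANAGER_CONNECT on scmanager plus SERVICE_QUERY_STATUS on the
            # service itself. No start/stop right is requested or used.
            $sc = New-Object System.ServiceProcess.ServiceController($t.Service, $t.Server)
            $row.Status = $sc.Status.ToString()
        } catch {
            # ServiceController wraps the Win32 error (e.g. "Access is denied" or
            # "service does not exist") in an InvalidOperationException; PowerShell may
            # wrap that once more, so walk to the innermost message.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            $row.Error = $ex.Message
        } finally {
            if ($sc) { $sc.Dispose() }
        }
        $row
    }
}

$results = Get-WatchedServiceStatus -Targets $watchList
$results | Format-Table -AutoSize

# A row that answered but is not Running is the condition the monitor exists to catch;
# a row with an Error is a permission or naming problem to fix, not a service outage.
$stopped = $results | Where-Object { $_.Status -and $_.Status -ne 'Running' }
$denied  = $results | Where-Object { $_.Error }
if ($stopped) {
    Write-Warning ("Not running: " + (($stopped | ForEach-Object { "$($_.Server)\$($_.Service)" }) -join ', '))
}
if ($denied) {
    Write-Warning ("Query failed: " + (($denied | ForEach-Object { "$($_.Server)\$($_.Service) ($($_.Error))" }) -join ', '))
}
```

Run it once as the administrator account the asker currently uses and once as the candidate monitoring account; any row that changes from a status to "Access is denied" pinpoints the server or service whose ACL still needs the read-only grant.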

Zac67: You could locally create a group on each server with just the privileges you need and then add an AD account (or group) to it for the monitoring service.

Spratty: @Zac67 - Do you know what privileges they would be? That's the thing I'm most stuck with - I'm no network admin so any pointers to any documentation regarding those rights or roles would be very, very much appreciated.
Score:2

The account will need the following access on scmanager to remotely monitor all of a machine's services:

This is the string that would need to be injected into the current scmanager ACL: `(A;;CCLCRPRC;;;<AccountSID>)`

A - Allow
CC - SC_MANAGER_CONNECT - remotely connect
LC - SC_MANAGER_ENUMERATE_SERVICE - list all services
RP - SC_MANAGER_QUERY_LOCK_STATUS - interrogate the status of each
RC - STANDARD_RIGHTS_READ - read the permissions of scmanager and services

The ACL is stored at `HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security`

You will want to determine what the current ACL is on scmanager, and include the above string in the appropriate location -- which is somewhere in the middle, at the end of the Discretionary ACL and before the System ACL, like so:

```
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
```

Depending upon how you deploy it and what your system for automated deployment is, you may find it easier to leverage the sc.exe command. The "service" that you manage with sc.exe isn't really a service, it's the service control manager (scmanager):

```
sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
```


This is technically excessive access, as it grants the account the permission to query the status and permissions of any service, not just a handful.
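The answer's `sdset` line hard-codes the whole descriptor, which is fine for one box but risky across a fleet where the existing scmanager DACL may differ from server to server (the `S-1-15-3-1024-...` capability SID, for instance, is machine-specific on the page's own example). The PowerShell below is an added example, not part of the answer: it reads the live descriptor with `sc.exe sdshow scmanager`, appends the read-only ACE for the resolved SID at the end of the DACL (just before `S:`, the position the answer describes), lets .NET validate the result before anything is written, keeps a copy of the old descriptor for rollback, and re-reads after `sdset` to confirm. It is idempotent, so re-running it on a server that already has the ACE changes nothing. The account name `CONTOSO\svc-monitor` is a placeholder; the script assumes an elevated session on the server being changed.

```powershell
# Added example, not from the original answer: idempotently add the read-only scmanager
# ACE described above for one account, preserving the existing DACL and SACL.
# Assumptions: run in an elevated session on each target server; $Account resolves in AD;
# 'CONTOSO\svc-monitor' is a placeholder name.

function Get-ScmSddl {
    # sc.exe prints a blank line followed by the SDDL line; keep only the descriptor.
    $line = & sc.exe sdshow scmanager | Where-Object { $_ -match '^[OGDS]:' } | Select-Object -First 1
    if (-not $line) { throw 'Could not read the scmanager security descriptor.' }
    return $line.Trim()
}

function Add-ScmReadOnlyAce {
    param(
        [Parameter(Mandatory)] [string] $CurrentSddl,   # output of Get-ScmSddl
        [Parameter(Mandatory)] [string] $Sid            # SID of the monitoring account
    )
    $ace = "(A;;CCLCRPRC;;;$Sid)"       # CC LC RP RC: exactly the rights listed in the answer

    if ($CurrentSddl -like "*$ace*") { return $CurrentSddl }   # already present: nothing to do

    # The DACL ends where the SACL ('S:') begins; the lookahead keeps 'S:' in the second part.
    # SIDs inside the DACL start with 'S-' and so never match 'S:'.
    $parts = $CurrentSddl -split '(?=S:)', 2
    $new = $parts[0] + $ace + $(if ($parts.Count -gt 1) { $parts[1] } else { '' })

    # Let .NET parse the result; a malformed descriptor throws here instead of at sc.exe.
    [void][System.Security.AccessControl.RawSecurityDescriptor]::new($new)
    return $new
}

$Account = 'CONTOSO\svc-monitor'   # placeholder
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$current = Get-ScmSddl
$new = Add-ScmReadOnlyAce -CurrentSddl $current -Sid $sid
if ($new -eq $current) { Write-Host "ACE already present for $Account"; return }

# Keep the previous descriptor so the change can be reverted with 'sc.exe sdset scmanager <old>'.
$backup = Join-Path $env:TEMP ("scmanager-sddl-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Set-Content -Path $backup -Value $current
Write-Host "Old SDDL saved to $backup"

& sc.exe sdset scmanager $new
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Re-read and confirm the ACE is now part of the live descriptor.
$applied = Get-ScmSddl
if ($applied -notlike "*(A;;CCLCRPRC;;;$sid)*") { throw 'ACE not found after sdset' }
Write-Host "Read-only SCM access granted to $Account ($sid)"
```

Because the ACE grants only connect, enumerate, query-lock-status and read-control on scmanager, and nothing on individual service objects, the account still cannot start, stop or reconfigure a service; if a particular service's own DACL denies SERVICE_QUERY_STATUS to the account, that service needs its own read-only ACE (via `sc.exe sdset <servicename>`) and the monitoring query will report access denied for it until then.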

Spratty: Thank you - that looks (to my inexpert eye) like a very workable solution; I'll pass it on to the Network Admin team and see what they say, but I have high hopes. Thank you again - I'll be back to accept this answer as soon as I hear back.

Spratty: Just so you know, our NA team have agreed to go this way as it's a whole load better than any alternative we can come up with. You note: `This is technically excessive access, as it grants the account the permission to query the status and permissions of any service, not just a handful.` - we're happy with that; the monitoring service will almost certainly be expanded to watch lots of other services on demand, so being able to see all the services will, for us, be a feature and not a bug. Thanks for your time and your answer - you've made things a whole lot easier for me.