Access Denied while trying to stop a C# Windows Service

I have created a C# web service using Visual Studio to stop the Windows service 'Simple Mail Transfer Protocol (SMTP)', called SMTPSVC.

The following is the web method to do it:

[WebMethod]
public string StopService()
{
    String status = "";
    try
    {
        ServiceController scAlerter = new ServiceController("SMTPSVC");

        Console.WriteLine(scAlerter.DisplayName);
        Console.WriteLine(scAlerter.CanStop);

        scAlerter.Stop();
        Console.WriteLine("Service stopped");
        status = "STOPPED";
    }
    catch (Exception e)
    {
        Console.WriteLine("Exception caught here" + e.ToString());
        status = "Exception" + e.ToString();
    }
    return status;
}

I published this web service on my IIS 5.1 server. When I invoke the service, it throws the following 'Access Denied' exception:

<?xml version="1.0" encoding="utf-8" ?> 
<string xmlns="http://y-square.org/">
    ExceptionSystem.InvalidOperationException: Cannot open SMTPSVC service on 
    computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied 
    --- End of inner exception stack trace --- at 
    System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
    at System.ServiceProcess.ServiceController.Stop() at Service.RestartService()
    in c:\Inetpub\wwwroot\RestartService\App_Code\Service.cs:line 38
</string> 

By default the service is using the user account IUSER_system-name, and I have added this user account to the system Administrators group and also added the ASPNET user account to the Administrators group.

I was able to stop/start this Windows service from a standalone C# program successfully.

Can you kindly let me know what the problem is? Are there any permission settings or IIS user access rights I need to change in order to run this?

Also let me know which user account this C# service would use to stop the Windows Service?

Your help is much appreciated.

Thanks in advance, Yogi

Guglielmo answered 8/7, 2011 at 13:9 Comment(0)

The IUSER_machinename (IUSER for short, in the following) account is, for good reasons, a relatively limited account, with little more privilege than a guest account. It isn't allowed to start and stop Windows services, or even to interrogate them (to get their status etc).
When run in the context of a stand-alone exe, the logic above is successful because the underlying account is [probably] yours, which is likely a member of the Administrators group, or a rather powerful account at any rate.

The easy, but unrecommended, way out of this situation is to give the IUSER account more privileges. Just to try, add this account to the Administrators group, and bam!, it will work (but it will also introduce a potentially dangerous security hole).
A better approach is to make an explicit list of the particular Windows services that will be allowed to be managed by way of IIS, and to set their individual service security descriptors so that the IUSER account (or another account/group created for the occasion) is allowed to start and/or stop them as desired.
The difficulty in implementing this approach is that, to my knowledge, there's no GUI or intuitive admin tool to inspect and alter the services' security descriptor: you need to use sd and "learn" the SDDL language. Here are a few pointers to do so

Cutaneous answered 8/7, 2011 at 15:4 Comment(4)
Thanks for your reply. I have tried adding the IUSER account to the system Administrators group by using the Control Panel / User Accounts application, but I am still getting the same exception. Is there any other configuration I need to do in the IIS server, like virtual directory properties etc.? – Guglielmo
@Yogi. I'm busy at work and without access to Windows machines to check stuff. I still believe this is a matter of permission and/or security policy setting. For diagnostic purposes, temporarily have IIS use the very account that is used when running the code as a stand-alone app in lieu of the IUSER account and see if this works. Also, you may want to direct this question to the serverfault.com QA site, as sys admins will be in a better position to help with what really appears to be a config issue rather than a code issue. – Cutaneous
@mfv: It started working today when I added the IUSR account to the Administrators group, probably due to the restart of my system. Many thanks for your help. Cheers, Yogi – Guglielmo
@Yogi: glad to hear you got it working, and thanks for accepting the answer. I do REMIND you that adding the IUSR account to the Administrators group is a test procedure rather than a long-term solution; the preferred solution is to alter the Service Security Descriptors of the only/few services which may need it, allowing the IUSR account (or better yet, a distinct account) to remain with relatively low privileges. The purpose of a distinct account is mostly for ease of maintenance, for example allowing the exact same scripts across different servers; the key is that it isn't an Admin acct. – Cutaneous
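
An added illustration of the per-service security descriptor approach recommended in the answer (not part of the original thread): it reads the SDDL string that `sc sdshow SMTPSVC` prints, lists who may stop the service, and builds the string to hand to `sc sdset` so that one dedicated low-privilege account gets start/stop rights. The sample descriptor and the SID are constructed values, not taken from a real SMTPSVC installation.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")

# Constructed sample in the shape of a typical service descriptor.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed SID standing in for a dedicated service-control account.
CONTROL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

def split_sddl(sddl):
    """Return (dacl, sacl); sacl is '' when the string has no 'S:' part."""
    sddl = sddl.strip()
    if not sddl.startswith("D:"):
        raise ValueError("expected a descriptor starting with 'D:'")
    cut = sddl.find("S:")
    return (sddl, "") if cut < 0 else (sddl[:cut], sddl[cut:])

def dacl_entries(sddl):
    """List (ace_type, [right names], trustee); handles letter-coded rights only."""
    out = []
    for ace_type, _f, rights, _o, _i, trustee in ACE.findall(split_sddl(sddl)[0]):
        names = [SERVICE_RIGHTS.get(c, c) for c in re.findall("..", rights)]
        out.append((ace_type, names, trustee))
    return out

def trustees_allowed(sddl, right):
    """Trustees holding an allow ACE that includes the named right."""
    return [t for typ, names, t in dacl_entries(sddl) if typ == "A" and right in names]

def grant(sddl, sid, codes=("LC", "LO", "RP", "WP")):
    """Append an allow ACE (status, interrogate, start, stop) to the DACL only."""
    if not re.fullmatch(r"S-1(-\d+)+", sid):
        raise ValueError("trustee must be a SID string")
    if any(c not in SERVICE_RIGHTS for c in codes):
        raise ValueError("unknown rights code")
    dacl, sacl = split_sddl(sddl)
    return f"{dacl}(A;;{''.join(codes)};;;{sid}){sacl}"

if __name__ == "__main__":
    print("may stop before:", trustees_allowed(SAMPLE, "STOP"))
    print("string for sc sdset:", grant(SAMPLE, CONTROL_SID))
```

Review the generated string and keep the original `sc sdshow` output so the descriptor can be restored.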
