Access Denied while trying to stop a C# Windows Service

Question

I have created a C# web service using visual studio to stop the windows service 'Simple Mail Transfer Protocol (SMTP)' called SMTPSVC.

The following is the web method to do it:

[WebMethod]
public string StopService()
{
    String status = "";
    try
    {
        ServiceController scAlerter = new ServiceController("SMTPSVC");

        Console.WriteLine(scAlerter.DisplayName);
        Console.WriteLine(scAlerter.CanStop);

        scAlerter.Stop();
        Console.WriteLine("Service stopped");
        status = "STOPPED";
    }
    catch (Exception e)
    {
        Console.WriteLine("Exception caught here" + e.ToString());
        status = "Exception" + e.ToString();
    }
    return status;
}

I published this web service in my IIS 5.1 server. When I invoked the service it is throwing the following 'Access Denied' exception

<?xml version="1.0" encoding="utf-8" ?> 
<string xmlns="http://y-square.org/">
    ExceptionSystem.InvalidOperationException: Cannot open SMTPSVC service on 
    computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied 
    --- End of inner exception stack trace --- at 
    System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
    at System.ServiceProcess.ServiceController.Stop() at Service.RestartService()
    in c:\Inetpub\wwwroot\RestartService\App_Code\Service.cs:line 38
</string> 

By default the service is using the user account IUSER_system-name and I have added this user account into system Administrators group and also added ASPNET user account in Administrator group.

I was able to stop/start this windows service from C# standalone program successfully.

Can you kindly let me know what is the problem? Any permission settings or IIS user access rights shall I need to change in order to run this?

Also let me know which user account this C# service would use to stop the Windows Service?

Your help is much appreciated.

Thanks in advance, Yogi

Answer 1

The IUSER_machinename (IUSER for short, in the following) account is, for good reasons, a relatively limited account, with little more privilege than a guest account. It isn't allowed to start and stop Windows services, or even to interrogate them (to get their status etc).
When run in the context of a stand-alone exe, the logic above is successful because the underlying account is [probably] you who is likely a member of the Administrators group, or a rather powerful account at any rate.

The easy, but unrecommended way out of this situation, is to give the IUSER account more privileges. Just to try add this account to the Administrators group, bam!, it will work (but will also introduce some potentially dangerous security hole).
A better approach is to make the explicit list of the particular Windows services that will be allowed to managed by way of IIS, and to set their individual service security descriptor to so that the IUSER account (or another account/group created for the occasion) be allowed to start and/or stop them as desired.
The difficulty in implementing this approach is that, to my knowledge, there's no GUI or intuitive admin tool to inspect and alter the services' security descriptor: you need to use sd and "learn" the SDDL language. Here are a few pointers to do so

• MSDN Best practices and guidance for writers of service discretionary access control lists
• sc sdshow command
• sc sdset command