Hi

Does any one know how to disable (Not able to Stop / Start / Kill) the individual services under Services.msc. I tried SC Command but doesn't help much.

If anybody know what arguments or parameters to add in MSI which can facilitate to disable the services Example RPC...

I need a answer vry urgently. If any one have a idea to SHARE, it will be great.

Thanks

Sam
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Could you not use a custom action to run:

NET STOP "The Service Name Goes Here"

as well there's the ever popular:

NET START "The Service Name Goes Here"

Net.exe is usually located in your system32 directory. The "'s are important if your service has spaces in the name.

Kindest Regards,
---- Robb -----
Answered 09/12/2005 by: Robb Thomas
Senior Yellow Belt

Please log in to comment
0
Oh, almost forgot, to disable the service, you can do this using Registry Key Entries.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
Start = 2 <- automatically start the service
Start = 3 <- Does not run during startup (you'd have to "Net Start Remote Procedure Call (RPC)"
If 'something' specifically needs this services it will start.
Start = 4 <- Service is disabled.

So you'd use the Net Stop to stop the service, then the above would let you change how the service runs at startup.

Regards,
---- Robb ----
Answered 09/12/2005 by: Robb Thomas
Senior Yellow Belt

Please log in to comment
0
Hi Robb Thomas,

Thanks for you reply.

Please under my requirement is Disabling of Stop / Start (to make it gray)buttons the individual services under Services.msc

I doesn't want to stop or disable to service.. Service should be keep running. But i don't want users to entertain stoping or starting the services. for example On XP OS if you look at RPC, you will be able understand about my question.

Thanks buddy,
Answered 09/14/2005 by: Sathia
Senior Yellow Belt

Please log in to comment
0
The easiest approach would be to remove the desktop administrative or Power User rights from the users.

Another possibility could be a Group Policy that you could deploy to deny access to system services. I do not know of such a policy.

Change the Permission on the MSC file so that the users are denied read access to the file.

Deploy a hacked up version of the MSC file. As I understand it, microsoft has rigged MSC files so that you can edit them, and or remove / add your own functions to them. I have never done this, and therefor cannot help you more in this.

That's about all I can think of.

Regards,
---- Robb ----
Answered 09/15/2005 by: Robb Thomas
Senior Yellow Belt

Please log in to comment
0
Dear Robb,

Thanks for your time.

I do practice the same as you recommended. But the worst scenario is, those pc are legacy, not likely to upgrade to SOE. Tot of any one have experienced this before.

No choice, I will see what i can do my best.

Thank you again for sharing you time and knowledge.
Answered 09/15/2005 by: Sathia
Senior Yellow Belt

Please log in to comment
2
Sam

Do you want to protect all your services from being stopped or disabled by your users or only a few of them?
We managed to protect the four services that come with McAfee VirusScan from being stopped. Therefore we deployed an msi which ran a VB Script that put those settings from an sdb-file to the workstation.
Is this what you want?
Let me know

Roland
Answered 09/20/2005 by: rpfenninger
Second Degree Green Belt

Please log in to comment
0
Sounds like your users are local admins as only administrators can manage services, is this true?
Answered 09/21/2005 by: AngelD
Red Belt

Please log in to comment
0
Nope. Our users are 'Power Users' but no 'Administrators'.
But the VB Script (that installs the .sdb file which locks down the services) is being executed in the system context (deferred execution) of the msi, that's why it works...
Answered 09/21/2005 by: rpfenninger
Second Degree Green Belt

Please log in to comment
0
Hi Ronald,

You are right. We don't want to disable all of the services at this moment. But i can recommend that to my Project. The scenario is "All of the users have local admin rights" but they are not an administrators. They can play/stop any services on their Local Machine. Due to some security is concern, we don't want them to stop Antivirus services at any situation.

I think your recommendation should work." We managed to protect the four services that come with McAfee VirusScan from being stopped. Therefore we deployed an msi which ran a VB Script that put those settings from an sdb-file to the workstation".

Are you able to guide me how shall go about doing it. Or if possible can you send me the VB Script file and sdb file to jsathia@hotmail.com.

I Appreciate you reply and give you 2 scores..

Thank you
Answered 09/21/2005 by: Sathia
Senior Yellow Belt

Please log in to comment
0
Hi Sam

I didn't realize that all your users have local administrator rights. (Or what exactly do you mean with "All of the users have local admin rights but they are not an administrators")?
I'm not sure if this is going to work as it is pretty hard to lock an administrator down.
In our company all the users are only Power Users. They do have the ability to change the state of a service. This is why we locked the McAfee services down.

I hope that it works in your environment as well.

Roland


BTW: Thanks for the rating!
Answered 09/22/2005 by: rpfenninger
Second Degree Green Belt

Please log in to comment
0
Hi Roland,

Thanks a lot for your effort for sending those files.
but i couldn't edit sdb file..
do you have any idea how to create the file, if so i can create and test it out.

Any way thanks again.
Answered 09/28/2005 by: Sathia
Senior Yellow Belt

Please log in to comment
0
Hi Sam

Ok, I try to translate my German manual I created for myself for those tasks:

First of all you can convert the .sdb file to a readable .inf file by using the following command line:
C:\Windows\security\Database> secedit /export /db "file.sdb" /cfg "yourname.inf"
---> secedit is the command (for more information)

To create your very own .sdb file first open an mmc.
Load the two security SnapIns (they should be called something like Security Templates and Security Configuration)
Create a new Security Template
Set your rights as expected (this works for filesystem, registry and services)
Save the template. You get an .inf file in C:\Windows\security\templates
Then in the other SnapIn (Security Configuration) choose to open a database. Browse to your .inf file
Provide a name for your new .sdb file and click the option for cleaning up the database before the import.
So you get the .sdb file in %USERPROFILE%\My Documents\Security\Database

You can then test your .sdb file by choosing "Configure Computer Now" in the context menu of the mmc. Let the program write a log so you can check if everything worked as expected.

That's it
Hope that this works for you

Roland
Answered 09/28/2005 by: rpfenninger
Second Degree Green Belt

Please log in to comment
Answer this question or Comment on this question for clarity