How to Start/Stop a Windows Service from an ASP.NET app - Security issues
To give IIS permission to start/stop a particular service:
- Download and install Subinacl.exe. (Be sure to get the latest version! Earlier versions distributed in some resource kits don't work!)
- Issue a command similar to:
subinacl /service {yourServiceName} /grant=IIS_WPG=F
This grants full service control rights for that particular service to the built-in IIS_WPG group. (This works for IIS6 / Win2k3.) YMMV for newer versions of IIS.)
Try adding this to your Web.Config.
<identity impersonate="true"/>
This was a good question that intrigued me as well...
So here is what I did to solve this problem:
- Step 1: Create a Windows user account on the local machine with minimal rights.
- Step 2: Give this user rights to start and stop the service via subinacl.exe
- i.e. subinacl.exe /service WindowsServiceName /GRANT=PCNAME\TestUser=STOE
- Dowload from : http://www.microsoft.com/en-za/download/details.aspx?id=23510
Step 3: Use Impersonation to impersonate the use created in Step 1 to start and stop the Service
public const int LOGON32_PROVIDER_DEFAULT = 0;WindowsImpersonationContext _impersonationContext;[DllImport("advapi32.dll")]// ReSharper disable once MemberCanBePrivate.Globalpublic static extern int LogonUserA(String lpszUserName, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]// ReSharper disable once MemberCanBePrivate.Globalpublic static extern int DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]// ReSharper disable once MemberCanBePrivate.Globalpublic static extern bool RevertToSelf();[DllImport("kernel32.dll", CharSet = CharSet.Auto)]// ReSharper disable once MemberCanBePrivate.Globalpublic static extern bool CloseHandle(IntPtr handle);private bool _impersonate;public bool ImpersonateValidUser(String userName, String domain, String password){ IntPtr token = IntPtr.Zero; IntPtr tokenDuplicate = IntPtr.Zero; if (RevertToSelf()) { if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0) { if (DuplicateToken(token, 2, ref tokenDuplicate) != 0) { var tempWindowsIdentity = new WindowsIdentity(tokenDuplicate); _impersonationContext = tempWindowsIdentity.Impersonate(); if (_impersonationContext != null) { CloseHandle(token); CloseHandle(tokenDuplicate); _impersonate = true; return true; } } } } if (token != IntPtr.Zero) CloseHandle(token); if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate); _impersonate = false; return false;}#region Implementation of IDisposable#endregion#region Implementation of IDisposableprivate void Dispose(bool dispose){ if (dispose) { if (_impersonate) _impersonationContext.Undo(); _impersonationContext.Dispose(); }}public void Dispose(){ Dispose(true);}#endregionpublic static void StartStopService(bool startService, string serviceName){ using (var impersonateClass = new Impersonation()) { impersonateClass.ImpersonateValidUser(Settings.Default.LocalUsername, Settings.Default.Domain, Settings.Default.Password); using (var sc = new ServiceController(serviceName)) { if (startService) sc.Start(); else if (sc.CanStop) sc.Stop(); } }}