Monday, March 25, 2013

USER AUTHORIZATION Pt 1


http://blogs.msdn.com/b/distributedservices/archive/2009/03/13/troubleshooting-msdtc-permission-issues-when-a-distributed-transaction-starts.aspx


1. Grant the client application identity the Full Control permission to the cluster server

The user account associated with the client application must be a member of the local Administrators group, or have Full Control on the cluster server. Otherwise the RPC call made from the client application to the cluster server fails and an error message that resembles the following is logged in the application event log:

Event Type:     Error
Event Source:   MSDTC Client
Event Category: MSDTC Proxy
Event ID:       4376
Date:           11/12/2008
Time:           1:25:31 PM
User:           N/A
Computer:       ComputerName
Description:    The application could not connect to MSDTC because of insufficient permissions. Please make sure that the identity under which the application is running has permission to access the cluster. Please refer to MSCS documentation on how to grant permissions. Error Specifics: d:\srvrtm\com\complus\dtc\dtc\msdtcprx\src\dtcinit.cpp:652, Pid: 4544

For more information on granting the permission, see "You cannot start transactions from a COM+ component on a clustered SQL Server server".

2. Grant the user access rights to Service Control Manager on the cluster server

In addition to the Full Control cluster permission, the user account must also have the GENERIC_READ access right to the Service Control Manager (SCM) on the cluster; otherwise it cannot begin the distributed transaction. If the user does not have this access right to the SCM, the following error is logged in the security event log. Note that this error is only logged if "Audit object access" is enabled in the Local Policies. For more information on enabling "Audit object access", see "How to enable and apply security auditing in Windows 2000".

Event Type:     Failure Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           11/24/2008
Time:           12:46:33 PM
User:           Domain\User
Computer:       ComputerName
Description:    Object Open:
    Object Server:        SC Manager
    Object Type:          SC_MANAGER OBJECT
    Object Name:          ServicesActive
    Handle ID:            -
    Operation ID:         {0,55865185}
    Process ID:           1340
    Image File Name:      C:\WINDOWS\system32\services.exe
    Primary User Name:    ComputerName$
    Primary Domain:       Domain
    Primary Logon ID:     (0x0,0x3E7)
    Client User Name:     User
    Client Domain:        Domain
    Client Logon ID:      (0x0,0x353882A)
    Accesses:             READ_CONTROL
                          Connect to service controller
                          Enumerate services
                          Query service database lock state
    Privileges:           -
    Restricted Sid Count: 0
    Access Mask:          0x20015

To display the discretionary access control list (DACL) on the Service Control Manager (SCM), run the following SC command at a command prompt:

sc sdshow SCMANAGER

Here is a sample output:

D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

In the output above there is (A;;CC;;;AU). The first 'A' means allow access, 'CC' means the SC_MANAGER_CONNECT right, and 'AU' represents the "Authenticated Users" group. This means that "Authenticated Users" have the SC_MANAGER_CONNECT access right to the SCM.

To add the GENERIC_READ (GR) access right for "Authenticated Users" on the SCM to the existing DACL, run the following SC command at a command prompt:

sc sdset SCMANAGER D:(A;;CCGR;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Run "sc sdshow SCMANAGER" again to display the new DACL on the SCM:

D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

You can see in the new output that 'GR' has been replaced with 'LCRPRC'. This is because GENERIC_READ for SCMANAGER is:

READ_CONTROL (RC)
SC_MANAGER_ENUMERATE_SERVICE, or Enumerate services (LC)
SC_MANAGER_QUERY_LOCK_STATUS, or Query service database lock state (RP)

This ensures the user has the GENERIC_READ access right to the SCM.

3. Grant the user access rights to the cluster service on the cluster

The user account must also have the GENERIC_READ access right to the cluster service (ClusSvc) on the cluster. If the user does not have this access right to ClusSvc, an error message that resembles the following is logged in the security event log. Note that this error is only logged if "Audit object access" is enabled in the Local Policies.

Event Type:     Failure Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           2/24/2009
Time:           5:28:31 PM
User:           Domain\User
Computer:       ComputerName
Description:    Object Open:
    Object Server:        SC Manager
    Object Type:          SERVICE OBJECT
    Object Name:          ClusSvc
    Handle ID:            -
    Operation ID:         {4,1888529168}
    Process ID:           1208
    Image File Name:      C:\WINDOWS\system32\services.exe
    Primary User Name:    ComputerName$
    Primary Domain:       Domain
    Primary Logon ID:     (0x0,0x3E7)
    Client User Name:     User
    Client Domain:        Domain
    Client Logon ID:      (0x4,0x7085A6C0)
    Accesses:             READ_CONTROL
                          Query service configuration information
                          Query status of service
                          Enumerate dependencies of service
                          Query information from service
    Privileges:           -
    Restricted Sid Count: 0
    Access Mask:          0x2008D

To display the DACL on the Cluster Service (ClusSvc), run the following SC command:

sc sdshow clussvc

Here is a sample output:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

To add the GENERIC_READ (GR) access right for "Authenticated Users" on ClusSvc to the existing DACL, run the following SC command:

sc sdset clussvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CRGR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Run "sc sdshow clussvc" again to display the new DACL on ClusSvc:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

You can see in the new output that 'GR' has been replaced with 'CCLCSWLORC'. This is because GENERIC_READ for a service is:

READ_CONTROL (RC)
SERVICE_QUERY_CONFIG, or Query service configuration information (CC)
SERVICE_QUERY_STATUS, or Query status of service (LC)
SERVICE_INTERROGATE, or Query information from service (LO)
SERVICE_ENUMERATE_DEPENDENTS, or Enumerate dependencies of service (SW)

This ensures the user has the GENERIC_READ access right to ClusSvc.

4. Grant the user access rights to Service Control Manager (SCM) on the non-clustered server

There is a DWORD registry value named HKLM\Software\Microsoft\Windows NT\CurrentVersion\Cluster Server\ClusterInstallationState on both clustered and non-clustered servers. On clustered Windows Server 2003 the value is 2 or 3. On non-clustered Windows Server 2003 the value is 1, meaning "Files Copied but Cluster Service not configured."

The GENERIC_READ access right to the SCM is not enforced on standalone servers, so event ID 560 for the SCM can be ignored on non-clustered servers. The exception is Windows Server 2003 Web Edition, where the subkey is absent by default. To be able to ignore this error as on Standard Edition, add the following cluster registry information:

C:\>reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Cluster Server"
C:\>reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Cluster Server" /v ClusterInstallationState /d 1 /t REG_DWORD

5. Grant the user access rights to MSDTC on both the clustered and non-clustered servers

The desired access right to the MSDTC service is SERVICE_QUERY_CONFIG (CC). Event ID 560 for the MSDTC service is logged in the security event log if the DACL is (A;;CR;;;AU).

To display the DACL on MSDTC, run the following SC command:

sc sdshow msdtc

Here is a sample output:

D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

If you see error 560 for MSDTC in the event log, you need to add CC to (A;;CR;;;AU) with the following SC command:

sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCCR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The SC command is used throughout this article. Subinacl is another utility that is commonly used to display and grant user rights on any service. Note that Subinacl cannot be used for the SCM. The following article has examples of using the utility: "Grant Users Rights to Manage Services in Windows Server 2003".

For more information about service security and access rights, ACE strings and service DACLs, see the following articles: "Service Security and Access Rights", "ACE Strings", and "Best practices and guidance for writers of service discretionary access control lists".

http://support.microsoft.com/kb/324802/EN-US

How To Configure Group Policies to Set Security for System Services in Windows Server 2003

Article ID: 324802. This article was previously published under Q324802.


SUMMARY

This article describes how to use Group Policy to set security for system services for an organizational unit in Windows Server 2003.

When you implement security on system services, you can control who can manage services on a workstation, member server, or domain controller. Currently, the only way to change a system service is through a Group Policy computer setting. If you implement Group Policy as the Default Domain Policy, the policy is applied to all computers in the domain. If you implement Group Policy as the Default Domain Controllers policy, the policy applies only to the servers in the domain controller's organizational unit. You can create organizational units that contain workstation computers to which policies can be applied. This article describes the steps for implementing a Group Policy on an organizational unit to change permissions on system services.

How to Assign System Service Permissions

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the domain to which you want to add the organizational unit, point to New, and then click Organizational Unit.
3. Type a name for the organizational unit in the Name box, and then click OK. The new organizational unit is listed in the console tree.
4. Right-click the new organizational unit that you created, and then click Properties.
5. Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use the name of the organizational unit for which it is implemented), and then press ENTER.
6. Click the new Group Policy object in the Group Policy Object Links list (if it is not already selected), and then click Edit.
7. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
8. In the right pane, double-click the service to which you want to apply permissions. The security policy setting for that specific service is displayed.
9. Click to select the Define this policy setting check box.
10. Click Edit Security.
11. Grant the appropriate permissions to the user accounts and groups that you want, and then click OK.
12. Under Select service startup mode, click the startup mode option that you want, and then click OK.
13. Close the Group Policy Object Editor, click OK, and then close the Active Directory Users and Computers tool.

NOTE: You must move the computer accounts that you want to manage into the organizational unit. After the computer accounts are contained in the organizational unit, the authorized user or groups can manage the service.


http://msdn.microsoft.com/en-us/library/aa374928.aspx

The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

The ACE string shown above describes the following ACE information.

AceType:     0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:    0x00
Access Mask: 0x100e003f
             READ_CONTROL
             WRITE_DAC
             WRITE_OWNER
             GENERIC_ALL
             Other access rights (0x0000003f)
Ace Sid:     (S-1-0-0)

The following example shows a file classified with resource claims for Windows and Structured Query Language (SQL) with Secrecy set to High Business Impact.

(RA;CI;;;;S-1-0-0; ("Project",TS,0,"Windows","SQL"))
(RA;CI;;;;S-1-0-0; ("Secrecy",TU,0,3))

The ACE string shown above describes the following ACE information.

AceType:     0x12 (SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE)
AceFlags:    0x1 (SDDL_CONTAINER_INHERIT)
Access Mask: 0x0
Ace Sid:     (S-1-0-0)
Resource Attributes: Project has the strings Windows and SQL, Secrecy has the unsigned int value of 3

For more information, see Security Descriptor String Format and SID Strings. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
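As an added example (not code from any of the articles quoted on this page), the following Python script parses the D: part of SDDL strings like the ones above, expands GR using the GENERIC_READ mappings the MSDTC walkthrough gives for the SCM and for services, and reports which bits of an audited Access Mask (the event 560 value) a SID is still missing; it also computes the 0x100e003f mask of the MSDN ACE string. The RIGHTS table holds the standard SDDL bit values; the function names, the GENERIC_READ dictionary and the assumption that D: precedes S: in the string are mine.

```python
import re

# SDDL two-letter access rights and their bit values (generic, standard and the
# object-specific bits that the SCM and services reuse; standard Win32 values).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "KA": 0x000F003F,
}
SPECIFIC = [n for n in RIGHTS if n not in ("GA", "GR", "GW", "GX", "KA")]
# GENERIC_READ expansion per object type, as the walkthrough lists it:
# SCM = RC|LC|RP, service = RC|CC|LC|SW|LO.
GENERIC_READ = {"scmanager": 0x20014, "service": 0x2008D}
# ACE string fields: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_rights(s):
    """Turn a rights string such as 'CCLCRPRC' (or a hex mask) into an access mask."""
    if s.startswith("0x"):
        return int(s, 16)
    mask = 0
    for i in range(0, len(s), 2):
        mask |= RIGHTS[s[i:i + 2]]
    return mask

def allowed_mask(sddl, sid, object_type):
    """Effective allow mask for `sid` from the D: part of an SDDL string, with GR
    expanded the way the service controller does it for that object type."""
    dacl = sddl.split("S:")[0]            # assumption: D: comes before the SACL
    mask = 0
    for ace_type, _flags, rights, _og, _iog, ace_sid in ACE_RE.findall(dacl):
        if ace_type != "A" or ace_sid != sid:
            continue                      # only access-allowed ACEs for our SID
        m = parse_rights(rights)
        if m & RIGHTS["GR"]:
            m = (m & ~RIGHTS["GR"]) | GENERIC_READ[object_type]
        mask |= m
    return mask

def missing_rights(sddl, sid, object_type, requested):
    """Rights in an audited Access Mask (event 560) that the DACL does not grant."""
    have = allowed_mask(sddl, sid, object_type)
    return sorted(n for n in SPECIFIC if requested & RIGHTS[n] and not have & RIGHTS[n])

# Sample DACL copied from the walkthrough: AU only has SC_MANAGER_CONNECT.
SCM_BEFORE = "D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

if __name__ == "__main__":
    print(missing_rights(SCM_BEFORE, "AU", "scmanager", 0x20015))  # ['LC', 'RC', 'RP']
```

The same check run against the `sc sdshow` output after the `sdset` shows no missing rights, which is the practical way to confirm a fix before re-running the transaction.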

Related topics

[MS-DTYP]: Security Descriptor Description Language 

http://msdn.microsoft.com/en-us/library/aa375774(v=vs.85).aspx

Authorization Reference

Authorization reference pages contain detailed descriptions of the Microsoft authorization functions, interfaces, objects, structures, and other programming elements. These pages include reference descriptions of the API for working with access controls, including the access control editors. Reference pages are divided into the following groups.

Section: Description

Microsoft.Interop.Security.AzRoles Assembly: Links to documentation for the AzRoles assembly interfaces.
Authorization Constants: Constants used by authorization programming elements.
Authorization Data Types: Data types used by authorization programming elements.
Authorization Enumerations: Enumerations used by authorization programming elements.
Authorization Functions: Functions used with authorization.
Authorization Interfaces: Interfaces used with authorization.
Authorization Objects: Objects used with authorization.
Authorization Structures: Structures used with authorization functions, interfaces, and objects.

Authorization Constants

Authorization constants are categorized according to usage as follows.

In this section

Topic: Description

Account Rights Constants: Account rights determine the type of logon that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user and to the groups to which the user belongs.
App Container SID Constants: Dictate the application package authority.
Auditing Constants: Represent categories and subcategories of audit-policy events.
Capability SID Constants: Define well-known capabilities for applications by using the AllocateAndInitializeSid function.
Privilege Constants: Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.







