I'm going to jot down some quick notes on modifying the permissions on Windows services, because I don't think I have written anything about it here before.
Many times, we find ourselves wanting to delegate some administrative activity on a server to another admin or group of admins, but we don't want to give them full administrative control over the entire server. We need to delegate only specific activity. For example, we might want to give our delegated users the right to stop, start and restart only a specific Windows service. Modifying the ACL on a Windows service is a little more involved than modifying the ACL on a file or folder, though.
If the machine is domain-joined, you can do this with Group Policy: the setting lives under Computer Configuration > Policies > Windows Settings > Security Settings > System Services, where you define the service and use Edit Security to set its ACL.
If the computer is not domain-joined, or if you only want to change the local security policy of one or two computers, you can accomplish the same thing with Security Templates on the local computer: add the Security Templates snap-in to an MMC console, define the service's security in the System Services node of a template, and apply the template with the Security Configuration and Analysis snap-in or secedit.exe.
You can also use the sc.exe utility from an elevated prompt. (If you are in PowerShell, type sc.exe rather than sc; plain sc is an alias for Set-Content there.)
The sc sdshow servicename command displays the access control list of the Windows service in SDDL (Security Descriptor Definition Language) format.
The SDDL string looks crazy at first, but it's pretty simple once you analyze it for a second. There is a D: part and an S: part. The D: part is the Discretionary ACL (DACL), which is what we usually think of when we think of an ACL on a file, etc. The S: part is the System ACL (SACL), which is used for things like object access auditing and is not modified or thought about nearly as much as the DACL. Each parenthesized group within either part is one Access Control Entry (ACE), with semicolon-separated fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid. For a service, the GUID fields are empty, so an ACE looks like (A;;RPWPDT;;;S-1-5-21-...).
With the second command, sc sdset, I set the new ACL on the service. I inserted one ACE into the D: part of the string, before the S: part. The SID I specified is that of a non-administrative user; I would recommend creating a security group called "IIS Delegated Administrators" or something like that and using the SID of that group instead. I granted that account the RP, WP and DT access rights (start, stop and pause/continue the service). The A stands for Allow, as opposed to a Deny ACE (D). Two things to watch: sc sdset replaces the entire security descriptor, so you must paste the complete string from sdshow with your new ACE added to it, not just the new ACE, or you will wipe out the existing ACL; and a canonical DACL lists Deny ACEs before Allow ACEs, so if the existing DACL contains any Deny entries, put your Allow ACE after them rather than at the front. In practice you will usually also want to grant CC, LC, SW, LO and RC, so the delegated admins can query the service's configuration and status; without LC (SERVICE_QUERY_STATUS), tools such as sc query and services.msc cannot even show them the service's state. Different types of objects such as services, files, MSDTC components, etc., all interpret the rights letters differently. In other words, the "RP" right means something different for a Directory Service object than it does for a Windows service. Here are the rights strings for Windows services:
CC = SERVICE_QUERY_CONFIG, DC = SERVICE_CHANGE_CONFIG, LC = SERVICE_QUERY_STATUS, SW = SERVICE_ENUMERATE_DEPENDENTS, RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE, LO = SERVICE_INTERROGATE, CR = SERVICE_USER_DEFINED_CONTROL, SD = DELETE, RC = READ_CONTROL, WD = WRITE_DAC, WO = WRITE_OWNER.
You can find a lot more on SDDL in Microsoft's documentation.
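Splicing the ACE into the SDDL string by hand works, but it is easy to drop a character or put the Allow entry ahead of a Deny. The following PowerShell is an added example, not code from the original post: it reads the existing descriptor with sc.exe sdshow, parses it with .NET's RawSecurityDescriptor, appends an Allow ACE for a group, writes it back with sc.exe sdset, and decodes the resulting DACL into readable rights so you can verify what was granted. The service name W3SVC and the group CONTOSO\IIS Delegated Administrators are assumptions; substitute your own. The default rights set goes beyond the post's RP/WP/DT and also grants the query rights a delegated admin needs to see the service.

```powershell
# Added example (not from the original post): delegate start/stop/pause on one service
# to a group by editing the service's SDDL via .NET instead of hand-splicing the string.
# Service name and group name used in the usage lines are assumptions.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

# Service-specific access-mask bits and the SDDL letters sc.exe uses for them.
$ServiceRights = [ordered]@{
    CC = 0x0001   # SERVICE_QUERY_CONFIG
    DC = 0x0002   # SERVICE_CHANGE_CONFIG
    LC = 0x0004   # SERVICE_QUERY_STATUS
    SW = 0x0008   # SERVICE_ENUMERATE_DEPENDENTS
    RP = 0x0010   # SERVICE_START
    WP = 0x0020   # SERVICE_STOP
    DT = 0x0040   # SERVICE_PAUSE_CONTINUE
    LO = 0x0080   # SERVICE_INTERROGATE
    CR = 0x0100   # SERVICE_USER_DEFINED_CONTROL
    SD = 0x10000  # DELETE
    RC = 0x20000  # READ_CONTROL
    WD = 0x40000  # WRITE_DAC
    WO = 0x80000  # WRITE_OWNER
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # Call sc.exe by its full name: in PowerShell, plain "sc" is an alias for Set-Content.
    $out = sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    ($out | Where-Object { $_.Trim() -match '^D:' } | Select-Object -First 1).Trim()
}

function Show-ServiceDacl {
    # Decode each DACL entry into account + rights letters so the change can be verified.
    param([Parameter(Mandatory)][string]$Name)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new((Get-ServiceSddl $Name))
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $letters = foreach ($k in $ServiceRights.Keys) {
            if ($ace.AccessMask -band $ServiceRights[$k]) { $k }
        }
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{ Type = $ace.AceQualifier; Account = $who; Rights = ($letters -join '') }
    }
}

function Grant-ServiceControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Account,   # e.g. 'CONTOSO\IIS Delegated Administrators' (assumed)
        # Start/stop/pause plus the query rights needed to actually see the service's state.
        [string[]]$Rights = @('CC','LC','SW','RP','WP','DT','LO','RC')
    )
    $sid  = [System.Security.Principal.NTAccount]::new($Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $mask = 0
    foreach ($r in $Rights) {
        if (-not $ServiceRights.Contains($r)) { throw "Unknown service right: $r" }
        $mask = $mask -bor $ServiceRights[$r]
    }

    # Start from the CURRENT descriptor: sdset replaces the whole thing, so building a
    # descriptor from scratch would wipe out the service's existing ACL.
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new((Get-ServiceSddl $Name))
    $ace = [System.Security.AccessControl.CommonAce]::new(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               $mask, $sid, $false, $null)
    # Append rather than insert at index 0: a canonical DACL lists Deny ACEs before Allow ACEs.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($PSCmdlet.ShouldProcess($Name, "sc.exe sdset $new")) {
        $out = sc.exe sdset $Name $new
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $Name failed: $out" }
    }
    $new   # the descriptor that was (or, with -WhatIf, would be) applied
}

# Usage with the assumed names: preview, apply, then verify the resulting DACL.
# Grant-ServiceControl -Name W3SVC -Account 'CONTOSO\IIS Delegated Administrators' -WhatIf
# Grant-ServiceControl -Name W3SVC -Account 'CONTOSO\IIS Delegated Administrators'
# Show-ServiceDacl -Name W3SVC
```

Run the -WhatIf form first and compare its output against sc.exe sdshow: the only difference should be one new Allow ACE at the end of the D: part, with the S: part untouched. Show-ServiceDacl is also a quick way to audit a server for services whose DACLs grant WD or WO to non-administrators, since those two rights let the holder rewrite the ACL and so amount to full control of the service.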