Can a Windows Service Isolation give a Service access on a remote server?

Fenstad, Darrel B 1 Reputation point
2021-02-18T16:20:07.857+00:00

A product I work on has a Windows Service that is installed on two Windows Servers. The Service is configured to use a local user account (in Services Properties Logon tab) in order to read/write files from the Service on the other Servers. The requirement is that the user account and password must be identical on both servers for the read/write to work. The issue is when a client wants to change the password on one server, they must change it on the other server or the read/write of the files will fail.

So I looked into Service Isolation, which uses a Service Security Identifier (SID) (S-1-5-80-<sha1-hash-of-service-name>) (or 'NT Service\service-name') that can be used to apply permissions to a folder and/or a Windows Share. Unfortunately, I cannot get the read/write from one Service to a file on the other Server to work. I get error 13 from _wsfopen() and error 5 from CreateFile() (access denied) when reading/writing to the file through the Windows Share.

In my test, the Windows Service was updated to run with the LocalSystem account.

Is Service Isolation with the Service's SID restricted to only be applicable to the Server that your Service is running on?

I was hoping that the Service's SID would be in the list of SIDs for the Service process and applying the permissions on the other Server's folder and Share would allow the read/writes to work.
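Added example (not part of the question or any answer on this page): it derives the service SID (`S-1-5-80-...`) from a service name with the standard derivation, SHA-1 over the upper-cased UTF-16LE name split into five little-endian DWORDs, which shows that the SID depends only on the name and is therefore the same value on both servers, while still being a SID that exists only in the local process token. The service name in the block is a constructed placeholder; verify the output against `sc showsid <name>` on a Windows host.

```python
import hashlib
import re
import struct

SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Derive the per-service SID (NT SERVICE\\<name>) from a service name.

    Windows builds it as S-1-5-80-<five DWORDs>: the 20-byte SHA-1 digest of
    the service name, upper-cased and encoded as UTF-16LE, is read as five
    little-endian 32-bit unsigned integers. Only the name goes in, so the same
    service name yields the same SID on every machine.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX, *map(str, sub_authorities)])


def is_service_sid(sid: str) -> bool:
    """True if the string has the shape of a service SID (S-1-5-80 plus five sub-authorities)."""
    return re.fullmatch(r"S-1-5-80(-\d{1,10}){5}", sid) is not None


def service_sid_digest(sid: str) -> bytes:
    """Recover the raw 20-byte SHA-1 digest from the textual SID, e.g. for comparing ACL entries."""
    if not is_service_sid(sid):
        raise ValueError(f"not a service SID: {sid}")
    parts = [int(p) for p in sid.split("-")[4:]]
    return struct.pack("<5I", *parts)


if __name__ == "__main__":
    # Constructed placeholder name; compare with `sc showsid MyProductService` on a Windows host.
    name = "MyProductService"
    print(f"NT SERVICE\\{name} -> {service_sid(name)}")
```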
