Issue:
When a normal user attempts to use the Services MMC to enumerate the services of a remote computer, they may receive the following error message:
Unable to open service control manager database on servername.
Error 5: Access is denied.
When a normal user attempts to use the SC command to enumerate the services of a remote computer, they may receive the following error message:
[SC] OpenSCManager FAILED 5:
Access is denied.
Cause:
Prior to Windows 2003 SP1, “Authenticated Users” had the ability to enumerate services remotely. In Windows 2003 SP1 this permission was removed.
In Windows 2003, the ability to enumerate services is controlled by the security on the “service control manager database”.
Solution:
To allow “Authenticated Users” to remotely enumerate services, run the following commands on the Windows 2003 server.
1) Run the SC command to get the current security on the “service control manager database”
   a. sc sdshow scmanager
2) Record the SDDL string
3) Copy the SDDL to Notepad and replace (A;;CC;;;AU) with (A;;CCLCRPRC;;;AU)
   a. This will allow “Authenticated Users” the following additional rights:
      i. List Contents (LC)
      ii. Read All Properties (RP)
      iii. Read Permissions (RC)
4) Run the following command to set the new security on the “service control manager database”
   a. sc sdset scmanager <SDDL String>
      i. Where <SDDL String> is the modified string from step 3, entered as a single string with no spaces.
      ii. Windows 2003 SP1 example:
sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
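The edit in step 3 can be checked before it is applied. The following is an added example, not part of the original article: a small Python script that parses the "sc sdshow scmanager" output, shows what the Authenticated Users ACE grants on the service control manager object before and after the change, and builds the string for step 4. The function names are illustrative, and the script assumes rights are written as two-letter SDDL tokens, as they are in this article's strings.

```python
import re

# SDDL right tokens as they apply to the service control manager object
# (access-mask names from winsvc.h / winnt.h).
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "KA": "SC_MANAGER_ALL_ACCESS",
}
DACL = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")   # ACE run after D: and its flags
ACE = re.compile(r"\(([^()]*)\)")

# Default Windows 2003 SP1 string, copied from this article.
SP1_DEFAULT = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
               "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def rights_for(sddl, sid):
    """Names of the rights that DACL allow ACEs grant to `sid`."""
    tokens = []
    for m in ACE.finditer(DACL.search(sddl).group(1)):
        f = m.group(1).split(";")   # type;flags;rights;object;inherit;sid
        if f[0] == "A" and f[5] == sid:
            tokens += re.findall("..", f[2])   # assumes two-letter tokens, not hex
    return [SCM_RIGHTS.get(t, t) for t in tokens]

def grant_enumerate(sddl, sid="AU", add=("LC", "RP", "RC")):
    """Step 3: extend the allow ACE for `sid`; other ACEs and the SACL stay as-is."""
    dacl = DACL.search(sddl)
    changed = []
    def fix(m):
        f = m.group(1).split(";")
        if f[0] == "A" and f[5] == sid:
            have = re.findall("..", f[2])
            f[2] = "".join(have + [r for r in add if r not in have])
            changed.append(sid)
        return "(" + ";".join(f) + ")"
    new_dacl = ACE.sub(fix, dacl.group(1))
    if not changed:   # e.g. "AU" appears only in the SACL, where it is the audit ACE type
        raise ValueError(f"no allow ACE for {sid} in the DACL")
    return sddl[:dacl.start(1)] + new_dacl + sddl[dacl.end(1):]

if __name__ == "__main__":
    print("before:", rights_for(SP1_DEFAULT, "AU"))
    new = grant_enumerate(SP1_DEFAULT)
    print("after: ", rights_for(new, "AU"))
    print("sc sdset scmanager " + new)
```

Parsing the ACE fields rather than doing a text replace keeps the change to the one Authenticated Users allow ACE; the "AU" at the start of the S: entries is the audit ACE type, not the Authenticated Users SID.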
More Information:
This is the default Windows 2003 SP1 SDDL string:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This is the original Windows 2003 SDDL string:
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You are not able to view or modify the security of the “service control manager database” on Windows 2000 or earlier.