Jan 31 2011
 

Recently, I’ve come to find a lot of spare time on my hands and today I decided that I’ve been sitting on the sidelines long enough; it’s time I got my head into the various APIs and pricing models involved in “Cloud Computing”.

There’s a good reason I’ve been waiting – I’ve been waiting for the hype to die down, and for real world solutions to present themselves.  Both Amazon EC2 (Elastic Compute Cloud, part of Amazon’s Web Service offering) and Microsoft’s Windows Azure (incorporating SQLAzure, which has previously been reviewed on this site) have matured to the point where real world applications are making use of them, and I think it is fair to say that they are the big names currently associated with the cloud computing concept.

I’m excluding VPS (virtual private server) technologies, which are a (somewhat) more generic product/service for virtual hosts provided by web hosting companies, as they typically are hosted servers and lack a programmatic API such as Azure and Amazon EC2.  Their product is slightly different from the Cloud model offered by Amazon and Microsoft, although a VPS or Virtuozzo style setup would surely be a valid option for many businesses, depending on their scalability needs.

So, I’ll be starting with Amazon EC2 and a re-review of Windows Azure (I’ve previously used Azure and SQLAzure pre-RTM).  My main goal will be to compile a pricing comparison and to create a test cloud application and compare each platform.  Check back for more information as I begin looking into each platform.

Cheers.. R

Aug 08 2010
 

You might find this information handy if you work with Windows Services, and wish to grant some basic permissions to user accounts.  In my scenario, I wanted to be able to list the status of several key Windows Services used in my overall architecture (for a diagnostic website/control panel) and to be able to restart the service(s) should they stop for some reason.

This has become increasingly difficult as, over time, Windows Server has become further locked down.  By default, local users and non-administrative accounts do not even possess the rights to enumerate local services, let alone query their status or restart them.  Luckily, there is a way to remedy this.  Please note that this applies on a per-account basis; I have not found a solution which applies to security groups.

You’ll need a special utility (called Subinacl) to grant permissions; you can download a copy from Microsoft.  Note that you will require local administrative privileges to perform the following steps.

The first thing you need to do is to [1] determine the SID (security identifier) of the account you wish to grant permissions to.  This can be achieved in a number of ways, the easiest being the execution of a little VBS script.  Copy and paste the VBS below into a text file, save it with a .vbs extension, and double-click the file to execute it.

    strComputer = "."   ' or the full name of the machine
    ' Connect to WMI on the target machine
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Look up the account; replace both placeholders before running
    Set objAccount = objWMIService.Get _
        ("Win32_UserAccount.Name='<USERNAME>',Domain='<DOMAIN OR LOCAL MACHINE NAME>'")
    ' Show the account's SID
    Wscript.Echo objAccount.SID

Once you’ve obtained the SID for the account you wish to grant permissions to, read the following blog article – scroll down to the section titled “Grant access to run the Services Control Panel”.  This blog article will take you the rest of the way.  I strongly suggest reading through the linked article.

If, however, you’d prefer a quick summary of the remaining steps, keep reading below.

  1. Open a Command Prompt and execute the following statement:

    sc sdshow scmanager

  2. Copy the output (SDDL) to a text editor; it will look something like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  3. Copy the section of the SDDL that ends in IU (interactive users), i.e. the entry (A;;CCLCRPRC;;;IU), and paste the copy just before the S: in the SDDL line.
  4. In the pasted copy, replace ‘IU’ with the SID of the user you looked up previously. The result may look like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  5. Run the following command to grant the permission to enumerate local Windows services to the specified User Account/SID:

    sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

You’ll need to know the “short name” of the Windows Service you want to grant permissions on. To find it quickly, type the following command:

    sc getkeyname "<Service Name>"

You can also get the name from the Services applet in the Control Panel –> Administrative Tools.

Then, using subinacl (which you previously downloaded and installed, right?) you can grant permissions to your user account like so:

    subinacl /verbose /service "<short name of service>" /grant=<DOMAIN or MACHINE>\<user account>=F

Note that the “=F” grants full permissions.
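The manual SDDL edit from the numbered steps can be scripted so that the SID and the result are validated before anything is passed to `sc sdset`. The following is an added example, not code from the original post or the referenced articles, and it goes one step further by building a per-service entry that is narrower than the `=F` grant. The function name `Add-SddlAce`, the SID, the service SDDL and the choice of rights `LCRPWPRC` are assumptions made for illustration.

```powershell
function Add-SddlAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,    # output of: sc.exe sdshow <object>
        [Parameter(Mandatory)][string]$Sid,     # SID of the account being granted access
        [Parameter(Mandatory)][string]$Rights   # SDDL rights codes, e.g. CCLCRPRC
    )
    # Throws on a malformed SID, so a typo never reaches sc sdset.
    $sidValue = [System.Security.Principal.SecurityIdentifier]::new($Sid).Value
    if ($Rights -cnotmatch '^([A-Z]{2})+$') { throw "Unexpected rights string: $Rights" }

    # The DACL runs up to the SACL marker. SIDs start with 'S-', so 'S:' is only the marker.
    $text = $Sddl.Trim()
    $cut  = $text.IndexOf('S:')
    if ($cut -lt 0) { $cut = $text.Length }     # descriptor without a SACL
    $dacl = $text.Substring(0, $cut)
    $sacl = $text.Substring($cut)
    if (-not $dacl.StartsWith('D:')) { throw 'Expected the string to start with a DACL (D:)' }

    $ace = "(A;;$Rights;;;$sidValue)"
    if (-not $dacl.Contains($ace)) { $dacl += $ace }   # running it twice adds nothing
    $result = $dacl + $sacl

    # Parse the result; an invalid descriptor throws here instead of at sdset time.
    $null = [System.Security.AccessControl.RawSecurityDescriptor]::new($result)
    return $result
}

# Constructed sample values (not taken from a real host).
$acctSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$scmSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
$svcSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Same rights the steps above copy from the IU entry (connect, enumerate, read).
$newScm = Add-SddlAce -Sddl $scmSddl -Sid $acctSid -Rights 'CCLCRPRC'
# On a service object: LC = query status, RP = start, WP = stop, RC = read control.
# Deliberately no DC (change config), WD (write DACL) or WO (write owner).
$newSvc = Add-SddlAce -Sddl $svcSddl -Sid $acctSid -Rights 'LCRPWPRC'

# Print the commands for review; use sc.exe because 'sc' is an alias in Windows PowerShell.
"sc.exe sdset scmanager `"$newScm`""
"sc.exe sdset <short name of service> `"$newSvc`""
```

Keep the original `sc.exe sdshow` output for each object so the previous descriptor can be restored with `sc.exe sdset` if the change needs to be rolled back.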

A big thanks to the two blog entries I’ve referenced for steering the way here.  I found the VBS script an easier way to lookup the user SID than the one referenced in the second blog article.

To grant enumeration rights to a security group, you may be able to follow steps outlined in the following blog article, though I have not tested it out myself.

Source Articles:

[1] http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx

[2] http://lanestechblog.blogspot.com/2010/07/how-to-delegate-services-control-in.html
[3] http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20allow%20users%20to%20enumerate%20service%20remotely.aspx