windows - How to add a service SID to a service?

Question

I have a windows service with a TCP/IP server built in. Clients and connect and some information is distributed etc. Typically the service is installed to log on as Network Service.

There is some data that is stored in a folder under ProgramData and read/write access to that folder is therefor granted to the service during installation. However, access is thus typically granted to all services using the Network Service account. I understand that it is possible to add a specific service SID using ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO. From there it is however not at all clear how to proceed and if this is even a solution to my problem.

Any help would be much appreciated!

Answer 1

This is called Service Isolation. Specifying with SERVICE_CONFIG_SERVICE_SID_INFO parameter with SERVICE_SID_INFO structure with the SID type instructs the SCM to add the service SID to the service's process token, thus allowing the service to gain access to resources that you may have configured to allow access only to your specific service. Also you may use sc command

sc <server> sidtype [service name] [type]

OPTIONS:
 type = <none|unrestricted|restricted>

sc <server> qsidtype [service name]