When running Service Manager as a Service on Windows Server,
currently sm.exe needs to be run as user which is member of the "Administrators" group.
This is a potential high risk because the user (often called service account) has full admin rights on this windows server. Therefore this user has MUCH MORE rights than it actually requires to run sm.exe.
Being member of the "Administrators" group is actually not needed for the service account.
It would be sufficient to have the rights "SeCreateGlobalPrivilege" to create shared memory objects.
Adjust the required condition for a user to run sm.exe. Remove the requirement to be member of "Administrators" group and add requirement to have "SeCreateGlobalPrivilege" right.
Pros of this solution:
- sm.exe can be run as a service account which is NOT member of Administrators group
- the "high risk" of the service account being member of Administrator group is mitigated
Cons of this solution: