Services Hardening in Windows Vista

Windows services, formerly known as NT services, are long-running executable applications that run in their own Windows sessions. Services can be started automatically when the computer boots, can be paused and restarted, generally show no user interface, and can run in the security context of an account that differs from both the logged-on user and the default computer account. Windows services are therefore a convenient facility for certain types of application development and for the end users of those applications. However, the same power and flexibility have traditionally made Windows services a prime target for exploitation, for several reasons.

First, in the past, Windows services have generally run in highly privileged accounts such as Local System. If a service running as Local System is compromised by malware, that malware inherits the full privileges of the operating system itself and can do essentially anything it wants on that machine. Consider, for example, the remote procedure call (RPC) service in Windows XP. Prior to Windows XP SP2, the RPC service ran under the Local System account, which is what allowed Blaster, Welchia, and other worms to perform administrative tasks once the RPC vulnerability had been exploited.

Second, many services are network-facing. This gives malware an opportunity to exploit them by making inbound connections to them over the network, and it lets an infected service make outbound connections to infect other systems or perform some other illicit activity, such as forwarding captured keystrokes. Most of today's worms and malware infections arrive through some form of network connection.

Finally, services are typically long-running, which is to say that they run from the time a system boots until it is shut down. This is attractive to malware writers because the service's attack surface is exposed for as long as the system is up, and a service that has been compromised stays compromised for the same stretch of time, giving the malware plenty of opportunity to carry out its activities.

Services have been hardened in Windows Vista in four ways: running services with least privilege, service isolation, restricted network access, and Session 0 isolation. I'll discuss each of these in detail.

Security Watch: Services Hardening in Windows Vista -- TechNet Magazine, January 2007
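The first two mechanisms listed above, least privilege and service isolation, are visible on a Vista-era or later system through the Service Control Manager: each service can carry an explicit list of required privileges and a per-service SID. The following PowerShell audit is an added example, not code from the TechNet article or from Microsoft; it lists each service's logon account, its configured privilege list (as reported by `sc.exe qprivs`) and its service SID type (as reported by `sc.exe qsidtype`), and flags services that still run as LocalSystem with no privilege trimming. The function name and the `Exposure` rating are this example's own conventions; it assumes an elevated prompt on Windows Vista or later, where these two per-service settings exist.

```powershell
# Added example (not from the TechNet article): audit Windows services for the
# least-privilege and service-isolation settings described in the text.
# Assumptions: Windows Vista or later (per-service privileges and service SIDs
# do not exist on earlier versions), sc.exe in PATH, and an elevated PowerShell
# session so that the SCM allows QueryServiceConfig2 on every service.

function Get-ServiceHardeningInfo {
    param(
        # Optional list of service names; default is every installed service.
        [string[]]$Name
    )

    $services = Get-CimInstance -ClassName Win32_Service
    if ($Name) {
        $services = $services | Where-Object { $Name -contains $_.Name }
    }

    foreach ($svc in $services) {
        # Required-privilege list. "sc qprivs" prints one SeXxxPrivilege per line;
        # no matches means the SCM hands the service its account's full default token.
        $privs = @()
        foreach ($line in (& sc.exe qprivs $svc.Name 2>$null)) {
            if ($line -match 'Se\w+Privilege') { $privs += $Matches[0] }
        }

        # Service SID type: NONE (no per-service SID), UNRESTRICTED, or RESTRICTED.
        # A per-service SID is what lets ACLs and the firewall target a single service.
        $sidType = 'NONE'
        foreach ($line in (& sc.exe qsidtype $svc.Name 2>$null)) {
            if ($line -match 'SERVICE_SID_TYPE\s*:\s*(\w+)') { $sidType = $Matches[1] }
        }

        # Rating used by this example only: LocalSystem with an untrimmed token is the
        # situation the article describes for the pre-SP2 RPC service.
        $exposure = 'review'
        if ($svc.StartName -eq 'LocalSystem' -and $privs.Count -eq 0) { $exposure = 'HIGH' }

        [pscustomobject]@{
            Name       = $svc.Name
            Account    = $svc.StartName
            StartMode  = $svc.StartMode
            State      = $svc.State
            Privileges = if ($privs.Count) { $privs -join ',' } else { '(default token)' }
            SidType    = $sidType
            Exposure   = $exposure
        }
    }
}

# Usage: show the services that combine a LocalSystem logon with no privilege list.
Get-ServiceHardeningInfo |
    Where-Object { $_.Exposure -eq 'HIGH' } |
    Sort-Object Name |
    Format-Table Name, Account, StartMode, State, SidType, Privileges -AutoSize
```

The counterpart configuration commands are `sc.exe privs <service> <priv1>/<priv2>/...` to declare the privileges a service needs (the SCM strips every other privilege from its token at start) and `sc.exe sidtype <service> unrestricted|restricted` to give the service its own SID. Note that a third-party service marked HIGH by this script is only a candidate for review: a privilege list must match what the code actually calls, so trim it against the service's documentation or a test run, not blindly.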
