Understanding Vista Service Hardening

Written by Peter Y. Moss; published March 2007.



Earlier versions of Windows grant wide access to the system-level services running on the computer. Many of these services run under the LocalSystem account, where any breach could:

  • Grant wide access to the data on the computer.

  • Allow malicious programs to modify the system configuration.

  • Open the computer to other types of attacks.

Windows Vista uses Windows Service Hardening to provide an additional layer of protection that limits what a compromised service can do. Following the security principle of defense-in-depth, Windows Service Hardening:

  • Restricts critical Windows services from performing abnormal activities that affect the file system, registry, network, or other resources that could be used to allow malicious software to install itself or attack other computers. Services can be restricted from replacing system files or modifying the registry. Unnecessary Windows privileges, such as the ability to perform debugging, have also been removed on a per-service basis.

  • Limits the number of services that are running and operational by default to reduce the overall attack surface in Windows. Some services are now configured to start manually as needed rather than automatically when the operating system starts.

  • Limits the privilege level of services by limiting the number of services that run in the LocalSystem account. Some services that previously ran in the LocalSystem account now run in a less privileged account, such as the Local Service or Network Service account. This reduces the overall privilege level of the service, which is similar to the benefits derived from User Account Control (UAC).

Windows Service Hardening also introduces new building blocks that Windows' own services use. Like user accounts, each service has a security identifier that is used to manage the security permissions granted to the service. Per-service security identifiers (SIDs) enable per-service identity. Per-service identity, in turn, enables access control partitioning through the existing Windows access control model, covering all objects and resource managers that use access control lists (ACLs). Services can now apply explicit ACLs to resources that are private to the service, which prevents other services, as well as the user, from accessing those resources.
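As an added example (not part of the original article or of any Microsoft tool), the script below derives the per-service SID for a given service and builds an SDDL descriptor that makes a resource private to that service. It assumes the documented derivation of NT SERVICE SIDs: SHA-1 over the upper-cased, UTF-16LE-encoded short service name, split into five little-endian 32-bit sub-authorities under S-1-5-80; the resulting value can be cross-checked on a Windows host with `sc showsid <name>`.

```python
import hashlib
import re
import struct

# Well-known prefix of the "NT SERVICE" SID authority used for per-service SIDs.
SERVICE_SID_PREFIX = "S-1-5-80"
SID_RE = re.compile(r"^S-1-5-80(?:-\d+){5}$")


def service_sid(service_name: str) -> str:
    """Derive the per-service SID (NT SERVICE\\<name>) for a service.

    Assumed derivation: SHA-1 of the upper-cased service name encoded as
    UTF-16LE; the 20-byte digest becomes five little-endian 32-bit
    sub-authorities. Use the short key name (e.g. "wuauserv"), not the
    display name. Compare against: sc showsid <name>
    """
    if not service_name:
        raise ValueError("service name must not be empty")
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in subauths)


def private_resource_sddl(service_name: str) -> str:
    """Build a protected DACL (SDDL) that makes a resource private to one service.

    "P" blocks inherited ACEs; full access is granted only to LocalSystem (SY),
    Administrators (BA) and the service's own SID, so another service running
    under the same host account (e.g. Local Service) has no access.
    """
    return f"D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;{service_sid(service_name)})"


def is_service_sid(sid: str) -> bool:
    """True if the string is a well-formed NT SERVICE SID (five sub-authorities)."""
    return bool(SID_RE.match(sid))


if __name__ == "__main__":
    # Constructed sample of real Vista service short names.
    for name in ("TrustedInstaller", "wuauserv", "Dnscache"):
        print(f"{name:18} {service_sid(name)}")
    print(private_resource_sddl("Dnscache"))
```

The SDDL string can be applied to a file or registry key with icacls or the Win32 security APIs to enforce the per-service partitioning described above.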

All services now have write-restricted access tokens. A write-restricted access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources to which the service was not granted explicit access fail. Further, services are assigned a network firewall policy to prevent network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID.

While Windows Service Hardening cannot prevent a vulnerable service from being compromised, it does go a long way toward limiting how much damage an attacker can do in the unlikely event the attacker is able to identify and exploit a vulnerable service. When combined with other Windows Vista components and other defense-in-depth strategies, such as Windows Firewall and Windows Defender, computers running Windows Vista have much more protection than computers running earlier versions of Windows.
