10 things you should know about Windows Vista's service hardening
Takeaway: Service hardening extends the functionality of existing Windows security mechanisms, such as security identifiers and access control lists, to reduce the level of damage that can be done if a service is compromised. Here are the key things you need to know about this new feature.
This article is available as a PDF download. It's also part of the collection "100 things you should know about Windows Vista."
Service hardening is one of many new security mechanisms in Windows Vista and the next generation of Windows server, currently known as Longhorn Server. Because it's not always desirable or possible to disable Windows services that provide attackers with an exploitable point of attack, the new operating systems include features that make it more difficult for service exploits to do damage.
Here are a few facts you should know about service hardening:
#1: SCM manages services
Windows services are programs that are managed by the Service Control Manager (SCM), which maintains a database of installed services and manages each service's state. Usually services start automatically when Windows boots and run continuously, making them always available and thus attractive to attackers.
#2: Higher privileges = greater exposure
In previous Windows operating systems, most services ran under the LocalSystem account, which has a high level of privileges. That meant that if the service were compromised, attackers could do major damage because they would have access to almost everything.
#3: Vista and Longhorn Server run services with lowest possible privileges
In Vista and Longhorn, many of the services that used to run under LocalSystem now run under the NetworkService or LocalService accounts, which have a lower level of privileges. Services run with the lowest possible privileges. Any privileges that a service doesn't need are removed, which helps reduce the attack surface.
#4: Vista protects services by using "isolation" techniques
Isolation techniques include Session 0 isolation, which prevents user applications from running in Session 0 (the first session created when Windows starts up). Only services and other applications that are not associated with a user session can run there. This protects the services from the actions of other applications.
#5: Vista assigns a Security Identifier (SID) to each service
Assigning a SID to each service allows services to be separated from one another and enables the operating system to apply the Windows access control model to restrict services' access to resources in the same way user and group accounts' access can be restricted.
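The per-service SID is not stored anywhere; it is derived from the service name, so it is the same on every machine. The following PowerShell is an added example, not part of the article: it derives the SID locally (assuming the documented scheme of S-1-5-80 plus five little-endian words of the SHA-1 of the upper-cased UTF-16LE service name) and cross-checks it against what the Service Control Manager itself reports through sc.exe showsid.

```powershell
# Added example (not from the article): derive a service's SID locally and
# cross-check it against what the Service Control Manager reports via "sc.exe showsid".
# Assumed algorithm: S-1-5-80 followed by five 32-bit little-endian words taken from
# the SHA-1 of the service name, upper-cased and encoded as UTF-16LE.
function Get-ServiceSidFromName {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash      = [System.Security.Cryptography.SHA1]::Create().ComputeHash($nameBytes)  # 20 bytes
    $subAuths  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }      # 5 x DWORD
    return 'S-1-5-80-' + ($subAuths -join '-')
}

function Test-ServiceSidAgainstScm {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $computed = Get-ServiceSidFromName -ServiceName $ServiceName
    # sc.exe prints "NAME: <svc>", "SERVICE SID: S-1-5-80-...", "STATUS: Active|Inactive".
    $match   = & sc.exe showsid $ServiceName | Select-String 'SERVICE SID:\s*(S-1-5-80-[\d-]+)'
    $fromScm = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
    New-Object PSObject -Property @{
        Service  = $ServiceName
        Computed = $computed
        FromScm  = $fromScm
        Match    = ($computed -eq $fromScm)
    }
}

# TrustedInstaller is a convenient known reference point; its SID is
# S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 on every Vista+ system.
Test-ServiceSidAgainstScm -ServiceName 'TrustedInstaller' | Format-List

# The same SID also has an account name, "NT SERVICE\<name>", which is the form ACL tools
# accept; the OS resolves it whether or not the service is running.
$account = New-Object System.Security.Principal.NTAccount('NT SERVICE\TrustedInstaller')
$account.Translate([System.Security.Principal.SecurityIdentifier]).Value
```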
#6: In Vista, access control lists (ACLs) can now be applied to services
An ACL is a set of access control entries (ACEs). Every resource on the network has a security descriptor that contains the ACLs assigned to it. Permissions defining who or what can access that resource are stored in the ACL.
#7: Vista allows the application of network firewall policies to services
The policy is linked to the service's SID. This allows you to control how the service is allowed to access the network and prevent it from using the network in ways it's not supposed to, such as sending outbound network traffic. The Vista Firewall is integrated with the service hardening feature.
#8: Specific services can be restricted so that they can't make edits to the registry, write to system files, and so forth
If a service needs to perform those actions to function properly, it can be restricted so that it can write only to specific areas of the registry or the file system. Services can also be prevented from making changes to configuration settings and performing other actions that can be exploited by an attacker.
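Points #6, #7 and #8 come together when you lock down a single service: a write-restricted token, a trimmed privilege list, an ACL that names the service SID, and a firewall rule bound to it. The PowerShell below is an added example, not part of the article; "ExampleSvc" and its log directory are placeholders, and the two privileges kept are illustrative, not a recommendation for any real service.

```powershell
# Added example (not from the article): apply the controls described in #6, #7 and #8
# to a hypothetical service. "ExampleSvc" and the log directory are placeholders;
# the privileges a real service needs must come from its own documentation or testing.
$svc    = 'ExampleSvc'
$logDir = 'C:\ProgramData\ExampleSvc\logs'

# 1. Put the service SID in the token and make the token write-restricted. A write-
#    restricted service can only write to objects that explicitly grant write access to
#    its own service SID (or to the special WRITE RESTRICTED group, S-1-5-33).
#    Takes effect at the next service start; services sharing one process must use the same sidtype.
& sc.exe sidtype $svc restricted

# 2. Declare the only privileges the service requires; the SCM strips every other
#    privilege from the token when the service starts (slash-separated list).
& sc.exe privs $svc 'SeChangeNotifyPrivilege/SeImpersonatePrivilege'

# 3. Grant that SID modify rights on the one directory it is allowed to write, using
#    the NT SERVICE\<name> account form. Nothing else on the file system opens up.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
& icacls.exe $logDir /grant "NT SERVICE\${svc}:(OI)(CI)(M)"

# 4. Firewall rule bound to the service (and therefore its SID): no outbound traffic
#    for this service, while other processes and services are unaffected.
& netsh.exe advfirewall firewall add rule name="Block outbound - $svc" dir=out action=block service=$svc

# Read the configuration back to confirm each step took effect.
& sc.exe qsidtype $svc
& sc.exe qprivs  $svc
& icacls.exe $logDir
& netsh.exe advfirewall firewall show rule name="Block outbound - $svc"
```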
#9: Each service is pre-assigned a service hardening profile
This profile defines what the service should and shouldn't be allowed to do. Based on this profile, the SCM assigns the services only the privileges they must have. This all happens transparently, with no configuration or administrative overhead required.
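Because the profile is applied transparently, the only way to see it is to read the SCM's configuration back. The following PowerShell is an added example, not part of the article: it lists each service's account, SID type and required-privilege list, and flags the combination described in #2 (a full LocalSystem token with nothing stripped).

```powershell
# Added example (not from the article): read back the effective per-service hardening
# settings (account, SID type, required privileges) so the pre-assigned profile from #9
# becomes visible, and flag services still running with a full LocalSystem token.
function Get-ServiceHardeningProfile {
    foreach ($s in Get-WmiObject -Class Win32_Service) {
        # "sc.exe qsidtype" prints a line like "SERVICE_SID_TYPE:  UNRESTRICTED"
        $sidLine = & sc.exe qsidtype $s.Name | Select-String 'SERVICE_SID_TYPE:\s*(\S+)'
        $sidType = if ($sidLine) { $sidLine.Matches[0].Groups[1].Value } else { 'UNKNOWN' }

        # "sc.exe qprivs" prints "PRIVILEGES : SeFooPrivilege" plus one " : SeBarPrivilege"
        # line per additional privilege; no such lines means the SCM strips nothing.
        $privs = @(& sc.exe qprivs $s.Name |
                   Select-String ':\s*(Se\w+Privilege)\s*$' |
                   ForEach-Object { $_.Matches[0].Groups[1].Value })

        New-Object PSObject -Property @{
            Name       = $s.Name
            Account    = $s.StartName
            SidType    = $sidType
            Privileges = ($privs -join ',')
            # Highest exposure per #2/#3: LocalSystem, unrestricted token, nothing stripped.
            Flag       = ($s.StartName -eq 'LocalSystem' -and $sidType -ne 'RESTRICTED' -and $privs.Count -eq 0)
        }
    }
}

Get-ServiceHardeningProfile |
    Sort-Object Flag, Account -Descending |
    Format-Table Name, Account, SidType, Privileges, Flag -AutoSize
```

Run it before and after a Windows update or a third-party install to catch services that were added with the legacy LocalSystem/unrestricted defaults.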
#10: Service hardening does not prevent attackers from compromising services
The Windows Firewall and other protective layers are designed to prevent that. The purpose of service hardening is to reduce the level of damage that can be done if the service does become compromised. It provides inner-layer protection in Vista's multilayered security strategy.