Windows Service Hardening
Feature Description
Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.
Windows services represent a large percentage of the overall attack surface in Windows, both from the perspective of the quantity of overall "always-on" code footprint in the system and the privilege level of that code. Windows Vista limits the number of services that are running and operational by default. Today, many system and third-party services run in the LocalSystem account, where any breach could lead to unbounded damage to the local machine, including disk formatting, user data access, or driver installation.
Windows Service Hardening reduces the damage potential of a compromised service by introducing new concepts which are used by Windows services:
Introduction of a per-service security identifier (SID). This gives each service its own identity, which in turn allows access control to be partitioned using the existing Windows access control model, covering every object and resource manager that uses access control lists (ACLs). Services can now apply explicit ACLs to resources that are private to the service, which prevents other services as well as the user from accessing the resource.
Moving services from LocalSystem to a lesser privileged account such as LocalService or NetworkService. This reduces the overall privilege level of the service, which is similar to the benefits derived from User Account Control.
Removal of unnecessary Windows privileges on a per-service basis; for example, the ability to do debugging.
Applying a write-restricted access token to the service process. This access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
Services are assigned network firewall policy, which prevents network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID.
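The five mechanisms above are exposed to service authors and administrators through the service control manager. The following PowerShell script is an added example, not part of the original article, that applies all of them to a hypothetical third-party service named "ContosoAgent" (the service name, its data directory and the allowed port are assumptions); it uses only the stock sc.exe, icacls and netsh tools and must run from an elevated session.

```powershell
# Added example (not from the original article): hardening a hypothetical
# service "ContosoAgent" with the Windows Service Hardening mechanisms.
# Assumes the service is already installed and the session is elevated.
# Note: in PowerShell "sc" aliases Set-Content, so call sc.exe explicitly.
$svc     = 'ContosoAgent'                 # hypothetical service name
$svcSid  = "NT SERVICE\$svc"              # per-service SID, resolvable by name
$dataDir = 'C:\ProgramData\ContosoAgent'  # hypothetical private resource

# 1. Move the service off LocalSystem to a lower-privileged built-in account.
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 2. Turn on the per-service SID in the service's token.
#    'unrestricted' only adds the SID; 'restricted' also makes the token
#    write-restricted, so writes succeed only where the service SID is granted.
sc.exe sidtype $svc restricted

# 3. Strip privileges the service does not need: only the listed ones remain.
sc.exe privs $svc 'SeChangeNotifyPrivilege/SeImpersonatePrivilege'

# 4. Grant the per-service SID explicit access to its private directory.
#    With a write-restricted token this ACE is what lets the service write here;
#    other services running as LocalService get no entry and are kept out.
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
icacls $dataDir /inheritance:r /grant "${svcSid}:(OI)(CI)M" 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# 5. Bind outbound firewall policy to the service SID. Block rules win over
#    allow rules, so "everything except TCP 443" is expressed as two blocks.
netsh advfirewall firewall add rule name="$svc block TCP except 443" dir=out action=block service=$svc protocol=TCP remoteport=1-442,444-65535 enable=yes
netsh advfirewall firewall add rule name="$svc block UDP" dir=out action=block service=$svc protocol=UDP remoteport=any enable=yes

# Changes to the account, SID type and privileges apply at next service start.
Restart-Service -Name $svc

# Verification: SID type, remaining privileges, and the per-service ACE.
sc.exe qsidtype $svc
sc.exe qprivs $svc
(Get-Acl $dataDir).Access | Where-Object IdentityReference -like 'NT SERVICE\*'
```

The same sc.exe sidtype and privs settings can be baked into a service installer so third-party services get this protection from first install rather than as an after-the-fact fix.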
Benefits
Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense-in-depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised; other Windows Vista components and defense-in-depth strategies, such as the Windows firewall and good patch management processes, help with that. Instead, Windows Service Hardening limits how much damage an attacker can do in the unlikely event the attacker is able to identify and exploit a vulnerable service.
Windows Service Hardening is also supported for consumption by third-party service authors, which allows application authors to get this same security benefit for their code.
Why It Matters
The cost of a security compromise can be huge. Confidential data can be compromised, users can lose data, and productivity can be sacrificed. An IT department might spend several weeks repairing the damage done by a severe compromise. Windows Service Hardening can greatly reduce the damage caused by a compromised service by preventing the service from changing important configuration settings or infecting other computers on the network. With Windows Service Hardening, what could have been a major security exploit can potentially be limited to a minor compromise.