Get to grips with Vista's service hardening

ANALYSIS

The services that run in Windows provide functionality for users, but they also offer a point of potential attack because they're well known to hackers and, in the past, have been easy to exploit.

Network security experts have long recommended that administrators disable all unnecessary services on servers and workstations to reduce the chances of a service exploit. However, there are many services you can't disable because they must run for a computer to perform properly. That's where Windows service hardening comes in.

Service hardening refers to the process of making it more difficult for the bad guys to do damage to the system or network by exploiting Windows services, and it's one of the many security mechanisms Microsoft builds into Windows Vista.

Windows services: Why they're vulnerable
Windows services are programs, which in many cases are built into the operating system. But they're different from other applications in several ways:

  • Services usually start automatically and run continuously, rather than being opened and closed by the user.
  • Services are managed in Windows by the Service Control Manager (SCM), which maintains a database of the installed services and manages each service's state via control requests.
  • Services have traditionally run under accounts that have a very high level of privileges (typically the LocalSystem account).

Malicious software is often designed to exploit services by piggybacking on them, thus running at the same privilege level as the service it exploits. Attackers have taken advantage of this many times in the past — for example, with the Slammer, Code Red, and Blaster worms.

The purpose of service hardening
You might guess that service hardening is designed to prevent attackers from compromising services, but that's not really its purpose.

There are other security mechanisms in Vista, such as the Windows Firewall, that perform that "outer layer" protection.

Service hardening, on the other hand, reduces the chances that an attacker who does manage to compromise a service will be able to do damage. Think of it this way: in a multi-layered physical security plan, you might have a gated fence, with a large dog inside it, to keep burglars away from your front door. But if they do manage to get in, you also have deadbolts on the door itself. And if they manage to pick those locks, you have a security alarm system to scare them off. The alarm system does nothing to prevent entry into your house — that's the purpose of the fence, dog, and deadbolts. But it's there so that if intruders do compromise your outer layer security, they're less able to do damage (get away with your valuables). Service hardening is more like the alarm system, an inner-layer element of a multilayered security strategy.

What does service hardening do?
Just as User Account Control (UAC) is designed to ensure that user accounts — even administrator accounts — run with the lowest possible level of privileges to minimise any damage that can be done if they're exploited, Windows service hardening ensures that the services running in Windows run under the least privileged accounts possible. For example, many services that used to run under the LocalSystem account now run under the lower-privileged NetworkService or LocalService accounts. In addition, privileges that a service doesn't need, such as debugging, are removed to reduce the attack surface.

Services that run under lower-privileged accounts are referred to as restricted services. The behaviour of both UAC and Windows service hardening is an example of the principle of least privilege, which states that every user (and program) should operate using the smallest set of privileges necessary to perform its job.

How it works
Windows Vista uses "isolation" techniques to protect services from exploit. Session 0 isolation prevents services and user applications from running in the same session, and service isolation makes it possible for services to separate themselves from other services and applications by means of a security identifier (SID). Session 0 is the session created when Windows starts. In prior operating systems, user applications could run in session 0. (In XP with Fast User Switching, the first user who logs on is assigned to session 0.) In Vista, only services and applications not associated with a user session are allowed to run in session 0.

Each service is assigned an SID, which is a unique value. You're probably already familiar with SIDs, as they are assigned to all users and groups in Windows. This means the familiar Windows access control model can be used to control the access of services to resources in the same way it is applied to user and group accounts. In other words, access control lists (ACLs) can now be assigned to services. An ACL is a set of access control entries (ACEs). Each resource has a security descriptor that contains the ACLs assigned to it; the permissions defining who or what can access the object are stored in the ACL.

Network firewall policies can also be applied to services with the policy linked to the service SID, so that the service can't access the network in ways it's not supposed to. The Vista Firewall is integrated with the service hardening feature. Rules are defined in the service hardening platform as to how a specific service needs access to the network, Registry and file system. The firewall enforces those rules and blocks traffic that violates them. Unlike the XP Firewall, the Vista Firewall can enforce both outbound and inbound rules.

Specific services can be restricted so they can't make edits to the Registry or write to system files, and so on. Or a service can be restricted so that it can write to only specific areas of the Registry or file system or can't send outbound network traffic. Services can be prohibited from making changes to configuration settings and performing other actions that can do damage.

Each service included in the Vista operating system already has been assigned a service hardening profile, which defines what it should and shouldn't be allowed to do. The SCM then assigns those privileges it needs — and only those privileges — to the process. Thus, there's no configuration or administrative overhead required.
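The per-service SID, SID type and required-privilege list described above can be read back from the SCM with sc.exe, which is how an administrator would verify that a service really is running hardened. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes sc.exe and netsh.exe are on the PATH, uses 'W32Time' only as a constructed default service name, and the list of privileges it treats as sensitive is this script's own choice.

```powershell
# Audit the service-hardening state of one Windows service (Vista or later).
# Assumptions: sc.exe/netsh.exe on the PATH, rights to query the SCM. $ServiceName
# defaults to 'W32Time' (constructed default); -BlockOutbound is opt-in.
# Note: in PowerShell, 'sc' alone is an alias for Set-Content, so call sc.exe explicitly.
param(
    [string]$ServiceName = 'W32Time',
    [switch]$BlockOutbound
)

# Privileges a compromised service could use to escalate (debugging is the article's
# own example); flag any that the service still declares as required.
$sensitive = @('SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
               'SeTakeOwnershipPrivilege', 'SeRestorePrivilege')

# 1. Per-service SID and its type. UNRESTRICTED: the SID is added to the process token,
#    so ACLs can name NT SERVICE\<name>. RESTRICTED: the token is also write-restricted,
#    so the service can write only to objects that explicitly grant its SID (or Everyone
#    / the logon SID). NONE: no per-service SID, so service isolation is not in effect.
$sidOut  = sc.exe showsid  $ServiceName | Out-String
$typeOut = sc.exe qsidtype $ServiceName | Out-String
$sid     = if ($sidOut  -match 'SERVICE SID:\s*(S-1-5-80-[\d-]+)') { $matches[1] } else { 'n/a' }
$sidType = if ($typeOut -match 'SERVICE_SID_TYPE:\s*(\w+)')        { $matches[1] } else { 'UNKNOWN' }

# 2. Required privileges. When this list is configured, the SCM removes every other
#    privilege from the token at start-up; when it is absent, nothing is stripped and the
#    service keeps all privileges of its account (LocalSystem, NetworkService, ...).
$privOut = sc.exe qprivs $ServiceName | Out-String
$privs   = [regex]::Matches($privOut, ':\s*(Se\w+Privilege)') | ForEach-Object { $_.Groups[1].Value }
$flagged = $privs | Where-Object { $sensitive -contains $_ }

# 3. Report findings a defender would act on.
"Service     : $ServiceName"
"Service SID : $sid"
"SID type    : $sidType"
"Privileges  : $(if ($privs) { $privs -join ', ' } else { '(no required-privilege list)' })"
if ($sidType -eq 'NONE') { 'FINDING: no per-service SID; ACLs and firewall rules cannot target this service.' }
if ($flagged)            { "FINDING: sensitive privileges still required: $($flagged -join ', ')" }
if (-not $privs)         { 'FINDING: no privilege list configured; token keeps every privilege of its account.' }

# 4. Optional: a firewall rule keyed to the service rather than to svchost.exe as a whole,
#    the kind of service-scoped rule the article describes. Only applied when requested.
if ($BlockOutbound) {
    netsh advfirewall firewall add rule name="Block outbound: $ServiceName" dir=out action=block "service=$ServiceName"
}
```

Run it against several services that share one svchost.exe instance to see that each carries its own SID and privilege list even though they share a process.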

Summary
Windows service hardening is one component in Vista's new security arsenal that's built around the concept of the principle of least privilege. Working in conjunction with other new security mechanisms, such as User Account Control and the Vista Firewall, it helps provide a broad-based, multilayered defence against the harm that could otherwise be done by malicious software.

The service hardening feature leverages existing Windows security mechanisms, such as security identifiers and access control lists, extending their functionality for added protection. Perhaps best of all, service hardening is transparent to both users and administrators; it just works in the background and doesn't require any administrative attention.

Glossary

  • Access control list (ACL): A list of access control entries (ACEs) that contain permissions defining who or what can access the object to which it is applied
  • Piggybacking: A method used by viruses and other malicious software that exploits a legitimate account or process and runs with the same level of privileges
  • Principle of least privilege: A security model under which all accounts run with the lowest possible level of privileges that will allow them to do their jobs
  • Restricted services: Services that run under lower privileges
  • Security Identifier (SID): A unique value assigned to an object by which it is identified
  • Service Control Manager (SCM): The Windows component that maintains a database of installed services and manages each service's state
  • Service isolation: A Vista security mechanism enabling services to isolate themselves from other services
  • Services: Programs that are managed in Windows by the Service Control Manager (SCM)
  • Session 0 isolation: A Vista security mechanism that prevents user accounts and user applications from running in session 0, reserving it for services and other applications not associated with a user logon
  • User Account Control (UAC): A Vista security mechanism designed to ensure that user accounts, including administrator accounts, run with the least privilege to minimise the chance of exploit

Talkback

Very useful as Vista is still in its infancy and will have many holes to be exploited for a while to come.

Trust me i can help 4 January, 2007 15:36

VMS, the operating system designed to run on DEC VAX computers in the 1970s had this kind of philosophy long ago. I think it was also present in ICL's George 3 and George 4 operating systems which I used for a while in the 1970s. Unix and Linux have allowed similar restrictions of functionality by allowing different users and different groups execution rights to different programs.
The development of computing has been seriously held back and much suffering caused because millions of people and companies were persuaded to use an operating system that was designed for use by one person only.

aaron.sloman 4 January, 2007 16:35
