RedLegg

The IN’s and OUT’s of Information Technology

Windows Vista Service Hardening

Posted by Laura on December 26, 2008

There are a number of security features built into Microsoft Vista's operating system. One of them that I thought I would share some 411 with you on, in case you are not familiar, is Windows Service Hardening. In older versions of Windows, services did not necessarily run with the least possible privileges. In fact, Windows services often ran under accounts with a very high level of access, such as the LocalSystem account. Further, users are not aware of the services running on their system and do not realize that some services are safe to disable. Services and user applications also run in the same space, which could of course lead to inappropriate access. As a result of services running with privileges that do not match necessity, and services running that users did not require, Windows desktops were left more vulnerable to attack.

Vista’s Service Hardening is designed to mitigate some of these shortcomings.  The feature uses four methods:

  1. Service Isolation - a method by which a Vista service can access a required object without having to jump through administrative hoops or use a super-administrator account like LocalSystem. Service isolation works by securing a target object, such as a registry key, with an access control entry that contains a security ID. This ID is referred to as a "service identity", a "per-service SID", or in some documentation just "SID", which should not be confused with the phrase "security identifier" (also known as SID) used by Windows and Active Directory. This SID is unique to the service and is derived from the service name. Once the SID is created and assigned for use by a service, an object's access control list can be modified to include the new SID, thus allowing the service to access the object without giving away the privilege farm.
  2. Least privilege - Even when a service is using one of these service-specific SIDs, the service is still able to access other resources, because the service's process token also contains the SID for the service account (i.e. LocalService or NetworkService). If the service is compromised, a potential attacker can cause additional damage by accessing resources that are not related to the service but are accessible to the LocalService account. In an attempt to limit the potential damage caused by a compromised service, Windows Vista combines write-restricted tokens and per-service SIDs to establish restricted SIDs for services. If a service enables a restricted SID, then that service's per-service SID is added to both the normal and restricted SID lists of the write-restricted service access token. Now the service can write only to objects that have specifically granted write access to one of the SIDs in the restricted list.
  3. Restricted network access - When a service starts, the service requests specific privileges, not all privileges, provided by the LocalSystem account. Rights that are not specifically requested in some way are removed from the service's access token. If a service has not been designed with the new security feature, the service is assigned all of the rights granted by LocalSystem. This helps to maintain backward compatibility for older services. For shared-process services, all processes in the group are assigned all of the rights requested by each individual process. This of course does not limit a hacker's ability to exploit a flaw in the service; rather, it limits the damage that can be wrought by an attacker's successful breach of your other defenses.
  4. Session 0 isolation - This is under the assumption you are using Vista as a desktop and not as a server serving remote users. Vista does not allow any user application to be run in Session 0. All other applications must run in Session 1 and higher. Only services and other non-user-facing applications run in Session 0, thus maintaining isolation between services and user applications.
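To make the Service Isolation point concrete, the following added example (not part of the original post) derives a per-service SID from a service name and resolves `S-1-5-80-*` entries found in an ACL export back to service names. The derivation it uses (SHA-1 of the upper-cased UTF-16LE name, read as five little-endian 32-bit values) is not stated in the post; `ExampleSvc` and the sample ACL are constructed for illustration.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"  # authority/RID under which per-service SIDs live


def service_sid(service_name: str) -> str:
    """Derive the per-service SID, as `sc showsid <name>` reports it."""
    # SHA-1 over the upper-cased name encoded as UTF-16LE (no terminator).
    # Assumption: Python's upper() matches Windows upcasing for the name,
    # which holds for ASCII service names.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    # The 20-byte digest is read as five little-endian 32-bit sub-authorities.
    subauths = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX, *map(str, subauths)])


def resolve_service_aces(ace_sids, candidate_names):
    """Map S-1-5-80-* SIDs found in an ACL back to service names.

    The hash is one-way, so resolution means hashing candidate names.
    Returns {sid: name or None}, covering service SIDs only.
    """
    lookup = {service_sid(n): n for n in candidate_names}
    return {sid: lookup.get(sid)
            for sid in ace_sids if sid.startswith(SERVICE_SID_PREFIX + "-")}


if __name__ == "__main__":
    # Constructed sample: SIDs as they might appear in an exported ACL.
    names = ["TrustedInstaller", "ExampleSvc"]  # ExampleSvc is hypothetical
    acl = ["S-1-5-18",                   # LocalSystem, not a service SID
           service_sid("examplesvc"),    # the name is case-insensitive
           "S-1-5-80-1-2-3-4-5"]         # made-up SID with no known service
    for sid, name in resolve_service_aces(acl, names).items():
        print(sid, "->", name or "unknown service")
```

An unresolved `S-1-5-80-*` entry on a sensitive object is worth a second look during an ACL review, since it grants access to a service that is not in your inventory of expected names.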

With the exception of Session 0 isolation, Vista's Service Hardening features are not necessarily designed to block attacks on services hosted in Vista. Instead, they are designed to limit the potential damage that can be done when a service is breached.

Service hardening, when combined with other Vista services such as its firewall, can provide a formidable defense. Between these and other services, Vista provides multiple layers of defense to keep your system safe and secure.
