services. reasons to review services one of the easiest ways for to exploit holes in your system is...
TRANSCRIPT
Services
Reasons to Review Services
One of the easiest ways for to exploit holes in your system is through open services - especially in windows XP, 2000, and earlier systems.
Unnecessary services should be disabled and/or managed.
Removal of services will cause a performance enhancement because stagnant programs aren’t taking up available resources.
Full security audit of your services can reveal some interesting details about your machine. Viruses have been masquerading as
services listed in the Task Manager, making them harder to detect, clean, and prevent.
Windows XP
To manage services on your computer, do the following:
1. Right-click My Computer, and choose Manage.2. Expand the Services & Applications tab, and select
Services.3. Double-click a service.4. Under Startup Type, select Manual to disable a
service from automatically starting upon computer bootup. Click the Stop button to stop the service if it’s already running.
ORDump running services from a typical baseline the
command line1. Net start > services.txt
Review Active Services
Study results for the following: Which services require an account to start?
Will a local account work? Narrowly define permissions account requires Audit for activity against that account in the
future Which services are unnecessary?
Start with Security Guides list of services to disable
Maintain settings in security template
Common Services
Following pages contain a nearly complete list of all services that ship with Windows XP and the recommended state that each should be in on your computer, assuming normal office functions are being performed on the machine.
Common Services to Review
Service Name Description Recommended StateAlerter Raises administrative alerts for selected
users and computers. Disabled
Application Layer Gateway Service
Required if you use Internet Connection Sharing (ICS) or XP’s included Internet Connection Firewall to connect to the Internet.
Automatic if using ICS; disabled if not.
Application Management
Used to assign, publish, and remove software through Group Policy.
Disabled unless you participate in an Active Directory domain.
Automatic Updates Services
Used to check if any critical updates are available for download.
Requires Cryptographic to be running. Automatic if you don’t wish to use Windows Update manually.
Background Intelligent Transfer Service
Used by Windows Update to transfer data in the background using otherwise idle available network bandwidth.
Disabled.
ClipBook Enables the ClipBook Viewer to create and share data to be viewed by remote computers.
Disabled.
COM+ Event System Provides automatic distribution of events to subscribing programmatic components.
Disabled.
COM+ System Application
Provides automatic distribution of events to subscribing programmatic components.
Disabled.
Computer Browser Maintains an up-to-date list of computers on your network, and supplies the list to programs that request it.
Disabled.
Cryptographic Services Confirms signatures of Windows files. Required for Windows Update to function in manual and automatic mode, and required for Windows Media Player as well.
Automatic.
DHCP Client Manages network configuration by registering and updating IP addresses and DNS server information.
Automatic if required; disabled if not.
Common Services to Review -2
Service Name Description Recommended StateDistributed Link Tracking Client
Maintains links between the NTFS file system files within a computer or across computers in a network domain.
Disabled.
Distributed Transaction Coordinator
Coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
Disabled.
DNS Client Resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution.
Automatic.
Error Reporting Service Calls home to Microsoft when errors occur. Disabled
Event Log Logs event messages issued by programs and Windows. This can be useful in diagnosing problems.
Automatic
Fax Service Enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes.
Disabled; or don’t install from distribution media.
Telephony Provides Java Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service.
Disabled unless required.
FTP Publishing Service Not available on Windows XP Home. Not installed by default on Windows XP Pro. Enables FTP service.
Disabled; or don’t install from distribution media.
Help and Support Required for Microsoft’s online help documents.
Automatic
Common Services to Review -3
Service Name Description Recommended StateHuman Interface Device Access
If all your devices function, then disable it. Disabled.
IIS Admin Not available on Windows XP Home. Not installed by default on Windows XP Pro. Allows administration of Internet Information Services (IIS).
Disabled; or don’t install from distribution media.
IMAPI CD-Burning COM Service
Used for the “drag-and-drop” CD-burn capability. You’ll need this service to burn CDs.
Automatic
ndexing Service Indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language.
Disabled.
Internet Connection Firewall and Internet Connection Sharing
Provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection.
Automatic if sharing connection, disabled if not required.
IPSEC Services Manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE), and coordinates IPsec policy settings with the IP security driver.
Disabled.
Logical Disk Manager Watches Plug & Play events for new drives to be detected and passes volume and/or disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management snap-in display will not change when disks are added or removed.
Manual.
Logical Disk Manager Administrative Service
See previous item’s description. Manual.
Message Queuing A messaging infrastructure and development tool for creating distributed messaging applications for Windows.
Disabled; or don’t install from distribution media.
Common Services to Review -4
Service Name Description Recommended StateMessage Queuing Triggers
Required only if you use Message Queuing Service.
Disabled; or don’t install from distribution media.
Messenger Sends and receives messages to or from users and computers, or those transmitted by administrators or by the Alerter Service.
Disabled.
MS Software Shadow Copy Provider
Used in conjunction with the Volume Shadow Copy Service. Microsoft Backup uses these services.
Enabled.
NetMeeting Remote Desktop Sharing
Allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using NetMeeting.
Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Automatic.
Network DDE Useless service unless you use remote ClipBook.
Disabled.
Network DDE DSDM See previous item’s description. Disabled.
Network Location Awareness (NLA)
Required for use with the Internet Connection Sharing Service (server only).
Disabled unless running ICS or ICF.
NTLM Security Support Provider
Enables users to log on to the network using the NTLM Authentication Protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Automatic.
Common Services to Review -5
Service Name Description Recommended StatePerformance Logs and Alerts
Configures performance logs and alerts. Disabled.
Plug & Play Enables a computer to recognize and adapt to hardware changes with little or no user input.
Automatic.
Portable Media Serial Number
Retrieves serial numbers from portable music players connected to your computer.
Disabled.
Print Spooler Queues and manages print jobs locally and remotely. If you don’t have a printer attached, then disable.
Automatic.
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services processes or users.
Disabled.
QoS RSVP Provides network signaling and local, traffic-control functionality.
Disabled unless required by your network administrator.
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Disabled.
Remote Access Connection Manager
Creates a network connection. Automatic if using Dial-Up Networking; disabled otherwise
Remote Desktop Help Session Manager
Manages and controls Remote Assistance. Disabled
Remote Procedure Call (RPC)
Provides the endpoint mapper and other miscellaneous RPC services.
Automatic
Common Services to Review -6
Service Name Description Recommended StateRemote Procedure Call Locator
Manages the RPC name service database. Disabled
Remote Registry Service Not available on Windows XP Home. Allows users to connect to a remote registry and read and/or write keys to it—providing they have the required permissions.
Disabled
Removable Storage Manages removable media drives and libraries. This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs, and so on.
Disabled
RIP Listener Not installed by default. Disabled; or don’t install from distribution media.
Routing and Remote Access
Offers routing services in local area and wide area network environments.
Disabled; or don’t install from distribution media.
Secondary Logon Allows you to run specific tools and programs with different permissions than your current logon provides.
Automatic
Security Accounts Manager
Startup of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests.
Automatic
Server Provides RPC support and file print and named pipe sharing over the network. The Server Service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them.
Automatic if you’re sharing files; disabled if not.
Shell Hardware Detection
Used for the autoplay of devices like memory cards, some CD drives, and so on.
Disabled unless required.
Simple Mail Transport Protocol (SMTP)
Transports email across the network Disabled; or don’t install from distribution media.
Common Services to Review -7
Service Name Description Recommended StateSimple TCP/IP Services Implements support for a number of IP
protocols. Disabled; or don’t install from distribution media.
Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Disabled unless using a smart card reader.
Smart Card Helper Provides support for earlier smart card readers attached to the computer.
Disabled unless using a smart card reader.
SNMP Service Allows Simple Network Management Protocol (SNMP) requests to be serviced by the local computer.
Disabled; or don’t install from distribution media.
SNMP Trap Service Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Disabled; or don’t install from distribution media.
SSDP Discovery Service Used to locate UPnP devices on your home network.
Disabled
System Event Notification
Tracks system events such as Windows logon network and power events.
Disabled
System Restore Service Creates system snapshots or restore points for returning to at a later time.
Disabled
Task Scheduler Enables a program to run at a designated time.
Disabled unless absolutely required.
TCP/IP NetBIOS Helper Service
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others.
Disabled unless sharing is enabled.
TCP/IP Printer Server Used for setting up a local UNIX print server.
Disabled; or don’t install from distribut ion media.
Common Services to Review -8
Service Name Description Recommended StateTelephony Provides Telephony API (TAPI) support for
programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service.
Disabled.
Telnet Allows a remote user to log on to the system and run console programs by using the command line.
Disabled; or don’t install from distribution media.
Terminal Services Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server.
Disabled; or don’t install from distribution media.
Themes Used to display all those new XP themes and colors on your desktop. Lots of space needed.
Automatic or manual, depending on your preferences.
Uninterruptible Power Supply (UPS)
Manages communications with a UPS connected to the computer by a serial port.
Disabled unless using a UPS.
Universal Plug & Play Device Host
Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network.
Disabled
Upload Manager As with BITS, this service manages file transfers between clients and servers on the network. This service is NOT required for basic File and Print sharing.
Disabled
Volume Shadow Copy Used in conjunction with the MS Software Shadow Copy Provider Service. Microsoft Backup uses these services.
Disabled
WebClient Disable this for security reasons. Disabled
Windows Audio Used for some scanners and cameras. If, after disabling this service, your scanner or camera fails to function properly, enable this service.
Automatic
Common Services to Review -9
Service Name Description Recommended StateWindows Image Acquisition (WIA)
Used for some scanners and cameras. If, after disabling this service, your scanner or camera fails to function properly, enable this service.
Disabled
Windows Installer Installs, repairs, or removes software according to instructions contained in MSI files provided with the applications.
Manual
Windows Management Instrumentation (WMI)
Provides system management information. WMI is an infrastructure for building management applications and instrumentation shipped as an integral part of the current generation of Microsoft operating systems.
Automatic
Windows Management Instrumentation Driver Extension
Tracks all of the drivers that have registered WMI information to publish.
Manual
Windows Time Sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Microsoft Windows network.
Automatic
Wireless Zero Configuration
Automatic configuration for wireless network devices.
Disabled
WMI Performance Adapter
Optimizes the speed of WMI queries. Disabled
Workstation Provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks.
Automatic
World Wide Web Publishing Service
Provides HTTP services for applications on the Windows platform.
Disabled; or don’t install from distribution media.
Providing a Secure Configuration for Services
While disabling unnecessary services is a fundamental step to hardening Windows, there are some other necessary items to accomplish to further secure the services that remain and any services that you may add in the future.
Give strong passwords to service accounts.
When you install applications that require services to be run, you are typically given the option to choose an account under which the service is to be run. Use 15+ character passwords, and
remember that you must set these passwords both in: Active Directory Users and
Computers or Computer Management (depending on your operating environment)
and The Log On tab of the service’s
property sheet.
Never let users log on using service accounts
This most particularly applies to the Administrator account Never assign the
Administrator account to a service, and
Never distribute any service account name and password to any users.
There is absolutely no reason to do so, and if users can access systems in these contexts, they can wreak havoc
Just don’t do it.
Do not allow network access to service accounts
This means don’t create domain accounts for services unless no other option exists; Wherever possible, use a local
account on the server where the service is located.
Also, check the Deny Access to this Computer from the Network right within the service account’s property sheet to eliminate network access for that account.
Use least privilege for service accounts
Windows XP includes a set of built-in accounts, collectively called the Network Service and Local Service, Specifically designed to be
used for services that require different amounts of network connectivity.
Use these where possible to decrease the attack surface of services.
Post XP Windows Services Hardening
Windows Service Hardening
Windows services are profiled for allowed actions to the network, file system, and registry
Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile
Service Hardening
Activeprotection
File system
Registry
Network
What is Service Hardening?
High privileged services when exploited allow attacker to gain unbounded control on the computer
Hardening a service means limiting damage to the system even if a service is compromised
Can not prevent a service from being compromised but provides additional layer of protection Based on principle of
defense-in-depth
Service Hardening
Service hardening is one of many new security mechanisms in Windows Vista and in Windows 7
The next generations of Windows server, including W2K8
It more difficult for service exploits to do damage
Why Service Hardening?Issues with earlier versions of Windows
Related Background
LogOn
Session 0
“Alice”“Bob”
“Bob”
Session 1 Session 2
“Alan”
“Alice”“Alan”
Session• Mechanism to
support multiple interactive users logging on to the system simultaneously
• Each user (remote or local) feels as if she is using the system locally
Related Background
Window Messages Communication mechanism
between application windows or system and application windows
E.g. when system time is changed, system sends WM_TIMECHANGE to all application windows on desktop.
Privilege Right of an account to perform
various system-related operations on the local computer
Example: shutting down the system, changing system time etc
Issues with earlier versions of Windows
Shared Session 0 Privilege Issue No Service Isolation
Shared Session 0
Services and user applications for console user run in the same session (session 0)
Application windows in same session can freely send window messages to each other.
Shared Session 0 ( contd)
Shatter Attack Freelance security consultant Chris
Paget discovered flaw in Windows messaging named as “Shatter Attack”
A low privilege application window may exploit a vulnerability in high privilege application window by means of window messaging
It is possible due to Shared Session 0
Shatter Attack
WM_TIMER abuse
SendMessage( WM_TIMER, BadFunc )
void BadFunc(){ FormatDisk();}
Desktop
Window 1 Window 2
Privilege Issue
Services automatically gain all privileges of account they are running in
Services cannot specify set of privileges required
Lack of granular control over privileges Services run with
unnecessary high privileges
Local systemService:
Disk Manager
Garbage Collector
Privileges:
Load driver
Shut Down
Back Up
No Service Isolation
Services do not have their individual identity Identity of a service is tied up with
account it’s running in E.g. When Web Server is granted access to
database, Time Server also gains access to the database
`
Web Server
Database
Account:LocalService Account:LocalService
Time Server
Service Hardening in Vista/7
Service Hardening in Vista/7 Session 0 Isolation
Session 0 is assigned exclusively to services and the session is made non-interactive
Fostering principle of “least privileges” Services can now specify required
set of privileges Per-service Security Identifier (SID) Network Access Restriction
Session 0 Isolation
No More Share Session 0 Session 0 is assigned
exclusively to services and the session is made non-interactive
User applications run in session 1 and higher
Services are isolated from user applications to avoid shatter attacks
35
Fostering principle of “least privileges”
Services can now specify required set of privileges Services are no longer required
to run with all the privileges associated with the accounts they run in
Provides granular control Service Control Manager (SCM)
removes all the privileges that are not specified as required privileges from the process token If no required privileges are
specified, SCM assumes that service needs all the privileges
If service requires privileges not present in the process token, service is not started
36
Per-service Security Identifier (SID)
Per-service Security Identifier (SID) Each service installed on
Longhorn/Vista is assigned a SID Per-service SID is based on the
service name and is unique to that service on the computer
When per-service SID is enabled for a service, it is added to the service’s process token by SCM when the service is started
Per-service SID can be used to protect service resources Service resources can be ACL’d
with service SID to grant access exclusively to that service
It provides more granularity and service isolation
37
Per-service Security Identifier (SID)
Per-service SID can be used to gain access to certain objects normally accessible to administrative privileges By virtue of service SID, services
can run in low privilege account and can still access certain objects that are accessible only to high privilege accounts
e.g. A service running in low privilege might need write-access to its log files stored in “Program Files\<application_dir>”directory; by adding service SID to directory’s DACL, the service can write to its log files even if it’s running with low privileges
38
Network Access Restriction
Service network restriction are implemented with per-service SIDs
Longhorn/Vista firewall has been enhanced to support service network restriction
39
Network Access Restriction (Continued)
Services can add firewall rule to specify communication protocol, ports and direction of the traffic e.g. A service can add a rule to restrict its network access on TCP port 10000 for outbound communication Integrated firewall in Vista/Longhorn will block all other type of network access
40
Weakness
With reduced privileges, certain Services may not function correctly Extensive research is
required to determine exact required privileges
Cannot completely avoid the damage caused by vulnerability exploit
May ask for design level changes
Strength
Adds as second layer of protection
Reduces damage of vulnerability exploit to a great extent
Fosters better security practices
Access Control Lists
Access Control Lists (ACLs)
Extensive ACL edits have been done in the past to harden systems Starting with NT and 2000 NSA led the way File and Registry Permissions Not as necessary with Windows 2003
and beyond (if it doesn’t have to support legacy trusts); Security Guide does not recommend ACL edits for W2K3 or newer
Rough summary of typical edits: Substitute Authenticated Users for
Everyone (Anonymous SID exposure) Remove unused or more exposed
groups such as Power Users from all ACLs
Remove Batch or Interactive ACLs on particularly vulnerable executables
Limit Access Administrator and
Service Accounts
Limit and Control Access All the protection in the world can
be circumvented by poor Administrator and Service Account maintenance and monitoring
Most attacks are internal Most users and even administrators
do NOT require full administrator status to get their jobs done Example: developers can do most of
their development logged in as a Normal User, and should be encouraged to do so
Use of Run As to elevate privileges ONLY when required for a specific task
Limit and Control AccessAdministrators Train Administrators to use passwords
with more than 15 characters Phrases are easy to remember (spaces
allowed in 2000 and 2003) Make sure all Administrators have at
least two accounts Normal User for daily tasks (e-mail, word
processing) Separate account with Administrator
permissions (audit this account closely) Consider using local groups on
individual servers to limit who can administrate
Limit and Control AccessService Accounts Use passwords with more than 15
characters and extended characters (Alt + Numbers)
Limit the damage if the account is compromised See if a local account can be used instead
of a domain account However, won’t work for accounts that
must communicate with other servers SQL agents, for instance, often require
connectivity to other servers Narrow permissions of what the account
can do Audit these accounts closely
Workstation Applications
How to Choose Secure Applications
Keep the focus on the lowest common denominator: what must be on every desktop? Every server?
Research for security breaches on all software planned for installation (not just the operating system)
Gather the necessary updates and patches Windows Update Catalog Microsoft Security Alerts Vendor sites for third-party applications Forums and sites like
Choosing Components
Choose as few components as possible
Set to No (do not install) even if that is the default (for accountability later)
Avoid installing IIS on the workstations
Avoid commonly attacked components, such as FTP, Simple TCP/IP, and SNMP
Commonly Encountered Problems
Applications Won’t Run
Biggest problem with desktops
Usually legacy applications that are unaware of security contexts Symptom: Runs as
administrator, fails as Normal User
Doesn’t understand profiles
Often due to more restrictive file and/or registry permissions in the new OS
Occasionally due to hard-coded calls to previous operating system APIs
Applications Won’t Run (cont)
Windows XP SP2 introduced new, secure-by-default changes RPC Interfaces no longer
allow anonymous remote connections by default
DCOM Remote Launch and Activation limited to administrators by default
Windows Firewall on by default
Access to system services using RPC blocked by default
Solution Applications Won’t Run
Ideally, upgrade or re-develop, but this can be prohibitively expensive
Use Application Compatibility Toolkit on Windows XP Construct a custom SDB fix Work with Compatibility Modes to emulate other
operating systems Use Sysinternal’s regmon.exe and
filemon.exe to isolate permissions Develop a custom INF to loosen the necessary
settings Goal: Figure out the minimal settings
necessary to get the application running
Configuration Management of Security Templates Ongoing changes will be
inevitable, particularly to manage desktop application requirements
Security settings should evolve as the environment does Example: NT 4.0 trusts go
away Complexity and number of
settings makes this a challenge
Solution Configuration Management of Security Templates
Layer security template deltas1. Start with standard MSS template 2. Overlay Customer Delta from security
standard3. Overlay Application specific loosening of ACLs
Make it clear what was adjusted for each application
Can remove template if application goes away later
Merge everything at the end; but maintain original files to provide accountability
Auditors receive deltas with justifications for the changes; much faster certification
Challenge: INFs Don’t Capture all Security Related Settings Security Template INF files have
limited scope Need to extend Group Policy
into other areas such as: Secure e-mail settings Internet Explorer settings Windows Update client
settings Need to be able to transport
these settings to other systems easily
Solution: INFs Don’t Capture all Security Related Settings Extend choices through use of
ADMs1. Run Group Policy
(gpedit.msc)2. Right click Administrative
Templates, choose Add/Remove Templates, pick the ADM file (e.g. Outlook ADM file)
Can be added as part of the build (locally) OR
Distributed via GPOs and AD Can add custom settings
Rollback Security Settings
Need to be able to confirm whether a reported problem is due to the security templates
If Access Control List (ACL) edits have been made, these “tattoo” the system permanently, even when a GPO is used How to roll back to out-of-the-
box permissions? Need to be able to do this on a
standalone system
Solution Rollback Security Settings Utilize INF files that are applied
as part of the original setup of the operating system: Defltwk.inf Defltdc.inf Delftsv.inf
Can be loaded like any other security template: via MMC Security Configuration Editor or secedit.exe
Microsoft Security Solutions (MSS) Security Guides Windows 2000 (W2K) Hardening Guide,
Windows XP, VISTA, 7, and W2k3, W2K8 Security Guides available
Threats and Countermeasures Security Templates Custom sceregvl.inf Guides coming out for all key Microsoft
enterprise systems, such as Exchange 2003
Best common sense, field tested source for security lockdowns
Secure Configuration Resources: Tools
Setup Manager Security Template Snap-In Security Configuration Editor
Snap-In Secedit.exe Group Policy Management
Console Security Configuration Wizard Application Compatibility Toolkit Sysinternals Regmon and
Filemon