Windows 7 Architectural and Internal Security Improvements - Windows Service Hardening

Historically, many Windows network compromises (especially worms) resulted from attackers exploiting vulnerabilities in Windows services. Because many Windows services listen for incoming connections and often have system-level privileges, a vulnerability can allow an attacker to perform administrative tasks on a remote computer.

Windows Service Hardening, a feature of Windows Vista and Windows 7, restricts all Windows services from performing abnormal activities in the file system, registry, network, or other resources that can be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service is restricted to performing network communications on defined ports only, eliminating the possibility of abusing it to, for instance, replace system files or modify the registry (which is what the Blaster worm did). Essentially, Windows Service Hardening enforces the security concept of least privilege on services, granting them only enough permission to perform their required tasks.

Windows Service Hardening reduces the damage potential of a compromised service by:

• Introducing a per-service security identifier (SID) to uniquely identify services, which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers that use ACLs. Services can now apply explicit ACLs to resources that are private to the service, which prevents other services, as well as the user, from accessing the resource.

• Moving services from LocalSystem to a lesser-privileged account, such as LocalService or NetworkService, to reduce the privilege level of the service.

• Stripping unnecessary Windows privileges on a per-service basis—for example, the ability to perform debugging.

• Applying a write-restricted token to services that access a limited set of files and other resources so that the service cannot update other aspects of the system.

• Assigning a network firewall policy to services to prevent network access outside the normal bounds of the service program. The firewall policy is linked directly to the per-service SID and cannot be overridden or relaxed by user- or administrator-defined exceptions or rules.
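As an added example (not code from the Resource Kit), the per-service SID in the first bullet is derived deterministically from the service name: `S-1-5-80` followed by the SHA-1 of the upper-cased UTF-16LE service name, split into five 32-bit little-endian sub-authorities (the same value `sc.exe showsid <name>` prints). The toy ACL check below uses a constructed, hypothetical service "MyBackup" to show the partitioning effect: only a token carrying that service's SID reaches the resource, not another service under the same account and not the interactive user.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"  # well-known prefix for NT SERVICE\<name> SIDs


def service_sid(service_name: str) -> str:
    """Return the per-service SID for a service name.

    Algorithm: SHA-1 over the upper-cased name encoded as UTF-16LE,
    read as five little-endian 32-bit sub-authorities.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16le")).digest()
    sub_authorities = struct.unpack("<5I", digest)  # 20 bytes -> 5 x uint32
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in sub_authorities)


def can_access(token_sids, allowed_sids):
    """Simplified DACL evaluation: grant only if some SID in the caller's
    token appears in the resource's allow list (deny ACEs omitted for brevity)."""
    return any(sid in allowed_sids for sid in token_sids)


def partition_demo():
    """Constructed scenario: a private resource ACL'd to the hypothetical
    'MyBackup' service SID, then three callers try to open it."""
    local_service = "S-1-5-19"            # NT AUTHORITY\LOCAL SERVICE
    admins_group = "S-1-5-32-544"         # BUILTIN\Administrators
    user_sid = "S-1-5-21-1000-2000-3000-1001"  # constructed user SID

    my_backup = service_sid("MyBackup")     # hypothetical service
    other_svc = service_sid("OtherSvc")     # hypothetical second service

    # Resource DACL: only the service's own SID is allowed; note that the
    # account the service runs under is deliberately NOT on the list.
    resource_acl = {my_backup}

    return {
        "my_backup_service": can_access({local_service, my_backup}, resource_acl),
        "other_service_same_account": can_access({local_service, other_svc}, resource_acl),
        "interactive_admin": can_access({user_sid, admins_group}, resource_acl),
    }


if __name__ == "__main__":
    print(service_sid("MyBackup"))
    print(partition_demo())
```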

A specific goal of Windows Service Hardening is to avoid introducing management complexity for users and system administrators. Every service included in Windows Vista and Windows 7 has been through a rigorous process to define its Windows Service Hardening profile, which is applied automatically during Windows setup and requires no ongoing administration, maintenance, or interaction from the end user. For these reasons, there is no administrative interface for managing Windows Service Hardening.

Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense-in-depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised; that is a task Windows Firewall and Automatic Updates support. Instead, Windows Service Hardening limits how much damage an attacker can do in the event the attacker is able to identify and exploit a vulnerable service.

Third-party software developers can also take advantage of the Windows Service Hardening security benefits by providing profiles for custom services.

Source of information: Windows 7 Resource Kit, Microsoft Press, 2009.
