Windows services locked down in Vista and Longhorn


Brien Posey
05.01.2007




There is a law of computing that states the larger a computer's executable code base, the greater the likelihood that the code contains an exploitable security vulnerability. The Windows operating system contains dozens of services, many of which are enabled by default. In an effort to improve security (and get a performance boost), Microsoft has been telling us for years to disable unnecessary services. However, with Windows Vista and Longhorn Server, Microsoft takes service hardening to a new level.

In pre-Vista versions of Windows, most services run under the Local System account. This means they act as a part of the operating system and therefore have free rein over the system. If a service is compromised, it can be used for all sorts of malicious purposes.

A classic example of this is the Print Spooler service. For many years it was a common practice for those with ill intent to replace the Print Spooler service's executable file with a malicious file that had been given the name SPOOLER.EXE. The print spooler was relatively unprotected, and yet Windows gave full access to the operating system to any file named SPOOLER.EXE that resided in a specific directory.

Windows Vista and Longhorn services

The changes to Longhorn and Vista services are based on one idea: no service is so important that it deserves completely unrestricted rights to the entire system. That being the case, Microsoft set out to define exactly what each service's job is, and what resources a service needs access to in order to do its job. For example, a printing-related service should not have sufficient permissions to format a hard disk. Likewise, the RPC service has no business replacing files on a machine.

Once Microsoft defined the scope of each service, they did something unprecedented. They assigned each service its own security identifier (SID). This made it possible to restrict individual services from accessing various parts of the system. On the flip side, most services have various subcomponents, which should only be used by the intended service. By placing these service SIDs in ACLs, Windows can ensure that no service can use another service's components.

Another sweeping change that Microsoft has made to services is that few, if any, services use the Local System account. Instead, services run under the Local Service or the Network Service account, which have far fewer privileges. The Network Service account is allowed to communicate across the network, while the Local Service account is not. Network and firewall policies prevent a service that only needs components or data on the local computer from communicating across the network. These policies are tied directly to a service's SID.
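To make the per-service SID concrete, here is an added example (not from the article) that derives a service's SID from its short name. It assumes the documented Windows derivation: the SID is S-1-5-80 followed by five 32-bit little-endian integers taken from the SHA-1 of the upper-cased service name encoded as UTF-16LE; a defender can use it to recognise NT SERVICE\ principals in ACLs and firewall rules without a live machine.

```python
import hashlib

# Assumption of this example: the documented service-SID scheme, which
# Windows uses for the NT SERVICE\<name> principals described above.
SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Return the per-service SID for a service short name (e.g. 'Spooler').

    The name is upper-cased first, so lookups are case-insensitive, exactly
    as service names are in the Service Control Manager.
    """
    name_bytes = service_name.upper().encode("utf-16-le")
    digest = hashlib.sha1(name_bytes).digest()  # 20 bytes -> 5 sub-authorities
    subauthorities = [
        int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)
    ]
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in subauthorities)


def service_sids(service_names):
    """Map each service short name to its NT SERVICE account name and SID.

    Useful when reviewing an ACL or firewall policy that references
    S-1-5-80-... principals and you want to know which service each one is.
    """
    return {
        name: {"account": f"NT SERVICE\\{name}", "sid": service_sid(name)}
        for name in service_names
    }


if __name__ == "__main__":
    # Constructed sample: a few well-known Windows service short names.
    for name, info in service_sids(["Spooler", "RpcSs", "TrustedInstaller"]).items():
        print(f"{info['account']:<32} {info['sid']}")
```

On Vista or later, `sc showsid <name>` prints the same value the script computes, so the two can be cross-checked.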

As you can see, system services have historically provided an easy mechanism through which to compromise a system. In Longhorn Server and Windows Vista though, services have been locked down in a way that they should have been to begin with.

Brien Posey

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.



