Since Windows Vista / Server 2008, each service has been assigned its own Security Identifier (SID), which makes services security principals.
This SID is used to limit the access a service has to securable objects.
Furthermore, when services are started by a process, they run within the security context of that process.
Services may be vulnerable to buffer overflow attacks.
Some versions of Windows may be vulnerable to password-guessing attacks.
Terminal Services, Remote Desktop, and FTP services all offer entry points that could be exploited.
It is advisable to monitor logs for unauthorized login attempts.
Administrator accounts cannot be locked out by account lockout policy.
Several network services, including Telnet, FTP, POP, and SNMP, transmit data without encryption. This exposes sensitive information such as login credentials to interception by sniffers.
Service vulnerabilities can arise from configuration errors, weak passwords, or the utilization of shared folders.
Additionally, some services inadvertently divulge excessive information during connection requests or error responses, potentially exposing sensitive details about the service and the underlying system.
Furthermore, MS SQL's use of Extended Stored Procedures may contain flaws, and inadequate input validation can enable attackers to execute code within the security context of the SQL Server.
Various services use TCP/UDP ports to provide remote network connectivity.
These ports can be monitored with tools like netstat. For instance, TCP port 135 is used by the RPC port mapper, TCP port 139 by SMB, TCP port 445 by CIFS, and ports 137 & 138 by the Computer Browser service for NetBIOS functionality.
While these services were once crucial for network operations, they are often left enabled for compatibility purposes in Vista/Server 2008 networks, though they are no longer necessary.
Unless explicitly required, it is advisable to disable these services.
The port a service is listening on can be shown with: netstat -nao
When using netstat, you'll observe connections in different states:
- ESTABLISHED: The server has acknowledged the client's SYN and the session is established.
- LISTENING: The server is ready to accept incoming connections.
- TIME_WAIT: The local end still tracks the connection, but it is no longer carrying traffic; the socket is held briefly before the port is reused.
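The following PowerShell script is an added example (not part of the original notes) that does what the notes describe with netstat, but with the owning process and hosted services resolved automatically: it lists listening TCP ports and UDP endpoints, summarises connection states, and flags the legacy ports named above (TCP 135/139/445, UDP 137/138) for review. It uses the standard Get-NetTCPConnection, Get-NetUDPEndpoint and Win32_Service cmdlets; the $legacyTcp/$legacyUdp lists are the notes' own port list, not a Windows setting.

```powershell
# Added example, not from the original notes. Run in an elevated PowerShell prompt.
# Flags the legacy ports the notes list so they can be reviewed and disabled if unneeded.
$legacyTcp = 135, 139, 445
$legacyUdp = 137, 138

function Get-ServiceNamesByPid {
    # svchost.exe hosts several services per process, so map PID -> service names.
    $map = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $map[[int]$_.ProcessId] += @($_.Name)
    }
    return $map
}

function Get-ListeningPortAudit {
    $svcByPid = Get-ServiceNamesByPid

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Proto    = 'TCP'
            Address  = $_.LocalAddress
            Port     = $_.LocalPort
            PID      = $_.OwningProcess
            Process  = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
            Legacy   = ($legacyTcp -contains $_.LocalPort)
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto    = 'UDP'
            Address  = $_.LocalAddress
            Port     = $_.LocalPort
            PID      = $_.OwningProcess
            Process  = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
            Legacy   = ($legacyUdp -contains $_.LocalPort)
        }
    }
    return @($tcp) + @($udp)
}

function Get-TcpStateSummary {
    # Same information as the state column of "netstat -nao", counted per state.
    Get-NetTCPConnection | Group-Object State | Select-Object Name, Count
}

# Usage: legacy ports first, then everything else by protocol and port.
Get-ListeningPortAudit | Sort-Object @{Expression = 'Legacy'; Descending = $true }, Proto, Port |
    Format-Table Proto, Address, Port, PID, Process, Services, Legacy -AutoSize
Get-TcpStateSummary | Format-Table -AutoSize
```

Any row with Legacy set to True and a Services column naming a service you do not need is a candidate for disabling per the notes' advice; the Process column tells you which binary would stop listening if you did.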
The registry stores the data the Service Control Manager (SCM) needs to start services, including each service's startup preference and its dependencies on related services.
These preferences are categorized by the registry Start value, namely Auto Start, Auto Start (Delayed), Manual, and Disabled.
In Windows, services operate within the security context of the initiating account, which could be Local System, Local Service, or Network Service. Additionally, some services rely on svchost to launch.
Windows users can access information about services using tools like tasklist.exe and services.msc.
For more detailed insights into running services, Sysinternals Process Explorer provides extensive information.
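As an added example (not from the original notes), the PowerShell below ties the preceding points together: it reads each service's Start value from its registry key under HKLM:\SYSTEM\CurrentControlSet\Services, decodes it into the categories the notes list, and reports the account the service runs as, whether it is hosted by svchost.exe, and its service SID. The DelayedAutostart and ServiceSidType registry values and the NT SERVICE\<name> lookup are standard Windows behaviour; the category labels and the final filter are this example's own choices.

```powershell
# Added example, not from the original notes. Run from an elevated PowerShell prompt.
# Start DWORD: 0/1 = boot/system drivers, 2 = Auto Start, 3 = Manual, 4 = Disabled.
$startNames = @{ 0 = 'Boot (driver)'; 1 = 'System (driver)'; 2 = 'Auto Start'; 3 = 'Manual'; 4 = 'Disabled' }
# ServiceSidType DWORD: 0 = no service SID, 1 = unrestricted, 3 = restricted.
$sidTypes = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

function Get-ServiceStartupAudit {
    Get-CimInstance Win32_Service | ForEach-Object {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $start = if ($null -ne $reg.Start) { [int]$reg.Start } else { -1 }
        $label = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { "Unknown ($start)" }
        # Delayed auto start is Start = 2 plus DelayedAutostart = 1 on the same key.
        if ($start -eq 2 -and [int]$reg.DelayedAutostart -eq 1) { $label = 'Auto Start (Delayed)' }

        $sidType = 'None'
        if ($null -ne $reg.ServiceSidType -and $sidTypes.ContainsKey([int]$reg.ServiceSidType)) {
            $sidType = $sidTypes[[int]$reg.ServiceSidType]
        }
        # The per-service SID (S-1-5-80-...) is derived from the service name.
        $sid = try {
            ([System.Security.Principal.NTAccount]"NT SERVICE\$($_.Name)").Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { '' }

        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            Startup    = $label
            Account    = $_.StartName          # LocalSystem, NT AUTHORITY\LocalService, ...
            SvcHost    = ($_.PathName -match 'svchost\.exe')
            SidType    = $sidType
            ServiceSid = $sid
        }
    }
}

# Usage: auto-start services running as LocalSystem deserve the closest review,
# since a flaw in one runs with the most privileged local context.
$audit = Get-ServiceStartupAudit
$audit | Where-Object { $_.Startup -like 'Auto Start*' -and $_.Account -eq 'LocalSystem' } |
    Sort-Object Name | Format-Table Name, State, Startup, Account, SvcHost, SidType -AutoSize
```

A service whose SidType is None has no SID of its own, so it cannot be granted or denied access to objects individually; restricting its account or its start mode is the only lever left, which is why the table shows both side by side.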
An application is a software program that users interact with directly, typically on a desktop computer.
These programs, often executable files with the .exe extension, can run multiple processes simultaneously.
They may rely on specific services, such as the print spooler, for certain functionality like document printing.
Processes are individual instances of executable programs and are capable of direct user interaction.
For instance, modern web browsers utilize multiple processes for each tab opened, enhancing performance and stability.
Services operate in the background without direct user interaction.
Their processes, such as those running under the Windows Service Host (svchost.exe), perform system-wide tasks independently of user input.
Prior to Vista, all Windows operating systems ran built-in services, applications, and even some third-party programs in session 0, alongside the Local System context with kernel access.
This setup posed significant security risks, as the first logged-on user and potentially malicious applications operated in the same session.
With Vista and later versions, session isolation was introduced, assigning the first user to session 0 and subsequent users and applications to session 1, reducing the likelihood of malware infecting the kernel.
Now, session 0 is exclusively reserved for the Windows kernel, preventing direct communication and potential exploitation from session 1.
This session isolation strategy mitigates shatter attacks, where applications in session 1 could exploit session 0 privileges.
Additionally, legacy drivers are restricted from interacting with system services, and the Interactive Services Detection service prompts users to accept new application installations, effectively preventing automatic malware installation.
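The PowerShell below is an added example (not from the original notes) that makes the session split visible on a live machine: it groups running processes by session, counts how many in each are service processes, reports the current user's session, and lists any services still configured to interact with the desktop, which is the case the Interactive Services Detection service exists to handle. The DesktopInteract property of Win32_Service is standard; the NoInteractiveServices value under HKLM:\SYSTEM\CurrentControlSet\Control\Windows is, to my knowledge, the switch that makes the SCM refuse such services, and is read here as an assumption to confirm on your build.

```powershell
# Added example, not from the original notes. Works from a normal or elevated prompt;
# elevation lets you see processes belonging to other sessions.

function Get-SessionSummary {
    # PIDs that belong to running services; these should all sit in session 0.
    $svcPids = @(Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } |
        Select-Object -ExpandProperty ProcessId)

    Get-Process | Group-Object SessionId | Sort-Object { [int]$_.Name } | ForEach-Object {
        $procs = @($_.Group)
        [pscustomobject]@{
            Session      = [int]$_.Name
            Processes    = $procs.Count
            ServiceProcs = @($procs | Where-Object { $svcPids -contains $_.Id }).Count
            Examples     = (($procs | Select-Object -First 5 -ExpandProperty ProcessName) -join ', ')
        }
    }
}

function Get-InteractiveServices {
    # Services marked SERVICE_INTERACTIVE_PROCESS would try to show UI from session 0.
    Get-CimInstance Win32_Service | Where-Object { $_.DesktopInteract } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Get-InteractiveServicePolicy {
    # Assumption: NoInteractiveServices = 1 means the SCM blocks interactive services.
    $ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoInteractiveServices = $ctl.NoInteractiveServices
        Blocked               = ([int]$ctl.NoInteractiveServices -eq 1)
    }
}

# Usage
"Current interactive session: $((Get-Process -Id $PID).SessionId)"
Get-SessionSummary | Format-Table -AutoSize
Get-InteractiveServicePolicy | Format-Table -AutoSize
Get-InteractiveServices | Format-Table -AutoSize
```

On a healthy Vista-or-later system the ServiceProcs count is non-zero only for session 0, and the interactive-services list is empty or contains only services you can account for; a third-party service that still sets DesktopInteract is a leftover from the pre-Vista model the notes describe and is worth reconfiguring rather than exempting.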