Services facilitate communication between clients and servers, whether they are located locally or remotely:
- By default, all Windows computers run both the Workstation and Server services.
- The Workstation Service handles outbound connections.
- The Server Service manages inbound connections.
The Server Service provides file sharing and runs on both client computers and servers.
Server services communicate using protocols such as SMB and RPC:
SMB - Server Message Block: a network protocol used for sharing files, printers, etc.
RPC - Remote Procedure Call: allows a program to execute procedures or functions on another computer or server over a network as if they were local procedure calls.
Many Windows services are activated and run by the OS on startup, before a user even logs on.
Each service runs under a predefined logon account (the service account).
The service/process becomes a security principal (an entity that can be authenticated and authorized within a security system).
Most services are loaded as DLLs or .EXEs from the %SYSTEMROOT%\system32 folder.
The operating system creates long, complicated passwords for these accounts and changes them regularly, so it is virtually impossible to log on to a computer using these service logon accounts.
Services generally run on their default ports, which makes them easier to enumerate (gathering information about a target system or network):
IIS port 80
FTP port 21
SSH port 22
Telnet port 23
SQL Server port 1433
IIS and SQL Server are some of the most commonly attacked Windows services.
IIS - Internet Information Services: a flexible, secure, and extensible web server developed by Microsoft for hosting websites, web applications, and services on Windows servers.
SQL - Structured Query Language: a domain-specific programming language used for managing and manipulating relational databases.
Disabling the following services when they are unused helps reduce the attack surface:
FTP port 20 & 21 TCP
DNS port 53 TCP/UDP
Telnet port 23
TFTP port 69 UDP
NNTP port 119 TCP
NetBIOS ports 135 TCP/UDP, 137-138 UDP, 139 TCP
RPC ports 1025 – 1039 TCP/UDP
The Service Control Manager (SCM) controls and manages services.
The SCM allows services to log on and access resources without an administrator or user needing to log on first;
these services, however, must have the "Log on as a service" right.
The SCM starts the services defined as auto-start.
The Service Control Manager (SCM) reads information from the SCM database located in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
This database contains values for all services and drivers needed to boot the operating system.
Although you shouldn't go into the registry to set values such as auto-start, this is where they are actually stored.
Once the Service Control Manager (SCM) has read the database, it:
- Logs the service on with the credentials listed
- Loads the service's user profile
- Starts the service, finds any dependencies and starts those first if needed
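The SCM startup procedure above, worked through in code as an added example (not from the original notes): a constructed snapshot of a few Services subkeys is audited for startup type and logon account, and dependencies are resolved so each service is listed after the ones it depends on. The service names RpcSs, Dhcp and Spooler are real; ExampleSvc and OldSvc and all dependency lists are assumptions.

```python
# Constructed snapshot (not taken from a real machine) of a few subkeys under
# HKLM\SYSTEM\CurrentControlSet\Services, reduced to the values the SCM uses
# when it starts services: Start, DelayedAutostart, ObjectName (logon account)
# and DependOnService. ExampleSvc and OldSvc are hypothetical services.
SAMPLE_SERVICES = {
    "RpcSs":   {"Start": 2, "ObjectName": r"NT AUTHORITY\NetworkService"},
    "Dhcp":    {"Start": 2, "ObjectName": r"NT AUTHORITY\LocalService"},
    "Spooler": {"Start": 2, "ObjectName": "LocalSystem",
                "DependOnService": ["RPCSS"]},          # case differs on purpose
    "ExampleSvc": {"Start": 2, "DelayedAutostart": 1, "ObjectName": "LocalSystem",
                   "DependOnService": ["Spooler"]},
    "OldSvc":  {"Start": 4, "ObjectName": r".\svc_old"},
}

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
BUILTIN_ACCOUNTS = {"localsystem": "Local System",
                    r"nt authority\localservice": "Local Service",
                    r"nt authority\networkservice": "Network Service"}

def startup_type(entry):
    """Map Start (+ DelayedAutostart) to the label services.msc shows."""
    label = START_TYPES.get(entry.get("Start"), "Unknown")
    if label == "Automatic" and entry.get("DelayedAutostart") == 1:
        label = "Automatic (Delayed)"
    return label

def logon_account(entry):
    """Normalise ObjectName; anything else is a user or virtual account."""
    name = entry.get("ObjectName", "")
    return BUILTIN_ACCOUNTS.get(name.lower(), name or "(none)")

def start_order(services):
    """Order in which auto-start services come up: each dependency before the
    service that needs it (service names compare case-insensitively)."""
    by_lower = {n.lower(): n for n in services}
    order, seen = [], set()
    def visit(name):
        key = name.lower()
        if key in seen or key not in by_lower:
            return
        seen.add(key)
        for dep in services[by_lower[key]].get("DependOnService", []):
            visit(dep)
        order.append(by_lower[key])
    for name, entry in services.items():
        if startup_type(entry).startswith("Automatic"):
            visit(name)
    return order

def auto_start_local_system(services):
    """Auto-start services that run in the most privileged (Local System) context."""
    return [n for n in start_order(services)
            if logon_account(services[n]) == "Local System"]
```

On a real machine the same three values can be exported from the Services key and fed to these functions; the Local System list is the one to review first against the least-privilege discussion below.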
Local System
- A powerful account that can do anything the operating system can do
- Has the security context of the local computer the account is created on
Local Service
- Has limited access to the local computer
- Has privileges similar to a logged-on user
- Connects to network resources as a null session (anonymous account)
Network Service
- Has access to the network, using the local computer account for authorization
- Has limited access to the local computer
- Its security token contains the Everyone and Authenticated Users SIDs
The Local System account has the most default privileges enabled, followed by:
- Administrators group
- Local Service
- Network Service
- Standard users
Some privileges listed for the Local System account are disabled by default, but the service can enable any listed privilege.
A Windows service is a security principal and has a security token, sometimes called a process token; the privileges of the service are listed in that token.
All default built-in Windows services in Windows NT and 2000 started as Local System:
- A buffer overflow in one of these default services would give a hacker system access.
Hence Windows XP and Windows Server 2003 moved some Local System services to Local Service and Network Service, which are more limited accounts.
Current versions of Windows have moved even more services out of the Local System context.
Since Vista and Server 2008, Microsoft has committed to the Principle of Least Privilege to determine the exact rights and privileges required by each service.
Hence, the service logon account now has a list of default privileges and optional privileges.
If a privilege granted by the default logon account is not required for that particular service, that privilege is removed when the service starts.
In Windows XP, the Dynamic Host Configuration Protocol (DHCP) client operates within the Local System context.
However, starting with Vista, the DHCP client operates within the Local Service context.
The DHCP client is assigned even fewer privileges than the Local Service logon account grants by default, which exemplifies the principle of least privilege: the service runs with only the minimum permissions it needs.
Windows can initiate services upon startup independently of user logon.
Task Manager provides visibility into these services and the associated account under which each service operates.
Any account can serve as a service account provided it is granted the "Log on as a service" right.
This right enables the account to interact with the Service Control Manager and allows its services to be set for automatic startup.
Task Manager:
• Allows users to view and manage running processes, performance metrics, and resource usage.
• Provides options to end tasks, monitor system performance, and start or stop services.
Services.msc (Services Console):
• Provides a graphical interface for managing Windows services.
• Allows users to start, stop, pause, resume, and configure services.
• Provides information about the status, startup type, and dependencies of services.
General Tab (in Service Properties):
• Displays general information about a specific service, including its name, description, and status.
• Allows users to configure the startup type of the service (Automatic, Manual, Disabled).
Dependencies Tab (in Service Properties):
• Shows the dependencies of a selected service, indicating which other services it relies on and which services depend on it.
• Helps users understand the relationships between services and troubleshoot issues related to service startup or operation.
Tasklist Command:
• Command-line tool for listing all currently running processes and their details, such as process ID (PID), memory usage, and CPU time.
• Provides a way to view active processes and their properties from the command prompt.
Svchost:
• A system process (svchost.exe) responsible for hosting multiple Windows services.
• Helps manage and execute various background services required for the proper functioning of the operating system.
• Runs multiple instances simultaneously, each hosting different groups of services to improve system stability and resource utilization.
The Windows Task Manager provides a comprehensive view of running services along with their respective owners. These owners can include:
• System (under the context of Local System)
• Local Service
• Network Service
• Administrator
• User account name
You can access a comprehensive list of services by using the "services.msc" command.
When you double-click on a service from the list, it opens up the properties window, allowing you to make configuration changes.
Within the properties window, you can find information such as the path to the executable, startup type (Automatic, Automatic (Delayed), Manual, Disabled), service status, and controls for starting, stopping, pausing, and resuming the service.
The properties window in services.msc offers tabs that provide specific details about the service:
- "General": Displays general information about the service, including its description and the account it runs under, as well as options for recovery actions if the service fails (reboot, restart, run a program, or take no action).
- "Dependencies": Lists other services that are required to be running for the selected service to function properly.
The tasklist.exe command provides a comprehensive view of the programs and services currently running on a computer:
• It lists all running programs and services along with their corresponding process IDs (PIDs).
• Tasklist distinguishes whether a process started as a service or through the interactive console.
• By using the “/v” option, additional details about each process are displayed.
• Using “tasklist /svc” specifically lists the services associated with each process.
• For more information and assistance with command usage, “tasklist /?” can be used to access help documentation.
Svchost, short for "Service Host Process," serves as a container for running services on Windows machines:
- While some services have their own executable (.EXE) files, many are implemented as Dynamic Link Libraries (DLLs).
- Svchost acts as a shell for these DLL-based services, allowing them to run within the operating system.
- Unlike executables, DLLs cannot be run directly by users.
- Every Windows machine typically has multiple instances of svchost running concurrently.
- Each svchost instance can host one or more services, facilitating the efficient operation of various system functions.
Svchost.exe poses a challenge because attackers often conceal malicious software within this process:
- Tasklist offers a means to identify which services are operating under each svchost.exe process.
- You can use the command tasklist /svc /fi "imagename eq svchost.exe" to uncover the services associated with each svchost.exe instance.
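As an added example (not part of the original notes), the parser below reads the text that tasklist /svc prints, groups services by process, and lists svchost.exe instances that host no service at all, which is one of the first things to check when looking for something hiding behind the svchost name. The sample output is constructed, not a real capture; the PIDs are made up.

```python
import re

# Constructed sample of `tasklist /svc` output (not a real capture). The
# wrapped continuation line under PID 820 mirrors how tasklist breaks up a
# long service list; PID 4312 is a made-up svchost with no services.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    820 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                    904 RpcEptMapper, RpcSs
svchost.exe                   4312 N/A
spoolsv.exe                   1864 Spooler
"""

# image name, then PID, then the comma-separated service list (or N/A)
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")

def _split_services(field):
    """'A, B,' -> ['A', 'B']; 'N/A' -> []."""
    return [s for s in (x.strip() for x in field.split(",")) if s and s != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service names])} from tasklist /svc output."""
    rows, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            # Indented line: continuation of the previous row's service list.
            rows[last_pid][1].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if m:
            last_pid = int(m.group("pid"))
            rows[last_pid] = (m.group("image"), _split_services(m.group("services")))
    return rows

def svchost_without_services(rows):
    """PIDs of svchost.exe instances hosting no service: worth a closer look."""
    return sorted(pid for pid, (image, svcs) in rows.items()
                  if image.lower() == "svchost.exe" and not svcs)
```

An empty svchost instance is a lead rather than a verdict: a service may have just stopped, so confirm the flagged PID in services.msc or Task Manager before acting on it.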