A system service is normally a background process that runs to support specific functions, such as the Messenger service that is used to send and receive messages throughout the system. In the past, services have been exploitable because once they were breached they basically opened the door to the system for the malware creator. Now, WSH focuses on using the least-privileged account, for example, LocalService. To understand how this works, consider that a hardened service is protected by a per-service SID that can be referenced in ACLs. The service uses a SID, an ACL, and a write-restricted token to further harden and protect the system from exploitation.
Microsoft's system services have been the base for many attacks because of the high level of privileges these services run with. If exploited, some services can give unfettered access to the entire system. The malware can then run with the highest possible system privileges, or LocalSystem privileges. Once the system has been exploited, the attacker can run exploits on the system with administrator privileges. Worms such as Slammer exploited known system service holes. System services are kept secure with Windows Vista through the use of restricted services.
This article is excerpted from Vista for IT Security Professionals. To order this book, please visit Syngress.
This is done by running each service with the least privilege it needs, which reduces the damage a compromised service can do. Using restricted services minimizes the number of exploitable services that are running and helps to secure the ones that do run. Windows services are run under service profiles that classify each service further, so that the Vista OS has full control over its own services, further limiting malware exploitation.
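The per-service SID, trimmed privilege list and logon account described above can be inspected from an administrative prompt. The following PowerShell script is an added example, not code from the book or from Microsoft; it relies only on `sc.exe qsidtype`, `sc.exe qprivs` and the `Win32_Service` WMI class, all present from Vista onward. The service name `ExampleSvc` and the privilege list in the final remediation call are placeholders.

```powershell
# Added example, not code from the book or from Microsoft: audit the service
# hardening state the text describes. For each service it reports the logon
# account, the service SID type (NONE / UNRESTRICTED / RESTRICTED) and the
# explicitly required privileges, using only sc.exe and WMI queries.
# The audit is read-only; run it from an elevated Windows PowerShell prompt.

function Get-ServiceHardeningInfo {
    param(
        # Service short names to inspect; defaults to every installed service.
        [string[]]$Name = (Get-Service | ForEach-Object { $_.Name })
    )

    foreach ($svc in $Name) {
        $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        if (-not $cfg) { continue }   # not a Win32 service (e.g. a driver)

        # "sc qsidtype" prints a line such as "SERVICE_SID_TYPE: UNRESTRICTED".
        $sidOut  = (& sc.exe qsidtype $svc) -join "`n"
        $sidType = if ($sidOut -match 'SERVICE_SID_TYPE\s*:\s*(\S+)') { $Matches[1] } else { 'UNKNOWN' }

        # "sc qprivs" lists the privileges the SCM leaves in the service's token.
        # An empty list means no trimming was configured: the token keeps every
        # privilege of the logon account (for LocalSystem, that is all of them).
        $privs = @(& sc.exe qprivs $svc |
                  Select-String -Pattern 'Se\w+Privilege' -AllMatches |
                  ForEach-Object { $_.Matches } |
                  ForEach-Object { $_.Value })

        New-Object PSObject -Property @{
            Name           = $svc
            Account        = $cfg.StartName
            State          = $cfg.State
            SidType        = $sidType
            PrivilegeCount = $privs.Count
            Privileges     = ($privs -join ',')
            # Highest-impact combination: LocalSystem, no service SID, untrimmed token.
            NeedsAttention = ($cfg.StartName -eq 'LocalSystem' -and
                              $sidType -eq 'NONE' -and $privs.Count -eq 0)
        }
    }
}

# For a service you own, apply the hardening the audit looks for: give it a
# service SID (use 'restricted' for a write-restricted token) and keep only
# the privileges it actually needs. Both sc.exe verbs exist from Vista onward.
function Set-ServiceLeastPrivilege {
    param(
        [string]$Service,
        [string[]]$RequiredPrivileges,
        [ValidateSet('unrestricted', 'restricted')][string]$SidType = 'unrestricted'
    )
    & sc.exe sidtype $Service $SidType | Out-Null
    # sc privs takes the privilege names separated by slashes.
    & sc.exe privs $Service ($RequiredPrivileges -join '/') | Out-Null
}

# Usage: list the services that still run with a full LocalSystem token and no
# service SID, i.e. the ones an exploit would gain the most from.
Get-ServiceHardeningInfo |
    Where-Object { $_.NeedsAttention } |
    Sort-Object Name |
    Format-Table Name, Account, State, SidType, PrivilegeCount -AutoSize

# Placeholder remediation for a hypothetical service of your own (not a
# real Windows service); the privilege names are illustrative.
# Set-ServiceLeastPrivilege -Service 'ExampleSvc' `
#     -RequiredPrivileges 'SeChangeNotifyPrivilege','SeImpersonatePrivilege'
```

Services flagged by `NeedsAttention` are not necessarily vulnerable; the flag only says that a bug in that service would hand an attacker an untrimmed LocalSystem token, which is exactly the outcome WSH is meant to avoid. Re-run the audit after changing a service's SID type or privileges and restart the service, because the SCM builds the token at service start.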
Used in conjunction with the newly updated Windows Firewall, the inbound and outbound network ports that services are allowed to use are now under Vista's control. If a system service attempts to send or receive network data on a port it has not been allowed to use, the firewall will block the access. The commonly exploited Remote Procedure Call (RPC) service is an example. When RPC is needed, it will be loaded and restricted to doing only certain things. No longer can it be used to replace system files and other data, modify the system Registry, and so on.
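An administrator can apply the same idea to a service of their own with a firewall rule bound to the service rather than to a program path. The script below is an added example, not code from the book or from Microsoft; it uses `netsh advfirewall`, which ships with Vista and later. `ExampleSvc` and port 5555 are placeholders.

```powershell
# Added example, not code from the book or from Microsoft: confine a service's
# inbound network exposure with a service-scoped Windows Firewall rule.
# Because the firewall's inbound default is "block", a single allow rule that
# is scoped to the service SID and one port is the service's entire permitted
# inbound surface. Requires an elevated prompt.

$serviceName = 'ExampleSvc'   # placeholder short service name
$port        = 5555           # placeholder TCP port the service must listen on
$ruleName    = "$serviceName inbound TCP $port only"

function Add-ServiceScopedInboundRule {
    param([string]$Service, [int]$LocalPort, [string]$Rule)

    # Remove any earlier copy first so re-running the script is idempotent.
    & netsh advfirewall firewall delete rule name="$Rule" | Out-Null

    # Allow inbound TCP on the given port only when the receiving process is
    # the named service; "service=" binds the rule to that service's SID.
    & netsh advfirewall firewall add rule `
        name="$Rule" dir=in action=allow enable=yes profile=domain,private `
        protocol=TCP localport=$LocalPort service=$Service
}

function Show-ServiceScopedRule {
    param([string]$Rule)
    # Verbose output includes the "Service:" and "LocalPort:" fields, which is
    # what you want to verify after adding the rule.
    & netsh advfirewall firewall show rule name="$Rule" verbose
}

Add-ServiceScopedInboundRule -Service $serviceName -LocalPort $port -Rule $ruleName
Show-ServiceScopedRule -Rule $ruleName
```

Explicit block rules take precedence over allow rules in Windows Firewall, so do not pair this with a broad "block everything for the service" rule, which would override the allow; rely on the default inbound block instead. Check with the verbose listing that no other rule grants the same service "any" port.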
WSH is important to Vista's overall security because even if you cannot prevent your system from being infected by malware, you can at least be reasonably confident that if the system does get infected, the payload will not be as extreme as it used to be with older versions of the Windows OS. WSH also opens the door for independent software vendors (ISVs) to develop components and programs that are secure and will not cause issues for Windows Vista.
WSH (in conjunction with other new security features) provides an additional layer of protection, which builds on the defense-in-depth principle. Defense in depth is a general security term that means applying many levels of security to enhance your security posture. Do not rely on one form of security, such as a firewall, to protect you. Incorporate other forms of security so that you do not have all your eggs in one basket. With WSH, Vista adds another layer of security to the system, which can help thwart future attacks and exploits even further.
Network Access Protection (NAP)
NAP is used to prevent clients from connecting to the network if they are infected with malware. NAP is a policy enforcement platform incorporated into Windows Vista as well as Windows Server 2007 (codenamed Longhorn). By enforcing compliance with very specific system health requirements, Vista is able to help prevent malware from accessing the rest of the network and attached systems.
NAP can help verify that each computer connected to the network is malware-free; if it is not, it will not be allowed to connect to the network and further infect other systems. Until the system checks out as malware-free, it will not be allowed to use the network or its services.
Vista supports NAP with limited functionality. You will need to use Windows Server 2007 to provide full network access protection because this is used as the NAP policy server.