Services and Service Accounts Security Planning Guide

Chapter 1 - Introduction

Updated: June 30, 2005

Executive Summary

This guide is an important resource to plan strategies to run services securely under the Microsoft® Windows Server™ 2003 and Windows® XP operating systems. It addresses the common problem of Windows services that are set to run with the highest possible privileges, which an attacker could compromise to gain full and unrestricted access to the computer or domain, or even to the entire forest. It describes ways to identify services that can run with lesser privileges, and explains how to downgrade those privileges methodically. This guide can help you assess your current services infrastructure and make some important decisions when you plan for future service deployments.

Microsoft has already tested the services included with the Windows Server 2003 and Windows XP operating systems to run with their default logon accounts, to ensure that they run at the lowest possible privilege level and are sufficiently secure. These services should not need modification. The main focus of this guide is to secure the services that are not provided with the operating system, such as those supplied as a component of other Microsoft server products: for example, Microsoft SQL Server™ or Microsoft Operations Manager. Services installed with third-party software applications and line-of-business applications developed in-house might need additional security enhancements.

The main goal of this guide is to help administrators reduce the effect of a compromised service on a host operating system. The guidance is based on Microsoft Security Center of Excellence (SCoE) experience in customer environments and represents a Microsoft best practice.

Overview

Organizations should ensure that they run services as securely as possible. If organizations have policies and best practices in place, they can help protect unsecured services from exploitation. These exploits can provide access to the user names and passwords that a service employs for authentication when the service starts up, or when the service connects to other computers in the domain. In a worst-case scenario, an unauthorized user can gain domain-level administrator access.

Windows services are executable programs that run in sessions outside of the currently logged-on user's session. They run in the background, independent of any user session. Services can start automatically when the computer starts, can be paused and restarted, and do not show any user interface (UI) themselves, although they typically communicate with a UI to control and administer the service. Because of this behavior, services are ideal for use on a server or whenever you need long-term functionality that does not interfere with other users who are working on the same computer. In addition to services that Microsoft has created, many third-party vendors design products to be deployed as services running continuously in the background.

The security vulnerability of services originates with how organizations have traditionally deployed them. Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like domain user accounts—but it uses computer credentials for authentication instead. Remember, a computer account is essentially just a user account that does not have the UserAccountControl attribute, so computer accounts can log on and access resources just like a user account can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account.

The new Network Service account also uses the computer's credentials when it authenticates remotely, but has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced privileges as the Network Service account, but as the name suggests, it does not have the ability to authenticate to network resources.
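The three built-in accounts described above, plus domain and local user accounts, are what a service's logon account resolves to in practice. The following PowerShell script is an added assessment example, not part of the original guide: it inventories every installed service, classifies it by logon account type, and lists first the services whose binaries live outside %SystemRoot% yet run as Local System or a domain account. It assumes a Windows host with PowerShell 3.0 or later and CIM access to Win32_Service; the virtual-account class is not discussed in this guide and applies only to later Windows versions.

```powershell
# Added example (not from the original guide). Assumes PowerShell 3.0+ and
# CIM access to the local Win32_Service class.

function Get-ServiceAccountClass {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {
        # Full local privileges; authenticates remotely with the computer account
        '^LocalSystem$'                  { return 'LocalSystem' }
        # Reduced local privileges; cannot authenticate to network resources
        '^NT AUTHORITY\\LocalService$'   { return 'LocalService' }
        # Reduced local privileges; authenticates remotely with the computer account
        '^NT AUTHORITY\\NetworkService$' { return 'NetworkService' }
        # Per-service virtual account (Windows Server 2008 R2 and later; assumption, not in this guide)
        '^NT SERVICE\\'                  { return 'VirtualAccount' }
        # Local user account, written as .\name
        '^\.\\'                          { return 'LocalUser' }
        # Anything else is DOMAIN\user or user@domain
        default                          { return 'DomainUser' }
    }
}

$systemRoot = [regex]::Escape($env:SystemRoot)

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        DisplayName  = $_.DisplayName
        StartMode    = $_.StartMode
        State        = $_.State
        PathName     = $_.PathName
        LogonAccount = $_.StartName
        AccountClass = Get-ServiceAccountClass $_.StartName
        # Rough heuristic: binaries outside %SystemRoot% usually did not ship with the OS
        OutsideSystemRoot = -not ($_.PathName -match "^`"?$systemRoot")
    }
}

# Review these first: non-OS binaries running with the highest privileges
$report |
    Where-Object { $_.OutsideSystemRoot -and $_.AccountClass -in 'LocalSystem','DomainUser' } |
    Sort-Object AccountClass, Name |
    Format-Table Name, AccountClass, LogonAccount, StartMode, PathName -AutoSize

# How many services use each account type on this host
$report | Group-Object AccountClass | Select-Object Name, Count
```

The path heuristic is deliberately coarse; confirm each flagged service against its vendor documentation before changing its logon account, as Chapter 3 describes.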

Running services more securely is an important initiative for organizations that seek to help secure their network assets.

Why Run Services More Securely?

You can achieve significant business benefits if you run services more securely. When you improve the security of services, you can quickly reduce the attack surface of your computers, improve your overall organizational security, and help protect your critical and confidential data. Your computers will be more stable, and your system uptime will improve. You can reduce your administrative overhead and thereby reduce the cost of ownership of your organization's servers.

This guide can help you assess your current services infrastructure and help you make some important decisions when you plan future service deployments.

Who Should Read This Guide

The intended audience for this guide includes consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development and the deployment of Windows Server 2003. Some common job descriptions for these roles are:

Architects and planners who drive the architecture efforts for the clients in their organizations.

IT security specialists who provide security across the platforms within their organizations.

Enterprise architects who manage the entire enterprise rather than any one specific network.

IT managers who determine what technology should be used to solve certain business problems.

Business analysts and business decision-makers (BDMs) who have critical business objectives and requirements that depend on client support.

Consultants from Microsoft Services and partners who need detailed resources of relevant and useful information for enterprise customers and partners.

Although written primarily for these roles, The Services and Service Accounts Security Planning Guide can also be helpful to IT generalists in medium and large organizations, and the Infrastructure, Operations, and Security team roles identified in the Microsoft Operations Framework (MOF) team model.

Planning Guide Overview

This guide consists of the following chapters:

Chapter 1: Introduction

This chapter provides an executive summary, introduces the business challenges and benefits, suggests the recommended audience for the guide, and provides an overview of the chapters in this guide.

Chapter 2: The Approach to Running Services More Securely

This chapter provides an overview of the account types used to log on to services and describes the principles and strategies to apply when you plan your program to run services more securely.

Chapter 3: How to Run Services More Securely

This chapter describes how to run services more securely with the principles and strategies discussed in the previous chapter. It also covers the new Security Configuration Wizard in Windows Server 2003 Service Pack 1, which is an indispensable resource in your plan to run services more securely.

Chapter 4: Summary

This chapter summarizes the guidance provided and the problems addressed in this guide. It provides links to additional relevant reading materials.
