This guide is a resource for planning how to run services securely under the Microsoft Windows Server 2003 and Windows XP operating systems. It addresses the common problem of Windows services that are configured to run with the highest possible privileges, which an attacker who compromises the service can use to gain full and unrestricted access to the computer, to the domain, or even to the entire forest. It describes ways to identify services that can run with lesser privileges, and explains how to reduce those privileges methodically. This guide can help you assess your current services infrastructure and make some important decisions when you plan future service deployments. Microsoft has already tested the services included with the Windows Server 2003 and Windows XP operating systems with their default logon accounts, to ensure that they run at the lowest practical privilege level and are sufficiently secure. These services should not need modification. The main focus of this guide is securing services that are not provided with the operating system, such as those supplied as a component of other Microsoft server products: for example, Microsoft SQL Server or Microsoft Operations Manager (MOM). Services installed with third-party software applications and line-of-business applications developed in-house might need additional security enhancements. The main goal of this guide is to help administrators reduce the effect that a compromised service has on the host operating system. The guidance is based on Microsoft Security Center of Excellence (SCoE) experience in customer environments and represents a Microsoft best practice.
Overview

Organizations should ensure that they run services as securely as possible. Policies and best practices that govern how services are deployed help protect unsecured services from exploitation. A successful exploit can expose the user name and password that a service uses to authenticate when it starts, or when it connects to other computers in the domain; a service configured to run under a named domain account stores that account's password on the host as an LSA secret, so anyone who gains local administrator rights on that host can recover it. In a worst-case scenario, an unauthorized user can gain domain-level administrator access. Windows services are executable programs that run in sessions outside of the currently logged-on user's session. They run in the background, independent of any user session. Services can start automatically when the computer starts, can be paused and restarted, and do not show any user interface (UI) themselves, although they typically communicate with a UI that controls and administers the service. Because of this behavior, services are ideal for use on a server, or wherever you need long-running functionality that does not interfere with other users who are working on the same computer. In addition to services that Microsoft has created, many third-party vendors design products to be deployed as services running continuously in the background. The security weakness of services originates in how organizations have traditionally deployed them. Services, like users, require a means of authentication to use computer or network resources. Prior to the release of the Windows 2000 operating system, services that accessed resources on a network were required to use a domain user account to authenticate themselves to each remote server they used, because the Local System account could not authenticate across the network. With the release of Windows 2000, the Local System account was modified to allow authentication to network resources, just like a domain user account, but it uses the computer's credentials for authentication instead.
Remember that a computer account is essentially just a user account: in the Active Directory schema the computer class derives from the user class, and the two differ mainly in the flags set in the userAccountControl attribute (a computer account carries WORKSTATION_TRUST_ACCOUNT or SERVER_TRUST_ACCOUNT rather than NORMAL_ACCOUNT). Computer accounts can therefore log on and access resources just as user accounts can. Because of these changes, the Local System account became one of the more common accounts to use for service deployment. With the release of Windows Server 2003, the situation changed again when two new built-in account types similar to Local System were added: the Network Service account and the Local Service account. The new Network Service account also uses the computer's credentials when it authenticates remotely, but it has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges. The new Local Service account has the same reduced local privileges as the Network Service account, but, as the name suggests, it cannot authenticate to network resources with the computer's credentials: when it accesses the network it presents anonymous (null session) credentials. Running services more securely is an important initiative for organizations that seek to help secure their network assets.

Why Run Services More Securely?

You can achieve significant business benefits if you run services more securely. When you improve the security of services, you reduce the attack surface of your computers, improve your overall organizational security, and help protect your critical and confidential data. Your computers will be more stable, and your system uptime will improve. You can reduce your administrative overhead and thereby reduce the cost of ownership of your organization's servers.
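The following PowerShell script is an added example and is not part of the original guide. It shows the two tasks the guide sets out: identifying which services run as Local System (or under a named domain or local account whose password is stored on the host) and then reassigning a service to one of the lower-privilege built-in accounts described above. It uses the Win32_Service WMI class, which is available on Windows XP and Windows Server 2003; the function names and the "Category" labels are this example's own, and it assumes it is run in an elevated PowerShell session on the host being assessed.

```powershell
# Added example, not code from the guide. Inventories the logon account of every
# installed service, flags the ones worth reviewing, and reassigns a service to a
# built-in low-privilege account. Assumes an elevated PowerShell session on the
# target host. Get-WmiObject is used because it exists on XP / Server 2003.

# The built-in accounts as Win32_Service.StartName reports them.
$BuiltInAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
                     'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is the service command line: either "quoted path" args or path args.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }
    return $PathName
}

function Get-ServiceLogonInventory {
    $windir = $env:SystemRoot
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        # A null StartName means the service runs as Local System.
        $account = if ($_.StartName) { $_.StartName } else { 'LocalSystem' }
        $binary  = Get-ServiceBinaryPath $_.PathName

        $isWindowsBinary = $binary -like "$windir\*"
        $isLocalSystem   = ($account -eq 'LocalSystem') -or ($account -eq 'NT AUTHORITY\SYSTEM')
        $isNamedAccount  = -not ($BuiltInAccounts -contains $account)

        # Categories are this example's own labels:
        #   NamedAccount      - a user or domain account; its password is an LSA secret on this host
        #   ReviewLocalSystem - Local System, but the binary is not shipped in %SystemRoot%
        #   OK                - a Windows binary, or already on Local Service / Network Service
        $category = if ($isNamedAccount) { 'NamedAccount' }
                    elseif ($isLocalSystem -and -not $isWindowsBinary) { 'ReviewLocalSystem' }
                    else { 'OK' }

        New-Object PSObject -Property @{
            Name      = $_.Name
            Account   = $account
            StartMode = $_.StartMode
            Binary    = $binary
            Category  = $category
        }
    }
}

function Set-ServiceLogonAccount {
    # Reassigns a service to Local Service or Network Service via Win32_Service.Change.
    # Both accounts use an empty password; no credential is stored on the host.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')]
        [string]$Account = 'NT AUTHORITY\NetworkService'
    )
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }

    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #        DesktopInteract, StartName, StartPassword, ...). $null leaves a field
    # unchanged; DesktopInteract is forced off because only Local System may use it.
    $result = $svc.Change($null, $null, $null, $null, $null, $false, $Account, '')
    if ($result.ReturnValue -ne 0) {
        throw "Change() failed for '$Name' with return value $($result.ReturnValue)"
    }

    # The new account takes effect on the next start. Restart and confirm the
    # service actually comes up; a start failure usually means the new account
    # lacks a file, registry or privilege right the service depends on.
    Restart-Service -Name $Name -ErrorAction Stop
    return (Get-Service -Name $Name).Status
}

# Usage: list the candidates first, then downgrade one service at a time and test it.
Get-ServiceLogonInventory |
    Where-Object { $_.Category -ne 'OK' } |
    Sort-Object Category, Name |
    Format-Table Name, Account, StartMode, Binary, Category -AutoSize
```

Run the inventory across the servers you manage before changing anything; the "NamedAccount" rows are the ones whose credentials an attacker with local administrator access can read, and the "ReviewLocalSystem" rows are the non-Windows services for which Network Service (needs the network) or Local Service (does not) is the first candidate. After each reassignment, grant the new account only the specific NTFS and registry permissions the service needs, and exercise the service's functionality, not just its start state, before moving on to the next one.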
Who Should Read This Guide

The intended audience for this guide includes consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development and the deployment of Windows Server 2003. Some common job descriptions for these roles are:
Although written primarily for these roles, The Services and Service Accounts Security Planning Guide can also be helpful to IT generalists in medium and large organizations, and to the Infrastructure, Operations, and Security team roles identified in the Microsoft Operations Framework (MOF) team model.

Planning Guide Overview

This guide consists of the following chapters:

Chapter 1: Introduction. This chapter provides an executive summary, introduces the business challenges and benefits, suggests the recommended audience for the guide, and provides an overview of the chapters in this guide.

Chapter 2: The Approach to Running Services More Securely. This chapter provides an overview of the account types used to log on to services and describes the principles and strategies to apply when you plan your program to run services more securely.

Chapter 3: How to Run Services More Securely. This chapter describes how to run services more securely with the principles and strategies discussed in the previous chapter. It also covers the new Security Configuration Wizard in Windows Server 2003 Service Pack 1, which is an indispensable resource in your plan to run services more securely.

Chapter 4: Summary. This chapter summarizes the guidance provided and the problems addressed in this guide. It provides links to additional relevant reading materials.

Related Resources

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions. Have an opinion? Let us know on the Security Solutions Blog for the IT Professional, or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox. We look forward to hearing from you.