Task 2.1: Managing Services

Several attack vectors are aimed at exploiting system services. Services are applications and processes that run at system startup. These services perform many beneficial tasks, such as the Server service (File And Printer Sharing) or the World Wide Web Publishing service, required to run a web server.

Services open doorways, or ports, into a system. It is through these open ports that an attacker can attempt to penetrate your system with known, potential exploits.

Another attack vector on services is aimed at privilege escalation. All processes, including services, must run under the context of a user account. These services have an associated user account that is granted rights and permissions (known as privileges) sufficient to perform the work that the service is designed to accomplish. These user accounts are automatically “logged on” during system startup so that the services can be started, even without any human user logging onto the system.

Many services run under the context of the System account, a built-in user account that is granted quite a bit of privilege. During installation, many applications build a service account and grant that user account appropriate privileges to do the work of that application.

If an attacker can execute a successful exploit against a service, the attacker will then have access to the system at the privilege level of the user account running the service that was exploited. If this is the System account, the attacker will have quite a bit of system access and can strengthen his hold on your system. This is referred to as escalation of privilege.

For these reasons, any and all services that are not essential for the operation and performance of a system should be disabled, stopped, and locked down by Group Policies. A diligent administrator may even schedule a task to regularly kill these services, just in case an attacker has been able to get one running.

Further, service accounts for applications should be granted only the minimum level of privilege required to perform the work of the application, following the principle of least privilege. It is usually a mistake to run services under the context of the Administrator account. This account almost always has too many privileges, more than are required to perform the work of the application.

The decision on what services to have started or stopped will vary greatly and will depend on the specific requirements of the individual system being configured.

Scenario

You are configuring a new system to be used as a file and print server that will hold sensitive data. You must reduce the attack surface of the system by disabling unnecessary services and ensuring that they cannot be started inappropriately.

Scope of Task

Duration

This task should take about 90 minutes.

Setup

For this task, you will need a Windows workstation or server. Both the workstation and server versions of the Windows operating system have a Server service and may be used for file and printer sharing.

Workstation-class operating systems allow for a maximum of 10 inbound connections to the Server service. In the corporate environment, this is usually considered insufficient and therefore a server-class operating system is preferred to provide file- and printer-sharing services.

Caveat

While you want to stop any and all unnecessary services, services are created to provide good benefit to users. Disabling services will reduce the utility of a system and many potentially desirable features of a system will no longer function. It may not be immediately obvious what features will stop working as you disable a given service. Services have relationships (known as dependencies) to other services. As you look at the properties of a service, you may discover that other services are required to run this service, and that other services may require this service to be running.

You must proceed cautiously and test the system to ensure the desirable features are still functional while stopping as many nonessential services as you can.

Procedure

In this task, you will disable services that aren’t required for the given functional requirements of a system. You will minimize privilege levels and implement controls to keep nonessential services disabled.

Equipment Used

For this task, you must have:

  • A Windows XP or Windows Server–class system
  • A Local Administrator account

If you have access to an Active Directory environment and a Domain Administrator account, the task can be completed within Group Policy Objects (GPOs).

Details

The following sections guide you through identifying any dependencies related to a given service, both upstream and downstream. Next you will examine how to disable and stop a service. You will then identify which service account is being used for each service and consider how you might change this account to follow the principle of least privilege.

In an Active Directory environment, you can implement a GPO to further lock down a service. These GPOs refresh on a regular basis and will maintain control over the service continuously.

Finally, you will write a batch file to disable a service and schedule it to run every 4 hours, in case an attacker has been able to reconfigure a disabled service to run.

Using the Computer Management Tool

1. After logging on as a Local Administrator, launch the Computer Management tool.

For Category View: From the Start menu, select Control Panel ⇒ Performance And Maintenance ⇒ Administrative Tools ⇒ Computer Management.

For Classic View: From the Start menu, select Control Panel ⇒ Administrative Tools ⇒ Computer Management.

2. Expand Services And Applications.

3. Select Services and maximize the window. Click the Standard tab.

The services are listed in alphabetical order by default. You can click on the column title to re-sort ascending/descending by any column. Sorting lets you view what services are running, set services to start automatically, and identify the user account a service is running under. Click on the column title to sort by Startup Type to see which services are set to start automatically at system startup.

You can also build a Services Microsoft Management Console (MMC) by adding the Services snap-in. To do so, click Start ⇒ Run and type MMC. Then click OK. In the Console Root window, select File ⇒ Add/Remove Snap-in and click the Add button. Then select Services from the snap-in list and click Add. Click Finish. Click Close and then click OK.

If you have Administrative Tools installed, the Services MMC is also available by clicking Start ⇒ Programs ⇒ Administrative Tools ⇒ Services.

Examining Dependencies Between Services

1. In the Computer Management window, double-click the Logical Disk Manager service, and select the Dependencies tab.

This tab may take a few moments to populate.

2. Observe the two fields: This Service Depends On The Following System Components and The Following System Components Depend On This Service.

It is the components in the field The Following System Components Depend On This Service that you need to be most concerned about when disabling a service. Any services listed in this field will fail to start if you disable the selected service.

3. Select additional services to get a feel for their dependencies.

4. Close all service property pages.

Disabling and Stopping Services

1. In the Computer Management tool’s Services window, double-click on the Windows Time service. The Windows Time service is used to synchronize the system clock with the system clock on its authentication server.

You must reset this service to its default configuration—Automatic and Started—at the completion of this task.

2. Select the Dependencies tab.

This tab may take a few moments to populate.

3. Observe the lower field: The Following System Components Depend On This Service. Notice that, by default, no services depend on this service. Be aware that on other services, if this field is populated the dependent service will fail as you complete this task.

4. On the General tab, select the Startup Type drop-down. Notice that the Startup Type options are Automatic, Manual, and Disabled. Automatic starts at system startup; Manual starts this service if another service or application starts that depends on this service; and Disabled means that this service will be prohibited from starting.

5. Set Startup Type to Disabled. Click Apply.

Notice that the Service status is still Started. Disabling a service does not stop the service if it has been started. You must stop the service manually.

6. Click Stop to shut down the service. You will see a progress bar as the service is being stopped.

7. Confirm that the service status is now stopped.

8. You have now successfully disabled and stopped a service.

For proper system operation, you must reset this service to its default configuration: Automatic and Started.

9. Set Startup Type to Automatic. Click Apply.

10. Click Start. You will see a progress bar as the service is being started. Confirm that Startup Type is Automatic and Service Status is Started.

11. Click OK to close the property pages for the Windows Time service.
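The dependency check from the previous section and the disable-and-stop steps above, combined into one command-line script. This is an added example, not the book's own file; it assumes sc.exe and net.exe (both built into Windows XP and Windows Server) and takes the service's short name as its argument (W32Time for Windows Time, the service used above).

```batch
@echo off
rem disable-service.cmd ServiceName   (added example, not from the book)
rem Refuses to disable a service while anything that depends on it is running.
rem This is the "The Following System Components Depend On This Service" check
rem from the Dependencies tab, done from the command line with sc.exe.
setlocal
set "SVC=%~1"
if "%SVC%"=="" (
    echo Usage: %~nx0 ServiceName   ^(e.g. W32Time for Windows Time^)
    exit /b 2
)

rem Fail early if the name is wrong; sc query returns a non-zero code then.
sc query "%SVC%" >nul 2>&1
if errorlevel 1 (
    echo No service named %SVC% on this system.
    exit /b 1
)

rem Upstream: what this service itself needs. sc qc prints the first dependency on
rem the DEPENDENCIES line and any further ones on the indented lines after it.
echo --- %SVC% depends on:
sc qc "%SVC%" | find "DEPENDENCIES"

rem Downstream: services that will fail to start once %SVC% is disabled.
rem sc enumdepend lists each with its STATE; a RUNNING one blocks the change.
echo --- Services that depend on %SVC%:
sc enumdepend "%SVC%" | find "SERVICE_NAME"
sc enumdepend "%SVC%" | find "RUNNING" >nul
if not errorlevel 1 (
    echo A running service depends on %SVC% - not disabling it.
    exit /b 1
)

rem Safe to proceed: set Startup Type to Disabled, then stop it. As the book
rem notes, disabling alone does not stop a service that is already started.
rem sc config needs the space after "start=".
sc config "%SVC%" start= disabled
net stop "%SVC%"
sc query "%SVC%" | find "STATE"
endlocal
```

Run it as disable-service.cmd W32Time; to restore the book's default afterwards, run sc config W32Time start= auto followed by net start W32Time.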

Identifying the Service Account Used to Start a Service

1. With the Computer Management tool open, click on the Log On As column to sort its contents.

2. Scroll down this list and notice the various user accounts used to start each service. Most services run under the context of the Local Service, Local System, or the Network Service account. If your system has an application installed that requires a service account, you will see those accounts listed as well. Whatever account is utilized, it should have just the bare minimum level of privilege to perform the work of the application, process, or service. If you see the Administrator account listed here, this privilege level is probably too high and should be changed to an account of lesser but sufficient privilege.

3. As a demonstration of how to change the service Log On As account, you will use the ClipBook service.

At the end of this task, you will reset the service account to the default Local System account. Failure to reset the Log On As account may cause desirable services to fail.

Double-click the ClipBook service. Select the Log On tab. Notice that this service defaults to the Local System account.

4. Select This Account, and then click Browse.

5. Click Advanced.

6. Click Find Now and highlight the Administrator account.

Click OK twice, which selects the Administrator account as the account to be Logged On As for this service.

7. In the ClipBook Properties dialog box, select the Log On tab, type the Administrator’s password in the Password field, and then retype it in the Confirm Password field. Click Apply to complete the process.

Be aware that if this account password is changed—and it should be changed regularly—you must change the password in this dialog box as well. If you do not keep this dialog box synchronized with the account password, the service will fail to start.

You have now successfully changed the Log On As service account for a service.

For proper system operation of the ClipBook service, you must reset this service to its default configuration, Local System.

8. Set the Log On As option to the Local System account. Confirm that the Allow Service To Interact With Desktop check box is cleared. Click Apply.

9. Confirm that the Local System account is selected.

10. Click OK to close the property pages for the ClipBook service.
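A command-line version of the Log On As check in steps 1 and 2, as an added example that is not part of the book. It uses wmic (included with Windows XP Professional and Windows Server) to list every service that does not run as one of the three built-in accounts, flags any that run as an Administrator account, and shows the Service Control Manager's view of one service; ClipSrv is assumed as the short name of the ClipBook service.

```batch
@echo off
rem service-accounts.cmd [ServiceName]   (added example, not the book's script)
rem Audits which account each service logs on as, so an over-privileged
rem service account stands out for review. Assumes wmic.exe and sc.exe.
setlocal

echo === Services not running as one of the three built-in service accounts ===
rem LocalSystem, NT AUTHORITY\LocalService and NT AUTHORITY\NetworkService are
rem the expected values; anything else is an application service account whose
rem privileges should be checked against what the application actually needs.
rem WQL string literals need the backslash doubled.
wmic service where ^
  "StartName<>'LocalSystem' and StartName<>'NT AUTHORITY\\LocalService' and StartName<>'NT AUTHORITY\\NetworkService'" ^
  get Name,StartName,StartMode,State

echo.
echo === Services logging on as an Administrator account (privilege too high) ===
rem %% is a literal percent sign inside a batch file (WQL wildcard).
wmic service where "StartName like '%%Administrator%%'" get Name,StartName,StartMode,State

echo.
echo === Account and start type of one service, as the SCM reports them ===
rem Optional argument: a short service name. Defaults to ClipSrv (ClipBook).
set "SVC=%~1"
if "%SVC%"=="" set "SVC=ClipSrv"
sc qc "%SVC%" | find "SERVICE_START_NAME"
sc qc "%SVC%" | find "START_TYPE"
endlocal
```

If the second list is not empty after you have completed step 7, it shows the ClipBook service you just reconfigured; after step 8 it should be empty again.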

Locking Down Services with Group Policy Objects

Computer GPOs are applied at system startup and are refreshed by default every 90–120 minutes on member servers and workstations, and every 5 minutes on domain controllers.

This task requires access to an Active Directory (AD) environment and you must have Domain Administrator privileges. If you do not have these components, you cannot complete this task. In a well-developed AD environment, you may need to build a security group with administrators that you want to be able to manage system services. In this task, you will be granting only this elite group of administrators the privilege of managing system services on your hardened servers.

1. After logging on as a Domain Administrator on either a domain controller or on a Windows XP system with Adminpak.msi installed, select Start ⇒ Programs ⇒ Administrative Tools, and launch Active Directory Users And Computers (ADUC).

2. Expand the domain object. Select and right-click on the Users OU. Select New ⇒ Group.

3. Name the group Service Admins. Confirm that Group Scope is set to Global and that Group Type is set to Security. Click OK to create the security group. This group will now be populated with the elite group of domain administrators that you wish to allow to configure services.

4. In ADUC, select the domain name. Then right-click on the domain name and select New ⇒ Organizational Unit.

5. Name the new organizational unit (OU) Hardened Servers. Click OK. Place into this OU the computer account objects for all servers you are attempting to harden with these GPOs.

6. Right-click on the Hardened Servers OU and select Properties. Select the Group Policy tab.

7. Click New and rename the new GPO Services Lockdown.

8. Click Edit.

9. Inside the new Services Lockdown GPO, in the left pane expand Computer Configuration ⇒ Windows Settings ⇒ Security Settings. Select System Services.

10. In the right pane, double-click the ClipBook service.

11. Select Define This Policy Setting, and then select Disabled. This configures the ClipBook service to Disabled during system startup.

12. Click Edit Security. You must first add your elite group of administrators—the Service Admins global group—and then remove the administrators from the access control list (ACL). To do so, first click Add.

13. In the resulting dialog box, click Advanced, then click Find Now and select the Service Admins global group.

14. Click OK twice. This adds the Service Admins global group to the Security For ClipBook ACL. Confirm that all Allow permissions are selected, except Special Permissions.

15. Select the Administrators Group in the Group Or User Names field. Click Remove.

16. Click OK to close the Security For ClipBook dialog box. Click OK in the ClipBook Properties dialog box.

17. Close the GPO.

You have now successfully created a GPO that will, at startup, reset the ClipBook service on all computers in the Hardened Servers OU to Disabled, and only the members of the Service Admins security group have the privilege to make any changes to the Startup Type and Service Status values for this service.

You have configured only one service: ClipBook. If you were hardening a system, you would configure this GPO with additional service settings defined for all services you wish to control.

Resetting Services with Task Scheduled Scripts

1. In Windows Explorer, create a new folder called Scripts in the root of the C:\ drive.

2. Open the Scripts folder. In the right-hand pane, right-click the white space in the Scripts folder and select New ⇒ Text Document.

3. Rename the text document StopAlerter.cmd. Notice that there are no spaces in the filename. You will be prompted with a warning about changing the file’s extension. Click Yes to accept the filename with the new extension.

4. Right-click StopAlerter.cmd and select Edit. If prompted, select Notepad as the application used to open this document.

5. In the Notepad application, type the command net stop alerter, and then press Enter.

To determine the names of the services on a system, launch Regedit (Start ⇒ Run, type Regedit, and click OK). In the Registry Editor application, expand the Registry to HKEY_LOCAL_MACHINE ⇒ SYSTEM ⇒ CurrentControlSet ⇒ Services. The key names under Services are (usually) the correct service names to use with the NET STOP command. Test these at a command prompt to be certain. Another option for locating service names is to boot into the Recovery Console and type the command LISTSVC. Then scroll through the services available on the system to identify the service name.

6. Select File ⇒ Save, and then close Notepad.

7. In the Control Panel (Start ⇒ Settings ⇒ Control Panel), select Scheduled Tasks ⇒ Add Scheduled Task.

8. Build a scheduled task to run the StopAlerter script every 4 hours. When the Task Scheduler Wizard launches, click Next.

9. Browse to C:\Scripts\StopAlerter.cmd. Click Next.

10. Schedule the task to run daily. (You’ll fix this later.) Click Next.

11. Set the start time to 9:00 a.m. every day and set the start day to tomorrow’s date. Click Next.

12. Enter the credentials (username and password, which you enter twice) of the local administrator, the domain administrator, or, in the case of a service controlled by the Services Lockdown GPO, the credentials of a member of the Service Admins security group (someone with a privilege level sufficient to configure the service). Click Next.

13. Select Open Advanced Properties and click Finish.

14. In the dialog box for the StopAlerter task, select the Schedule tab.

15. Click Advanced, and then select the option to repeat the task every 4 hours and set the duration to 24 hours.

16. Click OK twice.

You have now scheduled the StopAlerter task to run every 4 hours, every day. If an attacker managed to get this service to start, this task would stop the service when it runs. This means that the attacker would have to break into your system every 4 hours and restart this service (assuming he could accomplish such a feat!), essentially starting over with his devious activities.
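The StopAlerter.cmd written in the steps above does one thing: net stop. The version below is an added example, not the book's script. It also resets the Startup Type to Disabled (which net stop does not do, so an attacker's change to the Startup Type would otherwise survive) and writes a log line whenever it finds the service running, so a service that keeps reappearing between runs gets noticed. It assumes the short service name Alerter and the log path C:\Scripts\StopAlerter.log.

```batch
@echo off
rem StopAlerter.cmd, extended version (added example, not the book's own file).
rem Scheduled every 4 hours: stops the Alerter service if it is running, puts its
rem Startup Type back to Disabled, and logs what it found. Assumes sc.exe and
rem net.exe; SVC and LOG below are this example's choices.
setlocal
set "SVC=Alerter"
set "LOG=C:\Scripts\StopAlerter.log"

rem A wrong service name would make every later step silently do nothing.
sc query "%SVC%" >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% service %SVC% not found >> "%LOG%"
    exit /b 1
)

rem sc query prints a STATE line such as "STATE : 4 RUNNING" or "STATE : 1 STOPPED".
sc query "%SVC%" | find "RUNNING" >nul
if errorlevel 1 (
    echo %DATE% %TIME% %SVC% already stopped >> "%LOG%"
) else (
    rem A disabled service found running means someone re-enabled and started it;
    rem the log line is the signal to go and look at who did that.
    echo %DATE% %TIME% %SVC% was RUNNING - stopping it >> "%LOG%"
    net stop "%SVC%" >> "%LOG%" 2>&1
)

rem Re-disabling undoes a changed Startup Type, which net stop alone does not.
rem sc config needs the space after "start=".
sc config "%SVC%" start= disabled >nul
if errorlevel 1 echo %DATE% %TIME% could not set %SVC% to disabled >> "%LOG%"

rem Record the resulting start type and state so the log shows the end state.
sc qc "%SVC%" | find "START_TYPE" >> "%LOG%"
sc query "%SVC%" | find "STATE" >> "%LOG%"
endlocal
```

The same 4-hour schedule can be created without the wizard with schtasks /create /tn StopAlerter /tr C:\Scripts\StopAlerter.cmd /sc hourly /mo 4 /ru <account>, which prompts for that account's password.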

You should carefully consider resetting all changes that you’ve made to their original default configuration. You have stopped and disabled services. You have locked down services, perhaps to a point where desirable system operations may fail. You have scheduled a task that stops a service to run every 4 hours, forever. Evaluate the changes you’ve made and determine whether you should undo these changes before you proceed.

Criteria for Completion

You have completed this task when you know how to determine a service’s dependencies, how to disable and stop services, how to set the service account to a user account with the minimum level of privilege to run the service, how to lock down the services by GPO, and how to regularly stop services in case they do somehow get started.