Securing Microsoft Windows Environment Network Services

Securing services is an important step in securing Windows computers. Services are often powerful programs that can be dangerous if an attacker takes control. Since services are just programs, they can contain programming errors and vulnerabilities. While there are many specific configuration strategies to secure each type of service, there are three high-level strategies that will keep all your services more secure. These strategies include keeping all service software up to date, limiting the permissions granted to service user accounts, and removing unneeded services.

Service Updates

Before enabling any service, develop a plan for keeping the service up to date. Service programs generally run for long periods of time waiting for requests. The services commonly monitor communication ports for requests and respond anytime they receive messages. Attackers know which services are in widespread use and they also know how to find out if you are running any services of interest. Whenever attackers uncover new vulnerabilities, they generally share the information with other potential attackers and start looking for vulnerable systems.

Once a new vulnerability surfaces, it is important to mitigate it as soon as possible. You can mitigate many vulnerabilities using compensating controls. The best way to address a vulnerability is to remove it. Many updates to service software do just that. Keep current on the latest releases available for any services you run. Keeping Windows updated with the latest service packs will keep many services up to date, but will not address any non-Microsoft services you run. If you run any non-Microsoft services, such as the Apache web server or an Oracle database, you’ll need to consult their websites for update information. Keeping your services up to date will help maintain your environment’s security.

Service Accounts

Windows defines rights and permissions based on user accounts. Windows runs every program as a specific user. That means even services run as a user. By default, many services run as a local admin account. If an attacker can exploit a vulnerability and compromise a service, it is possible the attacker could assume the identity of the user running the service. For this reason, it is important to run each service as a user that possesses the minimum privileges necessary to perform the service’s functions.

Carefully review the user account used for each service. You can see which user Windows uses for each service in the Services Microsoft Management Console (MMC) snap-in. You can use these steps to access the Service Properties:

  1. Choose the Windows Start button, then select Administrative Tools > Services.

  2. Select a service, right-click to open the context menu, and then select Properties.

  3. Choose the Log On tab to view or change the user account Windows uses to run the service.
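
The same review can be scripted for every service at once. The following PowerShell is an added example, not part of the original text; it reads each service's logon account from the Win32_Service class and flags services that run as LocalSystem or as a member of the local Administrators group. The function name and the Risk labels are illustrative choices.

```powershell
# Added example: report the logon account of every installed service and flag
# those that run with administrative rights. Read-only; run it from an elevated
# PowerShell prompt on the computer being reviewed.

# Members of the local Administrators group, looked up by well-known SID so the
# query also works on non-English installations. Nested groups are not expanded,
# and accounts written in user@domain form are not matched.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name }

function Get-ServiceAccountReport {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName

        # ".\name" denotes a local account; rewrite it as COMPUTER\name so it can
        # be compared with the group membership list.
        $normalized = $account
        if ($account -like '.\*') {
            $normalized = '{0}\{1}' -f $env:COMPUTERNAME, $account.Substring(2)
        }

        $risk = ''
        if (-not $account)                       { $risk = 'Unknown' }
        elseif ($account -eq 'LocalSystem')      { $risk = 'LocalSystem' }
        elseif ($admins -contains $normalized)   { $risk = 'LocalAdmin' }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Account   = $account
            Risk      = $risk
        }
    }
}

# Show only the services that need a closer look, highest privilege first.
Get-ServiceAccountReport |
    Where-Object { $_.Risk } |
    Sort-Object Risk, Name |
    Format-Table -AutoSize
```

Services that report NT AUTHORITY\LocalService or NT AUTHORITY\NetworkService are not flagged, because those built-in accounts already run with reduced privileges.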

Instead of using default accounts for services, create one or more user accounts that limit what services can do. Here are guidelines for creating secure accounts for services:

  • Create a new account, with leading underscores in the name, which makes it easier to identify service accounts.

  • Use strong passwords.

  • Revoke all logon rights for local and remote logons.

  • Set the Password Never Expires property.

  • Set the User Cannot Change Password property.

  • Remove the user from all default groups.

  • Assign the minimum privileges necessary to run services.

These guidelines will help create user accounts that are safer for services. A compromise of a service running under such an account will have less impact than a compromise of a service running under a local or domain admin account. Be sure to test the new accounts extensively, and grant the user sufficient permissions for the service to perform all of its necessary tasks.

Necessary Services

The best way to secure a specific service is to disable, or even remove it. If the service isn’t running, it isn’t providing any functionality. If a service is not needed on a computer, stop it from running. It is important to disable unused services. Since a service monitors one or more communications ports, each service is a potential point of attack. Start only the necessary services.

For Windows Server computers, enable only the role(s) you need the computer to perform. Windows will not install services that do not fit a specific role. For example, if you don’t need a web server running on a computer, don’t enable the web server role. A server that doesn’t have Internet Information Services (IIS) installed is immune to IIS vulnerabilities. For both Windows client and server computers, review all of the services in the Services MMC snap-in. Ensure that you need each running service.

If a service is not needed, there are several steps you can take:

  • Stop it—Stop a service in the Services snap-in. Change its Startup Type to Manual to prevent the service from starting automatically when the system boots.

  • Disable it—Change the Startup Type to Disabled to tell Windows not to start a service.

  • Remove it—If an unneeded service is installed on a computer, remove the software for the service. The procedure to remove a service depends on the type of service.

FIGURE 9-7 shows the startup options in the Services MMC snap-in.

FIGURE 9-7
Windows services startup options. (Screenshot of the properties box of a Windows application.)

Courtesy of Microsoft Corporation.

Regardless of your mitigation actions, take the time to review all of the services your computers run. Ensure each running service is necessary for that computer to accomplish its goals. Stop any unnecessary services. Each service you stop removes another potential attack point from your environment.
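
One way to carry out this review from PowerShell, as an added example that is not part of the original text: it lists running or auto-start services that are missing from an approved baseline, shows the TCP ports their processes listen on, and previews the stop and disable actions. The baseline list and the function name are constructed for illustration; build the real list from the role each computer performs.

```powershell
# Added example: compare services with an approved baseline and preview the
# changes. $ApprovedServices is a constructed sample list, not a recommendation.
$ApprovedServices = @('Dnscache', 'EventLog', 'LanmanWorkstation', 'W32Time', 'WinDefend')

# Map each listening TCP port to the process that owns it.
$portsByPid = @{}
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $portsByPid[[int]$_.OwningProcess] += @($_.LocalPort)
}

function Get-UnapprovedService {
    param([string[]]$Approved)

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' } |
        Where-Object { $Approved -notcontains $_.Name } |
        ForEach-Object {
            # Several services can share one svchost.exe process, so the ports
            # belong to the hosting process, not necessarily to this service.
            $ports = @()
            if ($_.State -eq 'Running') { $ports = $portsByPid[[int]$_.ProcessId] }

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                ListenPorts = ($ports | Sort-Object -Unique) -join ','
            }
        }
}

$candidates = Get-UnapprovedService -Approved $ApprovedServices
$candidates | Sort-Object Name | Format-Table -AutoSize

foreach ($svc in $candidates) {
    # -WhatIf prints what would happen without changing anything. Remove it only
    # after confirming that the service is not needed on this computer.
    Stop-Service -Name $svc.Name -WhatIf
    Set-Service  -Name $svc.Name -StartupType Disabled -WhatIf
}
```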
