Windows Session 0 Isolation

In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console.  This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a means to elevate their own privilege level.

The Microsoft Windows Vista operating system mitigates this security risk by isolating services in Session 0 and making Session 0 non-interactive. In Windows Vista (and Windows Longhorn Server), only system processes and services run in Session 0. The user logs on to Session 1. On Windows Longhorn Server, subsequent users log on to subsequent sessions (Session 2, Session 3, etc.). This means that services never run in the same session as users' applications and are therefore protected from attacks that originate in application code.

Specific examples of affected driver classes include:

  • Printer drivers, which are loaded by the spooler service
  • All drivers authored with the User Mode Driver Framework (UMDF), because these drivers are hosted by a process in Session 0

Application classes affected by this feature:

  • Services that create a UI
  • A service that tries to use window message functions such as SendMessage and PostMessage to communicate with an application
  • Applications creating globally named objects
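
To see how this separation looks on a given machine, the following PowerShell audit (an added example, not part of the original post) maps each running service to the session of its hosting process and lists services configured to interact with the desktop, which are the ones most likely to create a UI. It assumes PowerShell 3.0 or later for `Get-CimInstance`; the variable names are illustrative.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+.

# Index running processes by PID so a service can be mapped to its session.
$processById = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $processById[[uint32]$_.ProcessId] = $_
}

# One row per running service: hosting process, session, and whether the
# service is configured to interact with the desktop (it may create a UI).
$services = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $proc = $processById[[uint32]$_.ProcessId]
        [pscustomobject]@{
            Service         = $_.Name
            ProcessId       = $_.ProcessId
            SessionId       = if ($proc) { $proc.SessionId } else { $null }
            DesktopInteract = $_.DesktopInteract
            Account         = $_.StartName
        }
    }

# Process count per session: Session 0 holds system processes and services,
# interactive logons appear as Session 1 and up.
Get-CimInstance -ClassName Win32_Process |
    Group-Object -Property SessionId |
    Sort-Object -Property { [int]$_.Name } |
    Select-Object @{ n = 'SessionId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Services that may try to show a window: any UI they create stays in
# Session 0, which is non-interactive, so the logged-on user does not see it.
$services | Where-Object { $_.DesktopInteract } |
    Sort-Object Service | Format-Table -AutoSize

# Session of each running service's process, for review.
$services | Sort-Object SessionId, Service |
    Format-Table Service, ProcessId, SessionId, Account -AutoSize
```
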

Sessions in Windows XP / 2003
OK - so we've already mentioned that Session 0 poses a security risk because services run at elevated privilege.  The first user on the console also runs in Session 0 - which provides the most common attack vector used to target unsuspecting users.
