Windows Server 2008: Windows Service Hardening

Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network or other areas that could be exploited by malware.  From the perspective of "always-on" code on the operating system, Windows services represent a large percentage of the overall attack surface on the system, especially if you consider the privilege level of that code.  Windows Server 2008 limits the number of services that are running and operational by default.  Windows Service Hardening reduces the damage potential of a compromised service by introducing several changes to Windows Services on both Windows Vista and Windows Server 2008:

Introduction of a per-service security identifier (SID):  A per-service SID creates, in essence, an identity for each service (the virtual account NT SERVICE\<service name>) which enables access control using the existing Windows access control model.  Services can now apply explicit access control lists (ACLs) to resources that are private to the service - preventing other services and users from accessing that resource.  A per-service SID may be assigned, typically during service installation, by calling the ChangeServiceConfig2 API with the SERVICE_CONFIG_SERVICE_SID_INFO information level, or by using the SC.EXE command with the sidtype verb.  There are three possible values:

  • None (0x0) - the service will not have a per-service SID.  This is the default configuration for a service
  • Unrestricted (0x1) - the service has a per-service SID, which is added to the service's token as a normal group SID
  • Restricted (0x3) - the service has a per-service SID and runs with a write-restricted token.  Write access is only granted to objects whose ACL explicitly allows the service SID (or one of the other restricting SIDs, such as Everyone or NT AUTHORITY\WRITE RESTRICTED), so a compromised service cannot write to arbitrary locations even if its account otherwise could.

So if you wanted to create a per-service SID you could use the following command syntax:  sc sidtype <service name> <none | unrestricted | restricted>.  The setting is stored in the service configuration and applied to the service's token the next time the service starts, so a running service must be restarted for it to take effect.  If you want to view the configuration of a service you could use the following command: sc qsidtype <service name>.  The screenshot below shows an example of an unrestricted and a restricted service.
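The following PowerShell script is an added example for the per-service SID procedure above; it is not code from the original article or from Microsoft.  It derives the per-service SID offline (the S-1-5-80-… value is the SHA-1 hash of the upper-cased, UTF-16LE service name, split into five little-endian DWORDs), cross-checks it against what LSA resolves for NT SERVICE\<name>, wraps sc.exe sidtype and sc.exe qsidtype, and then grants that SID access to a private folder while cutting inherited ACEs so other services and users are excluded.  The service name MyAppSvc and the path under C:\ProgramData are hypothetical; an elevated session on Windows Vista / Server 2008 or later is assumed.

```powershell
# Added example, not code from the original article. Assumes Windows Vista /
# Server 2008 or later, an elevated PowerShell session, and a service name you
# supply (here the hypothetical 'MyAppSvc'). sc.exe is called explicitly because
# in Windows PowerShell the bare word 'sc' is an alias for Set-Content.

function Get-ServiceSid {
    # Derive the per-service SID offline. NT SERVICE\<name> maps to
    # S-1-5-80-<5 DWORDs>: the SHA-1 hash of the upper-cased service name
    # encoded as UTF-16LE, read as five little-endian 32-bit values.
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

function Get-ServiceSidType {
    # Wraps 'sc.exe qsidtype' and returns NONE, UNRESTRICTED or RESTRICTED.
    param([Parameter(Mandatory)][string]$ServiceName)
    $out = & sc.exe qsidtype $ServiceName 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qsidtype failed: $out" }
    if ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    throw "Unexpected sc.exe output: $out"
}

function Set-ServiceSidType {
    # Wraps 'sc.exe sidtype'. The token is only rebuilt at the next service
    # start, so a running service must be restarted for the change to apply.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][ValidateSet('none','unrestricted','restricted')][string]$Type
    )
    $out = & sc.exe sidtype $ServiceName $Type 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed: $out" }
}

function Grant-ServicePrivateFolder {
    # Make a folder private to the service: stop inheritance, drop inherited
    # ACEs, and grant only the service SID (plus Administrators, so the folder
    # stays manageable). For a RESTRICTED service this explicit grant is what
    # makes the folder writable at all, since its token is write-restricted.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $svcRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "NT SERVICE\$ServiceName", 'Modify', $inherit, $prop, 'Allow')
    $admRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')
    $acl.AddAccessRule($svcRule)
    $acl.AddAccessRule($admRule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage with a hypothetical service name and folder.
$svc = 'MyAppSvc'
'Computed SID : ' + (Get-ServiceSid -ServiceName $svc)
# Cross-check: LSA derives the same SID from the virtual account name.
$nt = New-Object System.Security.Principal.NTAccount("NT SERVICE\$svc")
'LSA SID      : ' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
Set-ServiceSidType -ServiceName $svc -Type restricted
'SID type now : ' + (Get-ServiceSidType -ServiceName $svc)
Grant-ServicePrivateFolder -ServiceName $svc -Path 'C:\ProgramData\MyAppSvc\private'
Restart-Service -Name $svc
```

Switching a service straight to restricted can break it if it writes anywhere its SID is not explicitly granted (its own log directory, registry keys, named pipes); a safer sequence is unrestricted first, then grant the SID on every location the service must write to, then restricted, checking the service's own logs and the System event log after the restart.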
