With Windows Server 2008 Microsoft has added some new control over services. When you combine all of the control that Microsoft provides for services in a Group Policy Object you can ensure that your services are protected.
Services are inherently dangerous to your servers and network due to the fact that they provide holes in the server for users, applications, and other servers to access resources. When the hole is too large or the service is not protected, an attacker could be granted access to the server with elevated privileges. Therefore, it is essential that services be protected so that access is only granted to what the service is designed for.
When evaluating what needs to be protected, you need to look beyond the basic holes that are created and think about the potential attacks that can be performed against services and their related settings. The following is a list of potential areas related to services that need to be protected:
- Access Control List of the service
- Startup mode for the service
- Service account for the service
- Service account password for the service
All of these security related areas of the service can now be controlled using Group Policy in a Windows Server 2008/Vista enterprise. For more information on how to use Group Policy and the new Group Policy Preferences, refer to: