Κατανόηση Vista παραθύρων της σκλήρυνσης υπηρεσιών
Η Microsoft Vista παραθύρων ως ασφαλέστερα παράθυρα πάντα. Υποστήριξη ότι η αξίωση, Microsoft έχει περιλάβει διάφορα νέα χαρακτηριστικά γνωρίσματα ασφάλειας στο λειτουργικό σύστημα. Αυτά τα νέα χαρακτηριστικά γνωρίσματα σχεδιάζονται για να εξετάσουν μερικών από τα κοινά διανύσματα από τα οποία οι προηγούμενες εκδόσεις των παραθύρων έχουν μειωθεί στους ανώνυμους αγύρτες και άλλους εγκληματίες.
Ένα τέτοιο νέο χαρακτηριστικό γνώρισμα Vista παραθύρων είναι γνωστό ως σκλήρυνση υπηρεσιών παραθύρων. Στις παλαιότερες εκδόσεις των παραθύρων, οι υπηρεσίες δεν έτρεξαν απαραιτήτως με τα λιγότερα πιθανά προνόμια. Στην πραγματικότητα, οι υπηρεσίες παραθύρων έτρεξαν συχνά στο πλαίσιο των απολογισμών με πολύ υψηλού επιπέδου της πρόσβασης, όπως LocalSystem απολογισμός. Περαιτέρω, οι χρήστες δεν γνωρίζουν συχνά τις υπηρεσίες που τρέχουν στα συστήματά τους, και δεν συνειδητοποιούν ότι μερικές υπηρεσίες είναι ασφαλείς να θέσουν εκτός λειτουργίας. Τέλος, οι εφαρμογές υπηρεσιών και χρηστών έτρεξαν στο ίδιο διάστημα, το οποίο θα μπορούσε να οδηγήσει στην ακατάλληλη πρόσβαση. Ως συνέπεια οι υπηρεσίες που τρέχουν με τα προνόμια που δεν ταιρίαξαν με την ανάγκη, και τις υπηρεσίες που τρέχουν που οι χρήστες δεν απαίτησαν, υπολογιστές γραφείου παραθύρων αφέθηκαν πιό τρωτές στην επίθεση.
Τι η υπηρεσία παραθύρων σκληραίνει;
Vista η υπηρεσία που σκληραίνει έχει ως σκοπό να μετριάσει μερικών από αυτές τις ανεπάρκειες. Το χαρακτηριστικό γνώρισμα χρησιμοποιεί τέσσερις μεθόδους για να επιτύχει τους στόχους του:
- Απομόνωση υπηρεσιών
- Λιγότερο προνόμιο
- Περιορισμένη πρόσβαση στο δίκτυο
- Σύνοδος 0 απομόνωση
Θα μιλήσουμε για κάθε μια από αυτές τις μεθόδους ασφάλειας με κάποιες λεπτομέρειες.
Απομόνωση υπηρεσιών
Πριν από Vista παραθύρων, όταν χρειάστηκε μια υπηρεσία την πρόσβαση σε ένα αντικείμενο που απαίτησε ένα υψηλό επίπεδο της ασφάλειας, η μια από δύο μεθόδους θα μπορούσε να υιοθετηθεί:
- Η υπηρεσία θα μπορούσε να οργανωθεί χρησιμοποιώντας έναν απολογισμό που χορήγησε ένα υψηλό επίπεδο των δικαιωμάτων στο σύστημα. LocalSystem ο απολογισμός, παραδείγματος χάριν, θα παρείχε αυτό το επίπεδο υπηρεσίας. Αυτό είναι η μέθοδος που ο συνηθέστερα υιοθετήθηκε αλλά όχι απαραίτητα άνοιξε το σύστημα στην πιθανή επίθεση.
- Η διαμόρφωση ασφάλειας για το αντικείμενο στο οποίο η πρόσβαση απαιτήθηκε θα μπορούσε να μετατραπεί για να επιτρέψει την πρόσβαση από έναν πρόσθετο απολογισμό με λιγότερα προνόμια. Εκτός από τη δημιουργία ενός διοικητικού εφιάλτη (φανταστείτε να πρέπει να δημιουργήσει έναν απολογισμό υπηρεσιών για κάθε απολογισμό και έπειτα τους κωδικούς πρόσβασης για εκείνους τους απολογισμούς), αυτή η προσέγγιση θα παρείχε σε έναν επιτιθέμενο ένα άλλο διάνυσμα από το οποίο να επιτεθεί σε ένα σύστημα.
Εισάγετε την απομόνωση υπηρεσιών. Η απομόνωση υπηρεσιών είναι μια μέθοδος με την οποία μια Vista υπηρεσία μπορεί να έχει πρόσβαση σε ένα απαραίτητο αντικείμενο χωρίς να πρέπει να πηδήσει μέσω των διοικητικών στεφανών ή να χρησιμοποιηθεί ένας απολογισμός έξοχος-διοικητών όπως LocalSystem. Οι εργασίες απομόνωσης υπηρεσιών με την εξασφάλιση ενός αντικειμένου â στόχων€» όπως ένα ληξιαρχείο βασικό ※ με μια πρόσβαση ελέγχουν την είσοδο που περιέχει μια ταυτότητα ασφάλειας This ID is referred to as a “service identity”, “per-service SID” or, in some documentation, just “SID”, which should not be confused with the phrase “security identifier” (also known as the SID) used by Windows and Active Directory. This SID is unique to the service and is derived from the service name.
Once the SID is created and assigned for use by a service, an object’s (for example, a registry key to which a service needs to write information) access control list can be modified to include the new SID, thus allowing the service to access the object without giving away the privilege farm.
Restricted SIDs
Even when a service is using one of these service-specific SIDs, the service is still able to access other resources because the service’s process token also contains the SID for the service account (ie, LocalService or NetworkService). If the service is compromised, a potential attacker can cause additional damage by accessing the resources that are not related to the service, but are accessible to the LocalService account.
Windows Vista tries to help you here, too. In an attempt to limit the potential damage caused by a compromised service, Windows Vista combines write-restricted tokens and per-service SIDs to establish restricted SIDs for services. If a service enables a restricted SID, then that service’s per-service SID is combined with both the normal and restricted SID list of the write-restricted service access token. Now, the service can write only to objects that have been specifically granted write access to one of the SIDs in the restricted list.
Let’s look at an example.
Suppose that a particular service runs using the LocalService account and also has a service SID enabled. As a result, the service has access to objects that have been granted per-service access, but the service also has access to all objects that provide access to the LocalService account. By enabling restricted SIDs, this can no longer write to any object that grants access to LocalService account. Why? Those objects do not grant write access to the per-service SID of your service.
Least privilege
The LocalSystem account provides the keys to every aspect of a system. This is also the account under which many Windows services run. Therefore, these services are favourites among hackers since a successful exploit against one of these services can provide wide and deep access to a system.
In order to protect a system, a best practice is to run each service using an account with the least privileges necessary to accomplish the service’s goals. Although Windows provides other accounts that have significantly fewer rights, some services require privileges provides only by the LocalSystem account.
Under older versions of Windows, the LocalSystem account provided carte blanche access. Under Windows Vista, services requiring LocalSystem-only rights can still use the LocalSystem account, but can be configured to be granted only those rights that are required for the service to operate, and no more. LocalSystem is not the only account that can use this new feature. The following accounts or account types can also use this least privilege mechanism:
- LocalService account: The LocalService account has minimum rights on the local computer and uses anonymous credentials on the network. This account has reduced privileges and acts in a similar fashion to an authenticated local user account. Use of this account is useful when the LocalSystem account provides too much access for services that do not need deep access to a system.
- NetworkService account: The NetworkService account is similar to the LocalService account in that this account provides lesser rights than LocalSystem. Where NetworkService differs from LocalService is in cases during which the service needs to access remote resources. Whereas LocalService provides anonymous credentials for access to remote resources, NetworkService accesses remote resources using the credentials of the computer account.
- Domain accounts: User accounts created in the Active Directory domain.
- Local accounts: User accounts created on the local computer.
Under Windows Vista, when a service starts, the service requests specific privileges — not all privileges — provided by the LocalSystem account. Rights that are not specifically requested in some way are removed from the service’s access token. If a service has not been designed with this new security feature, the service is assigned all of the rights granted by LocalSystem. This helps to maintain backward compatibility for older services. For shared-process services, all processes in the group are assigned all of the rights requested by each of the individual processes.
It’s important to note that this principle of least privilege does not limit a hacker’s ability to exploit a flaw in a service. It does, however, limit the damage that can be wrought by an attacker’s successful breach of your other defences.
Service network access restrictions
Over the years, services running in Windows have become more and more dependent on being accessible to the network or accessible by other computers on your network. Services that face the network in this way are more vulnerable to attack since, in order to work their magic, these services are just waiting for remote connections, making them more susceptible to malicious activity.
Under Windows Vista, a developer can restrict a service’s access by TCP/UDP port, protocol, or even by the direction that network traffic is flowing. When restrictions like these are in place, attempts to access a service using other methods will be blocked, protecting that service from some attack vectors.
Windows Vista services can also be configured to not allow network access in which case the service cannot be remotely exploited, but neither can the service make connections to remote services. However, not every service really needs network access.
Windows Vista’s service-level network access restrictions hardening feature works in a similar fashion, as the service isolation feature in that the restrictions are implemented through the use of service-level SIDs.
Session 0 isolation
For this section, the assumption is that you are using Vista as a desktop, and not as a server serving remote users.
Under Windows XP, when a user logs into the console, all services and applications run in what is called Session 0. When Fast User Switching is enabled in Windows XP, the first user’s applications are assigned to Session 0, along with all of the system’s running services. As additional users log into the system via Fast User Switching, each additional user’s applications are run inside a new session. So the second user’s applications run in Session 1, and the third user’s applications run in Session 2. However, regardless of how many people log in to the system, all services, as well as the original user’s applications, continue to run in Session 0.
Mixing services, many of which run with considerable privileges, with user applications can create significant security issues. If an application is poorly written, falls victim to an exploit, or if that application is running in the same session as services, those services are more vulnerable to compromise than they would be if the applications were running in a separate box.
In order to combat this potential threat, Windows Vista does not allow any user applications to be run in Session 0. All other applications must run in Session 1 or higher. Only services and other non-user-facing applications run in Session 0, thus maintaining isolation between services and user applications.
New and improved service security
Through these changes to the Windows Vista service model, Windows Vista aims to better protect your system in the event of a breach. With the exception of Session 0 Isolation, Vista’s Service Hardening features are not necessarily designed to block attacks on services hosted in Vista. Instead, Vista’s Service Hardening features are designed to limit the potential damage that can be done when a service is breached.
Service Hardening, when combined with other Vista services, such as its new firewall, can provide a formidable defence. Between these and other services, Vista provides multiple layers of defence, designed to keep your system safe and secure.
[ via — ]
Popularity: 1%
Written by Madhukara H. Read more great feeds at is source WEBSITE
no comments.
Read more articles on Damage.
- [+] Digg: Feature this article
- [+] Del.icio.us: Bookmark this article
- [+] Furl: Bookmark this article
