Chapter 7: Tightening Services


Attackers frequently target services as a way to exploit a computer. Services, by their very definition, accept incoming connections, and those connections frequently arrive over the network. If malicious attackers can exploit a service, they usually end up with the security permissions the service was running under — usually LocalSystem. This chapter discusses services and how they work in detail, including how to tighten and secure them.

Why Tighten Services?

Services should be reviewed and tightened to present less attack surface, to lessen the risk of buffer overflows, to reduce the risk of denial-of-service (DoS) attacks, and to decrease overall management effort.

Less Attack Surface

Every service is a potential attack vector. It can end up allowing unauthorized access, have unintended consequences, allow DoS attacks, and generally lead to full system compromise. As the number of services increases, so does the risk of compromise. As Table 7-1 shows, every newer version of Windows adds more services. Many of the service accounts associated with services have full access to the local system, and some have full admin access to the entire network. If an attacker cracks those accounts, that can mean complete system or network compromise.

Table 7-1

OS        Total  Enabled      Startup Type                   Service Account
                 by Default   Automatic  Disabled  Manual    Local System  Local Service  Network Service
W2K       56     30           24         3         29        56            0              0
XP        79     41           35         4         40        65            10             4
W2K3      83     32           29         21        33        67            10             6
W2K3 DC   84     37           33         19        22        68            10             6

Table 7-1 reflects fully patched 32-bit domain member computers with default services installed, unless otherwise noted.
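The following PowerShell script is an added example, not part of the book. It tallies the services on the local machine the way Table 7-1 does and then lists the automatic-start services running as Local System, which are the first ones to review. It assumes that "Enabled by Default" corresponds to services in the Running state and that the account names WMI reports match the patterns in Get-AccountClass.

```powershell
# Inventory installed services the way Table 7-1 tallies them: total, running,
# startup type, and the account each one runs as. Uses the Win32_Service CIM class
# (Windows PowerShell 3+ or PowerShell 7 on Windows).
$services = Get-CimInstance -ClassName Win32_Service

# Map the account names WMI reports onto the table's Service Account columns.
# Assumption: the three built-in accounts appear under these names; anything else
# is a named (domain or local) account and is reported separately.
function Get-AccountClass {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'Local System';    break }
        '^NT AUTHORITY\\LocalService$'         { 'Local Service';   break }
        '^NT AUTHORITY\\NetworkService$'       { 'Network Service'; break }
        default                                { 'Other (named account)' }
    }
}

$summary = [ordered]@{
    'Total'   = $services.Count
    # Assumption: the table's "Enabled by Default" means services that are running.
    'Running' = ($services | Where-Object State -eq 'Running').Count
}
# Win32_Service reports StartMode as Boot, System, Auto, Manual or Disabled.
foreach ($mode in 'Auto', 'Disabled', 'Manual') {
    $summary["Startup: $mode"] = ($services | Where-Object StartMode -eq $mode).Count
}
$services | Group-Object { Get-AccountClass $_.StartName } | ForEach-Object {
    $summary["Account: $($_.Name)"] = $_.Count
}
[pscustomobject]$summary | Format-List

# Review these first: a compromise of any automatic-start service running as
# Local System hands the attacker LocalSystem rights, as the chapter notes.
$services |
    Where-Object { $_.StartMode -eq 'Auto' -and (Get-AccountClass $_.StartName) -eq 'Local System' } |
    Select-Object Name, DisplayName, State, PathName |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that every service's PathName is readable; compare the first block against the matching row of Table 7-1 to see how far the machine has drifted from the default set.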

Worse yet, many services cannot be disabled, even during an active attack, without adversely affecting the legitimate processes of the operating system. Windows depends on many services to do its job. For example, during the Blaster worm attack, which targeted the Remote Procedure Call (RPC) service, turning off the RPC service would have effectively disabled Windows. It wasn't until Microsoft released a new patch in Service Pack 2 (many months later) that RPC was given additional protections to prevent Blaster-like attacks.

Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122