Attackers frequently target services as a way to exploit a computer. Services, by definition, accept incoming requests, and many of them accept those requests over the network. An attacker who exploits a service ends up running in the security context of the service's logon account, which is usually LocalSystem, the most privileged account on the machine. This chapter discusses services and how they work in detail, including how to tighten and secure them.
Services should be reviewed and tightened to present less attack surface, to reduce the number of reachable code paths in which a buffer overflow could be exploited, to reduce the risk of denial-of-service (DoS) attacks, and to decrease overall management effort.
Every service is a potential attack vector. A compromised service can allow unauthorized access, have unintended consequences, enable DoS attacks, and generally lead to full system compromise. As the number of services increases, so does the risk of compromise, and as Table 7-1 shows, each newer version of Windows ships with more services. Many of the accounts that services run under have full access to the local system, and some have full administrative access to the entire network. If an attacker compromises one of those accounts, the result can be complete system or network compromise.
OS | Total | Enabled by Default | Startup: Automatic | Startup: Disabled | Startup: Manual | Account: Local System | Account: Local Service | Account: Network Service
---|---|---|---|---|---|---|---|---
W2K | 56 | 30 | 24 | 3 | 29 | 56 | 0 | 0
XP | 79 | 41 | 35 | 4 | 40 | 65 | 10 | 4
W2K3 | 83 | 32 | 29 | 21 | 33 | 67 | 10 | 6
W2K3 DC | 84 | 37 | 33 | 19 | 22 | 68 | 10 | 6

Table 7-1 reflects fully patched 32-bit domain member computers with default services installed, unless otherwise noted.
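As an added example (this is not code from the book), the following PowerShell script builds a Table 7-1 style inventory for the machine it runs on, and then lists the services that most deserve review: those running as LocalSystem in a process that owns a listening TCP socket, which is exactly the combination (network-reachable, SYSTEM context) the text warns about. It assumes a Windows 8 / Server 2012 or later host (for Get-CimInstance and Get-NetTCPConnection) and an elevated prompt; the function names are my own.

```powershell
# Added example, not code from the book. Builds a Table 7-1 style service
# inventory for the local machine and lists the riskiest services to review.
# Assumes Windows 8 / Server 2012 or later (Get-CimInstance, Get-NetTCPConnection)
# and an elevated prompt so every service and socket owner is visible.

function Get-ServiceInventory {
    # Win32_Service exposes StartMode ('Auto', 'Manual', 'Disabled'), State and
    # StartName (the logon account: 'LocalSystem', 'NT AUTHORITY\LocalService',
    # 'NT AUTHORITY\NetworkService', or a named local/domain account).
    $services = @(Get-CimInstance -ClassName Win32_Service)

    [pscustomobject]@{
        Total          = $services.Count
        Running        = @($services | Where-Object State     -eq 'Running').Count
        Automatic      = @($services | Where-Object StartMode -eq 'Auto').Count
        Disabled       = @($services | Where-Object StartMode -eq 'Disabled').Count
        Manual         = @($services | Where-Object StartMode -eq 'Manual').Count
        LocalSystem    = @($services | Where-Object StartName -eq 'LocalSystem').Count
        LocalService   = @($services | Where-Object StartName -match '\\Local ?Service$').Count
        NetworkService = @($services | Where-Object StartName -match '\\Network ?Service$').Count
        # Services running under a named account: if that account is a domain
        # administrator, exploiting the service compromises the whole network.
        NamedAccount   = @($services | Where-Object {
            $_.StartName -and
            $_.StartName -ne 'LocalSystem' -and
            $_.StartName -notmatch '^NT AUTHORITY\\' }).Count
    }
}

function Get-ExposedSystemService {
    # Services running as LocalSystem whose process owns a listening TCP socket:
    # reachable from the network and, if exploited, yielding SYSTEM. Caveat:
    # many services share one svchost.exe process, so a listener is attributed
    # to every service hosted in that PID; confirm the owner with 'netstat -abno'.
    $listeningPids = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty OwningProcess -Unique

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and
                       $_.StartName -eq 'LocalSystem' -and
                       $listeningPids -contains $_.ProcessId } |
        Select-Object Name, DisplayName, ProcessId, StartMode, PathName |
        Sort-Object ProcessId, Name
}

Get-ServiceInventory | Format-List
Get-ExposedSystemService | Format-Table -AutoSize
```

Run it before and after hardening a build to measure the reduction in attack surface; the second list is the set to disable, switch to a less privileged account, or firewall first. Note that the counts from Get-ServiceInventory are taken from the running system, so they will differ from the book's figures for anything other than a fully patched default installation.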
Worse yet, many services cannot be disabled, even during an active attack, without crippling the operating system, because Windows depends on them to function. For example, the Blaster worm attacked the Remote Procedure Call (RPC) service, and turning off RPC would have effectively disabled Windows. It wasn't until Windows XP Service Pack 2, released roughly a year later, that RPC itself was given additional protections (such as restricting anonymous remote access to RPC interfaces) to prevent Blaster-like attacks.