In my research on services to disable on my new Windows 2008 box, I stumbled across a hidden security feature added to Windows 2008…. per-service security identifier (SID).

In previous operating systems if two services were running as “Local Service” then they could each access each others files. With per-service SIDs the services can still both run as “Local Service” but restrict access to their files/resources so that one another can not access them. This is because the OS is essentially creating its own identity for the service. This eliminates the administrative headache of creating a separate domain account for each service.

If you want to grant a service access to a specific file/registry key simply browse for NT SERVICE\<service name> and add it to the ACL list like you would for any normal account.

The simplest way to set this on a service is to use the sc.exe command to set the per-service SID to one of three modes. These modes are:

None – The service will not have a per-service SID (default)
Unrestricted – The service will have a per-service SID
Restricted – the service has a per-service SID and a write-restricted token.

Setting a service named MyCustomService to have an unrestricted per-service SID:
sc.exe sidtype MyCustomService Unrestricted

Setting a service named MyCustomService to have an Restricted per-service SID:
sc.exe sidtype MyCustomService Restricted

Viewing the settings of a service:
sc.exe qsidtype MyCustomService

Under the Restricted model the service can only write to files it has been explicitly been given access to. If your service only writes to one file then this is fairly easy but if it is a lot of files it can be quite time consuming.

Now I have not played with this much yet but I am a big fan of sand boxing applications to limit what they can do if exploited. My next windows 2008 service will definitely be using this great feature.

Well I just got my new Windows 2008 server setup and going. One of the key components to security has always been the approach of doing things in a minimal fashion. To that end one of the things I do is disable unnecessary services.

Now Windows 2008 ships with fewer services that set to automatically start up than previous operating systems but seems to still have a lot of services setup to start manually that I will never need. For a server OS I think a lot of these things should be off by default and turned on when you add the proper role/feature to windows. On the other hand shipping with the print spooler off will probably generate a lot of support calls.

Automatic Services

Here are all the services I disabled that were set to automatic startup. By disabling these services I limit my attack surface area which can prevent or limit exploitation of the server.

DHCP Client 
DHCP is used to auto configure a computers IP settings. Most servers will have a static IP address so this service is unnecessary.

DNS Client
The Domain Name System Client service caches the result of domain name lookups and registers the server with its parent DNS server. Turning this off will slow DNS lookups but could also be used against us in a DNS cache poisoning attack. Note that turning this service off still allows the computer to do DNS lookups.

Distributed Link Tracking Client  
Distributed links are things like shell shortcuts and OLE links. This service will track if a linked file has been moved/renamed. As linked files would be more common on a desktop OS I disabled this.

Human Interface Device Access
Allows keyboard/mouse/other hot buttons and other multimedia devices to interact with windows

IP Helper
Provides IPv6 connectivity over an IPv4 network. As I am still strictly IPv4 right now I disabled this service.

Print Spooler
Server has no printers.

Remote Registry
This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs this service should be turned off if you have no reason to allow remote registry access.

***Secondary Login***
This service allows the “run as” command to run a service as a different user. I am not sure how this affects UAC in windows 2008 so I have left it on for now but may disable this one in the future.

Server
Supports file,print, and named-pipe sharing. Something this server should not do.

TCP/IP NetBIOS Helper
This allows NetBIOS communications over a routed network. As this server is stand alone and should not need to do NetBIOS communications it has been disabled.

Workstation
Maintains client network connections via the SMB protocol.

Windows Error Reporting Service
This service facilitates the notification and reporting of errors to Microsoft.

Windows Remote Management
WinRM is a remote management protocol running over web services

Manual Services

These services are not running by default. Instead when a program or application requests their functionality they will startup. These should be harder to exploit but I have still disabled them as this server should not need the functionality they provide.

Terminal Services Configuration
This service allows TS/Remote desktop to do activities that require the “SYSTEM” context.

Application Management
Processes software management requests deployed via group policy.

Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote name.

Remote Access Connection Manager
Manages VPN connections to remote networks.

Resultant Set Of Policy Provider
Simulates the application of Group Policy settings.

Smart Card
Manages access to smart cards readers.

Smart Card Removal Policy
Allows the system to lock the computer when the smart card is removed.

Special Administration Console Helper
Allows administrators to remotely access a command prompt.

Telephony
Provides TAPI support for programs.

WinHTTP Web Proxy Auto-Discovery Service
This allows applications that use WinHTTP to send HTTP requests to use the proper configuration.

Application Layer Gateway Service
Provides 3rd party plugins for Internet Connection Sharing

Certificate Propagation
Propagates certificates from smart cards

Function Discovery Provider Host 
Allows resources to be published over the network. This main use for this is with the Media Centre Extender Service.

Function Discovery Resource Publication
Publishes computer+resources so that they can be discovered over the network

Link-Layer Topology Discovery Mapper
Creates a network map of devices and PCs on the network.

Microsoft iSCSI Initiator Service
Allows the management of Internet SCSI sessions. This is usually used with storage area networks

Microsoft Fibre Channel Platform Registration Service
I could not find much on this. I don’t have and fibre devices so I felt this was safe to disable.

Multimedia Class Scheduler
Enables prioritization of work mainly for multimedia applications.

NetLogon
Maintains a channel between computer and domain controller.

Portable Device Enumerator Service
Enables applications to synchronize content with removable devices.

Secure Socket Tunnelling Protocol Service
Provides SSL Tunnelling to remote servers.

SNMP Trap
Receives messages over the Simple Network Management Protocol and routes them to SNMP software on the computer.

Web Management Service
enables remote management of the web server, sites, and applications on this machine.

Windows Audio
Manages audio.

Windows Audio Endpoint Builder
Manages audio devices.

Windows Colour System
Third party colour management.

One of the first things I do when I setup a new server is create a new administrator account and disable the original administrator account. This makes it much harder for an attacker to gain entry to your systems as now they have to guess both the account name AND the password.

Now many people/sites recommend to rename the administrator account. While this does increase the complexity to get in the Administrators ID in the security database is fixed (I think in the NT 4.0 days the administrator always had an ID of 500). If I gain access to that database it is trivial to find out what the password has been renamed too. Hence why I create a brand new account.

Another thing with the default Administrator account is that there is not an account lockout policy. This means that an attacker could try to brute force the administrator password without ever getting locked out. This is done because members of the Administrator role would need to be able to log in to unlock an account. If there was a lockout policy on the Administrator account I could deny access to you by purposely failing my logins.

One really neat thing I found out though is that when you forget the password or lockout the new admin account, you can reboot the system in safe mode and login as the Administrator account. If the system is in safe mode is disregards the “account is disabled” flag.

What I have done with my servers is give them all the Administrator accounts the same password and disable them. Then I set each server to have a different password for the custom named administrator account. If I forget one of these passwords all I need to do is reboot into safe mode and login with my common admin password. 

Granted, having a unique Administrator password would be even better I would never remember them all. So this is my balance between security and usability.