Controlling Windows Services and Service Accounts
It has been a debate for years in the Microsoft community. Administrators and those concerned with security did not like the fact that Internet Information Services was started by default on Windows servers. With all of the security issues surrounding Internet Information Services, the complaint was valid (especially for domain controllers).
In Windows Server 2003 Microsoft decided to not install Internet Information Services by default. This was a huge win for the administrative community and a great decision by Microsoft.
This progress with Internet Information Services does beg to ask another question. If Internet Information Services was running by default in all Windows server versions before Server 2003, are there any other services that are running by default that might cause security issues?
To answer this question, we must look at the framework for controlling a service, to ensure that we know what we can control with regard to a service. We must also look at the essential services, to what we can and can't remove from a computer. Finally, we will look at the different ways to control services and their configurations.
The Framework of Controlling a Service
The management of controlling a service is only worthwhile if you completely understand the options that are available to control the service. There are some hidden nuggets that are available for all services, which are very difficult to see in the interface. Other service options are easy to see and understand, as long as you know where to go to look at the services.
We will start off by viewing the list of services and the immediate properties. This is done by viewing the Computer Management Console, which is easy to access by right-clicking on My Computer and selecting Manage from the menu. The result is a window that has a list of management options. If you go towards the bottom of the list, you will see Services and Applications. Expanding this node will show the option to see Services, which when selected should show all services that are available to you, as shown in Figure 1.
Figure 1: Computer Management Console is the ideal way to view the Services on your computer.
The list of services immediately shows you some of the options that you will be able to view and configure for each service. The key options that you should note from the figure above is the following:
- Startup Type
- Log On As
The status is the current state of the service. Here, you will either see Started or <blank>. The <blank> represents that the service is not started and is not currently running. The more <blank>s you have, the more secure your computer. This is obvious, since the fewer avenues for an attacker to get into your computer, the better.
Just because a service is not started, does that make the computer protected from the service? The answer is no. The reason is that each service has "the opportunity" to start, if configured to do so. This is where the Startup Type is so important. There are three options for Startup Types:
- Automatic - This will start the service when the computer boots. Most of the required services that we investigate will need to have this startup mode in order to be running during the boot process and immediately after the computer boots.
- Manual - This mode will not start the service upon the boot process. Rather, it keeps the service from running until the service is needed. The service can be started in a number of ways. There can be automatic methods such as installing an application or starting a dependent service. The service can also be manual started by an administrator right-clicking on the service and selecting Start from the menu.
- Disabled - This will not allow the service to start automatically or manually. The only way to start the service from this state is to first move the Startup Type to Automatic or Manual, then start the service.
Finally, you have the Log On As column, which is the same as the "service account" for the service. This is the account that will drive the service for the operating system. Most of the default services that are installed on a Windows 2000 and Server 2003 domain controller use the LocalSystem. The LocalSystem user account is really not a "user account" in the sense as the Administrator user account. This account is a system account controlled by the server. The LocalSystem does have system access, which is a bit above the Administrator user account.
Windows XP and Windows Server 2003 servers also use a new account, named the "Network Services" account. This account is designed specifically for use with services that need to communicate with other computers on the network. The "Network Services" account provides better security than the "LocalSystem" account by design and should be used when ever the service can function with this account.
There are two more tidbits on services which are not visible in the Computer Management Console. First, some services can be uninstalled, rather than just disabled. As you can imagine, if a service is not required, there is no need for it to be on the computer. For some services, this is just not possible. Services like Alterer, Clipbook, Messenger, and Telnet can't be uninstalled. There are other services, such as File Transfer Protocol and World Wide Publishing Service, which can be uninstalled.
The second one is the service Access Control List (ACL). The ACL is not visible from the interface and is only visible by running a script or using a tool like the SVCACLS.EXE tool from the Windows Resource Kit. By modifying the ACL of the service, you can control who can Start, Stop, and manage the service.
Which Services Do I Need?
One question that I always seem to get is "Which services do I need to run?" This is a very dynamic question and one that is very hard to nail down. However, let me give you some guidance that will allow you to answer this question. First, less is better when it comes to security. Second, more is better when it comes to functionality. As you can see, these contradict each other. So, you first need to evaluate which services are required by your server to get the job done. If administrators use Telnet to remotely administer the servers and without it the company could lose millions of dollars when the server is malfunctioning, Telnet might be a very important service to your company, even though it is very insecure.
Next, you can dig into the requirements and functionality of each service. Microsoft has developed the Windows Server 2003 Security Guide and the Windows XP Security Guide, which has been updated for Service Pack 2. These guides present you with essential information about each service and whether the service is required for basic functionality of the server. There is also a tiered security guide that indicates whether the service is suggested for low security to high security environments. Within the two suites of documentation, you will see information for the hardening of the following types of computers:
- Domain controllers
- Infrastructure servers
- File servers
- Print servers
- IIS servers
- IAS servers
- Certificate Services servers
- Bastion hosts
Controlling a Service
Now that you are aware of the different options that can be configured for a service and which services you need to run, how will you control the services efficiently? You might be a medium sized company with thousands of clients and hundreds of servers that you need to manage. Considering controlling services manually is not an option.
The first option that you should consider is using a Group Policy to control services. With the ability for Group Policy to target specific computers at one time, it is the perfect way to configure the options for services. With a Group Policy, you can configure the Startup Type and the ACL of the service, as shown in Figure 2.
Figure 2: Group Policy allows you to configure the Startup Type and ACL of an installed service.
Microsoft Group Policy settings go a long way to controlling the enterprise, but you can see that they omit configuring the service account for the services. In order to control the service account and it's password, you can use a solution like PolicyMaker Standard Edition, as shown in Figure 3.
Figure 3: PolicyMaker Standard Edition can configure service accounts and passwords.
Some services are an absolute necessity for Windows computers. However, they are also potential security holes for an attacker. Therefore, controlling which services run, who can control them (via the ACL), the service account, and the service account password is essential for protecting the servers and the network in general. Group Policy and additional extensions (from PolicyMaker) can go a long way in making all computers compliant and secure in an efficient manner.