Controlling Service Security Using Windows Server 2008

If you would like to read the next part in this article series please go to Controlling Service Security Using Windows Server 2008 (Part 2).

Introduction

Nearly every server that you have in your environment is running some sort of service. These services provide access to data, resources, applications, and other important areas of the server and network functionality. If these services are not protected, they become ideal candidates for an attacker. When a service is attacked, access to the server and potentially the network is at stake. The possibility of the service being sabotaged is also at stake, which could result in down time and loss of money due to the server performing the services functions. With Windows Server 2008 Microsoft has added some fantastic new control over services. When you combine all of the control that Microsoft provides for services in a Group Policy Object, you can ensure that your services are protected.

Service Security Areas

Services are inherently dangerous to your servers and network due to the fact that they provide holes in the server for users, applications, and other servers to access resources. When the hole is too large or the service is not protected, an attacker could be granted access to the server with elevated privileges. Therefore, it is essential that services be protected so that access is only granted to what the service is designed for.

When evaluating what needs to be protected, you need to look beyond the basic holes that are created and think about the potential attacks that can be performed against services and their related settings. The following is a list of potential areas related to services that need to be protected:

  • Access Control List of the service
  • Startup mode for the service
  • Service account for the service
  • Service account password for the service

All of these security related areas of the service can now be controlled using Group Policy in a Windows Server 2008/Vista enterprise. For more information on how to use Group Policy and the new Group Policy Preferences, refer to:

Accessing GPOs

In order for you to take full advantage of the settings discussed in this article, you need to have one of the following running on your network:

  • Windows Server 2008 domain controller
  • Windows Vista SP1, with the Remote Server Administrative Tools installed, running in a Windows Active Directory domain

Once you have one of these computers running, you will then use the Group Policy Management Console (GPMC) to manage and edit GPOs from this computer. You won’t be able to see the new settings from a different computer not running the above listed criteria.

Access Control List of the Service

In order for you to control the Access Control list of the service, you will need to use the Services node in a GPO, which can be found at: Computer Configuration\Policies\Windows Settings\Security Settings\System Services, as shown in Figure 1.

 
Figure 1: System Services Policy to control Access Control List of Service

To use this policy, you will need to find the service that you want to control in the list on the right hand pane, then select it. When you right-click on the service name, you will be able to edit the properties of the service. When editing the properties of the service, you will see the dialog Properties dialog box, as shown in Figure 2.

 
Figure 2: System Services Properties dialog box

To modify the Access Control List for the service, select the Define this policy setting check box and then click on the Edit Security button. After clicking the button, you will see the a dialog box similar to that in Figure 3.

 
Figure 3: Security dialog box to manage the Access Control List of a service

Notice that you have some standard permissions that you can set on the service, such as:

Full control
Read
Start, stop, and pause
Write
Delete

You can also establish a custom list of permissions by selecting the Advanced button, which gives you up to 14 detailed security permissions that you can set on each service.

Startup mode for the service

The startup mode for the service is critical for services that you can’t uninstall or don’t want to uninstall, but want to ensure don’t start when the system starts up. There are three levels of startup mode for services, only one of which really protects the computer.

Automatic
Manual
Disabled

The Automatic and Manual modes can have a service start at any time, depending on how the service is designed. These two modes allow the service to still be started with a call to the service.

However, when a service is set to disabled, the service will not start until it is set to Automatic or Manual from within the service. Thus, you are protecting the server from the service running, until it is triggered by an administrator to start. Using the startup mode in conjunction with the Access Control List can be a power combo, as the permissions can restrict which user can start or modify the service.

You will control the startup mode in the same policy as you do the Access Control List. Figure 2 listed above illustrates the three startup mode options.

Service account for the service

Many services require that a service account be used. The reason for this is to allow the service to not only access the computer where the service is running, but also other computers on the network. In these cases the Network Service or Local System accounts will not work.

In the past, configuration of the service account had to be performed on the computer where the service was running. Now, with Group Policy Preferences, you can control which service account is used from Active Directory using Group Policy.

The setting that you will want to configure resides under Computer Configuration\Preferences\Control Panel Settings\Services, as shown in Figure 4.

 
Figure 4: Service account name can be configured using Group Policy Preferences

To configure a policy to control your service, you will right-click on the Services node and select New – Service. From here, you will be able to select the service that you want to configure from the Services dialog box, as shown in Figure 5.

 
Figure 5: Group Policy Preferences Services policy dialog box

Clicking on the ellipses will allow you to browse through the list of services and select the service that you want to control. Then, after you have selected the service, choose the This account radio button and search for the service account that you want to use from Active Directory. When you are done, you will have completed the configuration of the service account for the service on each computer that falls under the scope of management of the GPO containing the policy setting.

Service account password for the service

In the previous step, we only configured the service account, but you can clearly see in Figure 5 that you can also configure the service account password. This is a very powerful setting, since historically you could only do this on the computer where the service was running or using a remote administrative tool to connect to that server.

Using the Group Policy Preferences Services policy, you can ensure that the service account configured in your service has the correct password that you configured in the Active Directory database for the account. This also means that once you reset the password for the service account in AD, you only need to update this policy and the password for the account to have it synch the passwords together, as shown in Figure 6.

 
Figure 6: Service account passwords can be synched with AD by using a GPO

This adds incredible protection of the service account, due to the fact that most service account have elevated privileges and need to have added protection.

Summary

By using the new control features available in Windows Server 2008 and Windows Vista, services on your network can now be protected. The security of services is essential as they provide access to the server and key data stored on those servers. Security can be obtained by controlling the permissions, startup mode, service account and service account password. By using the Group Policy settings available to you in a Windows Active Directory domain, you can protect all of these areas for any service running on servers within the domain.

If you would like to read the next part in this article series please go to Controlling Service Security Using Windows Server 2008 (Part 2).

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top