SECURING SERVICES (ala MacOS X style, for its daemons, via privelege levels)
1.) HARDENING & SECURING SERVICES HOW-TO (longest one of the lot but, one well worth pursuing... read on):
Many services I do not need are either cut off OR secured in their logon entity to lower privilege entities (from default, near "ALL POWERFUL" SYSTEM, to lesser ones like NETWORK SERVICE or LOCAL SERVICE).
I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...
(The reason I mention this, is, this "technique" IS a superiority of MORE MODERN Windows NT-based OS over their ancestors (especially NT 3.x-4.0) & on par w/ how this makes your Win32 NT-based OS' like 2000 (with more work), XP, Server 2003 (VISTA too if needed), very much like how MacOS X treats its daemon processes via privelege levels, which uses the same general principals)
It works, & although many service packs for Windows OS' have changed their services (not all but many nowadays) to less than SYSTEM, my list covers those they may not have in recent service packs AND 3rd party services are listed too that you may be running possibly!
This is for SERVICES YOU ACTUALLY NEED TO RUN (many, you really don't - this has always astounded me, & MS can put out "home versions" more this way imo, for gamers especially (auto-service "lean tuned turbocharged" for performance/speed/less resources consumption)).
ON THAT NOTE (for performance AND security)? CUTTING OFF SERVICES YOU DO NOT NEED TO RUN IS POSSIBLY THE BEST METHOD OF SECURING THEM, AND GAINING SPEED - AGAIN, SIMPLY SINCE YOU ARE NOT WASTING I/O, MEMORY, or OTHER RESOURCES ON THEM, PERIOD, in doing this!
Please, if you don't do this already? Hey - do consider it, when possible! It works like NO TOMORROW...
Many guides online exist for this, & I authored one of the first "back in the day" for NTCompatible.com as "Article #1" back in 1997/1998 - 2002 (early model is in URL below, much detail on registry hacks too for speed & security in it, cited in 2002 @ NeoWin):
Neowin.net - APK "A to Z" Internet Speedup & Security Text!
The latest ones are even BETTER/MORE CURRENT, as there are ones that DO EXIST FOR VISTA ONLINE ALSO!
Anyhow - on the note of 3rd party services, & many native ones (for 2000/XP/Server 2003, but not fully on VISTA as I do not run it @ home or on the job)?
I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits.
===============================================================================
LOCAL SERVICE startable list (vs. LocalSystem Logon Default):
Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service
----------
NETWORK SERVICE startable list (vs. LocalSystem Logon Default):
ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug
===============================================================================
PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.
WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!
*****************************************************************************
If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?
Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!
If that fails (shouldn't, but IF it does)? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:
ListSvc (shows services & drivers states of stopped or started)
Enable (starts up a service &/or driver)
Disable (stops a server &/or driver)
Which can turn them back on if/when needed
(ON Virtual Disk Service being removed, specifically (because it used to be in this list)): This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)
===============================================================================
SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:
STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!
Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):
The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):
Securing Windows 2000/XP/Server 2003 services HOW TO - techPowerUp! Forums
"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"
(It's easy, & it works, & is necessary for the actual steps to do this, below)
Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs!
------------------------------------------------------------
STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003
HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003
Create and Define a New Security Template
(To define a new security template, follow these steps)
1. In the console tree, expand Security Templates
2. Right-click %SystemRoot%\Security\Templates, and then click New Template
3. In the Template name box, type a name for the new template.
(If you want, you can type a description in the Description box, and then click OK)
The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.
1. To define a System Services policy, follow these steps:
a. Expand System Services
b. In the right pane, double-click the service that you want to configure
c. Specify the options that you want, and then click OK.
DONE!
APK
P.S.=> Again, this is probably the MOST lengthy & hardest of the lot, so DO NOT LET IT DISCOURAGE YOU, the rest of this article is far simpler/shorter to do, & yields benefits that are as good as THIS long step, especially in combination with it (for security) & are much shorter/simpler to do... apk
