With the aim of making Windows Vista an operating system that is:
- "Secure by Design"
- "Secure by Default"
- "Secure by Deployment"
one of the major concerns was making the services running on Windows systems secure.
But in order to make these services secure, we first needed to know what made them a security threat to Windows systems.
Windows Services –
are long-running executable applications that run in their own Windows sessions, can be started when the OS starts, and can be stopped and restarted. They mostly remain hidden in the background and do not present any interface to the user. Many of these services run under high-privilege accounts, and some also have access to the network.
These properties make Windows services among the most attractive targets for malware such as Sasser and Blaster.
A few years back, in 2003, when Bill Gates announced Microsoft's focus on Trustworthy Computing, Windows XP had already been released. Windows XP SP2 did bring significant security changes to the operating system, but the basic engineering around security could not really be changed.
So in order to really increase the security of these services and the way they function, Microsoft did four main things as part of its Trustworthy Computing Initiative:
- Assigning least-privilege access to services for the objects they need to access.
- Service Isolation
- Restricting Network Access for many of the services
- Session 0 Isolation
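The first two of those measures are visible on any Vista-or-later machine as per-service settings. The script below is an added example, not code from the original article: it reads back a service's logon account, start type, per-service SID type and required-privilege list with sc.exe, reports what a defender would tighten, and prints (without running) the commands that would apply the change. It assumes Windows Vista or later; the service name wuauserv is used only as a real, query-only example, and the privilege list in the printed commands is an illustrative minimum.

```powershell
# Added example, not code from the original article: read back the service
# hardening settings that Windows Vista introduced (per-service SID, required
# privilege list) together with the logon account and start type, and report
# what a defender would tighten. Assumes Windows Vista or later. "sc.exe" is
# written with the extension because plain "sc" is a PowerShell alias for
# Set-Content. Querying works unelevated; the change commands need an
# elevated prompt and are only printed here, never run.

function Get-ServiceHardening {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $raw = @()
    $raw += sc.exe qc $ServiceName         # start type, image path, logon account
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qc failed for '$ServiceName' (code $LASTEXITCODE)" }
    $raw += sc.exe qsidtype $ServiceName   # SERVICE_SID_TYPE: NONE / UNRESTRICTED / RESTRICTED
    $raw += sc.exe qprivs $ServiceName     # PRIVILEGES: what the SCM leaves in the token

    # sc.exe prints "KEY : VALUE"; a multi-valued key continues on lines that start
    # with ":" (the PRIVILEGES list), so remember the last key seen.
    $fields = @{}
    $lastKey = $null
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Z_]+)\s*:\s*(.*)$') {
            $lastKey = $Matches[1]
            $fields[$lastKey] = @($Matches[2].Trim())
        } elseif ($lastKey -and $line -match '^\s*:\s*(\S+)') {
            $fields[$lastKey] += $Matches[1]
        }
    }

    [pscustomobject]@{
        Service    = $ServiceName
        Account    = [string]($fields['SERVICE_START_NAME'] -join '')
        StartType  = [string]($fields['START_TYPE'] -join '')     # e.g. "2   AUTO_START"
        SidType    = [string]($fields['SERVICE_SID_TYPE'] -join '')
        Privileges = @($fields['PRIVILEGES'] | Where-Object { $_ })
    }
}

function Test-ServiceHardening {
    param([Parameter(Mandatory = $true)]$Info)
    $findings = @()
    if ($Info.Account -eq 'LocalSystem') {
        $findings += 'runs as LocalSystem: move to LocalService or NetworkService unless full system rights are genuinely needed'
    }
    if ($Info.SidType -ne 'UNRESTRICTED' -and $Info.SidType -ne 'RESTRICTED') {
        $findings += 'no per-service SID: objects cannot be ACLed to this service alone (service isolation)'
    }
    if ($Info.Privileges.Count -eq 0) {
        $findings += 'no required-privilege list: the token keeps every privilege of the logon account (least privilege)'
    }
    if ($Info.StartType -match 'AUTO_START') {
        $findings += 'starts with the OS: consider manual or delayed start if nothing needs it at boot'
    }
    return ,$findings
}

function Get-HardeningCommands {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    # Printed only. SeChangeNotifyPrivilege is an illustrative minimum; add only
    # the privileges the service actually uses and test it before deploying.
    @(
        "sc.exe sidtype $ServiceName unrestricted",
        "sc.exe privs $ServiceName SeChangeNotifyPrivilege",
        "sc.exe config $ServiceName obj= `"NT AUTHORITY\LocalService`""
    )
}

# Usage: wuauserv (Windows Update) exists on every Windows install; this only queries it.
$info = Get-ServiceHardening -ServiceName 'wuauserv'
$info | Format-List
Test-ServiceHardening -Info $info
Get-HardeningCommands -ServiceName 'wuauserv'
```

The per-service SID is what makes service isolation work: once a service has one, a file, registry key or named object can be ACLed to that service alone rather than to the whole LocalService or NetworkService account it shares with other services. The required-privilege list is the least-privilege half: without it the SCM leaves every privilege of the logon account in the token.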
OK, now let's first see how these services traditionally worked in Windows XP.
- Many services in Windows XP run under the Local System account, which is like an administrator account for services. Since this is a high-privilege account, if a service using it gets infected or compromised, the attack can do a much larger extent of damage to the system, because the account it is using inherently has much wider access to system resources.
- Many of the services in Windows XP are network-facing (whether they need it or not). So many attacks happen by making incoming calls to these services and getting them to make legitimate-looking outgoing calls to other systems, thereby affecting many other systems on the network, e.g. sending keystrokes to a designated server on the internet.
- Most services run from startup and shut down only when the system shuts down. This gives malware plenty of time to explore their security flaws and more time to do extensive damage.
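Those three properties (system-level account, automatic start, reachable over the network) can be inventoried across a whole machine. The script below is an added example, not code from the original article, and goes slightly beyond the text by joining service configuration with the listening sockets of the hosting process. It assumes Windows Vista or later and PowerShell 3 or later for Get-CimInstance (on PowerShell 2, Get-WmiObject Win32_Service returns the same properties); no elevation is needed.

```powershell
# Added example, not code from the original article: an inventory of every
# service on the box against the three properties the text lists (LocalSystem
# account, automatic start, reachable on the network), so the ones worth moving
# to a lower-privilege account or restricting stand out. Assumes Windows Vista
# or later and PowerShell 3 or later for Get-CimInstance.

function Get-ListeningPidMap {
    # Parse "netstat -ano" into a map of process id -> listening TCP endpoints.
    # UDP sockets have no LISTENING state and are not included.
    $map = @{}
    foreach ($line in (netstat -ano)) {
        # Sample line: "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    832"
        if ($line -match '^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$Matches[2]
            if (-not $map.ContainsKey($procId)) { $map[$procId] = @() }
            $map[$procId] += $Matches[1]
        }
    }
    return $map
}

function Get-ServiceExposure {
    $listening = Get-ListeningPidMap
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $procId = [int]$svc.ProcessId                 # 0 when the service is stopped
        $ports = @()
        if ($procId -ne 0 -and $listening.ContainsKey($procId)) { $ports = $listening[$procId] }
        [pscustomobject]@{
            Name       = $svc.Name
            Account    = $svc.StartName              # "LocalSystem", "NT AUTHORITY\LocalService", ...
            StartMode  = $svc.StartMode              # Auto / Manual / Disabled
            State      = $svc.State
            ProcessId  = $procId
            Listening  = ($ports -join ', ')
            # Several services share one svchost.exe and therefore its sockets: a
            # listening port proves the process is reachable, not which service
            # inside it opened the socket.
            SharedHost = [bool]($svc.PathName -match 'svchost\.exe')
        }
    }
}

function Get-HighRiskServices {
    # The combination the text describes: system-level rights, starts with the OS,
    # and running in a process that accepts network connections.
    Get-ServiceExposure | Where-Object {
        $_.Account -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' -and $_.Listening
    }
}

Get-HighRiskServices | Sort-Object Name |
    Format-Table Name, StartMode, State, ProcessId, SharedHost, Listening -AutoSize
```

The SharedHost column matters when reading the result: on a shared svchost.exe, the listening port belongs to the process, so every service hosted in it inherits the exposure even if only one of them opened the socket. That is one reason Vista's service isolation and per-service SIDs were paired with reviewing which services actually need network access.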