
Windows Services

Security Seminar, March 1, 2006. Windows Services are programs that run in the background and provide some functionality or service. They can be running even if there is no one logged into the machine.


Presentation Transcript


  1. Windows Services
     Security Seminar, March 1, 2006

  2. Windows Services
     • Windows Services are programs that run in the background and provide some functionality or service. They can be running even if there is no one logged into the machine.

  3. Why do we care?
     • Unneeded services should be disabled, as they are just another vector that an attacker could potentially utilize to compromise security.
     • Administrators need to be aware of common services in order to spot out-of-place services.

  4. Example
     • http://www.frsirt.com/english/advisories/2006/0417
     • UPnP problems (SSDP)

  5. Helpful tools
     • Services snap-in
     • Autoruns – (http://www.sysinternals.com)
     • Tasklist
     • sc
     • delserv

  6. Enumerating Information
     • Services snap-in
        • Name
        • Status
        • Executable path and options
        • Privilege/User to execute under
        • Action to take if/when there is service failure
        • Dependencies for service

  7. Automatic, Manual, Disable?
     • Automatic – Starts by itself
     • Manual – User can start the service
        • Program can start the service if needed
     • Disable – Service cannot be started

  8. Enumerating Information Cont.
     • Autoruns
        • Allows one to easily associate a service with its entry in the registry
        • See the permissions on a service
     • Tasklist
     • net command(s)
     • sc command

  9. Simple Attacks - simplified
     • Install a service to perform some task
     • Modify existing service to perform task
     • Use existing service to elevate privileges

  10. Attacks a bit more in depth
     • && trick
     • Poor permissions - http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
     • Svchost obfuscation
     • Etc.

  11. Services to Disable
     • Help and Support
     • Messenger
     • Portable Media Serial Number ?
     • Remote Registry
     • Secondary Logon ?
     • Server ?
     • System Restore Service?
     • Themes
     • Wireless Zero Configuration
     • SSDP Discovery Service
     • … ?

  12. Resources
     • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_7.mspx
     • http://www.theeldergeek.com/services_guide.htm#Services
     • http://www.sysinternals.com/
     • http://cio.uiowa.edu/itsecurity/
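The enumeration from slides 6 and 8 combined with the disable list from slide 11, as an added PowerShell example that is not part of the original seminar. It assumes PowerShell 3.0 or later, matches display names as written on the slide (they can differ between Windows versions), and the path check is an illustrative heuristic rather than something the slides specify.

```powershell
# Added example: read-only audit of installed services against the slides.
# Display names as written on the "Services to Disable" slide.
# $true marks entries the slide itself leaves as a question ("?").
$slideList = [ordered]@{
    'Help and Support'             = $false
    'Messenger'                    = $false
    'Portable Media Serial Number' = $true
    'Remote Registry'              = $false
    'Secondary Logon'              = $true
    'Server'                       = $true
    'System Restore Service'       = $true
    'Themes'                       = $false
    'Wireless Zero Configuration'  = $false
    'SSDP Discovery Service'       = $false
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # Slide entry that equals the display name or forms its leading words.
    $hit = $slideList.Keys | Where-Object {
        $svc.DisplayName -eq $_ -or $svc.DisplayName -like "$_ *"
    } | Select-Object -First 1

    $notes = @()
    if ($hit -and $svc.StartMode -ne 'Disabled') {
        $tag = if ($slideList[$hit]) { ' (slide marks it "?")' } else { '' }
        $notes += "on slide 11 list$tag, not disabled"
    }
    # Heuristic (assumption, not from the slides): an image outside
    # %SystemRoot% deserves a second look when hunting out-of-place services.
    if ($svc.PathName -and $svc.PathName -notlike "*${env:SystemRoot}\*") {
        $notes += 'image outside %SystemRoot%'
    }
    $deps = (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue).ServicesDependedOn

    [pscustomobject]@{
        Name      = $svc.Name
        Display   = $svc.DisplayName
        State     = $svc.State          # Running / Stopped / ...
        StartMode = $svc.StartMode      # Auto / Manual / Disabled
        Account   = $svc.StartName      # user the service executes under
        Path      = $svc.PathName       # executable path and options
        DependsOn = $deps.Name -join ','
        Notes     = $notes -join '; '
    }
}

# Flagged services first, then alphabetical.
$report | Sort-Object { -not $_.Notes }, Name |
    Format-Table Name, StartMode, Account, Notes, Path -AutoSize -Wrap
```

The failure action listed on slide 6 is not exposed by `Win32_Service`; `sc qfailure <name>` shows it for a single service.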
