June 24, 2008, 11:49 AM — Nearly every server in your environment runs some sort of service. These services provide access to data, resources, applications, and other important areas of server and network functionality. If these services are not protected, they become ideal targets for an attacker. When a service is attacked, access to the server, and potentially the network, is at stake. The service could also be sabotaged, which could result in downtime and loss of money because the server is no longer performing the service's functions. With Windows Server 2008, Microsoft has added some fantastic new control over services. When you combine all of the control that Microsoft provides for services in a Group Policy Object, you can ensure that your services are protected.
Service Security Areas
Services are inherently dangerous to your servers and network because they open holes in the server through which users, applications, and other servers access resources. When the hole is too large or the service is not protected, an attacker could be granted access to the server with elevated privileges. It is therefore essential to protect services so that access is granted only to what the service is designed for.
When evaluating what needs to be protected, you need to look beyond the basic holes that are created and think about the potential attacks that can be performed against services and their related settings. The following is a list of potential areas related to services that need to be protected:
- Access Control List of the service
- Startup mode for the service
- Service account for the service
- Service account password for the service
All of these security-related areas of the service can now be controlled using Group Policy in a Windows Server 2008/Vista enterprise. For more information on how to use Group Policy and the new Group Policy Preferences, refer to:
Accessing GPOs
To take full advantage of the settings discussed in this article, you need to have one of the following running on your network:
- Windows Server 2008 domain controller
- Windows Vista SP1, with the Remote Server Administrative Tools installed, running in a Windows Active Directory domain
Once you have one of these computers running, use the Group Policy Management Console (GPMC) on it to manage and edit GPOs. You won’t be able to see the new settings from a computer that does not meet one of the criteria listed above.
Access Control List of the Service
To control the Access Control List of the service, use the System Services node in a GPO, which can be found at: Computer Configuration\Policies\Windows Settings\Security Settings\System Services, as shown in Figure 1.
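
Before setting these values in a GPO, it helps to record what each server currently has for the areas listed earlier (ACL, startup mode, service account). The PowerShell below is an added example, not part of the original article: the function name, the choice of "broad" groups and the set of write-type rights are assumptions made for illustration, and it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example (not from the article): audit the local server for the
# service settings the article lists. Run elevated so sc.exe can read ACLs.

# Built-in service identities; any other account is treated as a custom
# service account whose password has to be managed (assumption).
$builtIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

# SDDL aliases for broad groups: Authenticated Users, Everyone, Users, Interactive.
$broadTrustees = 'AU', 'WD', 'BU', 'IU'
# SDDL rights that let a principal reconfigure or take over a service:
# DC = change config, WD = write DACL, WO = write owner, GA/GW = generic all/write.
$writeRights = 'DC', 'WD', 'WO', 'GA', 'GW'

function Get-ServiceSecurityRow {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] $Service)

    # sc.exe sdshow prints the service's security descriptor as one SDDL string.
    $sddl = (& sc.exe sdshow $Service.Name 2>$null) -join ''

    # Walk the allow ACEs "(A;flags;rights;;;trustee)" and keep those that
    # give a broad group a write-type right. Audit ACEs "(AU;...)" do not match.
    $aces = [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);[^;]*;[^;]*;([^)]+)\)')
    $risky = foreach ($ace in $aces) {
        $rights  = $ace.Groups[1].Value -split '(..)' -ne ''   # two-letter codes
        $trustee = $ace.Groups[2].Value
        $granted = $rights | Where-Object { $writeRights -contains $_ }
        if ($broadTrustees -contains $trustee -and $granted) {
            '{0}:{1}' -f $trustee, ($granted -join ',')
        }
    }

    [pscustomobject]@{
        Name           = $Service.Name
        StartMode      = $Service.StartMode     # Auto, Manual or Disabled
        Account        = $Service.StartName
        CustomAccount  = [bool]($Service.StartName -and $Service.StartName -notmatch $builtIn)
        BroadWriteAces = $risky -join ' '       # empty when nothing was flagged
    }
}

# One row per service, custom-account services first.
Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { Get-ServiceSecurityRow -Service $_ } |
    Sort-Object @{ Expression = 'CustomAccount'; Descending = $true }, Name |
    Format-Table -AutoSize
```

Rows with a non-empty BroadWriteAces column or CustomAccount set to True are the services to review first when deciding what the GPO should enforce.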













