A Windows 2000 or Windows NT service is a process that runs independently, regardless of whether a user is logged on. As a result, service security is important to overall network security. The choices you make as a programmer can have a strong impact on the security of your users' networks. One of the most important decisions to make is the user context that a service will use. There are three options: LocalSystem, a local user account, and a domain user account. Each option has associated compromises, and you need to be careful when deciding which choice is right for your service.
Attackers can use services to compromise your network security in two ways. First, the
service might have programming flaws that let attackers execute their own code. This type
of attack might occur through buffer overruns or as a result of some capability of the
service to execute local command-line applications. Numerous examples of both exist in the CERT archives or any good security
mailing list. The second type of attack is more sophisticated and involves taking
advantage of the distributed nature of authentication on some networks. This attack
involves finding a service that is running as a high-level user on several systems and
then locating one that the attacker can compromise. The attacker can then typically
escalate privilege from that point. This type of attack is not limited to Windows networks
and is not a flaw in OS design. Rather, these attacks occur when the network administrator
is not aware of this issue and is not properly securing the network to prevent it. Any
network using a distributed authentication system (NIS would be a common example for a
UNIX network) can encounter problems with this method of attack. Windows networks give you
several options in terms of service user context and how those options affect our ability
to counter typical attacks on services. . . .
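
The second attack above depends on one privileged account running services on several systems. As an added example (not from the original article), this Python sketch classifies each service's logon account into the three contexts named above and lists domain accounts that run services on more than one host. The inventory rows, host names and account names are constructed, and the account-name formats (`LocalSystem`, `.\name`, `DOMAIN\name`, `name@domain`) are the assumed input format.

```python
from collections import defaultdict

# Constructed inventory rows: (host, service name, account the service runs as).
SAMPLE_INVENTORY = [
    ("WEB01", "Spooler", "LocalSystem"),
    ("WEB01", "BackupAgent", "CORP\\svc-backup"),
    ("DB01", "BackupAgent", "CORP\\svc-backup"),
    ("FILE01", "BackupAgent", "corp\\SVC-Backup"),   # same account, different case
    ("DB01", "ReportSvc", ".\\reports"),             # local account, dot form
    ("FILE01", "ReportSvc", "FILE01\\reports"),      # local account, host form
    ("WEB01", "Indexer", "svc-index@corp.example"),  # domain account, UPN form
]


def classify(host, account):
    """Return (context, normalized identity) for one service logon account.

    Only the three contexts discussed in the text are modelled:
    LocalSystem, a local user account, and a domain user account.
    """
    acct = account.strip()
    if acct.lower() in ("localsystem", "nt authority\\system"):
        return "LocalSystem", host.upper() + "\\SYSTEM"
    if "@" in acct:  # name@domain is always a domain account
        return "domain", acct.lower()
    scope, sep, name = acct.rpartition("\\")
    # No scope, ".", or the host's own name all mean an account local to that host.
    if not sep or scope in (".", "") or scope.upper() == host.upper():
        return "local", f"{host.upper()}\\{name.lower()}"
    return "domain", f"{scope.upper()}\\{name.lower()}"


def shared_domain_accounts(inventory, min_hosts=2):
    """Map each domain account to the sorted hosts running services under it,
    keeping only accounts found on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for host, _service, account in inventory:
        context, identity = classify(host, account)
        if context == "domain":
            hosts[identity].add(host.upper())
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for account, hosts in shared_domain_accounts(SAMPLE_INVENTORY).items():
        print(f"{account} runs services on {len(hosts)} hosts: {', '.join(hosts)}")
```

Local accounts with the same name on different hosts are deliberately kept separate, because each is a distinct account scoped to its own machine.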

