Windows Server 2008이 나오면... (61) - Windows Server 2008 서비스 계정 보안 비교
Windows Server 2008의 보안이 향상되었다... 라는 이야기를 많이 들어보셨을 것입니다. 언제나 새로운 운영체제가 출시될 때마다, 여러 보안 사항이 강화되는데, 오늘은 눈에 띄는 보안 개선 사항을 살펴보겠습니다.
시스템 서비스중 권한이 높은 LocalSystem의 갯수가 27개에서 23개(Full 버전), 16개(Core 버전)으로 줄어들었습니다. 이러면서 당연히 사용자 권한인 NetworkService, LocalService 권한의 갯수는 늘어났겠죠. 밑의 표는 이에 대해 2003과 2008을 비교해놓은 표입니다. 서비스 이름중 *가 붙어 있는 서비스는 기본적으로 자동으로 시작되지 않는 서비스이며, -가 붙어 있는 서비스는 지연된 시작을 하게 설정되는 서비스입니다. 서비스 계정과 관련된 TechNet 아티클은 여기를 클릭하시면 찾아보실 수 있습니다.
Windows Server 2008의 보안상 특징중 하나는 Windows 방화벽 서비스가 기본적으로 시작된다는 것입니다. 이 방화벽 서비스에 의해 기본적으로 모든 서비스는 포트가 모두 오픈되는 것이 아니라, 사용하는 특정 포트 기반으로 방화벽에서 포트를 열어주게 됩니다.
|
Service Name |
Service Display Name | Windows Server 2003 R2 | Windows Server 2008 Core | Windows Server 2008 Full |
| AeLookupSvc | Application Experience | LocalSystem | LocalSystem | LocalSystem |
| BFE | Base Filtering Engine | LocalService | LocalService | |
| BITS | Background Intelligent Transfer Service | LocalSystem- | LocalSystem- | |
| Browser | Computer Browser | LocalSystem | ||
| CryptSvc | Cryptographic Services | LocalSystem | NetworkService | NetworkService |
| DcomLaunch | DCOM Server Process Launcher | LocalSystem | LocalSystem | LocalSystem |
| Dhcp | DHCP Client | NetworkService | LocalService | LocalService |
| dmserver | Logical Disk Manager | LocalSystem | ||
| Dnscache | DNS Client | NetworkService | NetworkService | NetworkService |
| DPS | Diagnostic Policy Service | LocalService | LocalService | |
| ERSvc / WerSvc | Windows Error Reporting Service | LocalSystem | LocalSystem | |
| Eventlog | Windows Event Log | LocalSystem | LocalService | LocalService |
| EventSystem | COM+ Event System | LocalSystem | LocalService | LocalService |
| gpsvc | Group Policy Client | LocalSystem | LocalSystem | |
| helpsvc | Help and Support | LocalSystem | ||
| IKEEXT | IKE and AuthIP IPsec Keying Modules | LocalSystem | LocalSystem | |
| iphlpsvc | IP Helper | LocalSystem | LocalSystem | |
| KtmRm | KtmRm for Distributed Transaction Coordinator | NetworkService- | NetworkService- | |
| lanmanserver | Server | LocalSystem | LocalSystem | LocalSystem |
| lanmanworkstation | Workstation | LocalSystem | LocalService | LocalService |
| LmHosts | TCP/IP NetBIOS Helper | LocalService | LocalService | LocalService |
| MpsSvc | Windows Firewall | LocalService | LocalService | |
| MSDTC | Distributed Transaction Coordinator | NetworkService | NetworkService- | NetworkService- |
| Netman | Network Connections | LocalSystem* | LocalSystem* | |
| netprofm | Network List Service | LocalService | LocalService | |
| Network Location Awareness | LocalSystem* | NetworkService | NetworkService | |
| nsi | Network Store Interface Service | LocalService | LocalService | |
| PlugPlay | Plug and Play | LocalSystem | LocalSystem | LocalSystem |
| PolicyAgent | IPsec Policy Agent | LocalSystem | NetworkService | NetworkService |
| ProfSvc | User Profile Service | LocalSystem | LocalSystem | |
| ProtectedStorage | Protected Storage | LocalSystem | ||
| RemoteRegistry | Remote Registry | LocalService | LocalService | LocalService |
| RpcSs | Remote Procedure Call (RPC) | NetworkService | NetworkService | NetworkService |
| SamSs | Security Accounts Manager | LocalSystem | LocalSystem | LocalSystem |
| Schedule | Task Scheduler | LocalSystem | LocalSystem | LocalSystem |
| seclogon | Secondary Logon | LocalSystem | LocalSystem | LocalSystem |
| SENS | System Event Notification Service | LocalSystem | LocalSystem | LocalSystem |
| ShellHWDetection | Shell Hardware Detection | LocalSystem | LocalSystem | |
| slsvc | Software Licensing | NetworkService | NetworkService | |
| Spooler | Print Spooler | LocalSystem | LocalSystem | |
| TermService | Terminal Services | LocalSystem* | NetworkService | NetworkService |
| TrkWks | Distributed Link Tracking Client | LocalSystem | LocalSystem | |
| TrustedInstaller | Windows Modules Installer | LocalSystem* | LocalSystem* | |
| UxSms | Desktop Window Manager Session Manager | LocalSystem | ||
| W32Time | Windows Time | LocalService | LocalService | LocalService |
| WdiSystemHost | Diagnostic System Host | LocalSystem* | ||
| WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | LocalService* | LocalService* | |
| winmgmt | Windows Management Instrumentation | LocalSystem | LocalSystem | LocalSystem |
| WinRM | Windows Remote Management (WS-Management) | NetworkService- | NetworkService- | |
| wuauserv | Automatic Updates or Windows Update | LocalSystem | LocalSystem- | LocalSystem- |
| WZCSVC | Wireless Configuration | LocalSystem | ||
| Totals | ||||
| Local System | 27 | 16 | 23 | |
| Local Service | 3 | 13 | 13 | |
| Network Service | 4 | 10 | 10 | |
| Grand Total | 34 | 39 | 46 | |