Network restrictions for service hardening

(This is part 5 of our series of posts on service hardening.) Last but not least, a service can be (and should be) configured with network restrictions, using what the Windows SDK calls “Windows Service Hardening” rules (we’ll call those WSH rules for short). As a service developer, it is your…


Write-restricted token

(This is part 4 of our series of posts on service hardening.) A service can be configured to be write-restricted, in addition to having a per-service SID. To do so, you specify a SID type of “Restricted” when configuring your service (see our previous post “Per-service SID”). In that case the process hosting your service…


Per-service SID

(This is part 3 of our series of posts on service hardening.) Under Windows Vista/Longhorn Server, your service can now have its own SID (Security Identifier), which you can then use in ACLs to protect your service resources. You configure your service to be assigned a per-service SID during its installation with the ChangeServiceConfig2 API (dwInfoLevel=…


Least privilege for services

This is part 2 of our series of posts on service hardening. “Need to have” and the least privilege principle: Executing with least privilege is a good computer security practice. As with the “need to know” principle for information access, there should be a “need to have” principle for privileges. If your code does not…


Services isolation in Session 0 of Windows Vista and Longhorn Server

You may have heard that built-in services in Windows Vista were specifically hardened by Microsoft engineers during its development process. You might be wondering what that really means, how it works and, if you are a developer, how to harden your own services the Vista way. Jean-Yves Poublan, a Principal Security Consultant at Microsoft, and…


Microsoft TechDays 2007 in Paris

Yesterday, the first Microsoft TechDays ended in Paris after three days and more than 200 presentations. Thank you to all of you who honored us with your attendance! (I don’t have the final figures yet but you were about 9,000 people on the first two days alone.) If you didn’t have a chance to attend,…
