Friday, October 4, 2013

Windows Services ...

Good day
Many IT professionals do not know much about services, they know that it is an application that run in background and able to run even without user login.
This is correct (as a very basic definition), but there are more than this.
Today I will talk about Windows Services.

Windows Services in Windows Vista /7/ Server 2008 work in a different way that Windows XP and Server 2003.
Here are some changes happened to Windows Services:
-         SID: Each service had its own SID, so you can track the service and set restriction on it. You can get the service SID by using the command sc showsid “Service Name”.

The SID will be identical on all windows machine, this is because the SID is generated using the service name, you can even know the SID for a service that is no installed, try the same command but insted of w32time use any other name like "NoSuchName".
But How Windows know a SID for a non existing service??:
o   A Service SID is computed by taking the service’s UNICODE name (all in upper case)
o   Run the result through SHA-1 hash
o   Add S-1-50-80- (always the service account start with S-1-50-80-)
-         Session 0: I will talk more about session 0 below
-         Protection: Windows Services are protected with System Integrity , Data Execution prevention, and registry virtualization disabled

Session 0:
When Windows XP Start, the services are also started in the same session that the user use. Services can interact with the user (showing message box – forms …).
In Windows Vista and Server 2008, Windows Services are no longer using the same session; instead, they are isolated in Session0. The first session is always for Windows Services. All other user use session 1 or 2 …, no more direct interaction between users or application and Windows Services. This will protect windows services from attack like RPC attack, also all the services running in this session protected with System integrity and DEP.
You may install old Windows software (for Windows XP) that install a service, and this service need to communicate with the user direct like displaying a message box, this service will fail to show the user the message box and the application will appear to be not responding for the user, as the service is waiting for user interaction in session0, but the user is in session1 and can not see the message box, so what you can do ??
If you want to be notified for any event in Session0, you can start a service named “Interactive Services Detection” ui0detect, this service will inform you for any request that generated from the service and need a user interaction. (enable and start this service if you are planning to use old software that using old services).
So how services can communicate with the user, simply the vendor need to recode their service to use RPC, COM or Named pipes

Service Account:
All Windows Service need to login. Most of Windows Vista are using the Local System account, This account is so powerful, its like Windows administrator and can take full control of the system.
Here are a list of Service account that windows use:

Local System:
-         The Highest privilege account on a computer; has access to all resources
-         Has no password
-         Access the network by using the computer account (PC$)
Network Service
-         Similar to limited users
-         Has no password
-         Access the network by using the computer accont
Local Service
-         Similar to limited user
-         Has no password
-         Access the network by using anonymous credential

Service Privileges and permission:
There are a lot of Windows Service running by default also when you install some application, they create their own services, but the question is what privileges this service have ?
The answer is using SC command “sc qprivs w32time” this command will list all the privileges this service needs, in this case its W32Time.

But what if you want to give a service access to a local folder using NTFS permission ?
Dont forget that each service had its own SID, so you can add the service to any securable object. They can treated as a normal windows user but from another domain. Try the following:
-         Create a new folder
-         Right click on the folder and select Properties
-         Go to Security and click add
-         Now write NT Services\w32time and press OK
-         You will notice that the service is listed as a user, and you can give it the required permission like read access or write or whatever your application need

Service Control (at the root): its know that you can control the service using the Serviecs.msc conosole or using the SC.exe command, but if you want to make a look at the service root, then you will need to use Windows registry
Open Windows Regedit and navigate to the following key HKLC\System\CurrentControlSet\Services, here you will find all the services and the used windows driver, each key is a service or a driver that hold several values in it:
The installation location of the service
The privilege required by this service
The Type of the SID and it can be 0-1-2
  • 0 = None
  • 1=Unrestricted
  • 2=Restricted

The startup type for the service
  • 4= Disabled
  • 3=Manual
  • 2= Automatic
  • 1 and 0 are for drivers

RequiredPrivilege: are the privileges this service will use, each services must declare what it will need to access, and if it try to access an undeclared privilege, it will fail.

I hope you find these information useful

No comments: