Saturday, August 05, 2006 3:57 AM
Why Vista? Changes to services part 2 (Security, Stability, System Integrity)
What else has changed with services in Vista?
The user contexts that services run under have changed dramatically in Windows Vista. Instead of running as LocalSystem, many services now run as the lower-privileged Network Service or Local Service most of the time. The following chart compares Windows XP SP2 to the planned release of Vista:
But Windows Vista hasn't been rearchitected so that low-privileged accounts can all of a sudden do what required elevated privileges before. Instead, when a privileged operation needs to be carried out, an authenticated call is made that loads additional service code. Once that privileged code has finished what it needs to do, it is unloaded so that it does not remain in memory as a possible target for exploitation later on.
And lastly, the window station that services run in has changed in Windows Vista. In Windows XP, services and the interactive user (the console session) ran in Session 0. This gave rise to the possibility of "Shatter" attacks. In essence, services that interacted with the desktop and had hwnds could be sent messages from less privileged processes running in the same session, opening up the possibility of compromise. For detailed information on Shatter attacks, see MS KB327618 and Larry Osterman's blog.
As services now run in a separate session, this eliminates the risk of such shatter attacks. Of course, this does prevent you from using the "interact with the desktop" privilege to pop up dialogs for the interactive user; however, there are techniques in the Vista SDK that allow you to get responses from the user. I'll elaborate on these if there's any demand.
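To check these changes on a given machine, the following PowerShell audit lists each service's logon account, its interact-with-desktop flag, and the session its process runs in. It is an added example, not code from the original post; it assumes PowerShell 3.0 or later and the standard `Win32_Service` CIM class, and the function name `Get-ServiceContextAudit` is made up for this example.

```powershell
# Added example (not from the original post): audit service logon accounts,
# the interact-with-desktop flag, and which session each service process runs in.
# Assumes PowerShell 3.0+; run elevated so every service process can be resolved.
function Get-ServiceContextAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # StartName is the account the service logs on as.
        $account = if ($svc.StartName) { $svc.StartName } else { '(none)' }

        # Bucket the three built-in service accounts the post discusses.
        $tier = switch -Regex ($account) {
            '^LocalSystem$|^NT AUTHORITY\\SYSTEM$' { 'LocalSystem'; break }
            '^NT AUTHORITY\\Network ?Service$'     { 'NetworkService'; break }
            '^NT AUTHORITY\\Local ?Service$'       { 'LocalService'; break }
            default                                 { 'Other' }
        }

        # Only running services have a meaningful process (PID 0 is the idle process).
        $sessionId = $null
        if ($svc.State -eq 'Running' -and $svc.ProcessId -gt 0) {
            $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
            if ($proc) { $sessionId = $proc.SessionId }
        }

        [pscustomobject]@{
            Name            = $svc.Name
            Account         = $account
            Tier            = $tier
            DesktopInteract = [bool]$svc.DesktopInteract
            State           = $svc.State
            SessionId       = $sessionId
        }
    }
}

$audit = Get-ServiceContextAudit

# Number of services per account tier: how much still runs as LocalSystem?
$audit | Group-Object Tier | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Services still configured to interact with the desktop (the flag the post ties to shatter attacks).
$audit | Where-Object DesktopInteract | Format-Table Name, Account, State -AutoSize

# Running services whose process is not in Session 0; worth investigating if any appear.
$audit | Where-Object { $null -ne $_.SessionId -and $_.SessionId -ne 0 } |
    Format-Table Name, Account, SessionId -AutoSize
```

On Vista and later, an interactive user's own processes report a non-zero `SessionId`, so comparing `(Get-Process -Id $PID).SessionId` with the values above shows the separation directly.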