Wednesday, October 31, 2007

AN INTRODUCTION TO VISTA® SERVICES



By Jose Gallardo

Microsoft MVP - Windows Shell/User


What is a service?


It is not an easy question to answer in plain words, but I will try.


Even for some experienced users it may be an unknown subject or, at least, a
little-known one. According to Microsoft, a service is "an application that
typically starts when the computer is booted and runs quietly in the background
until it is shut down". This definition is inaccurate because, for example, you
can run Windows Live Messenger (which can log in) when Windows starts, and it
can run until the computer is shut down, but Windows Live Messenger is not a
service. To clarify this, Microsoft adds: "strictly speaking, a service is any
Windows application that is implemented with the services API". Suppose that a
service needs to interact with the system. To accomplish this there is the SCM
(Service Control Manager). As the service is unable to speak directly to the
SCM, the services API serves as interpreter. So we can say that a service is an
application that talks to the system using the services API.



Everything so far also applies to Windows XP. But Windows Vista has new
features for services and, of course, new security features.



What is a service used for?



I will try to explain that with a brief example. Suppose you install antivirus
software. It needs to update its virus databases frequently. Have you noticed
that the update task takes place even in a limited user account? This is
because the updater is a service that runs in a high-privileged account without
user interaction. This is one of the advantages of running as a service, but it
also carries security risks.



In that high-privileged scenario, a service compromised by an attacker gives
that attacker access to the whole system (high-privileged). There are, of
course, less-privileged accounts, but the key point is that, whatever the
account, the service does not need access to all the resources the account can
reach (this is the true risk). Windows Vista has new features for solving these
situations.



New security improvements



Related to the above, Windows Vista services can run in a least-privilege
context, which is not hard to understand. The service selects an account from
the ones available (LocalService, NetworkService, LocalSystem, domain or
local); within that account it chooses the privileges it needs and removes the
remaining ones. The needed privileges are recorded in the so-called process
token. The token is used by the SCM to grant or deny access. That is, if a
service requires privileges not shown in the token, the SCM does not start the
service.



Now, the resources. Services usually have to access system objects. What
happens if a service does not have the privileges to do that? In XP there were
two approaches (both weak from the security point of view): run the service in
a high-privileged account (too much if the service only needs access to one
resource) or weaken the security of the object.



There are some solutions: we can create a specific user account for the service
to run under. It is not the best answer because of manageability (for example,
passwords which the administrator could not manage). As a solution, Vista uses
isolation for services. What does this mean? It is simple: the service isolates
the object by securing it. Each object has an Access Control List (ACL)
containing entries which grant access to the resource. The service puts its
identifier (the SID) in the ACL so that it can access the object.



Besides this improvement, the service can still access the resources that the
account it logs on with allows. To mitigate this, Vista allows a service to
access only those resources that explicitly grant it access (using what is
technically called Restricted SIDs).



This new situation also works for network services.
Restrictions are implemented via service SIDs.



Windows Vista also has improvements related to sessions. In Windows XP (if
"Fast User Switching" is enabled), the first user to log on is assigned
Session 0, where both services and the user's applications run. That implies a
security risk. Vista isolates Session 0 (another kind of isolation) and
reserves it for services. Moreover, services and processes running in Session 0
are "invisible" to other sessions (1, 2 and so on) and cannot interact with
them. Now those processes are secured and, certainly, isolated.



Now a word about performance. In Windows XP, there are two ways to start a
service: automatic (it starts when the system boots up) and manual (it is
started on demand). Unlike manual ones, an automatic startup service increases
the boot time, which can become long as the number of services grows (remember
that applications such as antivirus make use of services). What is more, some
services do not need to start during the boot sequence but cannot be manually
started. To help, Vista has a new startup type: delayed auto-start. This type
allows a service to start shortly after the boot sequence but not in the
sequence itself.



Accessing services



There is nothing new here. To manage services from the user interface or the
command line we have two choices:


1)  Go to the Start button and then click Run. In the box, type services.msc.
Accept the User Account Control warning. You will get an alphabetically sorted
list of Vista services. To manage one of them, double-click it.



2)  We can manage services from the command line. We have two commands
available: net and sc. To start or stop services we use the net command. For
example



    
    net stop dhcp



will stop the DHCP service while



    net start dhcp



starts it. We can use either short or long names:



    
    net start bits



and



   
    net start "background intelligent transfer service"



(note the quotes) will produce the same result.



To get information about services we can use the sc command. You can try it,
for example, by running



   
    sc query bits
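
The hardening features described under "New security improvements" (reduced privileges, service SIDs, restricted SIDs, delayed auto-start) can be inspected and set with the same sc command. The script below is an added example, not part of the original article; ExampleSvc and C:\ExampleData are hypothetical names, and it assumes an elevated command prompt.

```batch
@echo off
rem Added example: inspect, then tighten, the Vista service-hardening settings.
rem ExampleSvc and C:\ExampleData are hypothetical; substitute your own.
setlocal
set SVC=ExampleSvc
set DATA=C:\ExampleData

rem ---- Inspect the current configuration ----
rem Logon account (SERVICE_START_NAME), start type and binary path
sc qc %SVC%
rem Service SID type: NONE, UNRESTRICTED or RESTRICTED
sc qsidtype %SVC%
rem Privileges the service has declared as required
sc qprivs %SVC%
rem The per-service SID that Windows derives from the service name
sc showsid %SVC%

rem ---- Tighten it (note the space after each "=") ----
rem 1) Run under a low-privileged built-in account instead of LocalSystem
sc config %SVC% obj= "NT AUTHORITY\LocalService" password= ""

rem 2) Declare only the privileges the service needs; the others are
rem    removed from its process token. Separate several names with "/".
sc privs %SVC% SeChangeNotifyPrivilege

rem 3) Add the service SID to the token as a restricting SID, so writes
rem    succeed only on objects that explicitly grant access to it
sc sidtype %SVC% restricted

rem 4) Grant that service SID modify access to the one folder it needs,
rem    rather than weakening the folder's ACL for the whole account
icacls "%DATA%" /grant "NT SERVICE\%SVC%":(OI)(CI)M

rem 5) Start shortly after boot instead of during the boot sequence
sc config %SVC% start= delayed-auto

rem ---- Confirm the result ----
sc qsidtype %SVC%
sc qprivs %SVC%
endlocal
```

The new settings apply the next time the service starts, so stop and start it with net stop and net start before testing.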



This article does not claim to be deep, and it is not. I have only tried to
write a survey, some information for beginners and for users who want to know
what is new in Vista services and how they have improved.



For experienced users and developers, this paper should be appropriate
reading:




http://www.microsoft.com/whdc/system/vista/Vista_Services.mspx


For a complete list of Vista®
Services and what they do, see

http://www.speedyvista.com/services.html
