This tip will be part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.
Windows password security: Systems tools and policy
Securing Windows services to prevent hacker attacks
How to prevent SQL Server and Internet Explorer hack attacks
How to detect and remove rootkits with Windows encryption
Windows security: Remote Desktop, hosts file and keyboard lock down
When it comes to the Windows operating system, any Windows OS, what do hackers want? The answer is access to valid account names and resource shares, particularly ones that have not been hardened.
Luckily for them, not so for most enterprises, poorly protected or unprotected accounts and resource shares are in plentiful supply. Let's discuss what can be done to secure Windows services.
Securing Windows services: Disabled access
To start, address the problem of Windows services, a host of which (no pun intended) make the discovery of such information pretty easy for both the seasoned hacker and the kiddie scripter with the right tools.
To counteract the threat, an organization should, unless it is absolutely sure it needs them, disable the following services:
- TCP 53 -- DNS Zone Transfer
- TCP 135 -- RPC Endpoint Mapper
- TCP 139 -- NetBIOS Session Service
- TCP 445 -- SMB Over TCP
- TCP 3389 -- Terminal Services
- UDP 137 -- NetBIOS Name Service
- UDP 161 -- Simple Network Management Protocol
TCP/UDP 389 -- Lightweight Directory Access Protocol
Yes, there are problems involved with disabling services, but they can usually be worked around with better security in mind. So, for example, although Microsoft Exchange requires TCP 135 open for MAPI clients, there are methods to make this more secure, the easiest being to not use MAPI clients and go for Outlook Web Access instead. Failing that, use RPC over HTTP on TCP 593, which is safer.
Windows security advanced options: Using the Windows Vista Firewall
The Windows Vista Firewall, via the advanced security interface, actually does a good job of filtering these services under the public profile and allows for Windows Group Policy control of inbound connectivity, so make use of it. This means not going through the usual control panel route to fire up the Windows Firewall, but instead executing wf.msc to access the Windows Firewall with Advanced Security MMC control panel.
Disabling NetBIOS over TCP/IP does not block SMB access; all this does is block TCP 139 while leaving an SMB listener open on TCP 445. In Vista, disable File and Printer Sharing for Microsoft Networks via the local area connection properties dialogue to prevent null sessions over both TCP 139 and 445 (although the former will still be visible, connectivity is disabled).
Windows services security: Ask SID about service accounts
Service accounts are, generally speaking, used by Windows to launch automated routines that are implemented by the operating system itself. Though they are something of a necessary evil, that doesn't mean they cannot be hardened. Indeed, Vista and Server 2008 do this already with service-specific SIDs (security identifiers) that assign unique SIDs to processes as they start. Run sc.exe with the showsid modifier to discover the allocated SIDs for any service. These service-specific SIDs, restricted SID lists in Vista and Server 2008 help reduce the domino effect whereby one service running as LocalService is compromised and can then compromise the integrity of others executing as the same user. To discover which services are restricted, or otherwise, run sc.exe with the qsidtype modifier.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in October 2008