Windows Service Hardening Firewall Rules

I recently saw the following Knowledge Base article: support.microsoft.com/kb/2761899, VMM Hyper-V Service Errors and Event ID 14050 When Dynamicportrange Is Changed in Windows Server 2012. If you want a service to have a service-specific SID, you must set the service's SID type property to UNRESTRICTED or RESTRICTED; I will explain the difference between these two property values later, in the section on write-restricted tokens. You can set the SID type of a service by using the SC command. NOTE: The service SIDs of all services configured to share a process are always present in that process. Only the SIDs of running services are enabled; the SIDs of services that are not running are present but disabled. However, the filtering platform assumes that all service SIDs are enabled, regardless of whether the service is disabled. The second pass is an additional access-check pass that does not normally occur. During this second pass, Windows explicitly checks whether the resource's permissions grant write access to the service-specific SID or to the predefined logon SID, Everyone SID, or WRITE RESTRICTED SID. In addition, an entirely new mechanism specifies and enforces the rights assigned to a service. You can think of this mechanism as the services counterpart of User Account Control (UAC): a least-privilege solution for services. (UAC is a least-privilege feature of Server 2008 and Vista that ensures user applications run with few privileges by default and that all users, including administrators, have only basic user-level permissions. For an overview of UAC, see "Windows Vista's Take on Least Privilege," October 2006, InstantDoc ID 93300.) Some services in Windows Vista and later versions ship as UNRESTRICTED by default, and most services cannot start if they are changed to RESTRICTED.

Third-party applications, such as antivirus software, can be designed to opt in to service SIDs and to run RESTRICTED or UNRESTRICTED. If a local administrator changes an existing service's SID type from NONE to UNRESTRICTED, the service will most likely keep working with the new SID type without regressions or other problems. (The UNRESTRICTED SID type is sufficient for filtering network traffic.) Note: One assumption behind WSH is that the services to be protected run under either the NetworkService account or the LocalService account. Services running under the LocalSystem account are omnipotent; in other words, they can disable Windows Firewall with Advanced Security or ignore its rules, and that is why they are not protected. Note that a rule added to the registry also appears under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System (source: blogs.technet.com/b/voy/archive/2007/04/02/network-restrictions-for-service-hardening.aspx). The first pass is the normal access check, which still takes place as before. In this pass, Windows evaluates whether to grant or deny a service access to a resource based on the resource's permissions and the information in the access token of the service's hosting process. The final change we are going to look at today is the application of a write-restricted access token to the service process. This token can be used when the set of objects the service writes to is limited and configurable.

An attempt to write to a resource that does not explicitly grant write access to the service SID fails. It is important to note that a write-restricted token restricts write operations only; it is less restrictive than a restricted token, which is restricted for all types of access. The write-restricted token of a restricted service has the following restricting SIDs: the per-service SID, the logon SID, the Everyone SID, and the new WRITE RESTRICTED SID (S-1-5-33, NT AUTHORITY\WRITE RESTRICTED). The per-service SID and the WRITE RESTRICTED SID are also added to the token's group SIDs. Write-restricted SIDs provide the following features. WSH rules are also built into the filtering process that runs when Windows Firewall with Advanced Security decides to forward or drop a packet. In other words, when making decisions about traffic to and from services, Windows Firewall rules and WSH rules work together to decide whether to allow or drop the traffic. For more information about merging service restriction rules with Windows Firewall rules, see the "Understanding Windows Firewall Policy Storage and Merge Logic" section later in this chapter. Additionally, the Interactive Services Detection service (ui0detect) works only for GUI-based Windows services, not for console- or command-prompt-based services, and enabling ui0detect does not re-enable the At command to run interactive tasks. Windows Service Hardening (WSH) is a feature of Windows Vista and later versions designed to protect critical network services running on a system. When a service is compromised, WSH reduces the potential damage by reducing the attack surface that could be exploited by certain forms of malicious code.
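The two-pass check described above, as an added example that is not part of the original post: a small Python model of a write-restricted service token, with the first (normal) pass over the token's group SIDs and the second pass over its restricting SIDs, which for a write-restricted token runs only for write access. The token and ACE layouts, and the placeholder service and logon SIDs, are assumptions made for this model, not Windows' real structures.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"
LOCAL_SERVICE_SID = "S-1-5-19"        # NT AUTHORITY\LOCAL SERVICE
EVERYONE_SID = "S-1-1-0"
WRITE_RESTRICTED_SID = "S-1-5-33"     # NT AUTHORITY\WRITE RESTRICTED

@dataclass
class Token:
    groups: set                                    # group SIDs checked in pass 1
    restricting: set = field(default_factory=set)  # restricting SIDs for pass 2; empty = none
    write_only: bool = False                       # True: pass 2 applies to write access only

def write_restricted_token(service_sid, logon_sid, account_sids):
    """Token layout described above for a RESTRICTED service: the per-service
    SID and WRITE RESTRICTED join the groups; four restricting SIDs gate writes."""
    restricting = {service_sid, logon_sid, EVERYONE_SID, WRITE_RESTRICTED_SID}
    return Token(groups=set(account_sids) | {service_sid, WRITE_RESTRICTED_SID},
                 restricting=restricting, write_only=True)

def one_pass(dacl, sids, access):
    """Walk a canonical DACL (denies first). ACE = (allow, sid, {accesses});
    the first ACE that names one of `sids` and covers `access` decides."""
    for allow, sid, mask in dacl:
        if sid in sids and access in mask:
            return allow
    return False  # no matching ACE: implicit deny

def access_allowed(token, dacl, access):
    if not one_pass(dacl, token.groups, access):   # pass 1: the normal check
        return False
    # Pass 2 runs only for tokens with restricting SIDs, and for a
    # write-restricted token only when write access is requested.
    second = bool(token.restricting) and (access == WRITE or not token.write_only)
    return one_pass(dacl, token.restricting, access) if second else True

# Constructed scenario: MyService runs as LocalService with a per-service SID.
MYSERVICE_SID = "S-1-5-80-0-0-0-0-1"   # placeholder, not a real service SID
LOGON_SID = "S-1-5-5-0-1"              # placeholder logon SID
token = write_restricted_token(MYSERVICE_SID, LOGON_SID, {LOCAL_SERVICE_SID})
# An object that grants LocalService read and write but says nothing about the service SID.
shared_dacl = [(True, LOCAL_SERVICE_SID, {READ, WRITE})]
# An object that additionally grants write access to the per-service SID.
owned_dacl = shared_dacl + [(True, MYSERVICE_SID, {WRITE})]

if __name__ == "__main__":
    print(access_allowed(token, shared_dacl, READ))   # True
    print(access_allowed(token, shared_dacl, WRITE))  # False
    print(access_allowed(token, owned_dacl, WRITE))   # True
```

Swapping `write_only=False` on the same token models a fully restricted token, where even the read to `shared_dacl` fails because none of the restricting SIDs is granted access.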

Because network services (both those built into the operating system and those installed by third-party applications) are inherently exposed to the network (which itself is usually connected to the Internet), they provide a vector that attackers can use to try to compromise a system. WSH implements the following protection improvements over previous versions of Windows. It is not easy to determine which privileges a service requires; in some cases, you may need to use trial and error. The Windows SDK documentation explains the privileges required when using specific APIs and whether these privileges must be enabled before calling the API. That said, do not start changing service privileges without extensive testing in an isolated environment. Finally, there are still situations where a dedicated domain-wide user account is required, such as when a service needs to be trusted or needs access to remote resources, for example so that the Performance Logs and Alerts service can query a remote computer. Service-specific SIDs give administrators more control over access to service resources. However, a service-specific SID cannot prevent a service from accessing resources that the SID of its service account can access. For example, suppose MyService runs in the security context of the LocalService account and has a service-specific SID. In addition to the objects to which the service-specific SID explicitly grants access, MyService can access every object that the LocalService account can access.

If MyService were compromised, an attacker could gain access to resources unrelated to the service. When a service is configured for a service SID (whether the service is restricted or not), the service SID is derived from a SHA-1 hash. To view the SID of a service, use the sc showsid command, as shown below. The fact that Session 0 is marked as non-interactive does not mean that services in Session 0 cannot interact with users: some applications require this functionality. Developers can use secure interprocess communication mechanisms, such as named pipes and RPC, to let Session 0 services interact securely with the desktop. For more information about the impact of Session 0 isolation and how developers can handle it in their applications, services, and drivers, see the Microsoft white paper "Impact of Session 0 Isolation on Services and Drivers in Windows Vista" at www.microsoft.com/whdc/system/vista/services.mspx. Therefore, if you want to assign a per-service SID to a service, you can use the following command syntax: sc sidtype <ServiceName> <none|unrestricted|restricted>. If you want to view the SID type configuration of a service, you can use the following command: sc qsidtype <ServiceName>. The illustration below shows an example of an unrestricted service and a restricted service. OS hardening usually involves patching and securing a server's operating system.
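The SHA-1 derivation mentioned above, as an added example that is not part of the original post: the per-service SID is S-1-5-80 followed by the SHA-1 of the upper-cased, UTF-16LE-encoded service name split into five little-endian 32-bit sub-authorities. The `service_sid`, `is_service_sid` and `write_grants_for_service` names, and the sample DACL summary, are constructed for this example; the DACL is a simplified list of (sid, access) allow entries, not a real ACL structure.

```python
import hashlib
import re

def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> SID from a service name: S-1-5-80 followed
    by the SHA-1 of the upper-cased UTF-16LE name, read as five little-endian
    32-bit sub-authorities."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(s) for s in subauths)

SERVICE_SID_RE = re.compile(r"S-1-5-80(?:-\d{1,10}){5}")

def is_service_sid(sid: str) -> bool:
    """True if `sid` has the shape of a per-service SID (S-1-5-80 plus five sub-authorities)."""
    return SERVICE_SID_RE.fullmatch(sid) is not None

def write_grants_for_service(dacl, service_name):
    """Audit helper: from a list of (sid, access) allow entries, return the
    accesses explicitly granted to the named service's own SID."""
    target = service_sid(service_name)
    return sorted({access for sid, access in dacl if sid == target})

if __name__ == "__main__":
    # Constructed input: a service name and a DACL summary (not from a real host).
    sid = service_sid("MyService")
    sample_dacl = [("S-1-5-19", "read"), (sid, "write"), (sid, "read")]
    print(sid)
    print(write_grants_for_service(sample_dacl, "myservice"))
```

The name is upper-cased before hashing, so `service_sid("myservice")` and `service_sid("MYSERVICE")` agree; on a Windows host the result can be compared with the output of `sc showsid <ServiceName>`.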

Operating system vendors such as Microsoft typically release updates, service packs, and hotfixes that users can install manually or automatically. In Windows Server 2008 and Windows Vista, Microsoft uses Session 0 isolation, new least-privilege restrictions on services, service-specific security identifiers, write-restricted SIDs, and restricted network access to reduce the attack surface of services. Together, these changes are called Windows Service Hardening. In Windows Server 2008 and Windows Vista, Microsoft introduced new security measures to protect services, which have long been a popular target for malware and hackers. The enhancements include Session 0 isolation, least-privilege restrictions, service-specific security identifiers (SIDs), write-restricted SIDs and tokens, and restricted network access.
