Securing Windows services to prevent hacker attacks


Davey Winder, Contributor
10.01.2008
This tip is part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.

When it comes to the Windows operating system, any Windows OS, what do hackers want? The answer is access to valid account names and resource shares, particularly ones that have not been hardened.

Luckily for them, though not for most enterprises, poorly protected or unprotected accounts and resource shares are in plentiful supply. Let's discuss what can be done to protect those key elements of Windows.

Windows services security: Disabled access
To start, address the problem of Windows services, a host of which (no pun intended) make the discovery of such information pretty easy for both the seasoned hacker and the kiddie scripter with the right tools.

To counteract the threat, an organization should, unless it is absolutely sure it needs them, disable the following services:

  • TCP 53 -- DNS Zone Transfer
  • TCP 135 -- RPC Endpoint Mapper
  • TCP 139 -- NetBIOS Session Service
  • TCP 445 -- SMB Over TCP
  • TCP 3389 -- Terminal Services
  • UDP 137 -- NetBIOS Name Service
  • UDP 161 -- Simple Network Management Protocol
  • TCP/UDP 389 -- Lightweight Directory Access Protocol

Yes, there are problems involved with disabling services, but they can usually be worked around with better security in mind. So, for example, although Microsoft Exchange requires TCP 135 open for MAPI clients, there are methods to make this more secure, the easiest being to not use MAPI clients and go for Outlook Web Access instead. Failing that, use RPC over HTTP on TCP 593, which is safer.

Windows advanced options: Using the Windows Vista Firewall
The Windows Vista Firewall, via the advanced security interface, actually does a good job of filtering these services under the public profile and allows for Windows Group Policy control of inbound connectivity, so make use of it. This means not going through the usual control panel route to fire up the Windows Firewall, but instead executing wf.msc to access the Windows Firewall with Advanced Security MMC control panel.

Disabling NetBIOS over TCP/IP does not block SMB access; all this does is block TCP 139 while leaving an SMB listener open on TCP 445. In Vista, disable File and Printer Sharing for Microsoft Networks via the local area connection properties dialogue to prevent null sessions over both TCP 139 and 445 (although the former will still be visible, connectivity is disabled).
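
To see which of the ports listed above a host is actually listening on, and which process owns each listener, the following PowerShell audit can be run locally. It is an added example, not part of the original tip; it assumes the NetTCPIP and NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later (on Vista, `netstat -ano` gives the same raw data), and the variable and property names are illustrative.

```powershell
# Ports the article lists as candidates for disabling (protocol/port -> service).
$watch = [ordered]@{
    'TCP/53'   = 'DNS Zone Transfer'
    'TCP/135'  = 'RPC Endpoint Mapper'
    'TCP/139'  = 'NetBIOS Session Service'
    'TCP/389'  = 'LDAP'
    'TCP/445'  = 'SMB over TCP'
    'TCP/3389' = 'Terminal Services'
    'UDP/137'  = 'NetBIOS Name Service'
    'UDP/161'  = 'SNMP'
    'UDP/389'  = 'LDAP'
}

# Collect TCP listeners and bound UDP endpoints in one common shape.
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$findings = foreach ($e in @($tcp) + @($udp)) {
    $key = '{0}/{1}' -f $e.Proto, $e.LocalPort
    if (-not $watch.Contains($key)) { continue }

    # A listener bound only to loopback is not reachable from the network.
    $loopback = $e.LocalAddress -in '127.0.0.1', '::1'
    $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Port      = $key
        Service   = $watch[$key]
        Address   = $e.LocalAddress
        Process   = if ($proc) { $proc.ProcessName } else { "PID $($e.OwningProcess)" }
        Reachable = -not $loopback
    }
}

# One row per port/address pair that is still listening.
$findings | Sort-Object Port, Address -Unique | Format-Table -AutoSize

# Default inbound action per firewall profile (the tip relies on the public profile).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

After disabling NetBIOS over TCP/IP alone, this output should still show TCP/445 listening, which is the behaviour the paragraph above describes.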

Windows services security: Ask SID about service accounts
Service accounts are, generally speaking, used by Windows to launch automated routines that are implemented by the operating system itself. Though they are something of a necessary evil, that doesn't mean they cannot be hardened. Indeed, Vista and Server 2008 do this already with service-specific SIDs (security identifiers) that assign unique SIDs to processes as they start. Run sc.exe with the showsid modifier to discover the allocated SIDs for any service. These service-specific SIDs and restricted SID lists in Vista and Server 2008 help reduce the domino effect whereby one service running as LocalService is compromised and can then compromise the integrity of others executing as the same user. To discover which services are restricted, or otherwise, run sc.exe with the qsidtype modifier.
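
The two sc.exe queries above can be scripted across every installed service. The following PowerShell is an added example, not part of the original tip: `Get-ServiceSid` (a hypothetical helper name) derives the same value `sc.exe showsid` prints, which is S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE service name read as five 32-bit integers, and the parsing assumes the `SERVICE_SID_TYPE:` label in `sc.exe qsidtype` output.

```powershell
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$Name)
    # SHA-1 over the upper-cased service name encoded as UTF-16LE.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
        $hash  = $sha1.ComputeHash($bytes)
    } finally {
        $sha1.Dispose()
    }
    # The 20-byte digest becomes five little-endian 32-bit sub-authorities.
    $subs = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $out  = & sc.exe qsidtype $svc.Name 2>$null
    $type = if (($out -join "`n") -match 'SERVICE_SID_TYPE:\s+(\S+)') { $Matches[1] } else { 'UNKNOWN' }

    [pscustomobject]@{
        Name    = $svc.Name
        Account = $svc.StartName
        SidType = $type          # NONE, UNRESTRICTED or RESTRICTED
        Sid     = Get-ServiceSid -Name $svc.Name
    }
}

# Services that share LocalService/NetworkService and carry no service SID
# are the ones exposed to the domino effect described above.
$report |
    Where-Object { $_.SidType -eq 'NONE' -and $_.Account -match 'LocalService|NetworkService' } |
    Sort-Object Account, Name |
    Format-Table Name, Account, SidType, Sid -AutoSize
```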

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

All Rights Reserved, Copyright 2008 - 2010, TechTarget