Service permission (Services Hardening related)

[Andre]

Hello guys, I need a help, please.

I am trying to set permissions for a service in my Windows Vista Ultimate,
more specifically, the Apache HTTP Server. I don't want it to have SYSTEM
user access to some of my personal files. So, I was trying to create a new
user just to run Apache, but I've read that this is not necessary on Vista
anymore (awesome)!

http://www.microsoft.com/technet/technetmag/issues/2007/01/SecurityWatch/

The problem is: the permissions I set for this service are not being
enforced. I have created a new permission entry for the NT SERVICE\Apache
service, Explorer accepts it (I click on Check Names and Explorer underlines
it) and I can change permissions for this entry without any problems. But the
Apache service is still capable of accessing folders I have explicitly denied
full control permissions (Deny permissions should have precedence, right?).

Am I doing something wrong? What else do I need to do so that the service
permissions become effective?

Thank you very much for your attention,
Andre

 

[Jesper]

Can you run this command on the files/folders that you have secured and copy
and paste the output into a reply?
cacls <foldername> /s /t

I don't think you are quite using the service hardening properly. The idea
with it is not to deny access to that particular service which is otherwise
running very elevated. In fact, you would never be able to efficiently deny
access to everything. Rather, the idea is that you can selectively permit a
single service to access certain information even though it may be running in
the same user account as several other services. In other words, if you have
multiple services running as the foo account, you can grant ServiceA
permission to a resource that ServiceB does not get to see by creating the
ACE for ServiceA instead of the foo account. Primarily, this is used with
firewall ports. The usecase you are trying to build was not what it was
designed for. In your case you have a service running as the most privileged
account there is and you are trying to restrict it from accessing just a few
resources. While you may be able to restrict it from getting to those
resources easily, virtually everything else is wide open and if the service
is compromised it can very easily circumvent your changes.

What you should instead do is create a special service account for Apache
and then grant that service account permission on resources it needs and
nothing more. I have never done that for Apache, but in Protect Your Windows
Network (http://www.amazon.com/exec/obidos/ASIN/0321336437/protectyourwi-20)
I demonstrate how to do it for SQL Server.

 

[Andre]

Here is

cacls D:\Home\www /s /t

d:\Home\www
"DAI(D;OICI;FA;;;S-1-5-80-1587432422-1360026459-2077270796-930904293-1035582572)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;BU)"

This is where my web files are. I tested it setting deny full control
permissions for the Apache service with NT SERVICE\Apache user. But it can
still read those files.

Thank you for your relpy, Jesper. I've read your book, it is very good. I
really liked the suggestion you gave on how to use sysinternal's tools to set
permissions for the _sql service user. I believe the Apache service is much
simpler than the SQL Server, so I don't think I would lose functionality as
you mentioned. Even if I did, my solution here is very simple, I don't think
I would lose anything important. Anyway, I thought I could tighten the
secutiry without creating a new user, but I think I can't.

I am setting this server on my home computer. I need it to access some
information while I am away. My initial idea was actually to create a new
account just to run Apache. The problem is, I don't know how to create a new
"hidden" account. I didn't want the Apache service user to appear in the
welcome / login screen together with my family accounts. I have even posted a
question, "Hidden / System accounts", in the other discussion group. Do you
have any suggestion? Thank you.

And thank you again for your tip. I think I'll follow your book's suggestion
and do as you said. At least until Vista SP1 comes out with a stable FastCGI
to run PHP pages on IIS. As far as I have read, the IIS service respects the
IIS_IUSRS group permissions, doesn't it?

Andre

 

[Jesper]

Well, the ACEs are ordered properly. That indicates that the Service SID is
not present in the token of whatever process is accessing the data. More than
likely Apache does not ask for a service SID in its configuration. Run this
to see:
sc qsidtype <servicename>

Here is an example. I had an HP print driver installed, and its service did
not have a Service SID configured so I changed the config:
C:\Windows\system32>sc qsidtype "Pml Driver HPZ12"
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: Pml Driver HPZ12
SERVICE_SID_TYPE: NONE

C:\Windows\system32>sc sidtype "Pml Driver HPZ12" unrestricted
[SC] ChangeServiceConfig2 SUCCESS

C:\Windows\system32>sc qsidtype "Pml Driver HPZ12"
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: Pml Driver HPZ12
SERVICE_SID_TYPE: UNRESTRICTED

Cyril Voisin has a great blog post about this at:
http://blogs.technet.com/voy/archive/2007/03/22/per-service-sid.aspx

Thanks for the comment about the book. Today I would of course use
Process Monitor to do this, but the procedure remains the same.

Creating an account that is hidden from the logon screen is really simple.
Just run this command from an elevated command prompt:
reg add "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v foo /t REG_DWORD /d 0

Substitute the name of your account for foo. Here is some more details:
http://support.microsoft.com/kb/942956.

I'm not sure what you mean by "IIS service respectes the IIS_IUSRS group
permissions"? The impersonation identity used by IIS to access web content
stored in the file system is a member of IIS_IUSRS. Is that what you mean? It
is not that IIS respects any permissions. It is that it spawns a process
running as a low-privileged user and then accesses data as that user. That is
all documented in the books too.

 

[Andre]

You are absolutely right. Apache's sidtype was set to NONE.

C:\Windows\system32>sc qsidtype Apache2.2
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: Apache2.2
SERVICE_SID_TYPE: NONE

So I tried setting to UNRESTRICTED and Apache won't start.

Faulting application httpd.exe, version 2.2.6.0, time stamp 0x46deb625,
faulting module libapr-1.dll, version 1.2.11.0, time stamp 0x46deb5c1,
exception code 0xc0000005, fault offset 0x000038dc, process id 0x1664,
application start time 0x01c8546211dbeb42.

Fault bucket 521614349, type 1
Event Name: APPCRASH
Response: None
Cab Id: 0

Problem signature:
P1: httpd.exe
P2: 2.2.6.0
P3: 46deb625
P4: libapr-1.dll
P5: 1.2.11.0
P6: 46deb5c1
P7: c0000005
P8: 000038dc
P9:
P10:

I haven't set any permission to the Apache service user in Apache's
installation files. So I guess Apache developers didn't have Windows in mind
when they developed it. Then I'll create a user for it and follow your
steps.

Cyril Voisin has a great blog post about this at:
http://blogs.technet.com/voy/archive/2007/03/22/per-service-sid.aspx

Those were awesome posts about new Windows Vista security! I've read them
all. I really liked the new security measures on the new OS. Thank you
Microsoft for that!

Thanks for the comment about the book. Today I would of course use
Process Monitor to do this, but the procedure remains the same.

Creating an account that is hidden from the logon screen is really simple.
Just run this command from an elevated command prompt:
reg add "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v foo /t REG_DWORD /d 0

You're welcome. I didn't know Process Monitor showed access to registry
as well. I will give it a try. And thank you for the tip on how to hide the
user account. That would be extremely useful.

I'm not sure what you mean by "IIS service respectes the IIS_IUSRS group
permissions"? The impersonation identity used by IIS to access web content
stored in the file system is a member of IIS_IUSRS. Is that what you mean? It
is not that IIS respects any permissions. It is that it spawns a process
running as a low-privileged user and then accesses data as that user. That is
all documented in the books too.

I am sorry, I wasn't so clear. I 've read about IIS in your book too (and on
iis.net website). IIS uses the Application Pools to separate worker process
and their "users". So these users are added to the IIS_IUSRS group when the
worker process is created. But I still need to study a little deeper how all
that works. You see, when I used IIS as my webserver, my web applications
(written in PHP) could access my entire computer, even folders that didn't
have explicit permissions set to the IIS_IUSRS group.

My web application is used to password protect files so I can download them
anywhere. These files are not located in the web folder (where the .php and
..html files are), so they can't be directly accessed with a URL. These files
are in a completely separated folder in my computer where PHP reads them and
handles the download. Now, I fear there could be a security breach on the php
that would allow someone to modify my files (since PHP can handle any normal
file operation and even run system commands!). Specially because it wasn't
entirely written by me (think like MediaWiki and how it deals with file
download). So I am desperately trying to block any write access to my files.
I did several tests with both IIS and Apache. My problem with IIS was that
even when I set IIS_IUSRS deny full control on my files, the PHP could still
read and modify them (I used a special script of mine for testing). Could
that be due to the CGI binary and its permission? And now it is the same with
Apache and NT SERVICE\Apache user because of its sid type. The only test it
worked was when I created a new user for Apache and I've got access denied
for both reading and writing when setting deny full control for the Apache
user. So I guess this is the way to go.

As I said before, I am still waiting for Vista SP1 to try IIS and FastCGI
again (I've had issues with it). My testing with IIS was before I read your
book so I think I still have some work to do to make it secure. I confess
I haven't read your book completely yet, I'll give it a good read when put my
testing into practice.

Thank you very much for your help.

Sincerely,
Andre

 

[Jesper]

So I tried setting to UNRESTRICTED and Apache won't start.

Faulting application httpd.exe, version 2.2.6.0, time stamp 0x46deb625,
faulting module libapr-1.dll, version 1.2.11.0, time stamp 0x46deb5c1,
exception code 0xc0000005, fault offset 0x000038dc, process id 0x1664,
application start time 0x01c8546211dbeb42.

Yet another reason to use IIS.

Is all you did to set the SID type? It is very very strange that doing so
would cause the service to crash. The service must be reading its own token
and doing something silly with it. I haven't looked at the source code, and I
don't dare to look at it without legal advice because of the source license.

Those were awesome posts about new Windows Vista security! I've read them
all. I really liked the new security measures on the new OS. Thank you
Microsoft for that!

Yeah, Cyril does a great job. He's a good guy too.

You're welcome. I didn't know Process Monitor showed access to registry
as well. I will give it a try. And thank you for the tip on how to hide the
user account. That would be extremely useful.

Process Monitor is basically filemon and regmon, combined, with some extra
functions. It is a fantastic tool!

I am sorry, I wasn't so clear. I 've read about IIS in your book too (and on
iis.net website). IIS uses the Application Pools to separate worker process
and their "users". So these users are added to the IIS_IUSRS group when the
worker process is created. But I still need to study a little deeper how all
that works. You see, when I used IIS as my webserver, my web applications
(written in PHP) could access my entire computer, even folders that didn't
have explicit permissions set to the IIS_IUSRS group.

OK, I see. Yes, that would be the case if the application is not sandboxed.
Windows, unfortunately, does not have a chroot equivalent. Therefore, the
code you write has read access to much of the file system. Of course, the web
site itself is essentially rooted in wwwroot, which means that a web user
cannot traverse out of there (unless PHP for Windows somehow changes that
config, but I doubt it). In other words, yes, the code that you deploy to the
server has read access to a lot of stuff, but that code has to be trusted
anyway, so the risk is minimal.

My web application is used to password protect files so I can download them
anywhere. These files are not located in the web folder (where the .php and
.html files are), so they can't be directly accessed with a URL. These files
are in a completely separated folder in my computer where PHP reads them and
handles the download. Now, I fear there could be a security breach on the php
that would allow someone to modify my files (since PHP can handle any normal
file operation and even run system commands!). Specially because it wasn't
entirely written by me (think like MediaWiki and how it deals with file
download). So I am desperately trying to block any write access to my files.

I see what you mean. You can't use Terminal Services for this instead? It
seems like a simpler option. If not, you are entirely at the mercy of the
application. Another option, which I would probably investigate before the
one you are on, is an authenticated web app, or even SharePoint. Just set up
the app to deny anonymous access. Maybe that won't fit your use case though.

I did several tests with both IIS and Apache. My problem with IIS was that
even when I set IIS_IUSRS deny full control on my files, the PHP could still
read and modify them (I used a special script of mine for testing).

That must mean that PHP is not running as separate work process. Sorry, I
don't know very much about PHP on Windows, so I couldn't tell you how it
works. The best I could tell you is to use Process Monitor and report back.

Jesper

 

[Andre]

Jesper, again, thank you for all your help.

Yet another reason to use IIS.

Is all you did to set the SID type? It is very very strange that doing so
would cause the service to crash. The service must be reading its own token
and doing something silly with it. I haven't looked at the source code, and I
don't dare to look at it without legal advice because of the source license.

LOL, I will use IIS if I can, trust me.

Yes, all I did was the "sc sidtype Apache 2.2 unrestricted" command. As I
said on my last e-mail, there were no NT SERVICE\Apache2.2 permission set
anywhere (when I realised they didn't work I removed them all). Changing it
back to NONE would make Apache start. Simple as that.

Isn't Apache open-source? You should be allowed to see it, without problems.
They don't even distribute compiled binaries for Windows. Only the souce code.

OK, I see. Yes, that would be the case if the application is not sandboxed.
Windows, unfortunately, does not have a chroot equivalent. Therefore, the
code you write has read access to much of the file system. Of course, the web
site itself is essentially rooted in wwwroot, which means that a web user
cannot traverse out of there (unless PHP for Windows somehow changes that
config, but I doubt it). In other words, yes, the code that you deploy to the
server has read access to a lot of stuff, but that code has to be trusted
anyway, so the risk is minimal.

The only way Apache could do that is by modifying the httpd.conf file, so it
could set any other docroot folder on my PC. Well, that and of course
restarting itself. Modifying httpd.conf and restarting itself are two
permissions I want to keep as far away as possible from my web app. And a
hacker could only do all that by uploading his own code to my Document Root
folder. I don't see how he could do that unless exploiting a bug in the
application code. So my first measure would be no write permission on the
Document Root folder itself. But I can't do it with current permission
settings on Apache (and I couldn't do it with IIS_IUSRS group on IIS either).

I see what you mean. You can't use Terminal Services for this instead? It
seems like a simpler option. If not, you are entirely at the mercy of the
application. Another option, which I would probably investigate before the
one you are on, is an authenticated web app, or even SharePoint. Just set up
the app to deny anonymous access. Maybe that won't fit your use case though.

Thank you for the tip. I did tried other solutions, but the web app have
always beat them. I can, for example, easily create a new user and give this
user permission (controlled by my web app, hehe) to download some of my
files. And I can control this user access and statistics, such as what he
wanted, when he wanted. Besides, a web interface is something that is easily
accessed anywhere, without the need to install (or use) new programs.

That must mean that PHP is not running as separate work process. Sorry, I
don't know very much about PHP on Windows, so I couldn't tell you how it
works. The best I could tell you is to use Process Monitor and report back.

That's right. I need to look that deeper before moving to IIS definately. I
will try reading all the information about PHP on IIS on iis.net website. But
only after FastCGI comes out.

Andre

 

[Jesper]

Isn't Apache open-source? You should be allowed to see it, without problems.

They don't even distribute compiled binaries for Windows. Only the souce code.

Yes, but with much open source there is a taint issue that affects those of
us who work on software for a living. Unless you are very careful analyzing
some open source software can cause you to lose our ability to sell your own
software. Not knowing how the license for Apache works I'd rather avoid the
problem by not looking at the source code.

So my first measure would be no write permission on the
Document Root folder itself. But I can't do it with current permission
settings on Apache (and I couldn't do it with IIS_IUSRS group on IIS either).

To do that you would set permissions on that folder that deny write access
to whichever entity you use to impersonate web users. Of course, unless the
web app has functionality to write data it would not be possible anyway.

 

[Andre]

To do that you would set permissions on that folder that deny write access
to whichever entity you use to impersonate web users. Of course, unless the
web app has functionality to write data it would not be possible anyway.

Of course, and it doesn't! But setting permissions in the OS is another
(cheap) layer of security that I think is worth using.

So, followed your suggestions, it is all fine now. Thank you for all the help.

Andre

 

[Andre]

Jesper, I was doing some testing and I came across a problem I don't know how
to solve.

After I ran some of my testing scripts I realised my webserver still had
permission to access some files. I couldn't understand how since I created a
new user, set all the group policy permissions (as you described), removed
this account from any group (the Member Of tab is empty) and the folder
security had absolutely no permission set for the service user. After some
investigation I saw that the NT AUTHORITY\Authenticated Users and the NT
AUTHORITY\Interactive are both members of the Users group, and this group
have permissions set all over my computer!!! (both Windows Default
permissions for this group as well as some of my custom permissions)

For testing purposes I removed the Authenticated Users group from the Users
group and voilá, it worked. Now Apache was completely locked in its account.
I have even broken some Apache permissions with this, so I had to go back to
Process Monitor and recheck for Access Denied errors (it was using the
"Users" group permissions).

I hate to take Windows from its default state (remove the Authenticated
Users from the Users group), though I don't think I can remove the service
user from the Authenticated Users group, can I? I don't like this
Authenticated Users group, does it break anything?

Thank you, again, very much for all your help.

Andre

 

[Jesper]

For testing purposes I removed the Authenticated Users group from the Users

group and voilá, it worked. Now Apache was completely locked in its account.
I have even broken some Apache permissions with this, so I had to go back to
Process Monitor and recheck for Access Denied errors (it was using the
"Users" group permissions).

Yes, removing Authenticated Users from Users is really not a great idea. I
would consider it on an extremely hardened (and very well documented) server,
but not on a general purpose computer.

That being said, if you consider the actual usecase for that group, the
number of scenarios where it would cause a problem should be limited,
although I cannot guarantee it. Any standard user is a member of Users, so
they would be unaffected. Any Administrator *should* have permissions to the
objects separately from a member of Users, so they *should* be unaffected.
The main purpose of Authenticated Users is to grant permissions to users from
other domains, who would not indirectly be members of the local Users group,
and on a stand-alone, you obviously do not have any of those. Therefore, the
only account type, that I can think of, that would have a problem would be
service accounts of the type you just created.

I still would not recommend removing Authenticated Users from Users. For one
thing, it is very incomplete sandboxing since Authenticated Users have
permissions in their own right, but if you cannot sandbox the service any
other way, I don't see many options.

 

[Andre]

Roger that. Well, so I won't mess around with Windows default permissions. I
know the Users group don't have write permission on system folders, that make
me relieved already. Besides, I don't know how registry permissions are set,
so I don't want to mess with that. My custom Users group settings have a lot
of write permissions on some commom folders (for all the users on my PC).
However, I will, one day, try to figure out a new permission scheme on my
computer.

For now I managed to sandbox Apache by setting Deny rules on all folders
that are accessed by my web application, just in case. I feel better this
way, no write or delete permissions whatsoever. For all other folders I will
have to trust Apache security. They claim they're the top of security and
reliability and etc, but I don't trust open-source programs for Windows
completely... I always have that sabotage feeling around... but that's a
whole different discussion.

Thank you,
Andre