Shared Services

Nynaeve » Blog Archive » How least privilege is that service, anyway (or much ado about impersonation) - part 1

Mon, 06 Aug 2007 15:00:19 GMT

PingBack from http://www.nynaeve.net/?p=154

Breaking Up (shared services) Is(n't) Hard To Do

Larry Osterman's WebLog — Mon, 12 Sep 2005 20:58:10 GMT

The last time I wrote, I talked about shared services. One of the problems of working with shared services...

re: Shared Services

Cheong — Mon, 12 Sep 2005 09:36:21 GMT

Yes. There is security consideration on allowing a process that run with high privellege to interact with user. That what causing me think to lowering it(i.e. a normal user account will do in many case).

And controlling the behaviour within the same application is much more simple than using another program to control it.

re: Shared Services

Larry Osterman [MSFT] — Sat, 10 Sep 2005 17:23:27 GMT

CPAU will continue to work, it doesn't have the security problems that interactive services have.

re: Shared Services

Ben — Sat, 10 Sep 2005 16:47:56 GMT

>>You don't want to EVER pop UI up from a service. <<

What about launching another "normal" program from a service, perhaps using CreateProcessAsUser? Does the same rule apply? Any implications from Vista on that?

re: Shared Services

Andreas Häber — Sat, 10 Sep 2005 15:04:44 GMT

Interactive services are not available anymore in Vista. From the release notes[1]:
"The concept of interactive services is being phased out, starting with Windows Vista versions of Windows. Session 0 is now reserved for services and system processes, and users can no longer interactively log on to session 0. Services that assume session 0 is an interactive session might no longer work correctly. Windows and dialog boxes that were displayed directly from services will not be visible to the user, and the service might stop responding if the user interface (UI) requires user input."

One thing I like with interactive services are for global hotkeys. For example I have one interactive service which registers a hotkey for the ctrl+| (pipe) keys. When this hotkey is fired then the service will move the current window from one monitor over to another one. You could do this with an application running from the taskbar too, but I really dislike using the taskbar for stuff which are supposed to be running in the background.

[1] http://www.microsoft.com/technet/windowsvista/relnotes.mspx

re: Shared Services

Larry Osterman [MSFT] — Sat, 10 Sep 2005 06:01:57 GMT

Cheong, do a google search for "shatter attack" before you consider deploying a service with the SERVICE_INTERACTIVE_PROCESS flag.

Also note that the SERVICE_INTERACTIVE_PROCESS flag doesn't work correctly in FUS scenarios (the UI only pops up on session 0).

For Vista, your service is highly unlikely to work correctly do to some significant security work that's been done to mitigate shatter attacks. You don't want to EVER pop UI up from a service.

re: Shared Services

Cheong — Sat, 10 Sep 2005 05:14:30 GMT

After reading the MSDN page of CreateService, may I ask one question?

The article states that the "SERVICE_INTERACTIVE_PROCESS" attribute requires LocalSystem security context. But is it possible to create serivce that can be interactive with desktop, yet just run in normal user account?

For example, if I'm writing a FTP server, I think a normal user account for that ftproot folder could be enough.

re: Shared Services

Shiv — Sat, 10 Sep 2005 04:50:13 GMT

I've noticed the same problem as Stephen Viess and have come to the conclusion that perhaps the benefit of running many services in one svchost.exe aren't as great as touted. Once I also had the "svchost -k netsvcs" process running away with more memory than usual. I thought that perhaps restarting the offending service would fix it. But how does one find out which one is the culprit? After hunting around with various tools I gave up and started restarting all the services inside it one by one. Guess what? Just like Stephen mentioned it didn't make any difference! The memory usage remained the same (actually increased by a few %). Something isn't quite right in the svchost mechanism. There should be tools to figure out which service is running away and some way to reclaim its resources. Without that IMHO it might be better to have more processes. After all RAM is cheap these days :) It might make sense to do svchost for some common related services. But IMO "svchost -k netsvcs" is quite the extreme counterproductive example.

re: Shared Services

Larry Osterman [MSFT] — Sat, 10 Sep 2005 00:52:56 GMT

Stefan, that's a good question. The answer is that people would start putting 3rd party code in the same process as the built-in services.

And that in turn turns into a reliability nightmare - when an instance of svchost.exe goes down, it takes out all the services within the svchost, which can totally tank a system.