Saturday, February 1, 2014

Windows Session 0 Isolation



In this article we discuss Session 0 isolation, which is part of the User Account Control set. Readers are strongly encouraged to first go through the prerequisite articles on the concepts involved (Sessions, Window Stations and Desktops) here, and the difference between a Service and an Application explained here, to understand why services need special care and treatment. Below we discuss the why and what of Windows Session 0 Isolation.

Problem: Why was session 0 isolation of service needed?
Before Windows Vista it was possible to run services in an ‘interactive mode’, which allowed services to interact with the user. This was done by using the SERVICE_INTERACTIVE_PROCESS flag when launching the service. Interactive services were started and attached to Winsta0, but had to run with SYSTEM privileges, because only two users have privileges to Winsta0: the currently logged-on user or SYSTEM.
This allowed user applications and services to interact from the same Window Station, which gave rise to two main problems.
The first main problem was related to security: a malicious application could send messages to the service, and that could lead to a full computer compromise, since interactive services run with the TCB privileges of SYSTEM.
Figure 1 - Interactive Service in Windows XP
The second main problem was related to functionality: since interactive services were bound only to session 0, a user who was supposed to interact with the service but connected to the server using Terminal Services on session 1 would never get to interact with it, because the service expects interaction from session 0/Winsta0.
Since services run with ‘system’ privileges, they need to be isolated from user space so that user applications cannot access the services' resources.
Note: To block interactive services in Windows XP and Windows Server 2003, set the NoInteractiveServices registry value to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows. Once this is set, even if an interactive service is started it will not be attached to Winsta0.
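An offline audit for the two settings described above, as an added example that is not part of the original article: it parses registry text in `reg export` format, lists services whose Type value has the SERVICE_INTERACTIVE_PROCESS bit (0x100) set, and reports whether NoInteractiveServices is 1. The sample export and its service names are constructed, and the code assumes the export has already been decoded to text.

```python
import re

SERVICE_INTERACTIVE_PROCESS = 0x00000100  # bit in a service's Type value
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows"

# Constructed sample in `reg export` text format; the service names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoInteractiveServices"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleTrayHelper]
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSpooler]
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleShared\Parameters]
"Type"=dword:00000120
'''


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if header:
            current = keys.setdefault(header.group(1), {})
        elif value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys


def audit(text):
    """Report the NoInteractiveServices setting and services flagged interactive."""
    blocked, interactive = False, []
    for path, values in parse_reg(text).items():
        if path.lower() == WINDOWS_KEY.lower():
            blocked = values.get("NoInteractiveServices", 0) == 1
        elif path.lower().startswith(SERVICES_KEY.lower()):
            name = path[len(SERVICES_KEY):]
            # Only a service's own key counts, not subkeys such as ...\Parameters.
            if "\\" not in name and values.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
                interactive.append(name)
    return {"blocked": blocked, "interactive": sorted(interactive)}


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

Any service the audit lists still requests Winsta0 access and is a candidate for redesign around named pipes or sockets.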

Solution: What is Session 0 Isolation?
Amongst the many security solutions implemented by design in Windows Vista is Session 0 Isolation, which ensures that session 0 is not passed messages from any application in the other sessions used by users.
If an interactive service is installed on Vista or Windows Server 2008, it will not be able to interact with any application in userland, as shown in the diagram below:
Figure 2 - Session 0 Isolation in Windows NT 6.0 (Vista, Server 2008)
To communicate across sessions we can use named pipes, sockets and global events. It is not possible to communicate across sessions using Windows messages and local events, due to UIPI as discussed in a previous article: http://securityinternals.blogspot.ae/2014/01/user-interface-privilege-isolation.html
Since Desktops belong inside Window Stations and Window Stations belong inside sessions, this also implies that processes cannot communicate across Desktops in different sessions.
Windows hooks can only be installed at the same privilege level on the same desktop.

About the Author: Saquib Farooq Malik is a senior Information Security Specialist. Saquib specializes in Vulnerability Assessment and Penetration Testing, and implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.
