In this article we talk about Session 0 Isolation, which is part of the User Account Control feature set. It is highly recommended that the reader first goes through the prerequisite articles on the concepts involved (Sessions, Window Stations and Desktops) here, and the difference between a Service and an Application explained here, to understand why services need special care and treatment. Below we discuss the Why and the What of Windows Session 0 Isolation.
Problem: Why was Session 0 isolation of services needed?
Before Windows Vista it was possible to run services in an 'interactive mode' which allowed services to interact with the user. This was done by specifying the SERVICE_INTERACTIVE_PROCESS flag when creating the service. Interactive services were started and attached to Winsta0, but had to run with SYSTEM privileges, because only two users have access to Winsta0: the currently logged-on user and SYSTEM.
This allowed user applications and services to interact from the same Window Station, which gave rise to two main problems.
The first main problem was related to security: it was possible for a malicious application to send window messages to the service, and that could lead to a full computer compromise, since interactive services run with the TCB privileges of SYSTEM.
Figure 1: Interactive Service in Windows XP
The second main problem was related to functionality: since interactive services were bound only to session 0, if the user who was supposed to interact with the service connected to the server using Terminal Services in session 1, he/she would never get to interact with the service, because the service expects interaction from session 0/Winsta0.
Since services run with SYSTEM privileges, they need to be isolated from user space so that user applications cannot access the resources of the services.
Note: To block interactive services in Windows XP and Windows Server 2003, set the NoInteractiveServices registry value to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows. After this is set, even if an interactive service is started it will not be attached to Winsta0.
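A way to audit a machine for services still configured with this flag and for the NoInteractiveServices setting, as an added PowerShell example that is not part of the original post. It assumes it runs on Windows with read access to HKLM\SYSTEM; the 0x100 constant is the SERVICE_INTERACTIVE_PROCESS bit of each service's Type value, and the Win32_Service DesktopInteract property is used as a cross-check.

```powershell
# Added example (not from the original post): list services flagged
# SERVICE_INTERACTIVE_PROCESS and report the NoInteractiveServices policy.
# Assumes Windows with read access to HKLM\SYSTEM (no admin rights needed).

$SERVICE_INTERACTIVE_PROCESS = 0x100   # bit of the service Type value

# Walk every service key and keep those whose Type has the interactive bit set.
$interactive = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.Type -and ($props.Type -band $SERVICE_INTERACTIVE_PROCESS)) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Type      = ('0x{0:X}' -f $props.Type)
                ImagePath = $props.ImagePath
            }
        }
    }

if ($interactive) {
    "Services with SERVICE_INTERACTIVE_PROCESS set:"
    $interactive | Format-Table -AutoSize
} else {
    "No services are flagged SERVICE_INTERACTIVE_PROCESS."
}

# Cross-check via WMI/CIM: DesktopInteract mirrors the same flag.
"Win32_Service entries reporting DesktopInteract = TRUE:"
Get-CimInstance Win32_Service |
    Where-Object DesktopInteract |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize

# Policy value described in the note above (XP / Server 2003).
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
$noInteractive = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoInteractiveServices

switch ($noInteractive) {
    $null   { "NoInteractiveServices is not set." }
    1       { "NoInteractiveServices = 1: interactive services will not be attached to Winsta0." }
    default { "NoInteractiveServices = $noInteractive" }
}
```

A service appearing in either list on a Vista-or-later host is still subject to Session 0 Isolation, so its UI will never reach a user's desktop and the service should be redesigned to use one of the cross-session channels discussed below.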
Solution: What is Session 0 Isolation?
Amongst the many security solutions implemented by design in Windows Vista is Session 0 Isolation, which ensures that session 0 is not passed messages from any application in the other sessions used by users. If an interactive service is installed on Vista or Windows Server 2008, it will not be able to interact with any application in user land, as shown in the diagram below:
Figure 2: Session 0 Isolation in Windows NT 6.0 (Vista, Server 2008)
In order to communicate across sessions we can use named pipes, sockets and global events; it is not possible to communicate across sessions using window messages and local events due to UIPI, as discussed in a previous article/blog: http://securityinternals.blogspot.ae/2014/01/user-interface-privilege-isolation.html
Since Desktops belong inside Window Stations and Window Stations belong inside sessions, this also implies that processes cannot communicate across Desktops in different sessions.
Windows hooks can only be installed at the same privilege level on the same desktop.
About the Author: Saquib Farooq Malik is a senior Information Security Specialist.
Saquib specializes in Vulnerability Assessment and Penetration Testing, and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.