Application Compatibility: Named Pipe Hardening
Named Pipe Hardening
Brief Description
In Windows Vista® and Windows Server® 2008, many services are running under lesser privileged accounts like NetworkService (NS) or LocalService (LS) rather than Local System. Service hardening is an initiative to improve the compartmentalization between the services such that if one service is compromised, it cannot easily attack other services on the system. Windows Vista and Windows Server 2008 harden the named pipes used by RPC servers to prevent other processes from being able to hijack them.
Under Windows XP®, an RPC server creates a named pipe, and the ACL on the pipe grants LS or NS Full Control, which includes the ability to create "server instances" of the pipe so clients can connect. The only process that should create instances of a pipe is the process that initially created the pipe. Microsoft's ACL change restricts the ability to create server instances to the process that created the pipe initially.
Manifestation
The following services have been affected: services that run as LS or NS, services that opt-in to using service SIDs, and services using RPC over named pipes that request the "default" named pipe security descriptor.
Services that opt-in to using service SIDs means no third-party service will be affected by default. Service SIDs are a new feature in Windows Vista and Windows Server 2008 that require opt in by setting a DWORD value in the service configuration. When developers opt in, they have the opportunity to test with the new service hardening behavior; this change would be one of those behaviors.
Services using RPC over named pipes that request the "default" named pipe security descriptor means that if a RPC server is specifying a custom security descriptor because of special needs, they will see no change. The following is a list of the affected pipes:
Epmapper
Eventlog
Dav rpc
Keysvc
Winreg
Tapserv
W32time_alt
Termsvcapi
Ctx_winsta
Hydralspipe