Svchost
Svchost stands for Service Host Process. Svchost is essentially a "wrap-around" service shell that other DLLs can use to execute as a service, and to communicate intra- and inter-computer. Svchost is used for services that are implemented as DLLs instead of as their own executables. This allows related services to communicate with each other much more easily. However, you must remember that all services within a single Svchost process have complete control over all other services within that same process. In other words, you must not put two services that inherently have different security requirements in the same Svchost instance.
Most Windows computers have several instances of Svchost running, and each instance normally hosts one or more services. Svchost.exe always executes from %Windir%\System32. If you find Svchost anywhere else, it's malware. You can list the various programs that are running with each instance of Svchost by running Tasklist /svc at the command prompt (see Figure 1). You can also display a similar list in Windows Defender. One of the most crucial Svchost processes is RPC.
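The following PowerShell is an added example (not from the book): it reproduces the Tasklist /svc view for Svchost instances and applies the rule above that every svchost.exe must run from %Windir%\System32, flagging any instance whose image path differs or cannot be read.

```powershell
# Added example: list each svchost.exe instance, the services it hosts, and whether
# its image path matches the only legitimate location, %Windir%\System32\svchost.exe.
$expectedPath = Join-Path $env:windir 'System32\svchost.exe'

# Build a lookup of services keyed by hosting process ID (as a string).
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = [string]$_.ProcessId          # note: $PID is reserved in PowerShell
    $hosted = if ($servicesByPid -and $servicesByPid.ContainsKey($procId)) {
        ($servicesByPid[$procId].Name | Sort-Object) -join ', '
    } else {
        '<none>'                            # an svchost hosting no service is itself unusual
    }

    [pscustomobject]@{
        PID      = $_.ProcessId
        Path     = $_.ExecutablePath
        Services = $hosted
        # A null path means the process could not be queried (for example, insufficient
        # rights); treat it as "not verified" rather than "OK".
        PathOK   = ($null -ne $_.ExecutablePath) -and ($_.ExecutablePath -ieq $expectedPath)
    }
} | Sort-Object PathOK, PID | Format-Table -AutoSize
```

Run it from an elevated prompt so ExecutablePath is readable for every instance; any row with PathOK = False deserves a closer look.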
RPC
RPC stands for Remote Procedure Call. RPC is a common protocol in Windows, Linux, and other operating systems for programs and services to communicate with each other. Although it is most commonly used over TCP/IP networks, it will work over any transport protocol. Dozens of Windows programs use RPC to communicate, both intra-computer (i.e., different programs on the same computer will use RPC to send information to each other) and inter-computer (for example, client-server). There are also protocols written on top of RPC, such as the Distributed Component Object Model (DCOM).
The RPC Endpoint Mapper (called Remote Procedure Call in the services console) service runs on port 135 in Windows (an equivalent service runs on port 111 in Linux/Unix). When an RPC-enabled program starts, it will contact the RPC Endpoint Mapper service and ask for an available, open TCP port to listen on. The RPC service will query the currently open TCP ports and pick one of the unused (and not likely to be used by any other well-known program) TCP ports above 1023 and inform the program. When a client of this program needs to communicate with it, the client will query the RPC Endpoint Mapper to find out which port the program listens on. It can then connect directly to that port. In a way, the Endpoint Mapper functions as a directory service for certain ports on a host. For example, Outlook normally uses RPC to talk to Exchange in a local network environment. When Exchange wants to talk to a particular Outlook client, for instance, to notify the client that it has new e-mail messages, Exchange will query the client computer's RPC service on 135. The RPC Endpoint Mapper service will tell Exchange what port Outlook is listening on. Exchange will then disconnect from the RPC service and re-connect directly to the Outlook client.
RPC is how Windows works and is used for inter-process communications locally as well as remotely. It's crucial to normal operations. Disabling RPC will severely hamper or disable many core Windows services, including:
From the preceding list, it's easy to see that RPC can't be disabled lightly as some security guides suggest. When the MS-Blaster worm came out in August 2003, it attacked unpatched Windows computers over DCOM, which in turn used the RPC service as its transport. Early on several antivirus companies recommended that administrators disable the RPC service to stop the worm. Talk about the medicine being worse than the illness. Disabling RPC essentially disables most of Windows.
SMB/CIFS
Windows is heavily dependent on the Server Message Block (SMB) protocol for exchanging files and other information. Windows' first implementation of the SMB protocol was transported over another protocol called NetBEUI (Network Basic End User Interface). SMB over NetBEUI relies heavily on NetBIOS name resolution.
Once NetBIOS was improved so that it could be transported using TCP/IP, and expanded beyond a single network segment (as NetBEUI was limited to), it was renamed as Common Internet File System (CIFS). Throughout this chapter, when the term NetBIOS was used, CIFS would have been more technically accurate.
CIFS uses the TCP/IP protocol and can use both DNS and NetBIOS name resolution. By default, CIFS uses UDP and TCP ports 137 (for name resolution), 138 (for datagram traffic), and 139 and 445 (for session-oriented traffic). Typically, 137 and 138 are UDP ports, while 139 is TCP, and 445 can be either. SMB over native TCP/IP uses port 445 and has been available in Windows 2000 and later. Other services will attempt to use 445 first, and then fall back to the earlier ports if unsuccessful over 445. Ports 137–139 are used for legacy applications.
SMB's most frequently recognized use is for File and Printer sharing, a service that allows folder, registry, and printer shares to be advertised and used remotely. Many administrators incorrectly think that SMB is used only for File and Printer sharing. Many security recommendation guides have recommended that administrators block the SMB ports using a host-based firewall if File and Printer sharing was not needed. This is usually bad advice, unless you know what you are doing. Like RPC, SMB is used extensively during normal operations, and for many other things besides sharing folders and printers, especially for remote management.
SMB connections are normally made to a computer's IPC$ (Interprocess Communication Share). Various services will open Named Pipes connections. Named Pipes can be best thought of as File and Printer sharing for applications and processes. An SMB-enabled application will open up an SMB share point, with names formatted to look something like a NetBIOS share name (for example, \\servername\pipe\servicesharename). These pipes can be accessed by clients and used as regular files to read and write data to the server. Some example Named Pipes share names are:
\\fileserver\keysvc
\\PIPE\wkssvc
You can run the Microsoft Windows Server 2003 Resource Kit utility, Rpcdump.exe, to see some of the Named Pipes on a particular system. Services and processes use Named Pipes to send and read information, much like a user implementing a drive share.
SMB excels at distributed file locking and read and write caching to improve performance. It is used by many other OS vendors and applications besides Microsoft. It can be used intra-computer or inter-computer. It supports anonymous "null sessions" and authenticated connections. SMB is made for client-server communications.
Accordingly, SMB is often used by Windows services and other third-party products. SMB is used to establish a secure channel between a domain computer and a domain controller so the computer can perform a network logon. SMB is used for remote management and to pull group policy settings from the domain controller to the local computer. Like RPC, disabling SMB or blocking those ports on a normal Windows PC is bound to cause operational problems. The three services that use SMB the most are the Computer Browser, Workstation, and Server services.
Computer Browser, Workstation, and Server Service
The Computer Browser service is used to advertise and find NetBIOS hosts and services. It is included in XP Pro and later only for computers that do not use Active Directory, or to find NetBIOS objects that do not register themselves in Active Directory. Prior to Active Directory, it was the primary way that Windows found computers, workgroups, and domains. In Vista, the Computer Browser service is an Automatic service, but may not be started. Windows starts the service when needed. Vista will try using Active Directory searches first for domain computers.
The Workstation and Server services have nothing to do with whether a PC is running a workstation or server version of Windows. Both workstation and server versions of Windows run both by default. All Windows computers have services that listen and allow connections from other hosts (using the Server service), and connect to other hosts (using the Workstation service).
The Workstation and Server services are a little bit like Svchost, RPC, and SMB in that lots of other services and applications use them to do their job. The Workstation service is used when the computer wants to use outbound SMB to connect to a (remote) listening SMB share (hosted by the Server service). The Server service is used to create inbound listening shares. The Workstation service of one client will often connect to the Server service of another.
Both the Workstation and Server services use SMB and RPC, and have been the victim of past exploits. Many security recommendation guides often recommend that Windows administrators disable these services if not needed. Like RPC, it's difficult to disable either service as Windows is very dependent upon them. If you disable the Workstation service, many applications and services will not work correctly, including:
- File and Print Sharing (trying to connect to shares on other computers, or host them locally)
- Group Policy (on domain controllers, clients with the Server service will still download group policies)
- Net Logon (would not be able to log on to this computer)
- Print Spooler
- Computer Browser
- Connecting to any application that uses SMB
- Connecting to any application that uses Named Pipes
- Remote management interfaces
- Distributed File System (DFS)
- Remote Procedure Call Locator
- Fax service
- Indexing service
- Performance Logs and Alerts
Disabling the Server service will affect many services including:
- File and Print Sharing (allowing others to connect to folder or print shares)
- Group Policy (sending group policy from a domain controller)
- Net Logon (allowing other remote computers/users to log on)
- Allowing connections to any application that uses CIFS
- Allowing connections to any application that uses Named Pipes (SQL Server, Certificate Services, Exchange, and so on)
If a service is RPC-enabled (and doesn't use Named Pipes or some other transport method), there is a good chance that disabling the Server service will disable connections to that service.
It is important to understand the function of all these specialized programs and services, and what they provide to Windows. Disabling any of the services discussed will cause operational problems on most PCs and should only be done on production systems after testing application functionality and only then if there is a valid and unacceptable threat facing these computers.
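Before disabling any of the services discussed above, it helps to see what the Service Control Manager already knows will stop with them. The following PowerShell is an added example (not from the book) that walks the declared dependency tree for the Remote Procedure Call, Workstation, and Server services; it assumes the standard service names RpcSs, LanmanWorkstation, and LanmanServer.

```powershell
# Added example: print every service that declares a dependency, directly or
# transitively, on a given core service. This is the part of the "what breaks if I
# disable this" question that the SCM can answer before anything is touched.
function Get-ServiceDependencyTree {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $Depth = 0,
        [hashtable] $Seen = @{}          # shared across recursion to avoid duplicates/cycles
    )
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true

    $svc = Get-Service -Name $Name -ErrorAction Stop
    '{0}{1} ({2}) [{3}]' -f ('  ' * $Depth), $svc.Name, $svc.DisplayName, $svc.Status

    # DependentServices lists services that declared this one as a dependency.
    foreach ($dep in $svc.DependentServices) {
        Get-ServiceDependencyTree -Name $dep.Name -Depth ($Depth + 1) -Seen $Seen
    }
}

foreach ($core in 'RpcSs', 'LanmanWorkstation', 'LanmanServer') {
    "=== Services that depend on $core ==="
    Get-ServiceDependencyTree -Name $core
    ''
}
```

The declared tree undercounts: many of the consumers in the lists above use RPC or SMB at run time without declaring a dependency, which is why the text insists on testing application functionality rather than trusting the service configuration alone.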
Autorun Programs
After Windows boots and the core services are loaded, Windows checks many other areas for program files that have been marked to execute after each boot. There are literally over 100 places that a program can be placed to be autorun after the computer restarts. These locations include:
- Registry keys
- Startup folders
- Files
Without a doubt, most autorun programs are executed by placing startup entries in the Windows Registry. The most common registry autorun key is HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The most common startup folder is \Users\%Userprofile%\StartMenu\Programs\Startup. Any program located in the Startup folder is automatically executed when the user logs on. Although autorun files are not commonly used anymore, the following files will autorun programs if they contain information and are run in a 16-bit subsystem: Autoexec.nt and Config.nt.
Autorun locations are important because both legitimate and malicious programs often like to launch themselves using one of the autorun methods. Microsoft has virtualized many of the most commonly used locations in Vista so that legacy-program or malicious modifications do not lead to full system compromise. You can view most of the autorun programs and their launch points using Microsoft's excellent Autoruns utility (http://www.microsoft.com/technet/sysinternals/Security/Autoruns.mspx) as shown in Figure 2.
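For a quick baseline of the three autorun locations the text names (the Run registry keys, the Startup folders, and the 16-bit subsystem files), the following PowerShell is an added example, not from the book or from Autoruns; it covers only these locations, not the 100-plus that Autoruns enumerates.

```powershell
# Added example: enumerate the autorun locations discussed above so the output can be
# saved and diffed against a later run. HKLM entries run for every user, HKCU for the
# current user; RunOnce keys are the self-deleting variants of Run.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds for its own bookkeeping, not real registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $psMeta) { continue }
            [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
)

# Per-user and all-users Startup folders; every file here runs at logon.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if (-not $path) { continue }
    $entries += Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $path; Name = $_.Name; Command = $_.FullName }
    }
}

# Autoexec.nt / Config.nt only matter if they contain something beyond comments.
foreach ($legacy in 'Autoexec.nt', 'Config.nt') {
    $file = Join-Path $env:windir "System32\$legacy"
    if (Test-Path -Path $file) {
        $live = Get-Content -Path $file | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('REM') }
        $entries += [pscustomobject]@{ Location = 'NTVDM'; Name = $legacy; Command = ($live -join ' ; ') }
    }
}

$entries | Sort-Object Location, Name | Format-Table -AutoSize
```

Pipe the result to Export-Csv on a known-good system and compare later runs against that file; a new Name or a changed Command is the signal worth investigating.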