Protecting a Windows Service from untrusted users

后端 未结 3 927
你的背包
你的背包 2020-12-18 10:17

How can I prevent users from tampering with, stopping or crashing a Windows Service that is doing work in the background that may take a while to complete?

Upon rece

相关标签:
3条回答
  • 2020-12-18 10:27

    What's your threat model? Without a threat model, it's impossible to figure out the right way to spend your effort.

    For the moment, let's just consider preventing a service from being stopped, rather than the prevention or tampering or crashing.

    T.E.D is correct in saying that if any admin wants to stop the service, you shouldn't normally try to prevent this. Otherwise how can the administrator do fault isolation, start Windows in bare-bones mode, and so on?

    As you say, the ServiceBase.CanStop property is used to prevent service stopping. This property is normally used only by OS-critical services that must run.

    In the main service thread, you could just ignore the OnStop event and loop forever. So the SCM would think the service was stopped, even though it's still running. This is rather nasty, but should work. The SCM is just issuing a stop request, not actually forcing the stop.

    0 讨论(0)
  • 2020-12-18 10:31

    Users have to have admin privs to stop services. I don't think there is a foolproof way to protect a program from someone who has admin on the box. If you don't want "untrusted users" stopping the serivce, don't give "untrusted users" admin privs.

    There seems to be some tripping over this point, so let me clarify a bit. Suppose an administrator decides she wants to uninstall your program. That's normally only a few mouse clicks. Are you going to take steps to prevent that?

    Think carefully about your answer here. Any program that purposely tries to prevent uninstallation by an administrator is by definition malware.

    I know that it has been pretty much standard since NT came out to give all home PC users admin rights, so that they can install and play games to their heart's content. However, that isn't really nessecary anymore with Vista and Win7, and people should get out of that habit. It is very bad security practice, even for a "trusted" user.

    Telling your users that they have to actually follow some security practices is not a bad thing. They will find they have to clean far less malware and viruses off their machines that way as well.

    0 讨论(0)
  • 2020-12-18 10:43

    Using Group policy will help

    try this http://social.technet.microsoft.com/Forums/en-US/2758d69a-60e8-4a5b-83dd-fc7d8e15bdc1/preventing-users-from-stopping-a-particular-service-with-a-gpo

    0 讨论(0)
提交回复
热议问题