Sécurité des Services Windows : Guide Complet

La sécurisation des services Windows est un aspect crucial de la cybersécurité. Ce guide explore les techniques avancées de protection et de gestion des services.

1. Gestion des Services

Configuration de Base

# Désactivation des services non essentiels
sc config RemoteRegistry start= disabled
sc config Telnet start= disabled
sc config TFTP start= disabled

# Configuration des permissions
sc sdset RemoteRegistry D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

Services Critiques

# Identification des services critiques
$criticalServices = @(
    "RemoteRegistry",
    "Telnet",
    "TFTP",
    "SNMP",
    "IISADMIN",
    "W3SVC"
)

# Désactivation sécurisée
foreach ($service in $criticalServices) {
    if (Get-Service $service -ErrorAction SilentlyContinue) {
        Stop-Service $service
        Set-Service $service -StartupType Disabled
    }
}

2. Sécurisation des Permissions

Configuration des ACLs

# Configuration des permissions des services
$servicePath = "C:\Windows\System32\services.exe"
$acl = Get-Acl $servicePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
Set-Acl $servicePath $acl

# Protection des dossiers de services
$serviceFolders = @(
    "C:\Windows\System32\drivers",
    "C:\Windows\System32\config",
    "C:\Windows\ServiceProfiles"
)

foreach ($folder in $serviceFolders) {
    $acl = Get-Acl $folder
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl $folder $acl
}

Gestion des Droits

# Configuration des droits de service
$serviceRights = @{
    "SeServiceLogonRight" = "SERVICE_LOGON"
    "SeAssignPrimaryTokenPrivilege" = "ASSIGN_PRIMARY_TOKEN"
    "SeIncreaseQuotaPrivilege" = "INCREASE_QUOTA"
}

# Application des droits
foreach ($right in $serviceRights.GetEnumerator()) {
    $policy = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM")
    $privilege = [System.Security.Principal.Privilege]::$($right.Value)
    $policy.AddPrivilege($privilege)
}

3. Monitoring des Services

Surveillance Active

# Script de monitoring des services
function Monitor-Services {
    $services = Get-Service | Where-Object {$_.Status -eq "Running"}
    foreach ($service in $services) {
        $process = Get-Process -Name $service.Name -ErrorAction SilentlyContinue
        if ($process) {
            Write-Host "Service: $($service.Name) - PID: $($process.Id) - CPU: $($process.CPU) - Memory: $($process.WorkingSet64/1MB) MB"
        }
    }
}

Détection d’Anomalies

# Script de détection d'anomalies
function Detect-ServiceAnomalies {
    $baseline = @{
        "svchost.exe" = @(100, 200)  # Plage de PIDs normale
        "services.exe" = @(500, 600)
    }
    
    $current = Get-Process | Where-Object {$_.ProcessName -in $baseline.Keys}
    foreach ($proc in $current) {
        if ($proc.Id -lt $baseline[$proc.ProcessName][0] -or $proc.Id -gt $baseline[$proc.ProcessName][1]) {
            Write-Host "Anomalie détectée: $($proc.ProcessName) avec PID $($proc.Id)"
        }
    }
}

4. Protection contre les Attaques

Détection de Services Malveillants

# Script de détection de services malveillants
function Detect-MaliciousServices {
    $suspiciousPatterns = @(
        "cryptominer",
        "miner",
        "botnet",
        "backdoor"
    )
    
    $services = Get-Service
    foreach ($service in $services) {
        foreach ($pattern in $suspiciousPatterns) {
            if ($service.DisplayName -match $pattern -or $service.Name -match $pattern) {
                Write-Host "Service suspect détecté: $($service.Name)"
            }
        }
    }
}

Protection contre l’Injection

# Configuration de la protection contre l'injection
$protectionSettings = @{
    "EnableLUA" = 1
    "EnableVirtualization" = 1
    "EnableInstallerDetection" = 1
}

foreach ($setting in $protectionSettings.GetEnumerator()) {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name $setting.Key -Value $setting.Value
}

5. Audit et Logging

Configuration de l’Audit

# Activation de l'audit des services
auditpol /set /category:"System" /success:enable /failure:enable
auditpol /set /category:"Security" /success:enable /failure:enable

# Configuration des logs
wevtutil sl System /maxsize:4294967296 /retention:true
wevtutil sl Security /maxsize:4294967296 /retention:true

Analyse des Logs

# Script d'analyse des logs de services
function Analyze-ServiceLogs {
    $events = Get-EventLog -LogName System -Source "Service Control Manager" -After (Get-Date).AddHours(-24)
    foreach ($event in $events) {
        if ($event.EntryType -eq "Error" -or $event.EntryType -eq "Warning") {
            Write-Host "Problème détecté: $($event.TimeGenerated) - $($event.Message)"
        }
    }
}

6. Maintenance et Mises à Jour

Gestion des Mises à Jour

# Script de mise à jour des services
function Update-Services {
    # Vérification des mises à jour Windows
    $updateSession = New-Object -ComObject Microsoft.Update.Session
    $searcher = $updateSession.CreateUpdateSearcher()
    $searchResult = $searcher.Search("IsInstalled=0")
    
    if ($searchResult.Updates.Count -gt 0) {
        $installer = $updateSession.CreateUpdateInstaller()
        foreach ($update in $searchResult.Updates) {
            $installer.Updates.Add($update)
        }
        $installer.Install()
    }
}

Nettoyage des Services

# Script de nettoyage des services
function Cleanup-Services {
    # Suppression des services orphelins
    $orphanedServices = Get-Service | Where-Object {
        $servicePath = (Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'").PathName
        -not (Test-Path $servicePath)
    }
    
    foreach ($service in $orphanedServices) {
        Stop-Service $service.Name
        sc delete $service.Name
    }
}

7. Scripts de Sécurité

Vérification de Sécurité

# Script de vérification de sécurité des services
function Test-ServiceSecurity {
    $issues = @()
    
    # Vérification des services critiques
    $criticalServices = @("RemoteRegistry", "Telnet", "TFTP")
    foreach ($service in $criticalServices) {
        if ((Get-Service $service -ErrorAction SilentlyContinue).Status -eq "Running") {
            $issues += "Service critique $service est en cours d'exécution"
        }
    }
    
    # Vérification des permissions
    $servicePath = "C:\Windows\System32\services.exe"
    $acl = Get-Acl $servicePath
    if (-not ($acl.Access | Where-Object {$_.IdentityReference -eq "NT AUTHORITY\SYSTEM"})) {
        $issues += "Permissions incorrectes sur services.exe"
    }
    
    return $issues
}

Maintenance Automatique

# Script de maintenance des services
function Update-ServiceSecurity {
    # Désactivation des services non essentiels
    $nonEssentialServices = @(
        "RemoteRegistry",
        "Telnet",
        "TFTP",
        "SNMP"
    )
    
    foreach ($service in $nonEssentialServices) {
        if (Get-Service $service -ErrorAction SilentlyContinue) {
            Stop-Service $service
            Set-Service $service -StartupType Disabled
        }
    }
    
    # Mise à jour des permissions
    $serviceFolders = @(
        "C:\Windows\System32\drivers",
        "C:\Windows\System32\config"
    )
    
    foreach ($folder in $serviceFolders) {
        $acl = Get-Acl $folder
        $acl.SetAccessRuleProtection($true, $false)
        Set-Acl $folder $acl
    }
}

Conclusion

La sécurisation des services Windows nécessite :

• Une gestion stricte des services
• Une configuration appropriée des permissions
• Un monitoring constant
• Des mises à jour régulières
• Une documentation précise

Points clés à retenir :

• Désactiver les services non essentiels
• Maintenir des permissions minimales
• Surveiller les anomalies
• Effectuer des audits réguliers
• Suivre les bonnes pratiques de sécurité