Impact of Least Privilege in System Services

Of all the security changes in Vista, UAC with its split token and MIC is, for obvious reasons, getting the most attention. But a lot of other areas have been tightened up for security reasons, and we keep finding new ones that impact customers. One of them is detailed in the document on service changes in Vista. The specific section is called Running with Least Privilege.

In Vista, NT services can be explicitly given only the privileges they need. You can view them with "sc qprivs" or go straight to the registry (the RequiredPrivileges value under the service's key in HKLM\SYSTEM\CurrentControlSet\Services). This is a good thing because a service that needs only one or two privileges no longer has to get all the other privileges that, for example, Local System has. For example, "sc qprivs rpcss" will give you only three privileges on Vista.

As with pretty much any change, there are impacts. For example, if your MSI package had a custom action (CA) that assumed the Windows Installer service had the SeBackupPrivilege, you will be unpleasantly surprised. Checking it with "sc qprivs msiserver" shows that SeBackupPrivilege is no longer there. This was done to reduce the attack surface of the Windows Installer service.
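The registry check described above can be scripted to audit services for a privilege your code depends on. This is an added example, not part of the original post; the function names are hypothetical, and it assumes a Windows host where you can read HKLM.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceRequiredPrivilege {
    param([Parameter(Mandatory)][string]$Name)

    $path = Join-Path $ServicesRoot $Name
    if (-not (Test-Path -LiteralPath $path)) {
        throw "No service key at $path"
    }
    # RequiredPrivileges is a REG_MULTI_SZ value. GetValue returns $null when
    # the service has not declared a reduced privilege set.
    $raw = (Get-Item -LiteralPath $path).GetValue('RequiredPrivileges', $null)
    [pscustomobject]@{
        Service    = $Name
        Declared   = $null -ne $raw
        Privileges = @($raw | Where-Object { $_ })   # drop empty strings
    }
}

function Test-ServicePrivilege {
    param(
        [Parameter(Mandatory)][string[]]$Service,
        [Parameter(Mandatory)][string[]]$Privilege
    )
    foreach ($svc in $Service) {
        $info = Get-ServiceRequiredPrivilege -Name $svc
        foreach ($priv in $Privilege) {
            $status = if (-not $info.Declared) {
                'NoList'     # no RequiredPrivileges value: the registry cannot answer
            } elseif ($info.Privileges -contains $priv) {
                'Listed'
            } else {
                'Missing'    # code hosted by this service must not assume it
            }
            [pscustomobject]@{ Service = $svc; Privilege = $priv; Status = $status }
        }
    }
}

# The two services named in the post, checked for the privilege the
# custom action assumed.
Test-ServicePrivilege -Service 'msiserver', 'rpcss' -Privilege 'SeBackupPrivilege' |
    Format-Table -AutoSize
```

A status of Missing for msiserver corresponds to the custom action failure described above.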

Let us know if this or another service missing a privilege is impacting you.

Thanks to Christopher for pointing this out.

Maarten