Monday, October 27, 2008

Session Isolation for Services and Devices

While reviewing a software design specification this morning, I noted that Windows Vista enables session isolation for services and drivers. This is just another way that Vista provides a more secure operating environment than earlier versions of Windows, including Windows Server 2003 and Windows XP. Here is a link to a useful whitepaper if you'd like a high-level understanding of how to modify application and driver services to run in Windows Vista.

Prior to Windows Vista, all services ran in the same session as the first user who logged onto the machine. That first session is called session 0, and the unfortunate side effect is that applications in that session have ready access to services running with elevated permissions. Windows Vista mitigates this security risk by isolating services in session 0 and making this session non-interactive. The first user who logs onto the machine is granted session 1, as shown in the diagram below. Services running in session 0 do not have access to the video driver, so any attempt to render graphics fails. This is one reason why many print services did not initially work in Windows Vista.

Services and applications must therefore communicate using remote protocols, such as RPC, rather than via window messages. However, Windows Vista provides some basic APIs that allow session 0 services to create a message box on a user desktop and to create a process in an interactive session. Obviously, this architecture shift created some compatibility problems for many software vendors, but the net effect is a more secure operating environment.
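As an added example (not from this post or the whitepaper it links), here is a PowerShell check that verifies the layout described above on a running host: every service process should live in session 0, the interactive shell should be in session 1 or higher, and the policy value that keeps services non-interactive should not have been switched off. The function names are mine, and the registry value name `NoInteractiveServices` is assumed from the interactive-services setting Windows has shipped since Vista; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Audits session 0 isolation.
function Get-ServiceSessionReport {
    # Map each running service to its host process and the session that process lives in.
    # Several services share one svchost.exe, so the same ProcessId can appear more than once.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            if ($null -ne $proc) {
                [pscustomobject]@{
                    Service   = $_.Name
                    ProcessId = $_.ProcessId
                    Image     = $proc.ProcessName
                    SessionId = $proc.SessionId
                    Isolated  = ($proc.SessionId -eq 0)   # expected on Vista and later
                }
            }
        }
}

function Test-Session0Isolation {
    $report  = @(Get-ServiceSessionReport)
    $outside = @($report | Where-Object { -not $_.Isolated })

    # Session of this shell: an interactive logon gets session 1 or higher on Vista and later;
    # a value of 0 here would mean the pre-Vista layout, where users shared session 0 with services.
    $shellSession = [System.Diagnostics.Process]::GetCurrentProcess().SessionId

    # Assumed policy value: a non-zero NoInteractiveServices blocks services from
    # being marked interactive; 0 or absent means the legacy behaviour may be re-enabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $noInteractive = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).NoInteractiveServices

    [pscustomobject]@{
        ServicesChecked         = $report.Count
        ServicesOutsideSession0 = $outside.Count
        InteractiveShellSession = $shellSession
        NoInteractiveServices   = $noInteractive
        IsolationInEffect       = ($outside.Count -eq 0 -and $shellSession -ge 1)
    }

    # Anything listed here is a service process sharing a session with a logged-on user.
    if ($outside.Count -gt 0) { $outside | Format-Table -AutoSize }
}

Test-Session0Isolation
```

`IsolationInEffect` is the single value to watch; a service listed as outside session 0 is exactly the configuration the post describes as the pre-Vista risk.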


Cyril Voisin has published an excellent article on this subject if you require a deeper understanding.
