Una breve descrizione di una nuova feature che troveremo in Windows Vista: il Windows Service Hardening. Cosa farà? Impedirà ai servizi critici di Windows di eseguire attività anomale nel file system, nel registro, in rete o in altre risorse che potrebbero essere fonte di autoinstallazione o di replicazione e diffusione di malware.
Info più complete di seguito:
 
Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.
Windows services represent a large percentage of the overall attack surface in Windows—from the perspective of the quantity of overall "always-on" code footprint in the system, and the privilege level of that code. Windows Vista limits the number of services that are running and operational by default. Today, many system and third-party services run in the LocalSystem account, where any breach could lead to unbounded damage to the local machine—including disk formatting, user data access, or driver installation.
Windows Service Hardening reduces the damage potential of a compromised service by introducing new concepts which are used by Windows services:
• Introduction of a per-service security identifier (SID). It enables per-service identity which subsequently enables access control partitioning through the existing Windows access control model covering all objects and resource managers which use access control lists (ACLs). Services can now apply explicit ACLs to resources which are private to the service, which prevents other services as well as the user from accessing the resource.
 
• Moving services from LocalSystem to a lesser privileged account such as LocalService or NetworkService. This reduces the overall privilege level of the service, which is similar to the benefits derived from User Account Control.
 
• Removal of un-necessary Windows privileges on a per-service basis; for example, the ability to do debugging.
 
• Applying a write-restricted access token to the service process. This access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
 
• Services are assigned network firewall policy, which prevents network access outside the normal bounds of the service program. The firewall policy is linked directly to per-service SID. 
 
Fonte: Microsoft.com