Windows service resilience and defense - ToddMaxey/Technical-Documentation GitHub Wiki

Note: In this document the Event log service is used as the example. This can apply to any service.


Filter RPC traffic with Windows Firewall

Create a Windows Firewall rule that blocks inbound traffic destined for the Event Log service:

  1. Open the Windows Firewall by going to the Control Panel and selecting "System and Security" and then "Windows Firewall".

  2. Click on the "Advanced settings" link on the left side of the Windows Firewall window.

  3. In the Windows Firewall with Advanced Security window, click on the "Inbound Rules" option on the left side of the window.

  4. Click on the "New Rule" option on the right side of the window.

  5. In the New Inbound Rule Wizard, select the "Custom" rule type and click on the "Next" button.

  6. In the "Program" step, select the "All programs" option and click on the "Next" button.

  7. In the "Protocol and Ports" step, select the "TCP" protocol and enter "135,445" in the "Local port" field. Click on the "Next" button.

Note: The Event Log service is reachable remotely over RPC on TCP sockets (RPC endpoint mapper, TCP 135) and over named pipes (SMB, TCP 445) at \\.\pipe\eventlog.

  8. In the "Scope" step, you can specify the remote IP addresses that you want to block. If you want to block all remote IP addresses, leave the default settings and click on the "Next" button.

  9. In the "Action" step, select the "Block the connection" option and click on the "Next" button.

  10. In the "Profile" step, select the profiles that you want the rule to apply to and click on the "Next" button.

  11. In the "Name" step, enter a name for the rule and click on the "Finish" button.

To block Event Log traffic except from specific IP addresses, CIDR blocks or machine names, follow the same steps as above, but in the "Scope" step specify the remote IP addresses you want to allow in the "Remote IP address" section. You can enter individual IP addresses, a range of IP addresses, or a CIDR block. To specify a machine name, click the "Add" button, select "Predefined set of computers", then select "Remote Computer" and enter the machine name.
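The same rules expressed with the NetSecurity cmdlets, as an added example that is not part of the wiki page. It runs from an elevated PowerShell prompt; the rule name, the example blocked addresses and the 10.0.1.0/24 management subnet are assumptions to replace with your own values.

```powershell
# Added example (not from the wiki): the inbound rules from the walkthrough
# built with the NetSecurity module, then verified. Run elevated.
# Rule name, blocked addresses and the 10.0.1.0/24 subnet are assumptions.

$ruleName = 'Block inbound RPC/SMB to Event Log'

# 1) Wizard equivalent: all programs, TCP 135 and 445, all remote addresses,
#    all profiles, action Block. This also blocks every other RPC endpoint
#    mapper and SMB client, not only remote event log access.
New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Drops inbound TCP 135 (RPC EPMAP) and TCP 445 (named pipes)' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 135, 445 `
    -RemoteAddress Any -Profile Any -Enabled True | Out-Null

# 2) Scope step: on a Block rule the Scope lists the addresses the rule
#    applies to, i.e. the addresses that get blocked. Hosts, ranges and
#    CIDR blocks are all accepted (documentation ranges used here).
Set-NetFirewallRule -DisplayName $ruleName `
    -RemoteAddress '192.0.2.10', '198.51.100.0/24', '203.0.113.1-203.0.113.50'

# 3) Allow-list for a management subnet: Windows Firewall evaluates Block
#    rules before Allow rules, so an exception cannot be carved out of the
#    Block rule itself. Keep the profile default of blocking unsolicited
#    inbound traffic and scope the built-in allow rules to the trusted subnet.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' `
    -RemoteAddress '10.0.1.0/24' -Enabled True

# 4) Verify: show the block rule with its port and address filters.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}
```

TCP 135 carries only the endpoint mapper; the event log RPC interface itself listens on a dynamic port that the mapper hands out. Blocking 135 therefore stops endpoint discovery rather than the interface as such, which is why the allow-list variant scopes the built-in "Remote Event Log Management" rules (which are defined by service, not by port) instead of relying on port numbers alone.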


Configuring Automatic Service Restart Using the Service Snap-in


Introduction

In this article, we'll walk you through configuring a Windows service to automatically restart on first, second, and subsequent failures. By adjusting the service settings directly within the Service Snap-in, you can enhance system reliability and minimize downtime.

Prerequisites

Before proceeding, ensure that you have administrative privileges on the affected system.

Step-by-Step Guide

  1. Open the Services Snap-in:

    • Press Win + R, type services.msc, and hit Enter.

    • The Services window will open, displaying a list of all services on your system.

  2. Locate the Windows Event Log Service:

    • Scroll through the list of services or use the search bar.

    • Find the "Windows Event Log" service.

  3. Access Service Properties:

    • Right-click on the Windows Event Log service and select Properties.

    • The Properties dialog box for the service will appear.

  4. Configure Recovery Options:

    • Navigate to the "Recovery" tab.

    • Here, you can set actions for the service to take on different types of failures:

      • First failure: Choose "Restart the Service" from the drop-down menu.

      • Second failure: Again, select "Restart the Service".

      • Subsequent failures: You can choose to restart the service or take other actions (e.g., run a program, reboot the computer).

  5. Set Delay Options (Optional):

    • If desired, configure the "Restart service after" delay. This prevents immediate restarts, allowing time for any underlying issues to stabilize.

  6. Apply and Save Changes:

    • Click OK to save your settings.

  7. Testing and Monitoring:

    • To test the configuration, intentionally stop the Windows Event Log service (e.g., via the Services Snap-in).

    • Observe whether the service automatically restarts after the specified failures.

  8. Review Event Logs:

    • Check the Event Viewer for any related events. Look for service restart events.
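The Recovery-tab settings from steps 1 to 8 applied from the command line and then verified, as an added example that is not part of the wiki page. It uses sc.exe from an elevated prompt; EventLog is the short name of the "Windows Event Log" service, while the delays and the reset period are assumptions.

```powershell
# Added example (not from the wiki): Recovery-tab settings via sc.exe, then
# verification and the monitoring query from step 8. Run elevated.
# Delays (1 min, 1 min, 5 min) and the 1-day reset period are assumptions.

$service = 'EventLog'

# reset=   seconds of clean running after which the failure count returns to 0
#          (86400 = 1 day, the snap-in default).
# actions= action/delay-in-ms for first, second and subsequent failures;
#          restart/60000 means "Restart the Service" after 1 minute.
sc.exe failure $service reset= 86400 actions= restart/60000/restart/60000/restart/300000

# "Enable actions for stops with errors" on the Recovery tab: without it the
# actions run only when the process dies unexpectedly, not when the service
# stops itself with a non-zero exit code.
sc.exe failureflag $service 1

# Verify what the Service Control Manager now holds for the service.
sc.exe qfailure $service

# Current state and start type (Win32_Service does not expose recovery
# actions, so this only confirms the service is up and set to Automatic).
Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'" |
    Select-Object Name, State, StartMode, ProcessId

# Step 8, review event logs: the SCM records Event ID 7031 when a service
# terminates unexpectedly and a recovery action is configured, and 7034 when
# no action is configured. Pull the last day's entries for this service.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Event Log*' } |
    Select-Object TimeCreated, Id, Message
```

Recovery actions run only when the Service Control Manager sees a failure: the service process terminating unexpectedly, or exiting with a non-zero code when the failure flag above is set. A clean stop from the snap-in or `Stop-Service` is not a failure, so when testing step 7 expect a restart only after an actual crash or error exit, and look for 7031 rather than the 7036 "entered the stopped state" event.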

Configuring Automatic Service Restart Using Task Scheduler

Overview

The Windows Event Log service plays a critical role in logging system events, security incidents, and application-related information. However, a recent zero-day vulnerability has highlighted the need for proactive measures to ensure the service remains operational even in the face of potential crashes. In this article, we'll guide you through setting up automatic restarts for the Windows Event Log service to mitigate the impact of this vulnerability.

Prerequisites

Before proceeding, ensure that you have administrative privileges on the affected system.

Steps to Configure Automatic Service Restart

  1. Open Task Scheduler:

    • Press Win + R, type taskschd.msc, and hit Enter.

    • The Task Scheduler window will open.

  2. Create a New Task:

    • In the left pane, navigate to Task Scheduler Library.

    • Right-click and select Create Basic Task.

    • Follow the wizard to create a new task.

  3. Task Details:

    • Provide a meaningful name for the task (e.g., "Windows Event Log Restart").

    • Add a description if desired.

  4. Trigger Configuration:

    • Choose the trigger that suits your needs. For automatic restarts after service failures, consider using:

      • "On an event": Trigger the task when a specific event occurs.

        • Select Custom and configure the following settings:

          • Log: System

          • Source: Service Control Manager

          • Event ID: 7031 (service stopped unexpectedly)

      • Adjust other trigger settings as needed.

  5. Action Configuration:

    • Choose "Start a program" as the action.

    • In the program/script field, enter: powershell.exe.

    • In the arguments field, enter:

      -ExecutionPolicy Bypass -File "C:\Path\To\RestartEventLogService.ps1"

      Replace C:\Path\To\RestartEventLogService.ps1 with the actual path to a PowerShell script that restarts the service. You can create this script (see next step).

  6. Create the PowerShell Script:

    • Open Notepad or any text editor.

    • Create a new file named RestartEventLogService.ps1.

    • Add the following content:

      # Restart Windows Event Log service
      Restart-Service -Name "EventLog" -Force

    • Save the script to a secure location.

  7. Security Options:

    • Set the task to run with highest privileges.

    • Configure the task to run whether the user is logged on or not.

  8. Review and Finish:

    • Review your settings and click Finish.

Testing and Monitoring

  1. Test the Task:

    • Manually trigger the task to ensure it restarts the Windows Event Log service.

  2. Monitor Event Logs:

    • Regularly check the event logs for any service restart events.

    • Investigate any recurring issues.
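The task from steps 1 to 8 registered with PowerShell instead of the wizard, then run and inspected as in "Testing and Monitoring", as an added example that is not part of the wiki page. The event trigger is narrowed to the Event Log service only, since the wizard's plain Event ID 7031 trigger fires for every service that crashes. The task name, the script path and the `param1` EventData field name are assumptions; check the field name against a real 7031 event in Event Viewer's XML view before relying on it.

```powershell
# Added example (not from the wiki): registers the restart task with an
# event trigger filtered to the Windows Event Log service, then runs it.
# Run elevated. Task name, script path and the 'param1' field name are
# assumptions; verify 'param1' against an actual 7031 event's XML view.

$taskName   = 'Windows Event Log Restart'
$scriptPath = 'C:\Path\To\RestartEventLogService.ps1'   # replace with the real path

# Step 4: System log, Service Control Manager, Event ID 7031, restricted to
# events whose EventData param1 (service display name) is "Windows Event Log".
$subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and EventID=7031]]
      and *[EventData[Data[@Name='param1']='Windows Event Log']]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event-trigger parameter set, so build the
# MSFT_TaskEventTrigger CIM instance directly.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                             -ClassName 'MSFT_TaskEventTrigger'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# Step 5: powershell.exe with the arguments from the walkthrough.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# Step 7: highest privileges, runs whether or not a user is logged on.
# SYSTEM avoids storing a user password with the task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Do not let battery state skip the restart; cap the run time so a hung
# script cannot linger.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# Testing step 1: trigger by hand, then check the last result (0 = success)
# and that the service is back up.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $taskName |
    Select-Object TaskName, LastRunTime, LastTaskResult
Get-Service -Name EventLog | Select-Object Name, Status, StartType
```

The 7031 event this task waits for is written to the System log, which is hosted by the very service that has just failed, whereas the Recovery-tab actions from the previous section are carried out by the Service Control Manager without involving the log. Treat the scheduled task as a second layer behind the Recovery settings rather than a replacement for them.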

Conclusion

By configuring automatic service restarts, you enhance the resilience of the Windows Event Log service. Remember to stay informed about official patches and updates from Microsoft to address the underlying vulnerability and remember this approach applies not only to the Windows Event Log service but to other critical services as well. Regularly review and adjust these settings based on your organization's needs.

Stay vigilant and keep your systems resilient! 🛡️🔒