Application Compatibility: Session 0 Isolation
High (frequency: low)
In Windows XP®, Windows Server® 2003, and earlier versions of the Windows® operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents that are looking for a means to elevate their own privilege levels.
The Windows Vista® and Windows Server® 2008 operating systems mitigate this security risk by isolating services in Session 0 and making Session 0 non-interactive. In Windows Vista and Windows Server 2008, only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This approach means that services never run in the same session as users' applications and are therefore protected from attacks that originate in application code.
Specific examples of affected driver classes include:
Printer drivers, which are loaded by the spooler service.
All drivers authored with the User Mode Driver Framework (UMDF) because these drivers are hosted by a process in Session 0.
Application classes affected by this feature include:
Services that create UI.
A service that tries to use window-message functions such as SendMessage and PostMessage to communicate with an application.
Applications creating globally named objects.
If a service belonging to an application throws a UI, the application is waiting on the service, and the UI is not displayed in the user session.
If the application's service uses a UI, a built-in mitigation in Windows Vista and Windows Server 2008 allows the user to interact with the Session 0 UI in a special desktop. This desktop will make available the UI specific to the application, rather than the entire Session 0 desktop.
If the application creates globally named objects, use the Windows XP compatibility mode to ensure that the application will continue to work with the Session 0 services.
Test and verify the application on Windows XP in a Terminal Server mode or a Fast User Switching (FUS) mode. If the application works properly on Windows XP in these scenarios, it is very likely to work under Windows Vista and Windows Server 2008.
Verify that the application functions properly after applying the Windows XP compatibility mode, which contains mitigation for some of the Session 0 issues.
Test the driver in Windows Vista and Windows Server 2008 to ensure that it runs properly. If such a test is not possible, test the driver in Windows XP with FUS enabled and multiple users logged on. If the driver works correctly for the second and subsequent logged-on users, it is not likely to be affected by the Session 0 changes in Windows Vista and Windows Server 2008. The only issues that this test does not detect are those related to the absence of the video driver in Session 0 in Windows Vista and Windows Server 2008.
Leverage Windows Vista and Windows Server 2008 capability:
Use client or server mechanisms such as remote procedure call (RPC) or named pipes to communicate between services and applications.
Use the WTSSendMessage function to create a simple message box on the user’s desktop. This allows the service to give the user a notification and request a simple response.
For more complex UI, use the CreateProcessAsUser function to create a process in the user's session.
Explicitly choose either the Local\ or Global\ namespace for any named objects, such as events or mapped memory that the service makes available.