WindowsDevCenter.com

Identifying Essential Windows Services: Part 1

by Mitch Tulloch, author of Windows Server Hacks
11/29/2005

An important part of hardening Windows servers against attack is disabling any unnecessary services on your machines. A freshly installed member server running Windows Server 2003 with no specific roles defined (that is, not a file server or a print server or a web server, and so on) has more than 80 installed services visible in the Services console. These services are configured by default in various ways, with some configured for Automatic startup and therefore running by default, some configured for Manual startup and either stopped or running, and some configured as Disabled and therefore stopped.

By comparison, Windows 2000 servers have fewer installed services by default, but more of these are configured for Automatic startup and are therefore running by default. The result is that Windows Server 2003 machines are more secure out of the box than Windows 2000 servers, so if you're still running the earlier platform you need to do a bit more work to ensure that only those services that are needed are running on your server.

But even with servers running Windows Server 2003 it's still valid to ask whether the default configuration of services is secure enough. The logical place to start is to ask which services are essential to normal operation of Windows servers, then go further and ask which additional services are needed when servers are fulfilling specific roles on your network such as file/print servers or web servers. I'll address the first question in this article and consider the second question in Part 2 later.

Bare Minimum Services

The Microsoft Windows Security Resource Kit is probably a pretty reliable source of information on securing Windows servers (we would hope!). In general, for all Windows 2000 and Windows XP machines this book recommends that the following minimum services be configured.

Services that should be configured to start automatically on Windows 2000 member servers:

  • DHCP Client
  • DNS Client
  • Event Log
  • Logical Disk Manager
  • Netlogon
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC)
  • Remote Registry Service
  • Security Accounts Manager
  • Server
  • System Event Notification (SENS)
  • TCP/IP NetBIOS Helper Service
  • Windows Time Service (W32Time)
  • Workstation

Services that should be configured to start manually on Windows 2000 member servers:

  • Logical Disk Manager Administrative Service
  • Network Connections
  • Performance Logs and Alerts
  • Windows Management Instrumentation Driver Extensions

Most of these services are pretty obviously needed by servers running in a low or medium security environment, but before you start disabling everything else on your servers and end up with broken applications or other unexpected results, we should dig a little deeper into this subject by considering the recommendations of another important piece of Microsoft documentation: the Windows Server 2003 Security Guide. This document is a little more up to date than the Security RK, so let's see what the Security Guide recommends for minimum services needed on bare member servers, that is, member servers without any specific server roles defined.

Services that should be configured to start automatically on Windows Server 2003 member servers:

  • Automatic Updates
  • Computer Browser
  • Cryptographic Services
  • DHCP Client
  • DNS Client
  • Event Log
  • IPSec Services
  • Netlogon
  • NTLM Security Support Provider
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC)
  • Remote Registry Service
  • Security Accounts Manager
  • Server
  • System Event Notification
  • TCP/IP NetBIOS Helper Service
  • Terminal Services
  • Windows Installer
  • Windows Management Instrumentation
  • Windows Time
  • Workstation

Services that should be configured to start manually on Windows Server 2003 member servers:

  • Background Intelligent Transfer Service
  • COM+ Event System
  • Logical Disk Manager
  • Logical Disk Manager Administrative Service
  • Microsoft Software Shadow Copy Provider
  • Network Connections
  • Network Location Awareness (NLA)
  • Performance Logs and Alerts
  • Remote Administration Service
  • Removable Storage
  • Volume Shadow Copy
  • Windows Management Instrumentation Driver Extensions
  • WMI Performance Adapter
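
One way to check a server against the two Security Guide lists above, as an added example that is not from the article or from Microsoft's guide. It assumes Windows PowerShell and records shaped like `Win32_Service` (`DisplayName`, `StartMode`); `Compare-ServiceBaseline`, `New-Finding` and the sample records are hypothetical names and constructed data.

```powershell
# Baseline: the Windows Server 2003 Security Guide lists above, display names as printed on this page.
$Baseline = @{}
@('Automatic Updates','Computer Browser','Cryptographic Services','DHCP Client','DNS Client',
  'Event Log','IPSec Services','Netlogon','NTLM Security Support Provider','Plug and Play',
  'Protected Storage','Remote Procedure Call (RPC)','Remote Registry Service',
  'Security Accounts Manager','Server','System Event Notification','TCP/IP NetBIOS Helper Service',
  'Terminal Services','Windows Installer','Windows Management Instrumentation','Windows Time',
  'Workstation') | ForEach-Object { $Baseline[$_] = 'Auto' }
@('Background Intelligent Transfer Service','COM+ Event System','Logical Disk Manager',
  'Logical Disk Manager Administrative Service','Microsoft Software Shadow Copy Provider',
  'Network Connections','Network Location Awareness (NLA)','Performance Logs and Alerts',
  'Remote Administration Service','Removable Storage','Volume Shadow Copy',
  'Windows Management Instrumentation Driver Extensions','WMI Performance Adapter') |
    ForEach-Object { $Baseline[$_] = 'Manual' }
function New-Finding($Name, $Finding, $Expected, $Actual) {
    New-Object PSObject -Property @{ DisplayName=$Name; Finding=$Finding; Expected=$Expected; Actual=$Actual }
}
function Compare-ServiceBaseline {
    param([object[]]$Services, [hashtable]$Baseline)
    $seen = @{}
    foreach ($svc in $Services) {
        $seen[$svc.DisplayName] = $true
        if ($Baseline.ContainsKey($svc.DisplayName)) {
            $want = $Baseline[$svc.DisplayName]
            if ($svc.StartMode -ne $want) { New-Finding $svc.DisplayName 'StartModeDiffers' $want $svc.StartMode }
        } elseif ($svc.StartMode -ne 'Disabled') {
            # Outside the bare-member-server lists and still startable: review it, do not blindly disable.
            New-Finding $svc.DisplayName 'NotInBaseline' '(not listed)' $svc.StartMode
        }
    }
    # A baseline name with no match usually means the installed display name differs from the printed one.
    foreach ($name in $Baseline.Keys) {
        if (-not $seen.ContainsKey($name)) { New-Finding $name 'NameNotFound' $Baseline[$name] '(not found)' }
    }
}

# Constructed sample records standing in for Win32_Service output (not taken from a real server).
$Sample = @(
    (New-Object PSObject -Property @{ DisplayName='Event Log';          StartMode='Auto' }),
    (New-Object PSObject -Property @{ DisplayName='Windows Installer';  StartMode='Manual' }),
    (New-Object PSObject -Property @{ DisplayName='Volume Shadow Copy'; StartMode='Auto' }),
    (New-Object PSObject -Property @{ DisplayName='Telnet';             StartMode='Manual' }),
    (New-Object PSObject -Property @{ DisplayName='Alerter';            StartMode='Disabled' })
)
# NameNotFound rows are hidden here only because the sample is five records long.
Compare-ServiceBaseline -Services $Sample -Baseline $Baseline |
    Where-Object { $_.Finding -ne 'NameNotFound' } |
    Sort-Object Finding, DisplayName | Format-Table DisplayName, Finding, Expected, Actual -AutoSize
# Live server: pass (Get-WmiObject Win32_Service) as -Services and drop the Where-Object filter.
```

On a live server the `NameNotFound` rows matter: they show where a display name printed in the lists does not match what is installed, so that service was never actually compared.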
