
Identifying Essential Windows Services: Part 2

by Mitch Tulloch, author of Windows Server Hacks

In a previous article we looked at the bare minimum services that need to be running on a member server running Windows Server 2003 or Windows 2000 Server. These minimum services are those required for normal server operation and do not provide support for any specific role such as file/print server or web server that the member server may need to have.

In this follow-up article, we'll look at what additional services need to be running on servers that are configured with some specific role. In particular, we'll examine the additional services needed by the following server roles:

  • Domain controllers
  • Infrastructure servers
  • File servers
  • Print servers
  • Web servers (intranet or bastion host)

The recommendations below are incremental, that is, add them to the general recommendations in the previous article for bare member servers. For further details concerning these recommendations, see the Windows Server 2003 Security Guide, the Microsoft Windows Security Resource Kit, and other sources of information on

Domain Controllers

Domain controllers require that the following additional services be set for Automatic startup:

  • Distributed File System
  • DNS Server
  • File Replication
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • Remote Procedure Call (RPC) Locator

The DNS Server service is required only if your domain controller is also configured in the role of a name server, but this is the usual approach in Windows server environments and makes life simpler than running BIND name servers to support Active Directory. The other services are pretty obviously needed by domain controllers if they are to function properly in their role as seats of network authentication and directory access.

Infrastructure Servers

While this term usually suggests the inclusion of DNS servers, in this context we'll restrict it to mean DHCP and WINS servers, that is, servers that support addressing and naming on the network (DNS is usually rolled into domain controller roles in Active Directory environments). The following services are required to be configured for Automatic startup on infrastructure servers as needed:

  • DHCP Server
  • WINS

File Servers

The only additional service that file servers may need set to Automatic is the Distributed File System service, and this is required only in environments where DFS is implemented to simplify access to shared folders and volumes, or to support replication of DFS roots for fault tolerance in Windows Server 2003 environments.

Print Servers

Print servers naturally require that the Print Spooler service be configured for Automatic startup; otherwise the servers won't be able to create and manage print queues for printers on the network. An interesting aside here is that if you enable SMB packet signing on print servers, users will still be able to print to the server but won't be able to view or manage their documents in the print queue.
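One way to check a server against the role lists above, as an added example that is not code from the article or its author: the function name `Test-RoleServices`, the role keys, and the finding labels are hypothetical, and the web server role is left out because its services are not listed on this page. Flagging another role's service that is set to Automatic is an assumption that follows from the series' aim of running only the services a server needs.

```powershell
# Added example: baseline built from the role lists in this article. Entries are the
# article's display names used as -like patterns; wildcards are an assumption.
$RoleBaseline = @{
    DomainController = @('Distributed File System', 'DNS Server', 'File Replication*',
                         'Intersite Messaging', 'Kerberos Key Distribution Center',
                         'Remote Procedure Call (RPC) Locator')
    Infrastructure   = @('DHCP Server', '*WINS*')
    FileServer       = @('Distributed File System')   # only where DFS is implemented
    PrintServer      = @('Print Spooler')
}
function Test-RoleServices {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DomainController', 'Infrastructure', 'FileServer', 'PrintServer')]
        [string[]]$Role,
        # Objects exposing DisplayName and StartMode, such as Win32_Service instances
        [Parameter(Mandatory = $true)][object[]]$Services
    )
    # Patterns required by the roles this server holds
    $required = @($Role | ForEach-Object { $RoleBaseline[$_] } | Select-Object -Unique)
    # Patterns that belong only to roles this server does not hold
    $foreign  = @($RoleBaseline.Keys | Where-Object { $Role -notcontains $_ } |
        ForEach-Object { $RoleBaseline[$_] } | Select-Object -Unique |
        Where-Object { $required -notcontains $_ })
    foreach ($pattern in $required) {
        $svc = @($Services | Where-Object { $_.DisplayName -like $pattern })
        if ($svc.Count -eq 0) {
            [pscustomobject]@{ Service = $pattern; StartMode = $null; Finding = 'NotInstalled' }
        } else {
            foreach ($s in $svc) {
                $finding = if ($s.StartMode -eq 'Auto') { 'OK' } else { 'RequiredNotAutomatic' }
                [pscustomobject]@{ Service = $s.DisplayName; StartMode = $s.StartMode; Finding = $finding }
            }
        }
    }
    foreach ($pattern in $foreign) {
        $Services | Where-Object { $_.DisplayName -like $pattern -and $_.StartMode -eq 'Auto' } |
            ForEach-Object {
                [pscustomobject]@{ Service = $_.DisplayName; StartMode = 'Auto'; Finding = 'AutomaticButNoRole' }
            }
    }
}
# Constructed sample inventory for a combined file/print server
$sample = @(
    [pscustomobject]@{ DisplayName = 'Print Spooler';           StartMode = 'Auto' }
    [pscustomobject]@{ DisplayName = 'Distributed File System'; StartMode = 'Manual' }
    [pscustomobject]@{ DisplayName = 'DHCP Server';             StartMode = 'Auto' }
)
Test-RoleServices -Role FileServer, PrintServer -Services $sample | Format-Table -AutoSize
```

On a live server, pass the output of `Get-CimInstance Win32_Service` (or `Get-WmiObject Win32_Service` on older PowerShell) as `-Services`. Treat each finding as a review item, since the article makes DNS Server and Distributed File System conditional on how the environment is set up.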
