Identifying Essential Windows Services: Part 2
by Mitch Tulloch, author of Windows Server Hacks
In a previous article we looked at the bare minimum services that need to be running on a member server running Windows Server 2003 or Windows 2000 Server. These minimum services are those required for normal server operation and do not provide support for any specific role such as file/print server or web server that the member server may need to have.
In this follow-up article, we'll look at what additional services need to be running on servers that are configured with some specific role. In particular, we'll examine the additional services needed by the following server roles:
- Domain controllers
- Infrastructure servers
- File servers
- Print servers
- Web servers (intranet or bastion host)
The recommendations below are incremental, that is, add them to the general recommendations in the previous article for bare member servers. For further details concerning these recommendations, see the Windows Server 2003 Security Guide, the Microsoft Windows Security Resource Kit, and other sources of information on Microsoft.com.
Domain controllers require that the following additional services be set for Automatic startup:
- Distributed File System
- DNS Server
- File Replication
- Intersite Messaging
- Kerberos Key Distribution Center
- Remote Procedure Call (RPC) Locator
The DNS Server service is required only if your domain controller is also configured in the role of a name server, but this is the usual approach in Windows server environments and makes life simpler than running BIND name servers to support Active Directory. The other services are pretty obviously needed by domain controllers if they are to function properly in their role as seats of network authentication and directory access.
While the term "infrastructure server" usually suggests the inclusion of DNS servers, in this context we'll restrict it to mean DHCP and WINS servers, that is, servers that support addressing and naming on the network (DNS is usually rolled into domain controller roles in Active Directory environments). The following services are required to be configured for Automatic startup on infrastructure servers as needed:
- DHCP Server
The only additional service that file servers may need set to Automatic is the Distributed File System service, and this is required only in environments where DFS is implemented to simplify access to shared folders and volumes, or to support replication of DFS roots for fault tolerance in Windows Server 2003 environments.
Print servers naturally require that the Print Spooler service be configured for Automatic startup, otherwise the servers won't be able to create and manage print queues for printers on the network. An interesting aside here is that if you enable SMB packet signing on print servers, users will still be able to print to the server but won't be able to view or manage their documents in the print queue.
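The per-role lists above can be checked with a short audit script. The following is an added example, not code from the article: the function name `Test-RoleServices` and the role keys are hypothetical, the service display names are the ones listed in the article, and matching them by prefix is an assumption made because display names can differ slightly between Windows releases.

```powershell
# Added example: role baselines built from the display names listed in the article.
$RoleBaseline = @{
    'DomainController' = @(
        'Distributed File System',
        'DNS Server',                       # only if the DC is also a name server
        'File Replication',
        'Intersite Messaging',
        'Kerberos Key Distribution Center',
        'Remote Procedure Call (RPC) Locator'
    )
    'Infrastructure'   = @('DHCP Server')
    'FileServer'       = @('Distributed File System')   # only where DFS is deployed
    'PrintServer'      = @('Print Spooler')
}

function Test-RoleServices {
    param(
        [Parameter(Mandatory = $true)][string]$Role,
        [string]$ComputerName = '.'
    )
    if (-not $RoleBaseline.ContainsKey($Role)) {
        throw "Unknown role '$Role'. Valid roles: $($RoleBaseline.Keys -join ', ')"
    }
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'.
    $services = @(Get-WmiObject -Class Win32_Service -ComputerName $ComputerName)

    foreach ($name in $RoleBaseline[$Role]) {
        # Prefix match on the display name (assumption, see lead-in).
        $found = @($services | Where-Object {
            $_.DisplayName -and
            $_.DisplayName.StartsWith($name, [StringComparison]::OrdinalIgnoreCase)
        })
        if ($found.Count -eq 0) {
            # The service is not present, so the role cannot be fully functional.
            New-Object PSObject -Property @{
                Service = $name; StartMode = 'NotInstalled'; State = 'n/a'; Compliant = $false }
            continue
        }
        foreach ($svc in $found) {
            New-Object PSObject -Property @{
                Service = $svc.DisplayName; StartMode = $svc.StartMode
                State = $svc.State; Compliant = ($svc.StartMode -eq 'Auto') }
        }
    }
}

# Usage: list every baseline service that is missing or not set to Automatic.
Test-RoleServices -Role 'DomainController' |
    Where-Object { -not $_.Compliant } | Select-Object Service, StartMode, State
```

An empty result means every service in the role's list is installed and set to Automatic; the script only reads configuration and changes nothing.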