oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

Identifying Essential Windows Services: Part 2
Pages: 1, 2

Web Servers

Web servers (IIS servers) need some additional services configured for Automatic startup as well:

  • IIS Admin Service
  • World Wide Web Publishing Service

If a web server is running within your corporate network as an intranet server, then adding these services to the list of essential member server services is sufficient. But if your web server lies on your perimeter network and has the role of a bastion host, which in this case means a public-facing Internet server, then you need to tighten security on your server by modifying the startup for many of the services normally set to Manual or Automatic on bare member servers. In particular, the Windows Server 2003 Security Guide recommends that you disable the following services on a bastion host:

  • Automatic Updates
  • Background Intelligent Transfer Service
  • Computer Browser
  • DHCP Client
  • Network Location Awareness (NLA)
  • NTLM Security Support Provider
  • Performance Logs and Alerts
  • Remote Administration Service
  • Remote Registry Service
  • Server
  • TCP/IP NetBIOS Helper Service
  • Terminal Services
  • Windows Installer
  • Windows Management Instrumentation Driver Extensions
  • WMI Performance Adapter

Putting this in perspective, if we combine the recommendations for bastion hosts above with the recommended minimum services for bare member servers described in my previous article, we find that a public-facing Windows Server 2003 web server only needs the following services configured:

Services that should be configured to start automatically:

  • Cryptographic Services
  • DNS Client
  • Event Log
  • IPSec Services
  • Netlogon
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC)
  • Security Accounts Manager
  • System Event Notification
  • Windows Management Instrumentation
  • Windows Time
  • Workstation

Services that should be configured to start manually:

  • COM+ Event System
  • Logical Disk Manager
  • Logical Disk Manager Administrative Service
  • Microsoft Software Shadow Copy Provider
  • Network Connections
  • Removable Storage
  • Volume Shadow Copy
  • WMI Performance Adapter

Every other service on a public-facing web server running Windows Server 2003 should be set to Disabled.


The recommendations in this article and the previous one are based on official Microsoft documentation and are assumed to be reliable. But consider these three things before you start disabling "unnecessary" services on your Windows servers:

  • Some applications and/or special networking environments may require additional services configured for Manual or Automatic startup, so a good approach is to disable "unnecessary" services one at a time. After disabling each service, you should test your network applications to ensure they still work properly.
  • It's a good idea to isolate server roles on separate machines as much as possible. For example, you normally don't want a web server also to be functioning as a DNS server, or a domain controller to be configured as a root certificate authority, and so on.
  • And finally, remember again that the more services you disable, the more difficult it may become to manage your server, especially in a remote branch office environment.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

Return to the Windows DevCenter.