Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)
 See this if you're having trouble printing code examples


Identifying Essential Windows Services: Part 1

by Mitch Tulloch, author of Windows Server Hacks
11/29/2005

An important part of hardening Windows servers against attack is disabling any unnecessary services on your machines. A freshly installed member server running Windows Server 2003 with no specific roles defined (that is, not a file server or a print server or a web server, and so on) has more than 80 installed services visible in the Services console. These services are configured by default in various ways, with some configured for Automatic startup and therefore running by default, some configured for Manual startup and either stopped or running, and some configured as Disabled and therefore stopped.

By comparison, Windows 2000 servers have fewer installed services by default, but more of these configured for Automatic startup and are therefore running by default. The result is that Windows Server 2003 machines are more secure out of the box than Windows 2000 servers, so if you're still running the earlier platform you need to do a bit more work to ensure that only those services that are needed are running on your server.

But even with servers running Windows Server 2003 it's still valid to ask whether the default configuration of services is secure enough. The logical place to start is to ask which services are essential to normal operation of Windows servers, then go further and ask which additional services are needed when servers are fulfilling specific roles on your network such as file/print servers or web servers. I'll address the first question in this article and consider the second question in Part 2 later.

Bare Minimum Services

The Microsoft Windows Security Resource Kit is probably a pretty reliable source of information on securing Windows servers (we would hope!). In general, for all Windows 2000 and Windows XP machines this book recommends that the following minimum services be configured.

Services that should be configured to start automatically on Windows 2000 member servers:

Services that should be configured to start manually on Windows 2000 member servers:

Most of these services are pretty obviously needed by servers running in a low or medium security environment, but before you start disabling everything else on your servers and end up with broken applications or other unexpected results, we should dig a little deeper into this subject by considering the recommendations of another important piece of Microsoft documentation: the Windows Server 2003 Security Guide. This document is a little more up to date than the Security RK, so let's see what the Security Guide recommends for minimum services needed on bare member servers, that is, member servers without any specific server roles defined.

Services that should be configured to start automatically on Windows Server 2003 member servers:

Services that should be configured to start manually on Windows Server 2003 member servers:

Comparing the Recommendations

Comparing the recommendations of the Security RK with the Security Guide, while allowing for a number of new services in the newer platform, leads to some interesting questions. For example, is the Automatic Updates service essential or not? The RK doesn't mention it as essential but the Guide does, and in fact the Guide is correct unless you plan to keep your servers patched using a third-party tool instead of using Microsoft patch management solutions like SUS/WUS or SMS.

What about the Computer Browser service? This service maintains the browse list that lets Windows-based computers view network domains and resources, and in fact it can usually be safely disabled if your network is running Active Directory and all your Windows servers and clients are running Windows 2000 or later.

Both the RK and Guide recommend that the DHCP Client service be set to Automatic, but in fact it can be set to Disabled on servers that have static IP addresses configured. If you use reservations instead of static addressing however, be sure to leave this service running on your servers.

Related Reading

Windows Server Hacks
100 Industrial-Strength Tips & Tools
By Mitch Tulloch

The RK recommends that Logical Disk Manager be set to Automatic but the Guide suggests Manual instead. This service monitors PnP events to detect new drives and here the Guide provides better advice since this service only needs to run when you add or remove disks, create new volumes, and perform other disk-related tasks, so setting this service to Manual works out fine.

What about IPSec Services? In Windows 2000 this service is called IPSec Policy Agent, and if you know you aren't going to be using it then configure it for Manual startup. The Guide probably assumes that you'll be using IPSec in a network environment where security is important, but this assumption is not necessarily correct.

The NTLM Security Support Provider won't be needed if all your clients are Windows 2000 or later, as these clients support Kerberos authentication. By default, Windows Server 2003 member servers configure this service for Manual startup, and while the Guide recommends Automatic there's no clear reason to do so if your clients all support Kerberos.

The Guide also recommends that Terminal Services be set for Automatic startup, and this is necessary if you plan to manage servers remotely using the Remote Desktop feature of Windows XP/2003, which was called Terminal Services in Remote Administration Mode on the earlier Windows 2000 platform.

Secure by Default?

Finally, Microsoft says that Windows Server 2003 was designed to be "secure by default." Comparing the recommendations of the Windows Server 2003 Security Guide with the default startup settings for services on that platform shows that this design goal was not completely met. To see why, here is a list of services that the Guide recommends you set to Disabled but which are actually configured by default for either for Manual or Automatic startup on a freshly installed Windows Server 2003 member server with no server roles added:

The Security Guide recommends that all these services be disabled on a standard member server with no server roles defined. Obviously you will need to enable a few of these services on servers that have specific roles defined, such as file/print server or web server, but we'll cover that in a future article. For now, let's note two things:

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Return to the Windows DevCenter.

Copyright © 2009 O'Reilly Media, Inc.