In a previous article we looked at the bare minimum services that need to be running on a member server running Windows Server 2003 or Windows 2000 Server. These minimum services are those required for normal server operation and do not provide support for any specific role such as file/print server or web server that the member server may need to have.
In this follow-up article, we'll look at what additional services need to be running on servers that are configured for a specific role. In particular, we'll examine the additional services needed by the following server roles:
The recommendations below are incremental, that is, add them to the general recommendations in the previous article for bare member servers. For further details concerning these recommendations, see the Windows Server 2003 Security Guide, the Microsoft Windows Security Resource Kit, and other sources of information on Microsoft.com.
Domain controllers require that the following additional services be set for Automatic startup:
The DNS Server service is required only if your domain controller is also configured in the role of a name server, but this is the usual approach in Windows server environments and makes life simpler than running BIND name servers to support Active Directory. The other services are needed by any domain controller if it is to function in its role as the authentication and directory-access point for the domain; stop one of them and logons, replication, or LDAP queries against that controller will fail.
While this term usually suggests the inclusion of DNS servers, in this context we'll restrict it to mean DHCP and WINS servers, that is, servers that support addressing and naming on the network (DNS is usually rolled into the domain controller role in Active Directory environments). The following services are required to be configured for Automatic startup on infrastructure servers, as needed for the role each server actually provides:
The only additional service that file servers may need set to Automatic is the Distributed File System service, and this is required only in environments where DFS is implemented to simplify access to shared folders and volumes, or to support replication of DFS roots for fault tolerance in Windows Server 2003 environments. A plain file server that exposes ordinary shares does not need it, so leave it Disabled unless a DFS namespace or root is actually hosted on the server.
Print servers naturally require that the Print Spooler service be configured for Automatic startup, otherwise the servers won't be able to create and manage print queues for printers on the network. An interesting aside here is that if you enable SMB packet signing on print servers, users will still be able to submit jobs to the server but won't be able to view or manage their documents in the print queue; test this with your client mix before requiring signing on a print server.
Web servers (IIS servers) need some additional services configured for Automatic startup as well:
If a web server is running within your corporate network as an intranet server, then adding these services to the list of essential member server services is sufficient. But if your web server lies on your perimeter network and has the role of a bastion host, which in this case means a public-facing Internet server, then you need to tighten security on your server by changing the startup type of many of the services that are normally set to Manual or Automatic on bare member servers. In particular, the Windows Server 2003 Security Guide recommends that you disable the following services on a bastion host:
Putting this in perspective, if we combine the recommendations for bastion hosts above with the recommended minimum services for bare member servers described in my previous article, we find that a public-facing Windows Server 2003 web server only needs the following services configured:
Services that should be configured to start automatically:
Services that should be configured to start manually:
Every other service on a public-facing web server running Windows Server 2003 should be set to Disabled.
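The procedure the preceding sections describe, taking the bare member server baseline, adding the services a role needs, and (on a bastion host) disabling everything else, is easy to get wrong by hand across a fleet. The following PowerShell script is an added example, not code from the original article or from the Windows Server 2003 Security Guide. It audits a server's current startup types against a per-role baseline and only changes anything when run with -Enforce. The service short names it uses (DNS, DHCPServer, WINS, Dfs, Spooler) are the standard Windows Server 2003 names for the services named above; the $BaseAutomatic and $BaseManual arrays and the remaining role entries are placeholders that you must fill in from the service lists in this article and the previous one. It assumes PowerShell 2.0 or later and WMI access on the server, and it is not role-specific beyond the table, so it works for any role you define.

```powershell
# Added example: audit (and optionally enforce) service startup types for a
# Windows Server 2003 member server according to its role.
# Usage: .\Set-RoleServices.ps1 -Role BastionHost          (report only)
#        .\Set-RoleServices.ps1 -Role BastionHost -Enforce (apply changes)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('DomainController', 'Infrastructure', 'FileServer',
                 'PrintServer', 'WebServer', 'BastionHost')]
    [string]$Role,
    [switch]$Enforce   # without -Enforce nothing is changed
)

# Bare member server baseline from the previous article (placeholders:
# fill these arrays with the services that article lists).
$BaseAutomatic = @()
$BaseManual    = @()

# Incremental per-role services from this article. Short names are the
# standard Windows Server 2003 service names; entries marked "fill in"
# must be completed from the article's own lists.
$RoleServices = @{
    'DomainController' = @{ Automatic = @('DNS');                Manual = @() }  # plus the other DC services (fill in)
    'Infrastructure'   = @{ Automatic = @('DHCPServer', 'WINS'); Manual = @() }  # keep only the ones this server provides
    'FileServer'       = @{ Automatic = @('Dfs');                Manual = @() }  # only if DFS is in use
    'PrintServer'      = @{ Automatic = @('Spooler');            Manual = @() }
    'WebServer'        = @{ Automatic = @();                     Manual = @() }  # IIS services (fill in)
    'BastionHost'      = @{ Automatic = @();                     Manual = @() }  # public-facing IIS (fill in)
}

# Merge baseline and role lists into one name -> expected startup type map.
$Wanted = @{}
foreach ($s in @($BaseAutomatic) + @($RoleServices[$Role].Automatic)) { $Wanted[$s] = 'Automatic' }
foreach ($s in @($BaseManual)    + @($RoleServices[$Role].Manual))    { $Wanted[$s] = 'Manual' }

# Win32_Service.StartMode reports Auto/Manual/Disabled; Set-Service wants
# Automatic/Manual/Disabled, so normalise before comparing.
$ModeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function New-DriftRecord($Svc, $Current, $Expected) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Name        $Svc.Name
    $o | Add-Member NoteProperty DisplayName $Svc.DisplayName
    $o | Add-Member NoteProperty Current     $Current
    $o | Add-Member NoteProperty Expected    $Expected
    return $o
}

$Drift = @()
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $current = $ModeMap[$svc.StartMode]
    if ($Wanted.ContainsKey($svc.Name)) {
        $expected = $Wanted[$svc.Name]
    } elseif ($Role -eq 'BastionHost') {
        # Article: every service not on the bastion host list is Disabled.
        $expected = 'Disabled'
    } else {
        # Other roles: the article only prescribes the listed services,
        # so leave unlisted ones alone and just report the named ones.
        continue
    }
    if ($current -ne $expected) {
        $Drift += New-DriftRecord $svc $current $expected
    }
}

if ($Drift.Count -eq 0) {
    Write-Host "No startup-type drift for role $Role."
} else {
    $Drift | Format-Table Name, DisplayName, Current, Expected -AutoSize
}

if ($Enforce) {
    foreach ($d in $Drift) {
        Set-Service -Name $d.Name -StartupType $d.Expected
        if ($d.Expected -eq 'Disabled') {
            # -Force also stops dependent services; review the report first.
            Stop-Service -Name $d.Name -Force -ErrorAction SilentlyContinue
        }
    }
}
```

Run it without -Enforce first and read the report: a Disabled expectation that shows up against a service you recognise as carrying a dependency (the third caveat below) is the signal to amend the baseline, not to apply it. Keep the role table under change control alongside the rest of your build documentation so that the audit output on a bastion host is itself evidence of compliance with the Security Guide's list.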
The recommendations in this article and the previous one are based on official Microsoft documentation and can be treated as reliable. But consider these three things before you start disabling "unnecessary" services on your Windows servers:
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Copyright © 2009 O'Reilly Media, Inc.