Security Advisor
Windows Services à la Carte
Windows Server 2003 installs fewer services by default, and installs others in a disabled state. Here’s a guide to what they do, and whether you might need them or not.
- By Roberta Bragg
- 08/01/2003
I generally like eating at airport restaurants. The service is usually
brisk, as the waitstaff doesn’t try to chat you up. They know they’ll
get better tips and more of them if they get the order fast, serve the
food fast, bring the bill fast. Just the basics. No six-course meals,
no violin serenade, no complicated menu and no extra silverware.
Sort of like Windows Server 2003. Many things are locked down or not allowed by default. Dozens of Windows Services are disabled by default or not installed, period, like IIS 6.0. I like that. However, before you assume my complete satisfaction or relax security vigilance, read this list of ingredients. Browse over to the Services console in a fresh install of Windows 2003 Server and—wait, what’s this? Yes, lots of services are disabled, but what are all these new ones that aren’t? What have you done now to make it harder for me to do more with less, Microsoft?
It seems we still have a job to do. Securing Windows 2003 boxes will
still require knowing what each service does and what it does when disabled.
Simply choosing services that seem innocuous and disabling them may end
up keeping you up late at night with a stomachache, like ingesting bad
seafood.
Hi, I’m Roberta, and I’ll be Your Waitress
So what’s the answer here? Is there one that won’t involve years of testing?
I have visions of you ensconced in basement labs disabling this service,
running that test, disabling another, crashing servers and tearing your
hair out. Or maybe you’ll follow someone else’s advice and do this in
your production network, only to find out that disabling the DHCP client
service causes certain network cards to fail.
There’s no simple answer, but I can offer a bit of help. Then later in
the column, I provide a list of Windows 2003 services that Microsoft says
are not required in order for a Windows 2003 server to run.
Caution! I am not telling you to disable all
the services described here. Just because a service isn’t required for
the server to run doesn’t mean it’s not required for your server to run
and do what you want it to do. There may be sound performance, stability
or security reasons for running it. Follow best practices by using this
list in your baseline security policy for all servers, then create a policy
for each server role that enables the services you need for each server
to do its job. For more information on how to implement such a strategy,
download the Windows Server 2003 Security Guide at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/win2003/w2003hg/sgch00.asp.
The Rest of the Help
Now that I’ve escorted you to the table, it’s important to meet the rest
of your wait staff. There’s a bit of good news here. Though some services
must use the Local System Account, many new services use lesser privileged
accounts—specifically, the Local Service and Network Service accounts.
By using an account with fewer privileges, you still get the service you
need, but there’s much less danger in someone putting his or her insider
knowledge and privileges to malicious use.
Local System. This account has full access to the system and acts on the
network using the local computer account. If a service running on a DC
uses this account, well, let's just say you don't want it to be used for
evil: on a DC, Local System can read and write the directory database
directly, so it effectively has access to the entire domain. Though you
may be tempted to replace this account with one of lesser privilege, don't,
unless the service's documentation says it supports that. Services written
to run as Local System typically depend on privileges (acting as part of
the operating system, impersonating clients and so on) that Local Service
and Network Service don't have, so changing the service account may mean
the service can't start or fails partway through its work.
Local Service. Don’t confuse this with Local System. I know it sounds
and even looks very similar but they aren’t even first cousins. Unlike
the Local System account, it acts somewhat like an ordinary user account.
In fact, it has access to the system similar to that of the Users group.
This means, if compromised, it can do similar—read: limited—damage. It’s
meant for services whose activity is local in scope. However, it can access
the network. To do so it uses anonymous credentials.
Network Service. A sibling of Local Service, Network Service also has
default access similar to that of the Users group. When it accesses the
network, it uses the local computer account as credentials.
The Menu
Your tables are ready. But keep in mind that these two tables, installed
and not installed services, aren't a comprehensive list of Windows Server
2003 services. They list only the services Microsoft says can be disabled
(or left uninstalled) without keeping the operating system itself from
running. When writing security policies, define a setting for services
even if they're not installed by default. Then, if they're accidentally
or maliciously installed, they won't run.
If a service turns out to be required for a role, change its status in that role's policy. Meanwhile, turn 'em off. Turn them back on only when needed.
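The baseline-plus-role approach from the Caution above, and the advice to define a setting even for services that aren't installed, are both implemented with security templates. What follows is an added example, not from the original column or from Microsoft's Security Guide: a fragment of a baseline template and a print-server role template in the .inf format used by secedit, the Security Templates snap-in and the Import Policy command in a GPO's Security Settings. Each [Service General Setting] entry is "short service name",startup type,"security descriptor"; startup type 2 is Automatic, 3 is Manual and 4 is Disabled, and the descriptor is an SDDL string (the one used here grants Administrators full control, Power Users start and stop, and Authenticated Users query only). Short names are the ones sc query shows, not the display names in the tables; the names below are the standard Windows Server 2003 ones, but confirm each with sc getkeyname "Display Name" before deploying.

```ini
; ===== Baseline.inf : linked to the OU holding every server (added example) =====
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Format: "ShortName",StartupType,"SDDL"    2=Automatic  3=Manual  4=Disabled
; SDDL: BA (Administrators) full control; PU (Power Users) may start/stop/pause;
;       AU (Authenticated Users) may only query status and configuration.
[Service General Setting]
; installed and enabled by default, but not needed for the OS to run (first table)
"ALG",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"ERSvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"helpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"RDSessMgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"Spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"WmdmPmSN",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"WZCSVC",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
; installed but disabled by default ("Not on the Menu"); pin them so nobody re-enables them
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"ClipSrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"Messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"mnmsrvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"NetDDE",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"NetDDEdsdm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"TlntSvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"WebClient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
; not installed by default (second table); a setting for an absent service is ignored
; on machines that lack it and takes effect the moment someone installs it
"W3SVC",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"MSFtpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"simptcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"SNMP",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"SNMPTRAP",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"LPDSVC",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

; ===== PrintServer.inf : linked to a child OU holding only print servers (added example) =====
; A GPO on the child OU is processed after the parent's, so these two entries override
; the baseline there and nowhere else. Everything the role doesn't name stays as the baseline set it.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
; only if Unix clients must print through this server via LPD; otherwise leave it disabled
"LPDSVC",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

In Active Directory, import each template into the GPO for its OU (Computer Configuration, Windows Settings, Security Settings, right-click, Import Policy). On a standalone server, apply the baseline with secedit /configure /db Baseline.sdb /cfg Baseline.inf /areas SERVICES /log Baseline.log, then PrintServer.inf the same way, and later catch drift with secedit /analyze /db Baseline.sdb /cfg Baseline.inf /log Analyze.log. The baseline deliberately leaves alone Task Scheduler, Secondary Logon, File Replication and RPC Locator; those are the ones the column says to decide per role, and the DC role in particular needs the last two.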
Note on the RPC Locator service: The "Windows Server 2003 Security Guide"
says that this service is required by DCs. The "Threats and Countermeasures
Guide" at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp
says that Windows itself doesn't use this service, and that it's only
necessary if third-party applications do. Given the disagreement, leave it
at its default on DCs unless you have tested the change.
Services Installed on Windows Server 2003

| Service | Default | Comments |
|---|---|---|
| Application Layer Gateway Service | Manual | A subcomponent of the Internet Connection Sharing/Internet Connection Firewall service. It lets third-party applications open the ports they need through the firewall, so you don't have to know the ports an app uses or configure them yourself. Could be useful for home users, but not on a server. |
| Application Management | Manual | Processes installation, removal and enumeration requests for software deployed through Group Policy. Add/Remove Programs uses it to list such software. You probably use other ways to install apps on large numbers of boxes. If this service is disabled, a rogue admin can't use it to install some types of applications; however, if your organization uses IntelliMirror software deployment, disabling it will break those operations. |
| COM+ System Application | Manual | Manages the configuration and tracking of COM+ components. When it is turned off, most COM+ applications won't function properly. You don't need it for the server to run, but you may find you need it for many server roles. Don't confuse this with COM+ Event System; if you turn that one off, the System Event Notification service dies, among other things. |
| Distributed File System | Automatic | Integrates file shares on different servers across LANs or WANs into a single logical namespace. |
| Distributed Link Tracking Client | Automatic | Maintains links to NTFS files that are moved within a computer or between computers, so users' shortcuts and OLE links still work. |
| Distributed Link Tracking Server | Manual on DCs | Tracks links to files moved across NTFS volumes in the domain. |
| Distributed Transaction Coordinator | Automatic | Coordinates transactions that span multiple resource managers, such as databases, message queues and file systems. |
| Error Reporting Service | Automatic | Reports application and system errors to Microsoft. This provides Redmond with tons of useful information, and we all benefit from more stable and possibly more secure systems. However, there's a danger in allowing servers to connect across the Internet and send information of a possibly sensitive nature (a crash report can include memory contents of the failed process). What if, for example, the cryptographic services failed? Do you want that information leaving your network? |
| File Replication | Manual | Replicates files among servers. Specifically, it replicates the SYSVOL share (Group Policy templates and logon scripts) among DCs and can replicate DFS replicas. If you have a baseline policy for DCs, leave this one alone. |
| Help and Support | Automatic | Allows the Help and Support Center to run. |
| HTTP SSL | Manual | Implements HTTPS for the HTTP service (HTTP.sys). Only necessary on an IIS server that hosts SSL-protected sites. |
| Infrared Monitor | (Installed when an infrared device is detected) | Allows file sharing via infrared. Not an issue for most servers, since the hardware would have to be present. However, if you disable it in the baseline, the service stays disabled should a computer turn out to have the hardware. |
| Portable Media Serial Number | Manual | Retrieves the serial number of a portable media player connected to the computer. |
| Print Spooler | Automatic | Manages print queues. Required for print servers, and for printing from the server itself. |
| Remote Access Auto Connection Manager | Manual | When a program references a remote DNS or NetBIOS name or address that can't be reached, this service offers to connect using dial-up or a Virtual Private Network (VPN). |
| Remote Access Connection Manager | Manual | Manages dial-up and VPN connections. |
| Remote Desktop Help Session Manager | Manual | Manages and controls the Remote Assistance feature. |
| Remote Procedure Call (RPC) Locator | Manual (Automatic on a DC) | Manages the RPC name service database so RPC clients can locate RPC servers. Only required if third-party applications that use it are present (see the note above about DCs). |
| Removable Storage | Manual | Manages and catalogs removable media such as tapes and CD-ROMs, and the libraries that hold them. |
| Resultant Set of Policy Provider | Manual | Lets a user connect to a remote computer and access its WMI database to simulate Group Policy results (planning mode). Useful for troubleshooting and planning but not necessary on every server. |
| Secondary Logon | Automatic | Enables starting processes under alternate credentials (the runas command). Logging on as an ordinary user and elevating only for the task at hand is a recommended practice for administration directly from the console. Some security devices, such as some biometrics, may not work with this service. In some cases that could mean no access to certain privileges; in other cases it may mean a way to "get around" the security device. |
| Shell Hardware Detection | Automatic | Monitors and notifies for AutoPlay hardware events, such as music or video files on removable media or devices. Without this service, AutoPlay is lost. |
| Smart Card | Manual | Not required unless smart cards are used. |
| Special Administration Console Helper | Manual | Supports the Special Administration Console of Emergency Management Services, which lets you perform remote management tasks over an out-of-band (serial) connection, including after the server has stopped responding because of a Stop error. |
| Task Scheduler | Automatic | Enables configuration and scheduling of automated tasks on the computer. |
| Telephony | Manual | TAPI support for telephony devices and IP-based voice connections (VoIP). |
| Uninterruptible Power Supply | Manual | Manages UPSs connected to the computer. |
| Upload Manager | Manual | Manages synchronous and asynchronous file transfers between clients and servers on the network. Driver data from these transfers is uploaded anonymously to Microsoft and used to help users find drivers. Not a good idea to share. |
| Virtual Disk Service | Manual | Provides a single interface for managing block storage virtualization, whether done by hardware RAID controllers or by the OS in software. |
| WinHTTP Web Proxy Auto-Discovery Service | Manual | Implements the WPAD protocol for WinHTTP clients, letting a client discover its proxy configuration automatically. |
| Wireless Configuration | Automatic (Manual on Web server) | Automatic configuration of 802.11 wireless adapters and connections. |
Not on the Menu
The following services are installed, but disabled by default:
Alerter
Clipbook
Human Interface Device Access
IMAPI CD-Burning COM Service
Indexing Service
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
Intersite Messaging (enabled for DC)
Kerberos Key Distribution Center (enabled for a DC)
License Logging Service
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Routing and Remote Access
Telnet
Terminal Services Session Directory
Themes
WebClient
Windows Audio
Windows Image Acquisition
Tip the Hostess
This article is more an appetizer than a six-course meal. It doesn’t provide
enough information to help make all the decisions you need to make. I
can provide pointers and resources, but they’re hardly going to answer
every question because the real world poses too many combinations.
Services Not Installed on Windows Server 2003

| Service | Comments |
|---|---|
| Aspnet_state | Supports out-of-process session state for ASP.NET applications. |
| Certificate Services | Only required on Certification Authority servers. |
| Client Services for NetWare | Access to NetWare file and print services for Windows without adding a NetWare client to each workstation. |
| Cluster Service | Controls server clusters. Doesn't control Network Load Balancing. |
| DHCP Server | Only required on DHCP servers. |
| DNS Server | Only required on DNS servers. |
| Fax Service | Only required on a fax server. |
| File Server for Macintosh | Allows Macintosh clients access to server files. |
| FTP Publishing | Only required on an FTP server, and only on that server. |
| IAS Jet Database Access | Only required on the IAS server. |
| IISAdmin | Only required on IIS servers. |
| Infrared Monitor | Not installed unless infrared hardware is detected (see the previous table). |
| Internet Authentication Service | Only required on an IAS (RADIUS) server. |
| IP Version 6 Helper Service | Provides IPv6 connectivity over an IPv4 network (6to4). |
| Message Queuing | Provides a messaging infrastructure. Only required for applications specifically designed to use it. |
| Message Queuing Down Level Clients | Active Directory access for Message Queuing on behalf of down-level Windows clients. |
| Message Queuing Triggers | Rule-based monitoring of messages arriving in a Message Queuing queue, and triggering of message processing. |
| Microsoft POP3 Service | Mail retrieval (POP3) service; pairs with the SMTP service for mail transfer. |
| MSSQL$UDDI | Provides the Universal Description, Discovery and Integration (UDDI) service. Essentially, a way to find Web services. Only necessary on a server providing this service. |
| MSSQLServerADHelper | Enables SQL Server Active Directory publishing. |
| .NET Framework Support Service | Provides the Common Language Runtime, the runtime environment for .NET applications. |
| Network News Transport Protocol | Only needed if the computer will be an NNTP server. |
| Print Server for Macintosh | Only required if Macintosh users will print to the server's printers. |
| Remote Installation | Supports remote installation of systems. Only required on a Remote Installation Services (RIS) server. |
| Remote Server Manager | A Windows Management Instrumentation (WMI) provider for Remote Administration Alert Objects and Remote Administration Tasks. |
| Remote Server Monitor | Monitors critical system resources. |
| Remote Storage Notification | Notifies the user when a file that exists only on secondary storage media is read or written. |
| Remote Storage Server | Stores infrequently used files in secondary storage. |
| SAP Agent | Advertises the server's services on an IPX network (Service Advertising Protocol). Only required on an IPX network. |
| Simple Mail Transport Protocol | Only required on an SMTP server. |
| Simple TCP/IP Services | Echo, Discard, Character Generator, Daytime and Quote of the Day. Attacks do exist for some of these services; Echo and Chargen in particular can be abused with spoofed UDP packets to create traffic loops between hosts. |
| Single Instance Storage Groveler | Only needed on a RIS server. |
| SNMP Service | Allows the local computer to service SNMP requests. |
| SNMP Trap Service | Receives trap messages from SNMP agents for management software running on this computer. Only necessary where SNMP is used. |
| SQLAgent$ (UDDI or WebDB) | Job scheduler and monitoring service; only necessary on SQL Server computers. |
| TCP/IP Print Server | TCP/IP print services using the Line Printer Daemon (LPD) protocol. Primarily required so Unix systems can use Windows print services. |
| Terminal Server Licensing | Registers and tracks client licenses for Terminal Server use. |
| Trivial FTP Daemon | Used by RIS to deliver boot images. Doesn't require a user name or password. |
| Web Element Manager | Serves Web user interface elements for the Administration Web site. |
| Windows Internet Name Service | NetBIOS name resolution. Only needed on WINS servers. |
| Windows Media Service | Provides streaming audio and video over IP. |
| Windows System Resource Manager | Allocates CPU and memory among applications consolidated on one server. |
| World Wide Web Publishing Service | Only necessary on a Web server. |
Would a central source where you could go to find information on specific
services and combinations of services help? A place where you could weigh-in
with knowledge that you have? A sort of “Wow, the onion rings and garlic
toast were excellent, but whatever you do, don’t order the shrimp!” place?
A community of diners wanting to know what’s good and what to avoid? If
this would be helpful to you, let me know.