Identifying Essential Windows Services: Part 1
Comparing the Recommendations
Comparing the recommendations of the Security RK with the Security Guide, while allowing for a number of new services in the newer platform, leads to some interesting questions. For example, is the Automatic Updates service essential or not? The RK doesn't mention it as essential but the Guide does, and in fact the Guide is correct unless you plan to keep your servers patched using a third-party tool instead of using Microsoft patch management solutions like SUS/WUS or SMS.
What about the Computer Browser service? This service maintains the browse list that lets Windows-based computers view network domains and resources, and in fact it can usually be safely disabled if your network is running Active Directory and all your Windows servers and clients are running Windows 2000 or later.
Both the RK and Guide recommend that the DHCP Client service be set to Automatic, but in fact it can be set to Disabled on servers that have static IP addresses configured. If you use reservations instead of static addressing, however, be sure to leave this service running on your servers.
The RK recommends that Logical Disk Manager be set to Automatic but the Guide suggests Manual instead. This service monitors PnP events to detect new drives, and here the Guide provides better advice: the service only needs to run when you add or remove disks, create new volumes, or perform other disk-related tasks, so setting it to Manual works out fine.
What about IPSec Services? In Windows 2000 this service is called IPSec Policy Agent, and if you know you aren't going to be using it then configure it for Manual startup. The Guide probably assumes that you'll be using IPSec in a network environment where security is important, but this assumption is not necessarily correct.
The NTLM Security Support Provider won't be needed if all your clients are Windows 2000 or later, as these clients support Kerberos authentication. By default, Windows Server 2003 member servers configure this service for Manual startup, and while the Guide recommends Automatic there's no clear reason to do so if your clients all support Kerberos.
The Guide also recommends that Terminal Services be set for Automatic startup, and this is necessary if you plan to manage servers remotely using the Remote Desktop feature of Windows XP/2003, which was called Terminal Services in Remote Administration Mode on the earlier Windows 2000 platform.
Secure by Default?
Finally, Microsoft says that Windows Server 2003 was designed to be "secure by default." Comparing the recommendations of the Windows Server 2003 Security Guide with the default startup settings for services on that platform shows that this design goal was not completely met. To see why, here is a list of services that the Guide recommends you set to Disabled but which are actually configured by default for either Manual or Automatic startup on a freshly installed Windows Server 2003 member server with no server roles added:
- Application Layer Gateway Service
- Application Management
- COM+ System Application
- Distributed File System
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Distributed Transaction Coordinator
- Error Reporting Service
- File Replication
- Help and Support
- Portable Media Serial Number
- Print Spooler
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Desktop Help Session Manager
- Remote Procedure Call (RPC) Locator
- Resultant Set of Policy Provider
- Secondary Logon
- Shell Hardware Detection
- Smart Card
- Special Administration Console Helper
- Task Scheduler
- Uninterruptible Power Supply
- Upload Manager
- Virtual Disk Service
- WinHTTP Web Proxy Auto-Discovery Service
- Wireless Configuration
The Security Guide recommends that all these services be disabled on a standard member server with no server roles defined. Obviously you will need to enable a few of these services on servers that have specific roles defined, such as file/print server or web server, but we'll cover that in a future article. For now, let's note two things:
- Windows Server 2003 is not completely "secure by default" at least as far as the recommendations in the Security Guide are concerned. In fact, there are more than two dozen services that the Guide recommends be disabled which are in fact configured to either Manual or Automatic startup on a freshly installed Windows Server 2003 system.
- Disabling all the services that the Guide recommends can make your job more difficult as an administrator. For example, disabling the Task Scheduler service means you won't be able to schedule backups on your server using Ntbackup.exe; disabling Help and Support means you won't be able to access the Help and Support feature on the server console; disabling the Uninterruptible Power Supply service means that a UPS device attached to that server may not function properly; and so on. As someone once said, "Security and functionality are opposing goals" and this is certainly sometimes the case when considering which services to disable on Windows servers for added security.
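To see how a particular server compares with the list above, the following added example (not from the Security Guide or the original article) reports each listed service's current startup mode without changing anything. It assumes Windows PowerShell 3.0 or later with WMI access to the target; the function name Compare-ServiceBaseline and the variable $GuideDisabled are hypothetical, and the display names are copied from the article's list as printed.

```powershell
# Added example: audit only, changes nothing on the server.
# Display names are copied from the article's list; a name that does not match
# an installed service's display name is reported as NotFound.
$GuideDisabled = @(
    'Application Layer Gateway Service', 'Application Management',
    'COM+ System Application', 'Distributed File System',
    'Distributed Link Tracking Client', 'Distributed Link Tracking Server',
    'Distributed Transaction Coordinator', 'Error Reporting Service',
    'File Replication', 'Help and Support', 'Portable Media Serial Number',
    'Print Spooler', 'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager', 'Remote Desktop Help Session Manager',
    'Remote Procedure Call (RPC) Locator', 'Resultant Set of Policy Provider',
    'Secondary Logon', 'Shell Hardware Detection', 'Smart Card',
    'Special Administration Console Helper', 'Task Scheduler',
    'Uninterruptible Power Supply', 'Upload Manager', 'Virtual Disk Service',
    'WinHTTP Web Proxy Auto-Discovery Service', 'Wireless Configuration'
)

function Compare-ServiceBaseline {
    param(
        [string[]]$ExpectedDisabled = $GuideDisabled,
        [string]$ComputerName = '.'
    )
    # Index installed services by display name (hashtable keys are case-insensitive).
    $installed = @{}
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        ForEach-Object { $installed[$_.DisplayName] = $_ }

    foreach ($name in $ExpectedDisabled) {
        $svc = $installed[$name]
        [pscustomobject]@{
            DisplayName = $name
            # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'.
            StartMode   = if ($svc) { $svc.StartMode } else { 'NotFound' }
            State       = if ($svc) { $svc.State } else { '' }
            Compliant   = [bool]($svc -and $svc.StartMode -eq 'Disabled')
        }
    }
}

# Show only the services that deviate from the Guide's "Disabled" baseline.
Compare-ServiceBaseline | Where-Object { -not $_.Compliant } |
    Format-Table DisplayName, StartMode, State -AutoSize
```

Rows with a State of Running are the ones to review first against the administrative trade-offs noted above (scheduled backups, UPS support, Help and Support) before any startup mode is changed.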