Security Advisor

Windows Services à la Carte

Windows Server 2003 installs fewer services by default, and installs others in a disabled state. Here’s a guide to what they do, and whether you might need them or not.

I generally like eating at airport restaurants. The service is usually brisk, as the waitstaff doesn’t try to chat you up. They know they’ll get better tips and more of them if they get the order fast, serve the food fast, bring the bill fast. Just the basics. No six-course meals, no violin serenade, no complicated menu and no extra silverware.

Sort of like Windows Server 2003. Many things are locked down or not allowed by default. Dozens of Windows Services are disabled by default or not installed, period, like IIS 6.0. I like that. However, before you assume my complete satisfaction or relax security vigilance, read this list of ingredients. Browse over to the Services console in a fresh install of Windows 2003 Server and—wait, what’s this? Yes, lots of services are disabled, but what are all these new ones that aren’t? What have you done now to make it harder for me to do more with less, Microsoft?

It seems we still have a job to do. Securing Windows 2003 boxes will still require knowing what each service does and what it does when disabled. Simply choosing services that seem innocuous and disabling them may end up keeping you up late at night with a stomachache, like ingesting bad seafood.

Hi, I’m Roberta, and I’ll be Your Waitress
So what’s the answer here? Is there one that won’t involve years of testing? I have visions of you ensconced in basement labs disabling this service, running that test, disabling another, crashing servers and tearing your hair out. Or maybe you’ll follow someone else’s advice and do this in your production network, only to find out that disabling the DHCP client service causes certain network cards to fail.

There’s no simple answer, but I can offer a bit of help. Then later in the column, I provide a list of Windows 2003 services that Microsoft says are not required in order for a Windows 2003 server to run.

Caution! I am not telling you to disable all the services described here. Just because a service isn’t required for the server to run doesn’t mean it’s not required for your server to run and do what you want it to do. There may be sound performance, stability or security reasons for running it. Follow best practices by using this list in your baseline security policy for all servers, then create a policy for each server role that enables the services you need for each server to do its job. For more information on how to implement such a strategy, download the Windows 2003 Security Guide at www.microsoft.com/technet/treeview/ default.asp?url=/technet/security/ prodtech/windows/win2003/w2003hg/ sgch00.asp.

The Rest of the Help
Now that I’ve escorted you to the table, it’s important to meet the rest of your wait staff. There’s a bit of good news here. Though some services must use the Local System Account, many new services use lesser privileged accounts—specifically, the Local Service and Network Service accounts. By using an account with fewer privileges, you still get the service you need, but there’s much less danger in someone putting his or her insider knowledge and privileges to malicious use.

 Local System. This account has full access to the system and acts on the network using the local computer account. If a service running on a DC uses this account, well, let’s just say you don’t want it to be used for evil, because it has access to the entire domain. Though you may be tempted to replace this account with one of lesser privilege, don’t. The service, at least as far as I can tell, requires some privileges that the Local System has. Changing the service account may mean the service can’t run.

 Local Service. Don’t confuse this with Local System. I know it sounds and even looks very similar but they aren’t even first cousins. Unlike the Local System account, it acts somewhat like an ordinary user account. In fact, it has access to the system similar to that of the Users group. This means, if compromised, it can do similar—read: limited—damage. It’s meant for services whose activity is local in scope. However, it can access the network. To do so it uses anonymous credentials.

 Network Service. A sibling of Local Service, Network Service also has default access similar to that of the Users group. When it accesses the network, it uses the local computer account as credentials.

The Menu
Your tables are ready. But keep in mind that these two tables—installed and not installed services—aren’t a comprehensive list of Windows 2003 services; they’re just a list of enabled services that can be disabled without breaking the system. When writing security policies, be sure to disable services even if they’re not installed by default. Then, if they’re accidentally or maliciously installed, they won’t run.

If the service is required, you can change its status. Meanwhile, turn ’em off. Turn them back on only when needed.

Note on the RPC Locator service: The “Windows Server 2003 Security Guide” says that this service is required by DCs. The “Threats and Countermeasures Guide” at www.microsoft.com/technet/treeview/default.asp? url=/technet/security/topics/hardsys/ TCG/TCGCH00.asp says that Windows doesn’t use this service, and it’s only necessary if third-party applications do.

Services Installed on Windows Server 2003
Service Default Comments

Application Layer Gateway Service

Manual

A subcomponent of the Internet Connection Sharing/Internet Connection Firewall service, it provides support for ISVs to write their apps so they punch through the firewall. You don’t have to know the ports used for their app or do the configuration. Could be useful for home users, but not on a server.
Application Management Manual Helps application installation. Ever used Add/Remove Program? That app uses this service. You probably use other ways to install apps to large numbers of boxes. If this service is disabled, a rogue admin can’t use it to install some types of applications. However, if your organization uses IntelliMirror, it may adversely affect those operations.
COM+ System Application Manual Tracks and manages configuration of COM+ components. When turned off, most COM+ modules won’t function properly. While you don’t need it to run the server, you may find you need it for many server roles. Don’t confuse this with COM+ Event System; if you turn that one off, the System Event Notification service dies, among other things.
Distributed File System Automatic Manages logical volumes across LANs or WANs. Creates a single namespace.
Distributed Link Tracking Client Automatic Maintains links between NTFS files. This service keeps track of where files are moved, so users’ shortcuts and OLE links still work.
Distributed Link Tracking Server Manual on DCs Tracks links for the domain.
Distributed Transaction Coordinator Automatic Coordinates distributed transactions for applications like databases, message queues and the file system.
Error Reporting Service Automatic Reports application errors to Microsoft. This provides Redmond with tons of useful information, and we all benefit from more stable and possibly more secure systems. However, there’s a danger in allowing systems to connect across the Internet and provide information of a possibly sensitive nature. What if, for example, the cryptographic services failed? Do you want that information broadcasted?
File Replication Manual Used in synchronization of data. Specifically used to support replication of security configuration among DCs. If you have a baseline policy for DCs, leave this one alone.
Help and Support Automatic Allows the Help and Support Center to run.
HTTP SSL Manual Only necessary on an IIS Server.
Infrared Monitor (Installed when infrared device is detected) Allows file sharing via infrared. Not an issue for most servers, as, of course, infrared capability would have to be on the system. However, if disabled in the baseline, should the computer have this hardware, the service will be disabled.
Portable Media Serial Number Manual Retrieves the number of a portable music player connected to the computer.
Print Spooler Automatic Manages print queues. Required for print servers.
Remote Access Auto Connection Manager Manual If a remote DNS or NetBIOS name or address can’t be accessed, this service offers to use dial-up or a Virtual Private Network (VPN).
Remote Access Connection Manager Manual Manages dial-up and VPN connections.
Remote Desktop Help Session Manager Manual Manages and controls the Remote Assistance feature.
Remote Procedure Call (RPC) Locator Manual (automatic on a DC) Allows RPC clients to find RPC servers. Manages RPC name service. Only required if third-party applications that use it are present.
Removable Storage Manual Manage and catalog remote storage such as tapes and CD-ROM.
Resultant Set of Policy Provider Manual Connects to a DC and accesses the WMI database for the computer. A useful service for troubleshooting and planning but not necessary on every server.
Secondary Logon Automatic Used to create contexts using different security principals. This is a recommended practice for administration directly from the console. Some security devices, such as some biometrics, may not work with this service. In some cases that could mean no access to certain privileges; in other cases it may mean a way to "get around" the security device.
Shell hardware detection Automatic Monitors and notifies for AutoPlay hardware events such as music or video files on removable media or devices. Without this service, hardware autoplay functionality is lost.
Not required unless smart cards are used.
Smart Card Manual Not required unless smart cards are used.
Special Administration Console Helper

Manual

Remote management tasks can be performed by this service, if the server stops functioning because of a Stop error message.
Task Scheduler Automatic Enables configuration and scheduling of automatic tasks on the computer.
Telephony Manual TAP support from telephony devices and VoIP.
Uninterruptible Power Supply Manual Manages UPSs connected to the computer.
Upload Manager Manual Manages transfer of drivers between clients and servers. Driver data is anonymously uploaded from clients to Microsoft and used to help users find drivers. Not a good idea to share.
Virtual Disk Service Manual Manage block storage virtualization, used by RAID or in OS software, and so on.
WinHTTP Web Proxy Auto-Discovery service Manual WPAD protocol for HTTP services. Allows client to discover a proxy configuration.
Wireless configuration Automatic (manual on Web server) Auto-configuration of 802.11 wireless adapters and communication.

Not on the Menu
The following services are installed, but disabled by default:

 Alerter

 Clipbook

 Human Interface Device Access

 IMAPI CD—Burning COM Service

 Indexing Service

 Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)

 Intersite Messaging (enabled for DC)

 Kerberos Key Distribution Center (enabled for a DC)

 License Logging Service

 Messenger

 NetMeeting Remote Desktop Sharing

 Network DDE

 Network DDE DSDM

 Routing and Remote Access

 Telnet

 Terminal Services Session Directory

 Themes

 WebClient

 Windows Audio

 Windows Image Acquisition

Tip the Hostess
This article is more an appetizer than a six-course meal. It doesn’t provide enough information to help make all the decisions you need to make. I can provide pointers and resources, but they’re hardly going to answer every question because the real world poses too many combinations.

 

Services Not Installed on Windows Server 2003
Service Comments
Aspnet_state Supports out-of-process session states for asp.net.
Certificate Services Only required on Certificate Authority servers.
Client Services for NetWare NetWare file and print services for Windows without adding the NetWare client.
Cluster Service Controls cluster services. Doesn’t control Network Load Balancing service.
DHCP Server Only required on DHCP servers.
DNS Server Only required on DNS servers.
Fax Service Only required for fax server.
File Server for Macintosh Allows Mac clients access to server files.
FTP Publishing Only required for FTP server, and only on that server.
IAS Jet Database Access Only required on the IAS server.
IISAdmin Only required on IIS.
Infrared Monitor Not installed.
Internet Authentication Service Only required on IAS server.
IP Version 6 Helper Service Provides IPv6 services over an IPv4 network.
Message Queuing Provides a messaging infrastructure. Only required for applications specifically
designed to use it.
Message Queuing Down Level Clients Active Directory access for Message queuing for down-level Windows clients.
Message Queuing Triggers Rule-based monitoring of messages arriving in a Message Queuing queue, and triggering of message processing.
Microsoft POP3 Service Mail transfer and retrieval services.

MSSQL$UDDI

Provides Universal Description Discovery and Integration service. Essentially, a way to find Web services. Only necessary on a server providing this service.
MSSQLServerADHelper Enables SQL server Active Directory publishing.
.NET Framework Support Service Provides Common Language Runtime, the runtime environment for .NET applications.
Network News Transport Protocol Only needed if the computer will be an NNTP server.
Print Server for Macintosh Only required if Mac users will print to the printer.

Remote Installation

Supports remote installation of systems. Only required on a Remote Installation Services (RIS) server.
Remote Server Manager A Windows Management Instrumentation (WMI) provider for Remote Administration Alert Objects and Remote Administration Tasks.
Remote Server Monitor Monitors critical system resources.
Remote Storage Notification Notifies when remote secondary storage media is used.
Remote Storage Server Stores infrequently used files in secondary storage.
SAP Agent Only required on an IPX network.
Simple Mail Transport Protocol Only required for an SMTP server.
Simple TCP/IP Services Echo, discard, character generator, daytime, quote of the day. Attacks do exist for some of these services.

Single INstance Storage Groveler

Only needed on a RIS server.
SNMP Service Allows the local computer to service SNMP requests.
SNMP Trap Service Only necessary for SNMP services.
SQLAgent$ (UDDI or WebDB) Job scheduler and monitoring service only necessary for SQL Server computers.
TCP/IP Print Server TCP/IP print services using the Line Printer Daemon protocol. Primarily required so Unix systems can use Windows print services.
Terminal Server Licensing Registered client licenses for Terminal Server use.
Trivial FTP Daemon Used by RIS. Doesn’t require user name or password.
Web Element Manager Serves Web user interface elements for Administration Web site.
Windows Internet Name Service NetBIOS name resolution. Only needed on WINS servers.
Windows Media Service Provides streaming video services over IP.
Windows System Resource Manager A tool for deploying applications in a consolidation scenario.
World Wide Web Publishing Server Only necessary on a Web server.

Would a central source where you could go to find information on specific services and combinations of services help? A place where you could weigh-in with knowledge that you have? A sort of “Wow, the onion rings and garlic toast were excellent, but whatever you do, don’t order the shrimp!” place? A community of diners wanting to know what’s good and what to avoid? If this would be helpful to you, let me know.

comments powered by Disqus
Most   Popular