The Definitive Guide to Securing Windows in the Enterprise The following excerpt series from Chapter 2 of the free eBook The Definitive Guide to Securing Windows in the Enterprise (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.

 

Service management

Services are another area in which client computers can present security difficulties. Client computers come with several pre-enabled services, many of which can be disabled entirely. Even those services you choose to leave running, however, present security risks when configured to run as an over-privileged account or when configured to run as an account whose password is never changed. Of course, Windows doesn't make it easy to keep service accounts properly configured, so you'll need you use some creativity.

 

TABLE OF CONTENTS
    Unnecessary services
    Service logons and passwords

 

 

 

 

  Unnecessary services  Return to Table of Contents

Every service in Windows is necessary to someone -- Microsoft didn't include any services that do nothing all the time in every environment. By unnecessary services, I'm referring to services that provide features or capabilities that many environments don't utilize. Why disable these services? History tells us that eventually a bug will be discovered in one of these services that will allow attackers to perform any number of heinous acts on the computer. By disabling services that you're not utilizing, you'll help prevent these services from becoming an attack vector in the future.

Disabling a service is easy. Simply right-click My Computer, select Manage, then open the Services node in the left-hand tree view. You can double-click any service to change its startup type to Disabled, and you'll be able to stop the service if it's running. Once set to Disabled, a service can't be started unless its startup type is first changed to Automatic or Manual.

 

For even more security, uninstall the service if possible. For example, rather than just disabling Internet Information Services (IIS), uninstall it from the Add/Remove Windows Components utility in the Control Panel (accessed through Add/Remove Programs). Most built-in services can't be removed in this fashion, but some can, and by removing the software you'll eliminate the potential for someone to re-enable and start the service.

The following list of services -- some of which are disabled by default -- I recommend disabling (and, if possible, removing):

 

A few of the services exist only on server computers; to ensure network security, they are included in this list for your reference.
  • Alerter: This service allows the computer to send and display certain types of alerts; primarily used with older software from the Windows NT days.

     

  • Application Layer Gateway Service: This service is not required after Windows XP SP2 is installed.

     

  • ClipBook: This service is an extension of the Windows Clipboard functionality and is disabled by default.

     

  • Computer Browser: This service maintains a listing of network computers and resources; servers will typically provide this functionality, and clients shouldn't typically run this service. If you have a good DNS infrastructure and your users aren't accustomed to "browsing" the "network neighborhood," disable this service on all machines.

     

  • Error Reporting Service: This service provides a pop-up dialog box that offers to transmit errors and application crashes to Microsoft; it is unnecessary.

     

  • FTP Publishing: This service is part of IIS. It is generally not appropriate for a client computer to be hosting an FTP site, so this service can be disabled and uninstalled.

     

  • Human Interface Device Access: Usually disabled by default anyway, this service is necessary only for certain complex keyboards and other interface devices.

     

  • IIS Admin: Part of IIS and rarely needed on client computers, this service can be disabled and uninstalled.

     

  • Indexing Service: This service provides indexing of files on the local drive for faster searching; it is rarely used by most users and is therefore a good candidate for disabling.

     

  • IPSec Services: This service is necessary only if you're using IPSec or L2TP Virtual Private Networks (VPNs).

     

  • Message Queuing: This service is necessary only for applications that utilize Microsoft Message Queue (MSMQ) services.

     

  • Messenger: This service is not MSN Messenger or Windows Messenger; it is a separate service used with the NET SEND command and can almost always be disabled.

     

  • MS Software Shadow Copy Provider: Microsoft Backup tries to use this service; the service is not usually necessary if you aren't using Backup.

     

  • Net Logon: This service is not usually required on a standalone system; it is required to log on to a domain controller.

     

  • Network DDE: This service is not required by most systems.

     

  • Network DDE DSDM: This service is not required by most systems.

     

  • Network Location Awareness: This service is not required after Windows XP SP2 is installed.

     

  • Network Provisioning Service: This service is used with domain controllers and XML configuration files; it is not required for standalone computers, but might be needed in a domain environment.

     

  • Peer Name Resolution Protocol: This service is disabled (or removed) after Windows XP SP2 is installed; rarely needed and used primarily by IPv6.

     

  • Peer Networking: This service is disabled (or removed) after Windows XP SP2 is installed; rarely needed and used primarily by IPv6.

     

  • Peer Networking Group Authentication: This service is disabled (or removed) after Windows XP SP2 is installed; rarely needed and used primarily by IPv6.

     

  • Peer Networking Identity Manager: This service is disabled (or removed) after Windows XP SP2 is installed; rarely needed and used primarily by IPv6.

     

  • Performance Logs and Alerts: This service is rarely used on client computers and can be disabled; enable it if you specifically need to create performance logs and alerts.

     

  • Portable Media Serial Number Service: This service is generally used only by Windows Media Player's Digital Rights Management and can often be disabled with no ill effects.

     

  • Remote Desktop Help Session Manager: If you don't use Windows XP's Remote Assistance feature, this service can be disabled.

     

  • Remote Registry Service: This service provides remote access to the registry; if you don't need that (keeping in mind that Windows Management Instrumentation -- WMI -- provides an alternative method for remotely accessing the registry), disable this service.

     

  • Routing and Remote Access: This service is usually disabled by default because client computers don't typically accept incoming connections.

     

  • Secondary Logon: If you don't utilize the "Run As" command to run applications under alternate credentials, disable this service.

     

  • Security Center: This service monitors Automatic Updates, the Windows Firewall, and other features; disabling this service simply removes the ability for Windows to alert you when, say, your virus definitions are out of date (something your antivirus software will likely do for you on its own anyway).

     

  • Server: This service is used for file and print sharing; if your client computers don't share files and printers, disable this service. Doing so doesn't stop users from connecting to shared files or printers on servers.

     

  • Simple Mail Transport Protocol (SMTP): This service is part of IIS and should usually be removed if you're not using the machine as a mail server.

     

  • Simple TCP/IP Services: This service is a rarely used minor TCP/IP service; it can usually be disabled.

     

  • Smart Card: Not using smart cards? Disable this service.

     

  • SNMP Service: If you're not using SNMP, disable this service.

     

  • SNMP Trap Service: Disable this service if you're not using SNMP.

     

  • SSDP Discovery Service: This service is used as part of Universal Plug-n-Play and detects and configures UPnP devices on a home network; it is rarely used in a corporate environment. MSN Messenger does rely on this service on certain types of networks to get outside the firewall.

     

  • TCP/IP NetBIOS Helper Service: If you're not using WINS, you can disable this service.

     

  • TCP/IP Printer Server: This service provides TCP/IP-based print sharing and can usually be disabled on client computers.

     

  • Telnet: This service is usually not appropriate for client computers and can be disabled.

     

  • Uninterruptible Power Supply: It's rare for a client computer to have a smart UPS -- one that can shut down the computer if the UPS is on battery power and is running low; thus, this service can usually be disabled.

     

  • Volume Shadow Copy: This service can generally be disabled on a client computer.

     

  • WebClient: This service can be disabled and isn't currently used by anything that I'm aware of on client computers.

     

  • World Wide Web Publishing: Again, part of IIS, this service is not generally appropriate for a client.

So how do you go about enforcing your disabled service decisions across your enterprise? Group Policy is a start. As Figure 2.4 shows, you can use a GPO to enforce the startup type for any of the built-in services.

Figure 2.4: Disabling services through Group Policy.

 

Several services' names changed in Windows XP SP2; be sure you've got the proper GPO templates on your domain controllers so that the list shown will reflect the version of Windows XP you're using in your environment.

 

  Service logons and passwords  Return to Table of Contents

Although Group Policy lets you decide which services will be allowed to run, it does nothing for helping you manage two important aspects of services:

  • The account they will run under

     

  • The password for that account

Many services, for example, are configured to run under the all-powerful Local System account; such is especially true on server computers on which additional services for SQL Server, Exchange Server, and other add-on applications are running. Even on client computers, however, you might want to alter the account that a service is using to reduce its permissions to a more reasonable level. More importantly, any service not running as Local System will be logging on using a password, and that password will need to be changed on a regular and fairly frequent basis, just like any user password.

 

If your company must remain compliant -- for example, with the Sarbanes Oxley Act -- and your company policy is to change user passwords every 45 days, you must include the often-neglected service accounts if you are to maintain regulatory compliance.

Changing a service's password involves two steps: Changing the password of the user account (which, if it's a local account, can be a time-consuming task without some kind of tool to help out), then telling the service itself to use the new password. That latter step can be exceedingly painful, especially if the service is installed on many computers.

Obviously, this area is where many administrators will write (or download) a script of some kind to do the job. Although this solution is okay, it typically assumes that you know which computers are running the service in question. To be on the safe side, you really need a tool that can first find all computers running the service, then reconfigure the service's password. ScriptLogic Service Explorer, which Figure 2.5 shows, has a search function that will search entire domains or workgroups for specified services, then allow you to configure those services en masse.

Figure 2.5: Searching for the Application Layer Gateway Service.

Service Explorer has several helpful built-in searches, as well, such as one that looks for non- Microsoft services and another that displays all services that use a particular user account to log on. This type of search is useful when you're changing a password: Find every service actually using the account in question!

A similar tool, Lieberman Software's Service Account Manager, works similarly. As Figure 2.6 shows, Service Account Manager provides a single view of all services on a given machine. It can also locate machines running a particular service, and when updating a service's logon password, it can update the locally cached credentials for the service, allowing it to log on and continue running even if the computer temporarily loses connectivity with a domain controller (for services logging in under a domain account).

Figure 2.6: Service Account Manager provides centralized service management.

The bottom line is that managing services is perhaps one of the most-overlooked client security problems, and there are tools that can help you solve the problem very, very easily. Getting your services locked down and your service logon passwords under control is a great step toward a more secure Windows enterprise.

Click for the next excerpt in this series: Local firewalls

 

Click for the book excerpt series or visit cc.realtimepublishers.com for the entire eBook, "The Definitive Guide to Securing Windows in the Enterprise."

 

This was first published in October 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top