Service logons and passwords
Every service in Windows is necessary to someone; Microsoft didn't ship any service that does nothing in every environment. By unnecessary services, I mean services that provide features or capabilities many environments don't use. Why disable them? History tells us that eventually a bug will be discovered in one of these services that lets an attacker do any number of heinous things to the computer. By disabling services you aren't using, you remove them as a future attack vector: code that isn't running can't be exploited, and a service that isn't running isn't listening on a port.
Disabling a service is easy. Simply right-click My Computer, select Manage, then open the
Services node in the left-hand tree view. You can double-click any service to change its startup
type to Disabled, and you'll be able to stop the service if it's running. Once set to Disabled, a
service can't be started unless its startup type is first changed to Automatic or Manual.
For even more security, uninstall the service if possible. For example, rather than just disabling Internet Information Services (IIS), uninstall it from the Add/Remove Windows Components utility in the Control Panel (accessed through Add/Remove Programs). Most built-in services can't be removed in this fashion, but some can, and by removing the software you'll eliminate the potential for someone to re-enable and start the service.
The following list of services -- some of which are disabled by default -- I recommend disabling (and, if possible, removing). A few of the services exist only on server computers; they are included here for reference, because securing the network means locking down the servers as well as the clients.
- Alerter: This service allows the computer to send and display certain types of alerts;
primarily used with older software from the Windows NT days.
- Application Layer Gateway Service: This service is not required after Windows XP SP2 is installed.
- ClipBook: This service is an extension of the Windows Clipboard functionality and is
disabled by default.
- Computer Browser: This service maintains a listing of network computers and resources;
servers will typically provide this functionality, and clients shouldn't typically run this
service. If you have a good DNS infrastructure and your users aren't accustomed to "browsing" the
"network neighborhood," disable this service on all machines.
- Error Reporting Service: This service provides a pop-up dialog box that offers to
transmit errors and application crashes to Microsoft; it is unnecessary.
- FTP Publishing: This service is part of IIS. It is generally not appropriate for a
client computer to be hosting an FTP site, so this service can be disabled and uninstalled.
- Human Interface Device Access: Usually disabled by default anyway, this service is
necessary only for certain complex keyboards and other interface devices.
- IIS Admin: Part of IIS and rarely needed on client computers, this service can be
disabled and uninstalled.
- Indexing Service: This service provides indexing of files on the local drive for faster
searching; it is rarely used by most users and is therefore a good candidate for disabling.
- IPSec Services: This service is necessary only if you're using IPSec or L2TP Virtual
Private Networks (VPNs).
- Message Queuing: This service is necessary only for applications that utilize Microsoft
Message Queue (MSMQ) services.
- Messenger: This service is not MSN Messenger or Windows Messenger; it is a separate
service used with the NET SEND command and can almost always be disabled.
- MS Software Shadow Copy Provider: Microsoft Backup tries to use this service; the
service is not usually necessary if you aren't using Backup.
- Net Logon: This service is not required on a standalone (workgroup) system; domain members need it to authenticate users and the computer itself to a domain controller, so leave it enabled on domain-joined computers.
- Network DDE: This service is not required by most systems.
- Network DDE DSDM: This service is not required by most systems.
- Network Location Awareness: This service is not required after Windows XP SP2 is installed.
- Network Provisioning Service: This service is used with domain controllers and XML configuration files; it is not required for standalone computers, but might be needed in a domain.
- Peer Name Resolution Protocol: This service is disabled (or removed) after Windows XP
SP2 is installed; rarely needed and used primarily by IPv6.
- Peer Networking: This service is disabled (or removed) after Windows XP SP2 is
installed; rarely needed and used primarily by IPv6.
- Peer Networking Group Authentication: This service is disabled (or removed) after
Windows XP SP2 is installed; rarely needed and used primarily by IPv6.
- Peer Networking Identity Manager: This service is disabled (or removed) after Windows XP
SP2 is installed; rarely needed and used primarily by IPv6.
- Performance Logs and Alerts: This service is rarely used on client computers and can be
disabled; enable it if you specifically need to create performance logs and alerts.
- Portable Media Serial Number Service: This service is generally used only by Windows
Media Player's Digital Rights Management and can often be disabled with no ill effects.
- Remote Desktop Help Session Manager: If you don't use Windows XP's Remote Assistance
feature, this service can be disabled.
- Remote Registry Service: This service provides remote access to the registry; if you
don't need that (keeping in mind that Windows Management Instrumentation -- WMI -- provides an
alternative method for remotely accessing the registry), disable this service.
- Routing and Remote Access: This service is usually disabled by default because client
computers don't typically accept incoming connections.
- Secondary Logon: If you don't utilize the "Run As" command to run applications under alternate credentials, disable this service. Keep in mind that Run As is what lets an administrator work from an ordinary user account and elevate only for the task at hand, so weigh this one carefully before disabling it.
- Security Center: This service monitors Automatic Updates, the Windows Firewall, and
other features; disabling this service simply removes the ability for Windows to alert you when,
say, your virus definitions are out of date (something your antivirus software will likely do for
you on its own anyway).
- Server: This service is used for file and print sharing; if your client computers don't share files and printers, disable this service. Doing so doesn't stop users from connecting to shared files or printers on servers, but it does remove the administrative shares (C$, ADMIN$ and so on), so any remote-administration tool that relies on them will stop working against that computer.
- Simple Mail Transport Protocol (SMTP): This service is part of IIS and should usually be
removed if you're not using the machine as a mail server.
- Simple TCP/IP Services: This service is a rarely used minor TCP/IP service; it can
usually be disabled.
- Smart Card: Not using smart cards? Disable this service.
- SNMP Service: If you're not using SNMP, disable this service.
- SNMP Trap Service: Disable this service if you're not using SNMP.
- SSDP Discovery Service: This service is used as part of Universal Plug-n-Play and
detects and configures UPnP devices on a home network; it is rarely used in a corporate
environment. MSN Messenger does rely on this service on certain types of networks to get outside
- TCP/IP NetBIOS Helper Service: This service supports NetBIOS over TCP/IP and NetBIOS name resolution; if you're not using WINS or NetBIOS names, you can disable this service.
- TCP/IP Printer Server: This service provides TCP/IP-based print sharing and can usually
be disabled on client computers.
- Telnet: This service is usually not appropriate for client computers and can be disabled.
- Uninterruptible Power Supply: It's rare for a client computer to have a smart UPS -- one
that can shut down the computer if the UPS is on battery power and is running low; thus, this
service can usually be disabled.
- Volume Shadow Copy: This service can generally be disabled on a client computer.
- WebClient: This service is the WebDAV redirector behind the Web Folders feature; if your client computers don't open WebDAV shares, it can be disabled.
- World Wide Web Publishing: Again, part of IIS, this service is not generally appropriate
for a client.
So how do you go about enforcing your disabled service decisions across your enterprise? Group
Policy is a start. As Figure 2.4 shows, you can use a GPO to enforce the startup type for any of
the built-in services.
Figure 2.4: Disabling services through Group Policy.
Several services' names changed in Windows XP SP2; be sure you've got the proper GPO templates on your domain controllers so that the list shown will reflect the version of Windows XP you're using in your environment.
Although Group Policy lets you decide which services will be allowed to run, it does nothing for
helping you manage two important aspects of services:
- The account they will run under
- The password for that account
Many services are configured to run under the all-powerful Local System account; that's especially true on servers, where add-on applications such as SQL Server and Exchange Server install services of their own. Even on client computers, you might want to move a service to a less privileged account (the built-in Local Service and Network Service accounts, whose passwords Windows manages itself, are the first choice). More importantly, any service that runs under a named local or domain user account logs on with a password, and that password needs to be changed on a regular and fairly frequent basis, just like any user password.
If your company must remain compliant -- for example, with the Sarbanes Oxley Act -- and your company policy is to change user passwords every 45 days, you must include the often-neglected service accounts if you are to maintain regulatory compliance.
Changing a service's password involves two steps: changing the password of the user account (which, if it's a local account, is a time-consuming task without some kind of tool to help out), then telling the service itself, on every computer where it's installed, to use the new password. That second step can be exceedingly painful when the service is installed on many computers, and the gap between the two steps matters: a running service keeps working on the logon token it already holds, but any copy you miss will fail to log on the next time it starts, and if the account is a domain account the repeated failed logons can lock it out.
Obviously, this area is where many administrators will write (or download) a script of some kind
to do the job. Although this solution is okay, it typically assumes that you know which computers
are running the service in question. To be on the safe side, you really need a tool that can first
find all computers running the service, then reconfigure the service's password. ScriptLogic
Service Explorer, which Figure 2.5 shows, has a search function that will search entire domains or
workgroups for specified services, then allow you to configure those services en masse.
Figure 2.5: Searching for the Application Layer Gateway Service.
Service Explorer has several helpful built-in searches, as well, such as one that looks for non-
Microsoft services and another that displays all services that use a particular user account to log
on. This type of search is useful when you're changing a password: Find every service actually
using the account in question!
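The search-then-reconfigure approach described above, scripted as an added example (it is not the book's code and not ScriptLogic's or Lieberman's product): the first function finds every service on a list of computers that logs on as a given account, the second pushes the new password into each service's configuration and restarts it. The computer names and the account name are constructed placeholders, and the script assumes the account's password has already been reset in Active Directory (or on each local machine) and that you're running as an administrator of the targets.

```powershell
# Added example, not from the book or either vendor's product. Windows PowerShell 5.1,
# run from an admin workstation; targets are reached over WMI/DCOM with packet-privacy
# authentication so the new password is encrypted on the wire. Assumes the account's
# password has ALREADY been reset in Active Directory (or on each local machine).

function Find-ServiceByLogon {
    # Returns one record per service on the given computers whose logon account
    # matches $Account, e.g. 'CORP\svc-backup' or '.\LocalSvcAcct' (constructed names).
    param([string[]]$Computers, [string]$Account)

    # WQL needs the backslash in DOMAIN\user doubled.
    $filter = "StartName='{0}'" -f $Account.Replace('\', '\\')
    foreach ($c in $Computers) {
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $c -Filter $filter `
                          -Authentication PacketPrivacy -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name
                                       State = $_.State; StartMode = $_.StartMode }
                }
        } catch {
            # An unreachable host is a gap in coverage, not something to skip silently:
            # a service there still holds the old password and will fail (and may lock
            # the account out) the next time it starts.
            Write-Warning "$c unreachable: $($_.Exception.Message)"
        }
    }
}

function Set-ServiceLogonPassword {
    # Pushes the new password into the Service Control Manager on one computer and,
    # optionally, restarts the service so the running process uses the new credential.
    param([string]$Computer, [string]$Service, [string]$NewPassword, [switch]$Restart)

    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer `
                         -Filter "Name='$Service'" -Authentication PacketPrivacy
    # Win32_Service.Change(): $null leaves a setting untouched; StartPassword is the 8th argument.
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $null, $NewPassword).ReturnValue
    if ($rc -ne 0) { throw "Change() on $Computer\$Service returned $rc" }

    # The SCM now has the new password, but a running service keeps its existing
    # logon token until it is restarted.
    if ($Restart -and $svc.State -eq 'Running') {
        [void]$svc.StopService(); Start-Sleep -Seconds 5; [void]$svc.StartService()
    }
}

# Usage with constructed names. Build the computer list from the directory in
# practice (Get-ADComputer) so the search covers every machine, not just the ones
# you remember having the service.
$account   = 'CORP\svc-backup'
$computers = 'WKS001', 'WKS002', 'FS01'
$hits = Find-ServiceByLogon -Computers $computers -Account $account
$hits | Format-Table -AutoSize

# Win32_Service.Change() takes a plain string, so convert the prompted SecureString
# only at the last moment and free the unmanaged copy immediately.
$secure = Read-Host -AsSecureString -Prompt "New password for $account"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
foreach ($h in $hits) {
    Set-ServiceLogonPassword -Computer $h.Computer -Service $h.Service -NewPassword $plain -Restart
}
```

Two points a practitioner should take from it: the search is keyed on the logon account (the same "which services use this account" query the text describes), because a service's display name tells you nothing about which account it runs as; and the warning for unreachable hosts is deliberate, since every machine the search couldn't reach is one that may still try to log on with the old password.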
Lieberman Software's Service Account Manager is a similar tool. As Figure 2.6 shows, Service Account Manager provides a single view of all services on a given machine. It can
also locate machines running a particular service, and when updating a service's logon password, it
can update the locally cached credentials for the service, allowing it to log on and continue
running even if the computer temporarily loses connectivity with a domain controller (for services
logging in under a domain account).
Figure 2.6: Service Account Manager provides centralized service management.
The bottom line is that managing services is one of the most-overlooked client security problems, and there are tools that can help you solve it easily. Getting your services locked down and your service logon passwords under control is a great step toward a more secure Windows enterprise.
This excerpt is from the eBook "The Definitive Guide to Securing Windows in the Enterprise"; the entire eBook is available at cc.realtimepublishers.com.