Deploying secure domain controllers - Part 4

Click here to read Part 1, Part 2 and Part 3 of this tip.

I can't count the number of times I've been asked about the default services that are installed on a Windows 2003 Server system and what the best settings are for security. Well, here is a hit list that hopefully will answer most of those queries.

There are 84 services that will appear on a Windows 2003 Server system when a new fresh installation is performed. If an upgrade install from Windows 2000 Server is performed, an additional six services are present. All of the default services of Windows 2003 Server are listed in the following table. The six post-upgrade services are indicated by an asterisk. The settings relevant to an upgrade server rather than a fresh installation server are also indicated by an asterisk.

This table indicates the default settings of a Windows 2003 Server just after it has been promoted to a domain controller. This table assumes that the system will be used exclusively as a domain controller. If the system is to be a host to any other network service or application, you may not be able to lock down as many services without compromising functionality.

The Secure Setting column contains my recommendations for improving the overall security of the system. The label "consider setting to Disabled or Manual" means you should inspect the system to see whether any other application or function requires the service. If none does, the service can be disabled or set to Manual to reduce the attack surface. If you discover that something fails to operate after making such a change, revert the setting to its default.

The default settings of services on a Windows 2003 Server member server are indicated with a caret (^).

| Service | Default Setting | Secure Setting |
|---|---|---|
| Alerter | Disabled | already secure |
| Application Layer Gateway Service | Manual | already secure |
| Application Management | Manual | consider setting to Disabled or Manual |
| Automatic Updates | Automatic | consider setting to Disabled or Manual |
| Background Intelligent Transfer Service | Manual | consider setting to Disabled or Manual |
| ClipBook | Disabled | already secure |
| COM+ Event System | Manual | already secure |
| COM+ System Application | Manual | already secure |
| Computer Browser | Automatic | consider setting to Disabled or Manual |
| Cryptographic Services | Automatic | already secure |
| DHCP Client | Automatic | consider setting to Disabled or Manual |
| Distributed File System | Automatic | already secure |
| Distributed Link Tracking Client | Manual; Automatic^ | Disabled |
| Distributed Link Tracking Server | Disabled; Automatic* | already secure; Disabled* |
| Distributed Transaction Coordinator | Manual; Automatic^ | already secure |
| DNS Client | Automatic | already secure |
| DNS Server | Automatic | consider setting to Disabled or Manual |
| Error Reporting Service | Automatic | consider setting to Disabled or Manual |
| Event Log | Automatic | already secure |
| Fax* | Automatic* | Disabled* |
| File Replication Service | Automatic | already secure |
| Help and Support | Automatic | already secure |
| HTTP SSL | Manual | already secure |
| Human Interface Device Access | Disabled | already secure |
| IIS Admin Service* | Automatic* | Disabled* |
| IMAPI CD-Burning COM Services | Disabled | already secure |
| Indexing Service | Disabled; Manual* | already secure; Disabled* |
| Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled; Manual* | already secure; Disabled* |
| Intersite Messaging | Automatic | already secure |
| IPSec Services | Automatic | already secure |
| Kerberos Key Distribution Center | Disabled | already secure |
| License Logging | Disabled; Automatic* | already secure; Disabled* |
| Logical Disk Manager | Automatic | already secure |
| Logical Disk Manager Administrative Service | Manual | already secure |
| Messenger | Disabled | already secure |
| Microsoft Software Shadow Copy Provider | Manual | consider setting to Disabled or Manual |
| Net Logon | Automatic; Manual^ | already secure |
| NetMeeting Remote Desktop Sharing | Disabled; Manual* | already secure; Disabled* |
| Network Connections | Manual | already secure |
| Network DDE | (Disabled) | already secure |
| Network DDE DSDM | (Disabled) | already secure |
| Network Location Awareness (NLA) | Manual | already secure |
| NTLM Security Support Provider | Manual | already secure |
| Performance Logs and Alerts | Manual | consider setting to Disabled or Manual |
| Plug and Play | Automatic | already secure |
| Portable Media Serial Number Service | Manual | Disabled |
| Print Spooler | Automatic | consider setting to Disabled or Manual |
| Protected Storage | Automatic | already secure |
| Remote Access Auto Connection Manager | Manual | consider setting to Disabled or Manual |
| Remote Access Connection Manager | Manual | consider setting to Disabled or Manual |
| Remote Desktop Help Session Manager | Manual | already secure |
| Remote Procedure Call (RPC) | Automatic | already secure |
| Remote Procedure Call (RPC) Locator | Manual | consider setting to Disabled or Manual |
| Remote Registry | Automatic | already secure |
| Removable Storage | Manual; Automatic* | consider setting to Disabled or Manual |
| Resultant Set of Policy Provider | Manual | already secure |
| Routing and Remote Access | Disabled | already secure |
| Secondary Logon | Automatic | already secure |
| Security Accounts Manager | Automatic | already secure |
| Server | Automatic | already secure |
| Shell Hardware Detection | Automatic | Disabled |
| Simple Mail Transfer Protocol (SMTP)* | Automatic* | Disabled* |
| Smart Card | Manual | already secure |
| Smart Card Helper* | Manual* | already secure* |
| Special Administrator Console Helper | Manual | Disabled |
| System Event Notification | Automatic | already secure |
| Task Scheduler | Automatic | already secure |
| TCP/IP NetBIOS Helper | Automatic | already secure |
| Telephony | Manual | consider setting to Disabled or Manual |
| Telnet | Disabled; Manual* | already secure; Disabled* |
| Terminal Services | (Manual) | consider setting to Disabled or Manual |
| Terminal Services Session Directory | Disabled | already secure |
| Themes | Disabled | already secure |
| Uninterruptible Power Supply | (Manual) | consider setting to Disabled or Manual |
| Upload Manager | Manual | Disabled |
| Utility Manager* | Manual* | Disabled* |
| Virtual Disk Service | Manual | already secure |
| Volume Shadow Copy | Manual | consider setting to Disabled or Manual |
| WebClient | Disabled | already secure |
| Windows Audio | Automatic; Disabled* | Disabled; already secure* |
| Windows Image Acquisition | Disabled | already secure |
| Windows Installer | Manual | already secure |
| Windows Management Instrumentation | Automatic | already secure |
| Windows Management Instrumentation Driver Extensions | Manual | already secure |
| Windows Time | Automatic | already secure |
| WinHTTP Web Proxy Auto-Discovery Service | Manual | already secure |
| Wireless Configuration | Automatic | consider setting to Disabled or Manual |
| WMI Performance Adapter | Manual | already secure |
| Workstation | Automatic | already secure |
| World Wide Web Publishing Service* | Disabled* | already secure* |

As always, make your changes one service at a time: change a setting, reboot twice, then thoroughly test the environment and all of its functions before moving on to the next service. Failing to make changes systematically will make troubleshooting much more difficult.
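An audit-only script that compares a domain controller's current service start modes against the Secure Setting column above and reports deviations without changing anything, so each change can still be applied and tested one at a time as the tip advises. This is an added example, not part of the original tip; it assumes Windows PowerShell with WMI access to Win32_Service, and the short service names in the hashtables are my assumed mapping to the table's display names.

```powershell
# Audit-only: report services whose start mode deviates from the table's
# "Secure Setting" column. Changes nothing. Added example, not the tip's own code.
param([string]$ComputerName = '.')   # local machine by default

# Rows whose secure setting is an explicit "Disabled" (fresh and upgrade rows).
# Short names are assumed to correspond to the table's display names.
$MustBeDisabled = @{
    'TrkWks'           = 'Distributed Link Tracking Client'
    'ShellHWDetection' = 'Shell Hardware Detection'
    'WmdmPmSN'         = 'Portable Media Serial Number Service'
    'sacsvr'           = 'Special Administrator Console Helper'
    'uploadmgr'        = 'Upload Manager'
    'AudioSrv'         = 'Windows Audio'
    'Fax'              = 'Fax'
    'IISADMIN'         = 'IIS Admin Service'
    'cisvc'            = 'Indexing Service'
    'SharedAccess'     = 'Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)'
    'LicenseService'   = 'License Logging'
    'mnmsrvc'          = 'NetMeeting Remote Desktop Sharing'
    'SMTPSVC'          = 'Simple Mail Transfer Protocol (SMTP)'
    'TlntSvr'          = 'Telnet'
    'UtilMan'          = 'Utility Manager'
}
# Rows marked "consider setting to Disabled or Manual": flagged for review
# only while they are still set to Automatic.
$ReviewIfAutomatic = @{
    'wuauserv' = 'Automatic Updates'
    'BITS'     = 'Background Intelligent Transfer Service'
    'Browser'  = 'Computer Browser'
    'ERSvc'    = 'Error Reporting Service'
    'Spooler'  = 'Print Spooler'
    'WZCSVC'   = 'Wireless Configuration'
}

# Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
$byName = @{}
foreach ($s in Get-WmiObject -Class Win32_Service -ComputerName $ComputerName) { $byName[$s.Name] = $s }

$findings = @()
foreach ($name in $MustBeDisabled.Keys) {
    $svc = $byName[$name]
    if ($svc -and $svc.StartMode -ne 'Disabled') {    # absent service: nothing to harden
        $findings += New-Object PSObject -Property @{ Service = $MustBeDisabled[$name]; StartMode = $svc.StartMode; State = $svc.State; Expected = 'Disabled' }
    }
}
foreach ($name in $ReviewIfAutomatic.Keys) {
    $svc = $byName[$name]
    if ($svc -and $svc.StartMode -eq 'Auto') {
        $findings += New-Object PSObject -Property @{ Service = $ReviewIfAutomatic[$name]; StartMode = $svc.StartMode; State = $svc.State; Expected = 'review: Disabled or Manual' }
    }
}
$findings | Sort-Object Service | Format-Table Service, StartMode, State, Expected -AutoSize
```

Run it before and after each individual change so the report shows exactly one row disappearing per step; an empty report means the explicit "Disabled" rows match and no "consider" row is still Automatic.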

Next tip, I'll dive into secure configuration settings for a domain controller.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in March 2004
