I can't count the number of times I've been asked about the default services that are installed on a Windows 2003 Server system and what the best settings are for security. Well, here is a hit list that hopefully will answer most of those queries.
There are 84 services that will appear on a Windows 2003 Server system when a new fresh installation is performed. If an upgrade install from Windows 2000 Server is performed, an additional six services are present. All of the default services of Windows 2003 Server are listed in the following table. The six post-upgrade services are indicated by an asterisk. The settings relevant to an upgrade server rather than a fresh installation server are also indicated by an asterisk.
This table indicates the default settings of a Windows 2003 Server just after it has been promoted to a domain controller. This table assumes that the system will be used exclusively as a domain controller. If the system is to be a host to any other network service or application, you may not be able to lock down as many services without compromising functionality.
The Secure Setting column contains my recommendations for improving the overall security of the system. The label "consider setting to Disabled or Manual" means inspect the system to see whether any other application or function requires this service; if none does, the service can be disabled or set to Manual to reduce the attack surface. If you discover that something fails to operate after making such a change, revert the setting to its default.
The default settings of services on a Windows 2003 member server are indicated with a caret (^).
| Service | Default Setting | Secure Setting |
|---|---|---|
| Alerter | Disabled | already secure |
| Application Layer Gateway Service | Manual | already secure |
| Application Management | Manual | consider setting to Disabled or Manual |
| Automatic Updates | Automatic | consider setting to Disabled or Manual |
| Background Intelligent Transfer Service | Manual | consider setting to Disabled or Manual |
| ClipBook | Disabled | already secure |
| COM+ Event System | Manual | already secure |
| COM+ System Application | Manual | already secure |
| Computer Browser | Automatic | consider setting to Disabled or Manual |
| Cryptographic Services | Automatic | already secure |
| DHCP Client | Automatic | consider setting to Disabled or Manual |
| Distributed File System | Automatic | already secure |
| Distributed Link Tracking Client | Manual / Automatic^ | Disabled |
| Distributed Link Tracking Server | Disabled / Automatic* | already secure / Disabled* |
| Distributed Transaction Coordinator | Manual / Automatic^ | already secure |
| DNS Client | Automatic | already secure |
| DNS Server | Automatic | consider setting to Disabled or Manual |
| Error Reporting Service | Automatic | consider setting to Disabled or Manual |
| Event Log | Automatic | already secure |
| Fax* | Automatic* | Disabled* |
| File Replication Service | Automatic | already secure |
| Help and Support | Automatic | already secure |
| HTTP SSL | Manual | already secure |
| Human Interface Device Access | Disabled | already secure |
| IIS Admin Service* | Automatic* | Disabled* |
| IMAPI CD-Burning COM Services | Disabled | already secure |
| Indexing Service | Disabled / Manual* | already secure / Disabled* |
| Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Disabled / Manual* | already secure / Disabled* |
| Intersite Messaging | Automatic | already secure |
| IPSec Services | Automatic | already secure |
| Kerberos Key Distribution Center | Disabled | already secure |
| License Logging | Disabled / Automatic* | already secure / Disabled* |
| Logical Disk Manager | Automatic | already secure |
| Logical Disk Manager Administrative Service | Manual | already secure |
| Messenger | Disabled | already secure |
| Microsoft Software Shadow Copy Provider | Manual | consider setting to Disabled or Manual |
| Net Logon | Automatic / Manual^ | already secure |
| NetMeeting Remote Desktop Sharing | Disabled / Manual* | already secure / Disabled* |
| Network Connections | Manual | already secure |
| Network DDE | (Disabled) | already secure |
| Network DDE DSDM | (Disabled) | already secure |
| Network Location Awareness (NLA) | Manual | already secure |
| NTLM Security Support Provider | Manual | already secure |
| Performance Logs and Alerts | Manual | consider setting to Disabled or Manual |
| Plug and Play | Automatic | already secure |
| Portable Media Serial Number Service | Manual | Disabled |
| Print Spooler | Automatic | consider setting to Disabled or Manual |
| Protected Storage | Automatic | already secure |
| Remote Access Auto Connection Manager | Manual | consider setting to Disabled or Manual |
| Remote Access Connection Manager | Manual | consider setting to Disabled or Manual |
| Remote Desktop Help Session Manager | Manual | already secure |
| Remote Procedure Call (RPC) | Automatic | already secure |
| Remote Procedure Call (RPC) Locator | Manual | consider setting to Disabled or Manual |
| Remote Registry | Automatic | already secure |
| Removable Storage | Manual / Automatic* | consider setting to Disabled or Manual |
| Resultant Set of Policy Provider | Manual | already secure |
| Routing and Remote Access | Disabled | already secure |
| Secondary Logon | Automatic | already secure |
| Security Accounts Manager | Automatic | already secure |
| Server | Automatic | already secure |
| Shell Hardware Detection | Automatic | Disabled |
| Simple Mail Transfer Protocol (SMTP)* | Automatic* | Disabled* |
| Smart Card | Manual | already secure |
| Smart Card Helper* | Manual* | already secure* |
| Special Administrator Console Helper | Manual | Disabled |
| System Event Notification | Automatic | already secure |
| Task Scheduler | Automatic | already secure |
| TCP/IP NetBIOS Helper | Automatic | already secure |
| Telephony | Manual | consider setting to Disabled or Manual |
| Telnet | Disabled / Manual* | already secure / Disabled* |
| Terminal Services | (Manual) | consider setting to Disabled or Manual |
| Terminal Services Session Directory | Disabled | already secure |
| Themes | Disabled | already secure |
| Uninterruptible Power Supply | (Manual) | consider setting to Disabled or Manual |
| Upload Manager | Manual | Disabled |
| Utility Manager* | Manual* | Disabled* |
| Virtual Disk Service | Manual | already secure |
| Volume Shadow Copy | Manual | consider setting to Disabled or Manual |
| WebClient | Disabled | already secure |
| Windows Audio | Automatic / Disabled* | Disabled / already secure* |
| Windows Image Acquisition | Disabled | already secure |
| Windows Installer | Manual | already secure |
| Windows Management Instrumentation | Automatic | already secure |
| Windows Management Instrumentation Driver Extensions | Manual | already secure |
| Windows Time | Automatic | already secure |
| WinHTTP Web Proxy Auto-Discovery Service | Manual | already secure |
| Wireless Configuration | Automatic | consider setting to Disabled or Manual |
| WMI Performance Adapter | Manual | already secure |
| Workstation | Automatic | already secure |
| World Wide Web Publishing Service* | Disabled* | already secure* |
As always, make your changes one service at a time, reboot twice, then thoroughly test the environment and all functions before moving on to the next service. Failing to make changes systematically will make troubleshooting more difficult.
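The checking and one-at-a-time changing described above can be made repeatable with a script. The following PowerShell is an added example and not part of the original tip (which predates PowerShell on this platform); it assumes Windows PowerShell 3.0 or later for Get-CimInstance and Export-Csv -Append, an elevated prompt, services matched by the display names used in the table, and a constructed default path for the rollback record. It audits every row whose secure setting is "Disabled" (for a fresh install, an upgrade, or both), only reports the "consider" rows, and will change a single service per run while writing the previous startup type to a CSV so the change can be reverted.

```powershell
# Added example, not part of the original tip: audit service startup types
# against the table's "Disabled" recommendations and optionally apply ONE
# change per run, recording the prior value for rollback.
# Assumptions: Windows PowerShell 3.0+, run elevated, display names as in the
# table; the state file location is a constructed default.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Display name of the single service to set to Disabled this run.
    [string]$Apply,
    # CSV that records the prior startup type of each changed service.
    [string]$StateFile = "$env:ProgramData\service-hardening-state.csv"
)

# Rows whose Secure Setting is "Disabled" for a fresh install, an upgrade, or both.
$Disable = @(
    'Distributed Link Tracking Client', 'Distributed Link Tracking Server', 'Fax',
    'IIS Admin Service', 'Indexing Service',
    'Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)',
    'License Logging', 'NetMeeting Remote Desktop Sharing',
    'Portable Media Serial Number Service', 'Shell Hardware Detection',
    'Simple Mail Transfer Protocol (SMTP)', 'Special Administrator Console Helper',
    'Telnet', 'Upload Manager', 'Utility Manager', 'Windows Audio'
)

# Rows marked "consider setting to Disabled or Manual": reported, never changed here.
$Review = @(
    'Application Management', 'Automatic Updates', 'Background Intelligent Transfer Service',
    'Computer Browser', 'DHCP Client', 'DNS Server', 'Error Reporting Service',
    'Microsoft Software Shadow Copy Provider', 'Performance Logs and Alerts', 'Print Spooler',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Procedure Call (RPC) Locator', 'Removable Storage', 'Telephony',
    'Terminal Services', 'Uninterruptible Power Supply', 'Volume Shadow Copy',
    'Wireless Configuration'
)

# Win32_Service.StartMode reports Auto/Manual/Disabled; Set-Service expects Automatic/Manual/Disabled.
$ToStartupType = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }

$all = Get-CimInstance -ClassName Win32_Service
function Find-Svc([string]$DisplayName) { $all | Where-Object DisplayName -eq $DisplayName }

# --- Audit: flag any "Disabled" row that is not actually Disabled -------------
foreach ($name in $Disable) {
    $svc = Find-Svc $name
    if (-not $svc) { Write-Output ("[absent] {0}" -f $name); continue }
    $tag = if ($svc.StartMode -eq 'Disabled') { 'ok    ' } else { 'DRIFT ' }
    Write-Output ("[{0}] {1}: StartMode={2} State={3}" -f $tag, $name, $svc.StartMode, $svc.State)
}
foreach ($name in $Review) {
    $svc = Find-Svc $name
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        Write-Output ("[review] {0}: StartMode={1} State={2} - check dependants before changing" -f $name, $svc.StartMode, $svc.State)
    }
}

# --- Apply one change, keeping a rollback record ------------------------------
if ($Apply) {
    if ($Disable -notcontains $Apply) { throw "'$Apply' is not an unconditional Disabled entry." }
    $svc = Find-Svc $Apply
    if (-not $svc) { throw "Service '$Apply' is not installed on this host." }
    if ($svc.StartMode -eq 'Disabled') { Write-Output "Already Disabled; nothing to do."; return }

    if ($PSCmdlet.ShouldProcess($svc.Name, "Set startup type to Disabled (currently $($svc.StartMode))")) {
        [pscustomobject]@{
            Timestamp         = (Get-Date).ToString('s')
            Name              = $svc.Name
            DisplayName       = $svc.DisplayName
            PreviousStartMode = $ToStartupType[$svc.StartMode]
        } | Export-Csv -Path $StateFile -Append -NoTypeInformation
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "Set '$($svc.DisplayName)' to Disabled. Reboot twice and test; to revert:"
        Write-Output "  Set-Service -Name '$($svc.Name)' -StartupType $($ToStartupType[$svc.StartMode])"
    }
}
```

Run it with no arguments for a read-only audit, then with `-Apply 'Upload Manager' -WhatIf` to see what would change, and finally with `-Apply 'Upload Manager'` to change that one service; the CSV it appends to is the record you work from if the double reboot and testing turn up a failure.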
Next tip, I'll dive into secure configuration settings for a domain controller.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in March 2004