Deploying secure domain controllers - Part 4

Part four looks at Windows Server 2003 system's default settings and what the most secure settings would be.

Part 1, Part 2 and Part 3 of this tip are published separately.

I can't count the number of times I've been asked about the default services that are installed on a Windows 2003 Server system and what the best settings are for security. Well, here is a hit list that hopefully will answer most of those queries.

There are 84 services that will appear on a Windows 2003 Server system when a new fresh installation is performed. If an upgrade install from Windows 2000 Server is performed, an additional six services are present. All of the default services of Windows 2003 Server are listed in the following table. The six post-upgrade services are indicated by an asterisk. The settings relevant to an upgrade server rather than a fresh installation server are also indicated by an asterisk.

This table indicates the default settings of a Windows 2003 Server just after it has been promoted to a domain controller. This table assumes that the system will be used exclusively as a domain controller. If the system is to be a host to any other network service or application, you may not be able to lock down as many services without compromising functionality.

The Secure Setting column contains my recommendations for improving the overall security of the system. The label "consider setting to Disabled or Manual" means to inspect the system to see whether any other application or function requires this service. If none does, the service can be disabled or set to Manual to reduce the attack surface. If you discover that something fails to operate after making such a change, revert the setting to its default.

The default settings of services on a Windows 2003 Server member server are indicated with a caret sign (^).

Service | Default Setting | Secure Setting
--- | --- | ---
Alerter | Disabled | already secure
Application Layer Gateway Service | Manual | already secure
Application Management | Manual | consider setting to Disabled or Manual
Automatic Updates | Automatic | consider setting to Disabled or Manual
Background Intelligent Transfer Service | Manual | consider setting to Disabled or Manual
ClipBook | Disabled | already secure
COM+ Event System | Manual | already secure
COM+ System Application | Manual | already secure
Computer Browser | Automatic | consider setting to Disabled or Manual
Cryptographic Services | Automatic | already secure
DHCP Client | Automatic | consider setting to Disabled or Manual
Distributed File System | Automatic | already secure
Distributed Link Tracking Client | Manual; Automatic^ | Disabled
Distributed Link Tracking Server | Disabled; Automatic* | already secure; Disabled*
Distributed Transaction Coordinator | Manual; Automatic^ | already secure
DNS Client | Automatic | already secure
DNS Server | Automatic | consider setting to Disabled or Manual
Error Reporting Service | Automatic | consider setting to Disabled or Manual
Event Log | Automatic | already secure
Fax* | Automatic* | Disabled*
File Replication Service | Automatic | already secure
Help and Support | Automatic | already secure
HTTP SSL | Manual | already secure
Human Interface Device Access | Disabled | already secure
IIS Admin Service* | Automatic* | Disabled*
IMAPI CD-Burning COM Services | Disabled | already secure
Indexing Service | Disabled; Manual* | already secure; Disabled*
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled; Manual* | already secure; Disabled*
Intersite Messaging | Automatic | already secure
IPSec Services | Automatic | already secure
Kerberos Key Distribution Center | Disabled | already secure
License Logging | Disabled; Automatic* | already secure; Disabled*
Logical Disk Manager | Automatic | already secure
Logical Disk Manager Administrative Service | Manual | already secure
Messenger | Disabled | already secure
Microsoft Software Shadow Copy Provider | Manual | consider setting to Disabled or Manual
Net Logon | Automatic; Manual^ | already secure
NetMeeting Remote Desktop Sharing | Disabled; Manual* | already secure; Disabled*
Network Connections | Manual | already secure
Network DDE | (Disabled) | already secure
Network DDE DSDM | (Disabled) | already secure
Network Location Awareness (NLA) | Manual | already secure
NTLM Security Support Provider | Manual | already secure
Performance Logs and Alerts | Manual | consider setting to Disabled or Manual
Plug and Play | Automatic | already secure
Portable Media Serial Number Service | Manual | Disabled
Print Spooler | Automatic | consider setting to Disabled or Manual
Protected Storage | Automatic | already secure
Remote Access Auto Connection Manager | Manual | consider setting to Disabled or Manual
Remote Access Connection Manager | Manual | consider setting to Disabled or Manual
Remote Desktop Help Session Manager | Manual | already secure
Remote Procedure Call (RPC) | Automatic | already secure
Remote Procedure Call (RPC) Locator | Manual | consider setting to Disabled or Manual
Remote Registry | Automatic | already secure
Removable Storage | Manual; Automatic* | consider setting to Disabled or Manual
Resultant Set of Policy Provider | Manual | already secure
Routing and Remote Access | Disabled | already secure
Secondary Logon | Automatic | already secure
Security Accounts Manager | Automatic | already secure
Server | Automatic | already secure
Shell Hardware Detection | Automatic | Disabled
Simple Mail Transfer Protocol (SMTP)* | Automatic* | Disabled*
Smart Card | Manual | already secure
Smart Card Helper* | Manual* | already secure*
Special Administrator Console Helper | Manual | Disabled
System Event Notification | Automatic | already secure
Task Scheduler | Automatic | already secure
TCP/IP NetBIOS Helper | Automatic | already secure
Telephony | Manual | consider setting to Disabled or Manual
Telnet | Disabled; Manual* | already secure; Disabled*
Terminal Services | (Manual) | consider setting to Disabled or Manual
Terminal Services Session Directory | Disabled | already secure
Themes | Disabled | already secure
Uninterruptible Power Supply | (Manual) | consider setting to Disabled or Manual
Upload Manager | Manual | Disabled
Utility Manager* | Manual* | Disabled*
Virtual Disk Service | Manual | already secure
Volume Shadow Copy | Manual | consider setting to Disabled or Manual
WebClient | Disabled | already secure
Windows Audio | Automatic; Disabled* | Disabled; already secure*
Windows Image Acquisition | Disabled | already secure
Windows Installer | Manual | already secure
Windows Management Instrumentation | Automatic | already secure
Windows Management Instrumentation Driver Extensions | Manual | already secure
Windows Time | Automatic | already secure
WinHTTP Web Proxy Auto-Discovery Service | Manual | already secure
Wireless Configuration | Automatic | consider setting to Disabled or Manual
WMI Performance Adapter | Manual | already secure
Workstation | Automatic | already secure
World Wide Web Publishing Service* | Disabled* | already secure*

As always, make your changes one service at a time, reboot twice, then thoroughly test the environment and all functions before moving on to the next service. Failing to make changes systematically will make troubleshooting more difficult.
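As an added example that is not part of the original tip, the following Windows PowerShell script (3.0 or later assumed, so it runs from a management host rather than the 2003 box itself) audits a domain controller against the rows of the table whose Secure Setting is a flat "Disabled" and changes at most one service per run, so the one-change, reboot-and-test cycle above can be followed. The display names are copied from the table; the short service names are whatever the system reports for them.

```powershell
# Added example (not from the original tip): audit service startup types against
# the table's "Disabled" recommendations and apply at most one change per run,
# matching the one-service-at-a-time procedure described above.

# Display name (as in the table) -> recommended startup type.
$Baseline = @{
    'Distributed Link Tracking Client'     = 'Disabled'
    'Portable Media Serial Number Service' = 'Disabled'
    'Shell Hardware Detection'             = 'Disabled'
    'Special Administrator Console Helper' = 'Disabled'
    'Upload Manager'                       = 'Disabled'
    'Windows Audio'                        = 'Disabled'
}

function Get-ServiceDrift {
    param([hashtable]$Desired)
    # Win32_Service.StartMode reports Auto, Manual or Disabled for each service.
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($display in $Desired.Keys) {
        $svc = $services | Where-Object { $_.DisplayName -eq $display }
        if (-not $svc) { continue }   # not installed on this build; nothing to check
        # Normalise WMI's "Auto" to the name Set-Service uses.
        $current = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
        if ($current -ne $Desired[$display]) {
            [pscustomobject]@{
                Name    = $svc.Name       # short service name used by Set-Service
                Display = $display
                Current = $current
                Desired = $Desired[$display]
            }
        }
    }
}

$drift = @(Get-ServiceDrift -Desired $Baseline)
if ($drift.Count -eq 0) {
    Write-Host 'No drift from the secure baseline.'
} else {
    $drift | Format-Table -AutoSize
    # Change exactly one service per run; -Confirm forces an explicit prompt
    # before the startup type is written.
    $first = $drift[0]
    Set-Service -Name $first.Name -StartupType $first.Desired -Confirm
    Write-Host "Changed '$($first.Display)'. Reboot and test before running again."
}
```

Re-running the script after each reboot-and-test cycle reports the remaining drift and offers the next single change.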

Next tip, I'll dive into secure configuration settings for a domain controller.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in March 2004
