There was such a positive response to my previous tip on locking down services running on Windows XP workstation clients that my editor requested that I write a similar tip for Windows Server 2003. After all, the "fewest services possible" paradigm most certainly applies to servers as well -- perhaps even more so than workstations.
The caveat is that most server machines are running more software that generally needs clients with the ability to remotely connect to it, and thus you'll need to lock down some different services and perhaps leave a few more open than you would on a workstation. Additionally, there are many more possible services that can be installed on a Windows Server 2003 machine -- antivirus, mail, DNS and Web services are all possibilities -- so it's more difficult to issue blanket recommendations. In order to limit the scope a bit and still be able to provide definitive advice in this tip, I'll discuss the top 10 services on Windows Server 2003 to watch for.
As a reminder, to manage services on your Windows Server 2003 machine, do the following:
- From the Start menu, select Administrative Tools.
- Click on Services to open that applet.
- Double-click a service.
- Under Startup Type, select Manual to prevent a service from automatically starting when the computer boots. Click the Stop button to stop the service if it's already running.
Here are the 10 most important services to consider when locking down services on a Windows Server 2003 computer:
- Automatic Updates Services: This service is used to check if any critical updates are available for download. The automatic download may be inappropriate in an enterprise environment. Automatic if you don't wish to use Windows Update manually; Disabled otherwise.
- Fax Service: Disabling this service will render the computer unable to send or receive faxes, which is the appropriate setting for any Internet-connected server. The Fax Service has previously been exploited and it's risky in all but the rarest contexts. Disabled; or don't install from distribution media.
- IIS Admin: This service is used to administer IIS. You should ensure this service is turned off unless you are administering an IIS installation located on the same machine as the IIS Admin service. Disabled unless running IIS; or don't install from distribution media.
- Messenger: Sends and receives messages to or from users and computers, or those transmitted by administrators or by the Alerter Service. This is all but deprecated, considering most modern service-based programs write events to the Event Log or send e-mail. Disabled.
- Simple Mail Transport Protocol (SMTP): Transports e-mail across the network, but this service can be abused if you don't configure it properly (remember open relay spam?). If you do need the ability to send outgoing e-mail, make sure you set this service properly. Disabled except for outgoing or incoming mail servers; or don't install from distribution media.
- Task Scheduler: Enables a program to run at a designated time. It's better to leave this one off unless you're running backups regularly. Disabled unless absolutely required.
- Telnet: Allows a remote user to log on to the system and run console programs by using the command line. Windows Server 2003 wasn't really designed to be administered through Telnet, and neither were its predecessors. There are better ways to remotely manage a machine -- Telnet is cleartext and unencrypted. Disabled; or don't install from distribution media.
- Terminal Services: Provides a multisession environment that allows client devices to access a virtual desktop session and Windows-based programs running on the server. If you don't ever administer a server remotely, then turn this one off. If you do, use it with care. Disabled; or don't install from distribution media.
- Universal Plug and Play Device Host: Used in conjunction with Simple Service Discovery Protocol (SSDP) Discovery Service, it detects and configures UPnP devices on your home network. You shouldn't need this on Windows Server 2003. Disabled.
- World Wide Web Publishing Service: Provides HTTP services for applications on the Windows platform. Turn this off if you're not publishing pages. Disabled; or don't install from distribution media.
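Checking ten services by hand in the Services applet is tedious on more than one or two machines, so here is an added audit script that covers the procedure above and the ten recommendations in one pass. It is my example, not part of the original tip, and it changes nothing: it reads each service's startup type and state through WMI (the Win32_Service class), compares them with the tip's recommendation, and for anything out of line prints the sc.exe commands an administrator could review and run. It assumes PowerShell is installed on the server with WMI access to the local machine. The short service names (wuauserv, Fax, IISADMIN, Messenger, SMTPSVC, Schedule, TlntSvr, TermService, upnphost, W3SVC) are the standard Windows names and are not given in the tip; Automatic Updates is treated as a site-policy decision because the tip allows either setting.

```powershell
# Added audit script (not from the original tip). Read-only: it reports drift from the
# tip's recommended startup types and prints, but does not run, remediation commands.
# Assumption: PowerShell with access to the local Win32_Service WMI class.

# Recommended = 'Disabled' restates the tip; 'Policy' means the tip leaves it to you.
$services = @(
    @{ Name = 'wuauserv';    Display = 'Automatic Updates';                  Recommended = 'Policy'   },
    @{ Name = 'Fax';         Display = 'Fax Service';                        Recommended = 'Disabled' },
    @{ Name = 'IISADMIN';    Display = 'IIS Admin';                          Recommended = 'Disabled' },
    @{ Name = 'Messenger';   Display = 'Messenger';                          Recommended = 'Disabled' },
    @{ Name = 'SMTPSVC';     Display = 'Simple Mail Transport Protocol';     Recommended = 'Disabled' },
    @{ Name = 'Schedule';    Display = 'Task Scheduler';                     Recommended = 'Disabled' },
    @{ Name = 'TlntSvr';     Display = 'Telnet';                             Recommended = 'Disabled' },
    @{ Name = 'TermService'; Display = 'Terminal Services';                  Recommended = 'Disabled' },
    @{ Name = 'upnphost';    Display = 'Universal Plug and Play Device Host'; Recommended = 'Disabled' },
    @{ Name = 'W3SVC';       Display = 'World Wide Web Publishing Service';  Recommended = 'Disabled' }
)

$findings = @()
foreach ($svc in $services) {
    # Win32_Service exposes StartMode (Auto, Manual, Disabled) and State (Running, Stopped).
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    if ($wmi -eq $null) {
        # Not installed at all: the outcome the tip prefers for most of these.
        $startMode = 'Not installed'
        $state     = ''
        $ok        = $true
    } else {
        $startMode = $wmi.StartMode
        $state     = $wmi.State
        # Drift means the tip says Disabled but the service can still start
        # (Auto or Manual) or is running right now. Manual is not enough:
        # anything that can request the service can still start it.
        $ok = ($svc.Recommended -ne 'Disabled') -or
              (($startMode -eq 'Disabled') -and ($state -eq 'Stopped'))
    }
    $findings += New-Object PSObject -Property @{
        Service     = $svc.Display
        ShortName   = $svc.Name
        StartMode   = $startMode
        State       = $state
        Recommended = $svc.Recommended
        Compliant   = $ok
    }
}

$findings | Format-Table Service, StartMode, State, Recommended, Compliant -AutoSize

# For each non-compliant entry, show the sc.exe commands that apply the tip's setting.
# These are printed for review only; nothing here executes them.
# Note: sc.exe requires the space after "start=".
foreach ($f in ($findings | Where-Object { -not $_.Compliant })) {
    Write-Host ("REM {0}: {1}, {2} (recommended: {3})" -f $f.Service, $f.StartMode, $f.State, $f.Recommended)
    Write-Host ("sc stop {0}" -f $f.ShortName)
    Write-Host ("sc config {0} start= disabled" -f $f.ShortName)
}
```

Run it from an administrative console and read the table before applying anything: a Manual startup type shows up as non-compliant on purpose, because Manual only stops the service from starting at boot, while Disabled is what actually keeps it from being started on request. If a service the tip lists is legitimately in use (IIS Admin and World Wide Web Publishing on a Web server, Terminal Services on a box you administer remotely), set its entry to 'Policy' in the table rather than silencing the finding elsewhere.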
Bonus: Check out the Security Configuration Wizard for Windows Server 2003. If you're running Service Pack 1, the wizard takes care of a lot of this manual security work for you. I've written a tip describing in detail how to use the wizard; here's a link to it.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.