Tighten server security by disabling Windows 2000 services

Lock down Windows 2000 by turning off unneeded services.

For a long time now, Microsoft has recommended disabling any services that are not actively being used on Windows servers and workstations. The rationale behind this is that the more services that are running on a machine, the greater the chance that one or more of the services contain a vulnerability that can be exploited. In addition to posing security risks, running unnecessary services also degrades your system’s performance because the system must allocate resources such as CPU time and memory to processes you don't need. Here are the services you should consider eliminating.

Don’t trust the Microsoft Baseline Security Advisor
To assist you in determining what services to disable, Microsoft has created tools such as the Microsoft Baseline Security Advisor. However, even the advisor has its limits. The last time I ran this tool, it recommended disabling five services: FTP Publishing, Remote Access Connection Manager, Simple Mail Transfer Protocol (SMTP), Telnet, and World Wide Web Publishing. 

While this sounded like a good recommendation, the strategy has some flaws. First, a couple of the services were already disabled. Therefore, I repeated the test on other workstations, and the same five services were always recommended regardless of what was actually running on the machine. What bothers me about this is there are many other services that could be disabled to address potential security weaknesses.

Furthermore, the Microsoft Baseline Security Advisor doesn’t bother to tell you why you should disable these services. Therefore, in the sections that follow, I'll be putting in my two cents' worth about many of the services. Remember, though, that there’s absolutely nothing wrong with having a service enabled if you’re actually using it. I just want to point out the security risks that exist when you're running various services.

Setting the default services
Dozens of services are installed by default when you install Windows 2000. After the installation, some of these services are set to Automatic and others to Manual. Most of the time, if a service is configured to use a Manual startup, it's safe to disable it.

Recently, I was explaining this strategy to a friend who asked, “Why bother disabling a service that’s set to Manual if the service isn’t started anyway?” The reason is that a manual service isn’t started when Windows boots, but it can be started at any time by a user or an application.

Therefore, if a Trojan virus were to make its way onto your system, and it needed to exploit a service that was set to Manual, the Trojan would have no trouble starting the service. On the other hand, a service that’s disabled can’t be started until it has been enabled (set to Manual or Automatic). Therefore, it would be much more difficult for an automated script, such as those used in a Trojan, to launch the service.

By default, the following services are set to Manual when Windows is installed:
  • Application Management (AppMgmt)
  • Clip Book (ClipSrv)
  • COM+ Event System (EventSystem)
  • Distributed Link Tracking Server (TrkSrv)
  • Fax (Fax)
  • File Replication (NtFrs)
  • Indexing (Cisvc)
  • Internet Connection Sharing (SharedAccess)
  • Logical Disk Manager Administrative (Dmadmin)
  • NetMeeting Remote Desktop Sharing (Mnmsrvc)
  • Network Connections (Netman)
  • Network DDE (NetDDE)
  • Network DDE DSDM (NetDDEdsdm)
  • NTLM Security Support Provider (NtLmSsp)
  • Performance Logs and Alerts (SysmonLog)
  • QoS Admission Control (RSVP)
  • Remote Access Auto Connection Manager (RasAuto)
  • Remote Procedure Call Locator (Rpclocator)
  • Smart Card (ScardSvr)
  • Smart Card Helper (ScardDrv)
  • Telephony (TapiSrv)
  • Telnet (TlntSvr)
  • Uninterruptible Power Supply (UPS)
  • Utility Manager (UtilMan)
  • Windows Installer (MSIServer)
  • Windows Management Instrumentation (WinMgmt)
  • Windows Management Instrumentation Driver Extensions (WMI)

Most of these services can be safely disabled, and in most cases should be. Remember, though, that there are legitimate cases for running each of these services. For example, if your machine is attached to an uninterruptible power supply, you certainly wouldn’t want to disable the UPS service. In fact, you’d probably set it to Automatic. However, UPS is actually one of the services that Microsoft recommends disabling. It isn’t so much that the UPS service contains some known security vulnerability as it is a precautionary technique. The philosophy is, why take a chance on a service that you aren’t using when the service may have an undiscovered security vulnerability?

Of the manually activated services that I listed above, there are some services that shouldn’t be disabled. Microsoft recommends leaving the following services set to Manual. You could disable these services, but by doing so, you risk affecting Windows' functionality:
  • COM+ Event System (EventSystem)
  • Logical Disk Manager Administrative (Dmadmin)
  • Network Connections (Netman)
  • Performance Logs and Alerts (SysmonLog)
  • Remote Procedure Call Locator (Rpclocator)—must not be disabled on domain controllers
  • Windows Management Instrumentation Driver Extensions (WMI)

As you might have figured out, the services above are considered important, low-risk system services. The main reason Microsoft didn’t set these services to Automatic by default is that they aren’t used all the time. By setting the services to Manual, Microsoft could save some CPU time and make Windows perform better. For example, the Logical Disk Manager Administrative service is automatically started when you launch the Disk Management Console (Diskmgmt.msc). If the service is disabled, the Disk Management Console can’t be started, and you can't change the system’s disk configuration.
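The following script is an added example and not part of the original article. It turns the Manual-services advice above into a repeatable audit: it takes the list of services that are Manual by default, sets aside the ones Microsoft recommends keeping at Manual (plus Remote Procedure Call Locator when the host is a domain controller), and flags any candidate that is currently running or that a running service depends on, since that is the sign it is actually in use. It assumes a Windows host with PowerShell 5.1 or later (Windows 2000 itself has no PowerShell); the service short names are the ones listed in the article, and the function and variable names are my own.

```powershell
# Added example (not from the original article): audit the Manual-startup
# services the article lists and show which could be set to Disabled.
# Assumes PowerShell 5.1+ on a Windows host; service names are from the article.

# Services the article lists as set to Manual on a default install.
$manualByDefault = @(
    'AppMgmt','ClipSrv','EventSystem','TrkSrv','Fax','NtFrs','Cisvc',
    'SharedAccess','Dmadmin','Mnmsrvc','Netman','NetDDE','NetDDEdsdm',
    'NtLmSsp','SysmonLog','RSVP','RasAuto','Rpclocator','ScardSvr',
    'ScardDrv','TapiSrv','TlntSvr','UPS','UtilMan','MSIServer','WinMgmt','WMI'
)

# Services the article says Microsoft recommends leaving at Manual.
$keepManual = @('EventSystem','Dmadmin','Netman','SysmonLog','WMI')

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-ManualServiceAudit {
    param(
        [string[]]$Candidates = $manualByDefault,
        [string[]]$Keep = $keepManual
    )
    # The article notes Rpclocator must not be disabled on domain controllers.
    if (Test-DomainController) { $Keep += 'Rpclocator' }

    foreach ($name in $Candidates) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not installed on this host; nothing to disable.
            [pscustomobject]@{ Name = $name; StartType = '(absent)'; Status = '(absent)'
                               RunningDependents = 0; Action = 'none' }
            continue
        }
        # A service that other running services depend on is in use even if
        # it looks idle, so count running dependents before recommending Disabled.
        $deps = @($svc.DependentServices | Where-Object Status -eq 'Running').Count
        $action = if ($Keep -contains $name)                                { 'keep Manual' }
                  elseif ($svc.Status -eq 'Running' -or $deps -gt 0)        { 'in use; review' }
                  elseif ($svc.StartType -eq 'Disabled')                    { 'already Disabled' }
                  else                                                      { 'disable' }
        [pscustomobject]@{
            Name = $svc.Name; StartType = $svc.StartType; Status = $svc.Status
            RunningDependents = $deps; Action = $action
        }
    }
}

$audit = Get-ManualServiceAudit
$audit | Format-Table -AutoSize

# Apply only the unambiguous cases. -WhatIf previews the change; remove it to
# actually set the startup type. Once Disabled, the service cannot be started
# by a user, a scheduled task or a Trojan until its startup type is changed back.
$audit | Where-Object Action -eq 'disable' | ForEach-Object {
    Set-Service -Name $_.Name -StartupType Disabled -WhatIf
}
```

Run it first with the -WhatIf left in place and read the "in use; review" rows before changing anything. On a Windows 2000 machine without PowerShell, the equivalent change for one service is `sc config <ServiceName> start= disabled` (the space after the equals sign is required) or the Startup type drop-down in the Services console.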

Disabled services
Now that I've discussed the manual services, let’s take a look at the services that are disabled by default. There are only a couple of these services, one of which is Kerberos Key Distribution Center (kdc). This particular service controls the way that encryption keys are distributed throughout your organization. As such, this service should be enabled only on designated key distribution servers within a domain.

Another service that is disabled by default is Routing and Remote Access (RemoteAccess). This service allows others to access the server remotely via dial-up networking, and it should be enabled only on designated RAS servers.

Automatic services
Now let’s look at the services that are set to run automatically. Generally speaking, default Windows services that are set to Automatic startup are considered critical to the core operating system and must therefore be left enabled. But there are exceptions to every rule. Here is a list of the default Windows services that are set to Automatic:
  • Alerter (Alerter)
  • Computer Browser (Browser)
  • DHCP Client (DHCP)
  • Distributed File System (Dfs)
  • Distributed Link Tracking Client (TrkWks)
  • Distributed Transaction Coordinator (MSDTC)
  • DNS Client (DNSCache)
  • Event Log (EventLog)
  • IIS Admin service (IISADMIN)
  • IPSec Policy Agent (PolicyAgent)
  • License Logging service (LicenseService)
  • Logical Disk Manager (Dmserver)
  • Messenger (Messenger)
  • Net Logon (Netlogon)
  • Plug and Play (PlugPlay)
  • Protected Storage (ProtectedStorage)
  • Remote Procedure Call (RpcSs)
  • Remote Registry service (RemoteRegistry)
  • Removable Storage (NtmsSvc)
  • Run As service (Seclogon)
  • Security Accounts Manager (SamSs)
  • Server (Lanmanserver)
  • Simple Mail Transport Protocol (SMTPSVC)
  • Print Spooler (Spooler)
  • System Event Notification (SENS)
  • Task Scheduler (Schedule)
  • TCP/IP NetBIOS Helper service (LmHosts)
  • Windows Time (W32Time)
  • Workstation (LanmanWorkstation)
  • World Wide Web Publishing service (W3svc)

You might be surprised to learn that there are services in this list that Microsoft recommends disabling. The idea of disabling core system-level services has always seemed a little strange. Unfortunately, there is no simple reason that I can give you for disabling a number of the services in the above list. Some of the services are used only in specific circumstances and can be disabled in all other environments. Other services represent a double-edged sword in that enabling them has certain risks, but so does disabling them. Still other services tend to have more obscure reasons. In the sections below, I'll share my thoughts on disabling 15 of the services listed above.

Alerter (Alerter)
The Alerter service notifies selected computers and users about administrative alerts. I tend to ride the fence when it comes to disabling Alerter. This is one of those services that is seldom used, but when it is used, the alerts are nice to have. Microsoft recommends disabling this service, but you should make up your own mind about whether disabling the Alerter service is appropriate for your organization.

Computer Browser (Browser)
In versions of Windows other than 2000 and XP, the Computer Browser was used as one of the mechanisms for NetBIOS name resolution. The Computer Browser service is included in Windows 2000 purely for backward compatibility purposes. Therefore, if your network consists solely of Windows 2000 and Windows XP computers, you can safely disable this service. If other operating systems are present, you must leave this service enabled.

Distributed Transaction Coordinator (MSDTC)
This service processes various database transactions. If the server is a domain controller, or is running SQL Server or any other type of database, you should leave this service enabled. On an additional security note, however, it's possible to initiate a denial of service attack against the Distributed Transaction Coordinator by sending it 20,200 bytes of null data.

My general feeling about this service is that if it isn’t being used, it’s a good idea to disable it. However, I also recommend being very careful to make sure that the service really isn’t being used, since so many different types of databases use it.

IIS Admin (IISADMIN)
As the name implies, the IIS Admin service is used by IIS Server. If you aren’t using IIS on the server, you should disable this service.

IPSec Policy Agent (PolicyAgent)
The IPSec Policy Agent service is designed to retrieve policy information and pass it to the other IPSec components. I completely disagree with Microsoft about disabling this service. I believe that for good security, you should be using IPSec and the necessary IPSec Policy Agent service.

Even if you have older computers in your organization that don’t support IPSec, you can use the IPSec Request Encryption setting rather than the Require Encryption setting. This will allow traffic that can be encrypted to be encrypted, while allowing other traffic to flow freely.

License Logging (LicenseService)
The License Logging service helps keep track of software licenses. If you aren’t using this service, you might as well disable it.

Messenger (Messenger)
MSN Messenger uses the Messenger service. Its main job is to facilitate the sending and receiving of instant messages, but it is also used by NetMeeting. If your business needs will allow you to disable this service, then I recommend doing so.

Net Logon (Netlogon)
The Net Logon service is used to authenticate a user into a domain. So why on earth would you ever want to disable this one? Well, if a server doesn’t belong to a domain, you can safely disable Net Logon.

Removable Storage (NtmsSvc)
The Removable Storage service tends to be used mostly by large data centers. The idea is that if a hard disk is filling up, some of the files can be archived to a removable storage device. When users attempt to retrieve the files, they can see that the files are temporarily unavailable until the removable device is mounted. Most of the time, removable storage is used in conjunction with tape robots. Obviously, the vast majority of the organizations out there aren’t using this service. Therefore, most people will be able to safely disable it.

Run As (Seclogon)
The Run As service is one of those double-edged swords that I was talking about earlier. Microsoft says you should disable this service because it allows someone to run an individual application as a different user (assuming that the person has the alternate user’s login credentials available).

At the same time, however, Microsoft also says that no one in your organization should make a habit of logging in as the Administrator or as someone with administrative privileges. If administrative permissions are required for an individual operation, Microsoft states that it’s better to use the RunAs command to run that process as an Administrator than it is to log in as an Administrator. As you can see, Microsoft is giving seemingly contradictory advice. I recommend making up your own mind on this one. Personally, I leave the Run As service enabled on my servers.

Simple Mail Transport Protocol (SMTPSVC)
The SMTP service is used by IIS and Exchange Server to send e-mail across the Internet. Many third-party applications also use this service for sending mail. Included in those third-party applications are viruses, spyware, and Trojans. Therefore, if your server doesn’t need to be able to send e-mail, this is one service that you really should disable.

Print Spooler (Spooler)
If you think disabling the Print Spooler service prevents you from printing, you’re absolutely right. The catch is that not every server functions as a print server. If you have a server that doesn’t host a print queue, you can safely disable the Print Spooler service and save yourself some system overhead as well as reduce the server’s security risks.

Task Scheduler (Schedule)
The Task Scheduler is simply a mechanism for executing a command at a scheduled time. The Task Scheduler is often used for backup software or for various maintenance utilities, such as a utility for defragmenting your hard disk.

Windows Time (W32Time)
The Windows Time service is basically a time synchronization mechanism. This service absolutely must be enabled if the server belongs to a domain. Computer clocks have a tendency to gain or lose time. Windows requires that all servers within a domain have their clocks synchronized within plus or minus five minutes of each other. This service makes that synchronization possible. However, if the server that you are securing isn’t a part of a domain, there’s no reason to run the Windows Time service.

World Wide Web Publishing (W3svc)
This one is a security no-brainer. The World Wide Web publishing service allows the machine to host Web content with IIS. Unless you need IIS for hosting a Web site or Exchange’s Outlook Web Access (or something like that), disable this service.
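Most of the advice for the Automatic services above is conditional: Net Logon and Windows Time only matter on domain members, the Print Spooler only where a print queue is hosted, and so on. The script below is an added example (not from the original article) that reads those conditions off the host itself, using the domain role and shared-printer information that WMI exposes, and prints the article's recommendation for each service next to its current state. It assumes a Windows host with PowerShell 5.1 or later; the service names are the article's, and the function names and the one-line reasons are my own. Conditions the script cannot observe (whether a database uses MSDTC, whether older operating systems share the network) are left as review items rather than guessed.

```powershell
# Added example (not from the original article): apply the article's conditional
# advice for Automatic-startup services to the host this runs on.
# Assumes PowerShell 5.1+ on a Windows host; service names are from the article.

function Get-HostFacts {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Shared printers indicate this server hosts a print queue.
    $sharedPrinters = @(Get-CimInstance -ClassName Win32_Printer |
                        Where-Object { $_.Shared }).Count
    [pscustomobject]@{
        PartOfDomain     = [bool]$cs.PartOfDomain
        # DomainRole 4 = backup DC, 5 = primary DC.
        DomainController = ($cs.DomainRole -ge 4)
        SharedPrinters   = $sharedPrinters
    }
}

function Get-AutomaticServiceAdvice {
    param([pscustomobject]$Facts = (Get-HostFacts))

    # One rule per service: the condition under which the article says it can
    # be disabled, and the article's reasoning in a sentence.
    $rules = @(
        @{ Name = 'Netlogon';    CanDisable = -not $Facts.PartOfDomain;     Why = 'only needed when the server belongs to a domain' }
        @{ Name = 'W32Time';     CanDisable = -not $Facts.PartOfDomain;     Why = 'domain clocks must stay within five minutes of each other' }
        @{ Name = 'Spooler';     CanDisable = ($Facts.SharedPrinters -eq 0); Why = 'no print queue is hosted here' }
        @{ Name = 'MSDTC';       CanDisable = -not $Facts.DomainController; Why = 'keep on DCs; also keep if any database on this server uses it' }
        @{ Name = 'IISADMIN';    CanDisable = $true;                        Why = 'disable unless IIS is in use' }
        @{ Name = 'W3SVC';       CanDisable = $true;                        Why = 'disable unless hosting a Web site or Outlook Web Access' }
        @{ Name = 'SMTPSVC';     CanDisable = $true;                        Why = 'disable unless the server must send e-mail' }
        @{ Name = 'PolicyAgent'; CanDisable = $false;                       Why = 'keep: IPSec policy retrieval' }
        @{ Name = 'Browser';     CanDisable = $false;                       Why = 'review: keep unless the network is solely Windows 2000/XP' }
    )
    foreach ($r in $rules) {
        $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { '-' }
        $advice = if (-not $svc)       { 'absent' }
                  elseif ($r.CanDisable) { 'candidate to disable' }
                  else                   { 'leave enabled' }
        [pscustomobject]@{
            Name    = $r.Name
            Present = [bool]$svc
            Status  = $status
            Advice  = $advice
            Why     = $r.Why
        }
    }
}

Get-AutomaticServiceAdvice | Format-Table -AutoSize
```

The output is a checklist, not an automatic change: "candidate to disable" rows still need the confirmation the article asks for (for example, that no application on the server depends on MSDTC or on sending mail through SMTPSVC) before you set the startup type to Disabled.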