Running unnecessary Windows XP services can increase your vulnerability to exploits that might use those services as attack vectors. In this IT Dojo video, I discuss five services that you should consider turning off and show you how to disable them.
Original blog post:
http://blogs.techrepublic.com.com/itdojo/?p=120
But, unnecessary services are only one potential attack vector. Many argue that most home users' proclivity for accessing Windows XP through the administrator account is one of, if not the, biggest Windows XP security hole. Although Windows Vista attempts to plug this hole, UAC can be such an annoyance that users may simply say "yes" to every security message whether they understand the risk or not.
So, is overuse of the administrator account still Windows' biggest security hole? With the release of Windows Vista, has another vulnerability taken its place? Has a larger security hole always existed within Windows?
Net send is one of those irritating services a computer wannabe will use to show off in an office or a local network environment... but more often than not using net use * will basically send that message to all members of the workgroup/domain, even up to the CEO's computer, who might think it's either a virus or a hack. He/She might get quite irritated about it, so much for the bragging rights when they see the computer owner popping together with message... better turn it off before it makes a mess.
A strong second to comments made in 7.1.1 and 9 -- being limited to dialup -- not by choice but by location -- makes videos unusable.
-- JW --
I agree and I have broadband. There is no reason to have a video for an article like this.
Please don't stop the videos. A picture is worth a thousand words.
Yeah, I'm with you. Please, people, if you think it's worthless, then don't watch 'em; there's another lot of people who appreciate the videos.
A picture != video.
I agree it's a horrible waste of bandwidth (multicast helps only with the broadcaster's bandwidth bill, not with overall 'net congestion).
And no everyone does NOT have access to broadband. Cable's not everywhere, telcos are not required to offer it even if you live within a mile of the switching office, the satellite services and cell-data sources have clauses hidden in the fine print about limiting your bandwidth if you use more than the 'average' amount (the average amount will never increase because they choke off your pipe to dialup speeds if you're exceeding the average... so essentially you're paying $100/month for dialup bandwidth with those services), and WiMAX is being rolled out only in metro areas, NOT in areas that currently have no broadband access.
I could have read all that info in about 30 seconds. The video took over 3 minutes to watch.
I know video is cool, but it's also a time-suck.
Thanks for the tips in this video - I had no idea this could be done. I found this very useful and interesting!
A good way to improve performance, is to go to system properties, then to advanced tab, then to system performance, and visual effects. Adjust all of the settings under custom to improve performance.
www.computer-answers.com
Simple File Sharing
SSDP Discovery Service
Universal Plug and Play Device Host
are needed for GeekSticks
I know for sure Simple File Sharing isn't required, 'cause I have that turned off on all my XP Pro machines and my cruzer micros used to autorun U3 just fine. But I also recently disabled autorun on everything, CD/DVD drives and removable (thanks to the malware on Sony CDs). To make loading U3 easier I added it to the Removable Disk dialog using My Computer->Autoplay->Handlers in the powertoy TweakUI for XP... so when the computer scans the thumbdrive and asks what I want to do I just choose Load U3 and click OK.
What, no bloopers this time? Those are the best part! Thanks for the tips, Bill.
Unfortunately for the blooper lovers out there, this episode had a pretty clean shoot without many bloopers. But don't despair, there will be plenty more bloopers in future episodes.
Some more details on the services would be helpful.
Thanks!
Our download, "Windows XP services that can be disabled," contains a complete list of Windows XP services that can be disabled. This reference sheet lists each Windows XP service, describes each service's function, specifies whether you can safely disable the service, and outlines the ramifications of doing so.
Download:
http://downloads.techrepublic.com.com/abstract.aspx?docid=172521
You might rethink the recommendation on DNS Client. I don't believe it's required the way your PDF file says it is. Try it... turn it to manual and stop it, then reboot (check to make sure the service is stopped) and do some domain surfing. It will still surf around just fine without DNS Client service running.
The DHCP Client service should also be stopped if you are assigned a static IP address.
Nobody should turn off DHCP Client in a corporate environment, unless you aren't using DHCP... Which would be a serious mistake from an administrative standpoint...
The DHCP client isn't only for DHCP...It provides the mechanism for automatic DNS updates.
It is not clear to me what is the gain of shutting these services down. How big is the difference in performance when they are shut down?
Hi there, a lot of people (TECHS) do not realise that msconfig can be used to turn off unnecessary apps from running. Why not give a little rundown on it, please?
Regards Martin Ayres
mayres@eircom.net
ps enjoyed it dojo
I guess this video was sorta helpful, but I think most enterprise IT guys know these already.
For a much better rundown of Win services and possible settings to improve performance, I've found this site to be useful...
http://www.optimizingpc.com/optimize/windowsservices.html
- mark
Some of us, for one reason or another, don't like to bother with videos. My regular system is deliberately not set up with sound, and it's mildly annoying to find I'll need to take a lot of extra effort to follow a topic that might be interesting because it turns out to be a video.
What WERE the five points?
I found that I liked the videos. It kept me interested and I was able to listen while working on other things!
I'm pretty good but have to admit I slipped on having my SSDP Discovery Service on. Good learn here.
What is the benefit of killing Messenger?
A breakdown of which tweaks are for security and which are for performance would be helpful as well.
Also, a transcript in a PDF of the content in the video would be a good addition.
Thanks,
jd
Hello there -
Was one of the big things in XP SP2 that Messenger was turned off when you installed SP2?
JD - I had to shut down Messenger back in 2003 because web-based attacks can occur if you leave it on. Basically I was getting hundreds and hundreds of popups - even when I was not surfing the net. I mean HUNDREDS of popups - all claiming to want to sell me a fix for the popups! Turns out the fix is to simply disable the Messenger service. The Messenger service simply allows you to do net send messages within a LAN.
For sake I cannot read your typing on drive c: and it showed blurring. So I agreed that it is good idea to include PDF for this video content. Or I cannot hear your sound so what about captions?
Thanks, CM, CT
The Messenger Service can be a security risk for home users. Prior to SP2, the service was enabled by default and allowed Internet spammers to send unsolicited messages to users without a firewall. Even though Windows XP included a firewall, most home users disabled it. Messenger was such a concern that SP2 disables it by default. SP2 also enables the firewall. Although Messenger is less of a problem than it once was, it's still worth checking and disabling if not already turned off.
For more information on Windows services, check out our download:
http://downloads.techrepublic.com.com/abstract.aspx?docid=172521
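A read-only way to do the check suggested in the reply above, as an added example that is not part of the original thread or the TechRepublic download. It assumes Windows PowerShell has been installed on the XP machine (it is not included by default); the short service names and the `forceguest` registry value are the stock Windows XP ones and do not appear on this page.

```powershell
# Added example: read-only audit of the five items named in this thread.
# Nothing is changed on the machine; the script only reports current state.
# Assumption: the short service names are the stock Windows XP ones.
$services = @(
    @{ Name = 'Messenger'; Label = 'Messenger' },
    @{ Name = 'TlntSvr';   Label = 'Telnet' },
    @{ Name = 'SSDPSRV';   Label = 'SSDP Discovery Service' },
    @{ Name = 'upnphost';  Label = 'Universal Plug and Play Device Host' }
)

function Get-ServiceFinding {
    param($StartMode, $State)
    # Running  = reachable right now
    # Auto     = will be running again after the next boot
    # Manual   = stopped, but can still be started on demand
    # Disabled = cannot be started until re-enabled
    if ($State -eq 'Running')      { return 'REVIEW: running now' }
    if ($StartMode -eq 'Auto')     { return 'REVIEW: starts at boot' }
    if ($StartMode -eq 'Manual')   { return 'NOTE: stopped, startable on demand' }
    if ($StartMode -eq 'Disabled') { return 'OK: disabled' }
    return 'UNKNOWN'
}

function New-Row {
    param($Item, $StartMode, $State, $Finding)
    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Item      -Value $Item
    $row | Add-Member -MemberType NoteProperty -Name StartMode -Value $StartMode
    $row | Add-Member -MemberType NoteProperty -Name State     -Value $State
    $row | Add-Member -MemberType NoteProperty -Name Finding   -Value $Finding
    return $row
}

$report = @()
foreach ($s in $services) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
    $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $s.Name)
    if ($svc) {
        $finding = Get-ServiceFinding -StartMode $svc.StartMode -State $svc.State
        $report += New-Row $s.Label $svc.StartMode $svc.State $finding
    } else {
        $report += New-Row $s.Label 'n/a' 'n/a' 'OK: service not installed'
    }
}

# Simple File Sharing is a sharing model, not a service. It is reflected in
# the forceguest value: 1 = network logons are treated as Guest (simple
# sharing), 0 = classic per-user authentication.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -ErrorAction SilentlyContinue
if ($lsa -and $lsa.forceguest -eq 1) {
    $report += New-Row 'Simple File Sharing' 'n/a' 'Enabled' 'REVIEW: simple sharing in use'
} else {
    $report += New-Row 'Simple File Sharing' 'n/a' 'Not enabled' 'OK: classic sharing model'
}

$report | Format-Table -AutoSize
```

The Manual rows are reported separately from Disabled because the thread disagrees on whether that difference matters; the output lets each reader decide for their own environment.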
Only one service needs to be turned off. The power switch of your Windows PC.
Get a Mac!!!
Helpful. I had forgotten about the Telnet service completely.
Do not like the video ... Use slides or text! or do not set the help. video very hard to use!
That was very helpful. We are creating images for our school and I am going to shut down all 5 services discussed. Thank you
What do you know...These are already turned off in Xp Pro
Right, let's take a look at the services mentioned in the video:
Simple File Sharing - provides blanket access to shares without exception? False. By default, a domain-connected system on a network has only two shares with XP Pro SP2: C$ and IPC$ -- both administrative shares that are useful and crucial in many ways to a knowledgable IT pro. I use the C$ share regularly on my network to push out small updates to internally-developed help software, for example, and many client-management suites out there require an administrative share in order to properly work.
SSDP Discovery Service - Used to locate PnP devices. Set to manual by default in Windows XP Pro SP2, meaning the point is once again moot.
Universal Plug and Play Device Host - Set to manual by default in Windows XP Pro SP2, meaning the point is once again moot.
Bill's reasoning? If your devices are already installed, you won't need to have them install anything again. Unfortunately, those of us who work in the real world know otherwise. Domain-connected computers are overwhelmingly operated by individuals with lowered privileges specifically for the purpose of disallowing installation of hardware and software. That is what ACLs are for in the first place. The reason the two aforementioned services are set to manual by default on a system is so that they are still accessible to administrative users who have elevated privileges. In an actual IT Pro environment, disabling these instead of leaving them on manual is done at the risk of the efficiency of the IT department. Down-time is critical in most offices, and having to take a computer down for longer periods to install something as simple as a card reader or a USB drive to back up a user's profile is unnecessarily time consuming.
Telnet Service - Are you kidding me? You mean the Telnet service that is already disabled by default on XP Pro SP2? Welcome to the past, Bill.
Windows Messenger Service - Once again, this has to be a joke. Telnet is already disabled by default if you are running Service Pack 2-- which any office running XP should be doing anyway-- so this is a fairly moot point.
Judging from the PDF list that this video post also links to on TR, I find it interesting that plagiarizing a hack like blackviper is considered valid technical advice.
Not only does the video include already-disabled services (as in already disabled by default in SP2) like Telnet and Messenger-- seriously, guys, what year is this again?-- but the accompanying PDF actually lists things like BITS and Auto Updates as if those are perfectly valid services to disable in a professional IT setting.
I'm sorry, Bill, but I have to not only claim that some pretty weak plagiarizing is going on, but that some really bad information is being presented in this video. The services you mention in the video are not critical nor are they going to break a system by disabling them, but with at least a couple of them there is no sustainable argument for disabling something that is already set to manual and only be accessed using an appropriately privileged account is simply overkill and not adding real security. For the possible concerns relating to the services mentioned in the video, better applications for securing a system exist. For home use, simply not running as an administrator account removes the vast majority of attack vectors that aren't already covered by a firewall (which is on by default in SP2) and an antivirus/antispyware solution-- many alternatives out there are free for personal use. For professional environments, standard use of firewalls at the point-of-entry from the internet, managed antivirus, and domain-level ACLs are the numbers 1, 2, and 3 things that should be in place for security, regardless of operating system or hardware platform.
I understand that I may be coming off a bit strong here, but as the head of IT for a small company I would refuse to hire someone who came into an interview with the information provided in this video if they thought it was a valid security or performance measure for a company network domain. Posting technically questionable material is just bad mojo for the IT Dojo, in my humble opinion.
If you're truly paranoid about Windows security, then try these valid steps that can secure Windows to the point of virtual invulnerability. Here goes:
1.) Turn off Terminal Services
2.) Turn off or disable networking cards
3.) Pull out the ethernet cable or PCMCIA card/Cardbus Adapter.
4.) Last but not least; turn power off to PC/Laptop.
5.) You're done and safe and secure in the knowledge that no one can get to your PC remotely unless they come through the window at night and relieve you of your belongings.
Special note: Or you could pop in a live distro or install Linux (w/SELinux installed).
Wow. You offer a scathing assessment of this video and the associated download's advice. While I appreciate a healthy debate and welcome feedback, both negative and positive, I think your overall assessment of this tip's value is slightly off base.
Most of your criticisms are rooted in a belief that this tip is targeted specifically at enterprise computers in a domain environment. At no time during the video or in the blog post, do I assert that this tip is specifically designed for enterprise computers connected to a domain.
While most of TechRepublic's content is aimed explicitly at enterprise IT, we also provide information that is applicable only in small and/or home offices. Furthermore, we make no assumptions about the software or service packs our readers have installed. Nor, do we presume to know which settings they have changed, whether they have a software or hardware firewall, or if they regularly run Windows XP under the administrator account, which I would argue most non-enterprise users do. We provide guidance when necessary, but it is always the reader's responsibility to determine which tips are appropriate for their environment.
As to your concern about plagiarism, if you have specific evidence that this download's content was copied from another source (blackviper's site, Microsoft, or someone else), please send me that evidence through the private message link on my TechRepublic profile page. Plagiarism is a serious offense that we do not tolerate. I think, however, that you're overestimating the similarities between our download and other Internet material on Windows Services. Microsoft and a host of other online outlets provide information on disabling Windows XP services. Our download is an original document that offers not only a list of common Windows XP services, but descriptive information about each service and the effect shutting down each service is likely to have on the machine.
Bill, now you're shifting goalposts to justify the material. You claimed that messing with services could aid in performance or security, and both of those claims are red herrings that have, throughout repeated testing, been shown to be disproportionately minuscule at best and completely false at worst. Making the excuse that you don't assume which service pack a user is running isn't much of an excuse at all-- with Service Pack 3 out for XP it is not unreasonable to either assume SP2 is present or, in cases where it isn't, simply suggest that it be installed ASAP. Updating one's computer is far less risky than fooling with the services list, especially for novice users, and always has been the first step in any platform-agnostic troubleshooting to begin with. As for the excuse about not every reader/watcher not being enterprise level: the companies I run the IT departments for aren't enterprise level either, but they get the same quality of support for their business units because I hold the same standards that an enterprise level head of IT would have toward configuration management, security, and standards. The best foot for any beginner IT people is to have the fundamentals down right the first time, so they don't have to unlearn bad habits as they grow in their careers, which is the primary reason I'm so vocally against the type of advice in this article. In everything from desktop support to administration to software development to department management, the fundamentals of this article/video are misleading and predicates to bad habits based on misinterpretations of real-world application. If a home office user or small business user wants to improve security and avoid lowered performance over time, then just like with every other multi-user NOS currently in existence the best advice is to not run with administrative (or root) privileges, keep regularly updated, and don't install anything extra unless it's necessary.
That alone would solve the majority of the Windows (and Macintosh, and Linux) security and performance related questions for home office and SMB users.
As for your defense against accusations of plagiarism, that's your problem and not mine to figure out whether the similarities are close enough to be considered questionable in terms of originality. The same flawed argument-- that disabling services helps with performance and hardens security-- has been around on the internet since at least the beginnings of the XP launch, and no matter how many times the realities are explained the propagators of the misinformation continue to make excuses and keep spreading the flawed information.
Honestly, it's a pity that more writers like Ed Bott don't get more coverage on the topic of services (http://blogs.zdnet.com/Bott/?p=448 ), because his approach is refreshingly candid, testable, supported by actual real-world application scenarios, and weighted evenly on the question of whether or not a given service is useful for being disabled. I can vouch that while the article I point to by Mr. Bott covers Vista, the application of the concepts therein are completely compatible with XP as well (regardless of the Service Pack).
I've run similar tests to Mr. Bott's over the years regarding services, including running stress-testing apps under different service configurations, and I have consistently shown on numerous occasions throughout the years that the claims of performance increases are almost totally bogus-- startup times occasionally improve, but with no testable desktop performance change-- and security claims are misleading in that almost all of the risks are mitigated by a firewall in the first place.
If you seriously continue to disagree on this issue of disabling services, Bill, I'll make you an offer: you choose the services, you choose the benchmarking/testing software, and I'll perform the tests to those specifications and provide complete documentation for the entire experiment to you. If you like, I can even provide to you a brief summary and commentary of the tests as they are performed, the basics of what is being tested in each case, and ultimately what the results mean in a clear and understandable language. I can provide it for you easily-- screenshots, statistics, and summaries for each service configuration you choose. I'd even happily sign all of the results over to you so that you don't even have to reference my name if you so choose to publish the material at a later date, because the principle of promoting accurate and relevant information is more important than my ego.
So, now the offer is there, Bill. I'm not only pointing out what I see as flaws this time-- I'm also offering to you a reasonable, testable, documentable compromise to put to the test the very concepts put forth in the video and accompanying article and document. I'm willing to put my figurative money where my mouth is on this issue because I've consistently had the same results over the last six years I've vetted this subject. There are specific cases where disabling the basic functions of an operating system are warranted, but as a general all-purpose rule the approach should address the sources of risk or the underlying causes of bottlenecks, not treating a network operating system as one might a disk operating system of fifteen years ago.
According to you, I claimed that disabling Windows XP services would improve performance. "You claimed that messing with services could aid in performance or security," you wrote. However, you dedicated nearly all of your response to the issue of performance. You cite an Ed Bott article on TechRepublic's sister site ZDNet as proof that disabling Windows services does little, if anything, for performance. You even offer to submit benchmark tests to validate your assertion.
For once, I'm inclined to agree with you. There's just one problem. You're arguing against a point I never made. If you read the blog post or watch the video again, you'll find no reference to improved performance. I never made that claim.