Government Security
Network Security Resources

Jump to content

Photo

Disabling Unnecessary Services

- - - - -
  • Please log in to reply
27 replies to this topic

#1 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 15 August 2003 - 12:04 PM

Disabling unnecessary and potentially dangerous services

Windows XP comes with Terminal Services, IIS, and RAS that can open holes into your operating system. It's often convenient to enable Terminal Services to allow remote control functions for the help desk or administering servers, but you have to make sure it's configured correctly. There are also several malicious programs that can run quietly as services without anyone knowing. Be aware of all the services that all run on your servers and audit them periodically.

Below is a list of the common services found on Windows XP, though don't be surprised if the vast majority are not present on your system. This is an almost complete list from Microsoft. Please read this and keep the running services to only those that you need. A useful tip is that instead of disabling something you are unsure of, set it to manual. When you restart your machine if that service has started then it is probably required by one of your components or software products. If it is still OFF then consider disabling it for greater protection.

Here are a list of the services that you "may" see when in the Windows XP services control panel, along with our recommendation for use in a home environment - please note, that we do specify a HOME environment. These settings may not be appropriate for work-based workstations, though in all likelihood the majority of the recommendations apply there too.

Alerter - notifies selected users and computers of administrative alerts. If this service is turned off, applications that use the NetAlertRaise or NetAlertRaiseEx APIs will be unable to notify a user or computer (by a Message Box from the Messenger service) that the administrative alert took place.
Recommendation: Disabled.

Application Layer Gateway Service - Provides support for 3rd party plug-ins for Internet Connection Sharing/Internet Connection Firewall. Required if using Internet Connection Sharing/Internet Connection Firewall to connect to the internet.
Recommendation: Automatic if using ICS, Disabled if not.

Application Management - Used for Assign, Publish and Remove software services. If you can not modify your software installation of certain applications, put this service in to Automatic or Manual.
Recommendation: Disabled


Automatic Updates - Used to check up to see if there is any critical or otherwise updates available for download. It is very important that if you decide to disable this service, you check the Windows Update site often to ensure the latest patches are installed. Manual (and Automatic) update via Windows Update web site Requires Cryptographic Services to be running.
Recommends: Automatic if you do not wish to use Windows Update manually.


Background Intelligent Transfer Service - Used to transfer asynchronous data via http1.1 servers. According to Microsoft's site, Windows Update uses this "feature." It "continues" a download if you log off or shutdown the system (that is, when you log back in.) Manual update via Windows Update web site Requires Cryptographic Services to be running.
Recommendation: Disabled

ClipBook - enables the Clipbook Viewer to create and share "pages" of data to be viewed by remote computers.
Recommendation: Disabled

COM+ Event System - provides automatic distribution of events to subscribing (Component Object Model) COM components.
Recommendation: Disabled

COM+ System Application - as above
Recommendation: Disabled

Computer Browser - maintains an up-to-date list of computers on your network, and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. Not required unless you attach to a network of Windows computers.
Recommendation: Disabled

Cryptographic Services - Confirms signatures of Windows files. You may always get a dialog box complaining about uncertified drivers if this is disabled. Required for Windows Update to function in manual and automatic mode. Windows Media Player may also require this service to function.
Recommendation: Automatic

DHCP Client - Dynamic Host Configuration Protocol Client manages network configuration by registering and updating IP addresses and Domain Name Server (DNS) names. If you are only dialling up to ISP via modem, cable, etc. If you have a network card in your PC and attach out via a router or sharing device then this may be required. Set to manual if unsure then check on reboot if it has started. If not then disable.
Recommendation : Automatic if required. Disabled if not.

Distributed Link Tracking Client - maintains links between the NTFS file system files within a computer or across computers in a network domain.
Recommendation: Disabled

Distributed Transaction Coordinator - coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
Recommendation: Disabled

DNS Client - resolves and caches (Domain Name Server) DNS names. The DNS client service must be running on every computer that will perform DNS name resolution.
Recommendation: Disabled

Error Reporting Service - Calls home to Microsoft when errors occur. Spyware?
Recommendation: Disabled

Event Log -logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems.
Recommends: Automatic


Fax Service - enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes. Not used by most people.
Recommendation: Leave not installed or Disabled

Telephony - provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. If you never use a dial-up modem on a PC but connect via a router then disable.
Recommendation: Automatic (if using Dial-Up Networking/Faxing/ or PC Phone Services) Disabled otherwise


FTP Publishing Service -Not available on Windows XP Home. Not installed by default on Windows XP Pro,provides (file transfer protocol) FTP connectivity and administration through the Internet Information Service (IIS) snap-in. Big security risk!
Recommendation: Leave not installed or Disabled

Help and Support - Required for Microsofts online help documents.
Recommendation: Disabled.

Human Interface Device Access - If all your devices function then disable it. Seems new with no devices for it as yet.
Recommendation: Disabled.

IIS Admin - Not available on Windows XP Home. Not installed by default on Windows XP Proallows administration of Internet Information Services (IIS). If this service is not running, you will not be able to run Web, FTP, NNTP, or SMTP sites, or configure IIS. See also World Wide Web Publishing Service. Not usually required unless you are running a local web server. If you are then make sure that if no external access is required that you firewall protect port 80 to only local traffic! Do not even consider running a public web server unless you are 100% sure of the implications - use an ISP server.
Recommendations: Leave not installed or Disabled unless you understand the implications.

IMAPI CD-Burning COM Service - Used for the "drag and drop" CD burn capability. You will need this service to burn CD's.If you still can not burn a CD with it on Manual, switch to Automatic and feel safe that it will only be used when "needed."
Recommendation : Disabled if you do not burn CD's otherwise set to Manual or Automatic.

Indexing Service - indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language.
Recommendation: Disabled

Internet Connection Firewall and Internet Connection Sharing - provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. Not required unless you are sharing a dial-up connection with other PC's on your network - not recommended! Far better to use a router or gateway firewall software for this purpose. Consider using a higher specification firewall like Kerio Winroute if sharing your connection.
Recommendation: Automatic if sharing connection, Disabled if not required.

IPSEC Services - manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE) and coordinates IPsec policy settings with the IP security driver. Only leave on if you are using IPSec. Opens Port 500.
Recommendation: Disabled


Logical Disk Manager - watches Plug and Play events for new drives to be detected and passes volume and/or disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management snap-in display will not change when disks are added or removed. Turn it on only if you add additional disks and then disable again.
Recommendation: Disabled

Logical Disk Manager Administrative Service - as above
Recommendation: Disabled

Message Queuing - A messaging infrastructure and development tool for creating distributed messaging applications for Windows. Not available on Windows XP Home. Not installed by default on Windows XP Pro. Most home users will never need this service.
Recommendation: Leave not installed or Disabled

Message Queuing Triggers - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Required only if you use Message Queuing service.
Recommendation: Leave not installed or Disabled

Messenger - sends and receives messages to or from users and computers, or those transmitted by administrators or by the Alerter service. Nothing to do with MSN Messenger
Recommendation: Disabled

MS Software Shadow Copy Provider - Used in conjunction with the Volume Shadow Copy Service. Microsoft Backup uses these services so you will need it if you use that. You will receive Event Log entry complaining about not having this service running if Disabled.
Recommendation: Disabled

NetMeeting Remote Desktop Sharing - allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using Microsoft NetMeeting®. Very dangerous - allows remote access to your PC. Only use if absolutely essential and if running effective firewall.
Recommendation: Disabled

Network Connections -manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Recommendation: Automatic.

Network DDE - Useless service unless you use remote ClipBook.
Recommendation: Disabled

Network DDE DSDM - as above
Recommendation: Disabled

Network Location Awareness (NLA) - Required for use with the Internet Connection Sharing Service (server only.)
Recommendation: Disabled unless running ICS/ICF, not required for using an ICS sharer.

NT LM Security Support Provider - enables users to log on to the network using the NTLM authentication protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Recommendation: Disabled

Performance Logs and Alerts - configures performance logs and alerts.
Recommendation: Disabled

Plug and Play - enables a computer to recognize and adapt to hardware changes with little or no user input.
Recommendation: Automatic

Portable Media Serial Number - Retrieves serial numbers from portable music players connected to your computer.
Recommendation: Disabled

Print Spooler - queues and manages print jobs locally and remotely. If you don't have a printer attached then disable.
Recommendation: Automatic if needed, Disabled otherwise.

Protected Storage - provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services processes or users.
Recommendation: Disabled

QoS RSVP - provides network signalling and local, traffic-control, set-up functionality for (Quality of Service) QoS-aware programs and control applets.
Recommendation: Disabled

Remote Access Auto Connection Manager - creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabling the service has no effect on the rest of the operating system. You will have to set up connections to remote computers manually. Whilst this process is convenient, unauthorised applications (such as Trojans) could bring up your network connection without your explicit request. Far better to manually dial.
Recommendation: Disabled.

Remote Access Connection Manager - creates a network connection.
Recommendation: Automatic if using Dial-Up Networking, Disabled otherwise.


Remote Desktop Help Session Manager - Manages and controls Remote Assistance. Could create a MAJOR security hole so disable it unless absolutely necessaty.
Recommendation: Disabled

Remote Procedure Call (RPC) - provides the endpoint mapper and other miscellaneous RPC services. Absolutely essential.
Recommendation: Automatic.

Remote Procedure Call (RPC) Locator - Manages the RPC name service database. Useless service
Recommendation: Disabled

Remote Registry Service - Not available on Windows XP Home. allows remote registry manipulation. This service lets users connect to a remote registry and read and/or write keys to it-providing they have the required permissions. Hacker could use this to attack other PC's.
Recommendation: Disabled

Removable Storage - manages removable media drives and libraries. This service maintains a catalogue of identifying information for removable media used by a system, including tapes, CDs, and so on.
Recommendation: Disabled

RIP Listener - Not installed by default.
Recommendation: Leave not installed or Disabled

Routing and Remote Access - offers routing services in local area and wide area network environments. Shouldn't be required on a home PC.
Recommendation: Leave not installed or Disabled

Secondary Logon - allows you to run specific tools and programs with different permissions than your current logon provides.
Recommendation: Disabled

Security Accounts Manager -start-up of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests.
Recommendation: Disabled unless needed.

Server - provides RPC support and file print and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. You should carefully consider the full implications of enabling this!
Recommendation: Disabled unless absolutely needed. Better still REMOVED.

Shell Hardware Detection - Used for the auto play of devices like memory cards, some CD drives, etc. Set to Automatic if you are experiencing problems with laptop docking stations.
Recommendation: Disabled unless required.

Simple Mail Transport Protocol (SMTP) - Not available on Windows XP Home. Not installed by default on Windows XP Pro. Transports e-mail across the network.

If you are using the built-in mail server for receiving mail then leave on automatic. If not, as would be usual in a home environment, then disable.
Recommendation: Leave not installed or Disabled

Simple TCP/IP Services - Not installed by default, implements support for a number of IP protocols.
Recommendation : Leave not installed or Disabled

Smart Card - manages and controls access to a smart card inserted into a smart card reader attached to the computer. If not using a smart card reader then disable.
Recommendation: Disabled

Smart Card Helper - provides support for earlier smart card readers attached to the computer. As above.
Recommendation: Disabled

SNMP Service - allows incoming (Simple Network Management Protocol) SNMP requests to be serviced by the local computer.
Recommendation: Leave not installed or Disabled

SNMP Trap Service - receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Recommendation: Leave not installed or Disabled

SSDP Discovery Service - Used to locate UPnP devices on your home network. Used in conjunction with Universal Plug and Play Device Host, it detects and configures UPnP devices on your home network. For security reasons Disable this service. Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!!
Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.

System Event Notification - tracks system events such as Windows logon network and power events. Notifies COM+ Event System subscribers of these events. SENS is an AutoStarted service that depends on COM+ EventSystem service.
Recommendation: Disabled

System Restore Service - Creates system snap shots or restore points for returning to at a later time. Big resource overhead! Forget about it!
Recommendation: Disabled

Task Scheduler - enables a program to run at a designated time. Can be very dangerous. If you must run scheduled tasks then consider disabling all users other than administrator from running tasks. Can create major security problems and allow a hacker to comprimise your system by scheduling trojans to run.
Recommends: Disabled unless absolutely required

TCP/IP NetBIOS Helper Service - enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others.
Recommendation: Disabled

TCP/IP Printer Server - Not installed by default, but if needed, you may install it later off of the WinXP CD. Used for setting up a local UNIX print server. If you do not need this function, leave it uninstalled.
Recommendation: Leave not installed or Disabled

Telephony - provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are also running the service. If you never use a dial-up modem on a PC but connect via a router then disable.
Recommendation: Automatic (if using Dial-Up Networking/Faxing/ or PC Phone Services) Disabled otherwise

Telnet - Not available on Windows XP Home and for good reason!! allows a remote user to log on to the system and run console programs by using the command line. Very dangerous. .
Recommendation: Disabled, preferably deinstall

Terminal Services - provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server. Big security risk!
Recommendation: Disabled, preferably deinstall

Themes - Used to display all those new XP themes and colors on your desktop. Lots of space needed.
Recommendation: Disabled

Uninterruptible Power Supply - manages communications with a UPS connected to the computer by a serial port.
Recommendation: Disabled

Universal Plug and Play Device Host - Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network. For security reasons Disable this service immediately.Please read the section in the guide on UPnP. Please note that even the FBI recommends disabling and preferably deinstalling this!!
Recommendation: Disabled for security reasons, better still removed totally as per the Steve Gibson instructions in the UPnP section.

Upload Manager - As with BITS, this service manages file transfers between clients and servers on the network. This service is NOT required for basic File and Print sharing.
Recommendation: Disabled

Volume Shadow Copy - Used in conjunction with the MS Software Shadow Copy Provider Service. Microsoft Backup uses these services.
Recommendation: Disabled

WebClient - Disable this for security reasons.
Recommendation: Disabled

Windows Audio - This service is Required if you wish to hear any audio at all. If your computer does not have a sound card, Disable this service.
Recommendation: Automatic unless you do not have a sound card, then set it to Disabled.

Windows Image Acquisition (WIA) - Used for some scanners and cameras. If, after Disabling this service, your scanner or camera fails to function properly, enable this service.
Recommendation: Disabled

Windows Installer - installs, repairs, or removes software according to instructions contained in .MSI files provided with the applications
Recommendation: Manual

Windows Management Instrumentation - provides system management information. WMI is an infrastructure for building management applications and instrumentation shipped as an integral part of the current generation of Microsoft operating systems.
Recommendation: Automatic

Windows Management Instrumentation Driver Extension - Not available on Windows XP Home. Tracks of all of the drivers that have registered WMI information to publish.
Recommendation: Manual

Windows Time - sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Microsoft Windows network. NTP can be dangerous. Not worth the risk.
Recommendation: Disabled

Wireless Zero Configuration - Automatic configuration for wireless network devices. If you do not have any wireless network devices in use, Disable this service.
Recommendation: Disabled

WMI Performance Adapter - ??
Recommendation: Disabled

Workstation - provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks. Use if you require drive-mapping connections to other Windows PC's.
Recommendation : Disabled, Automatic if required

World Wide Web Publishing Service - Not available on Windows XP Home. Provides HTTP services for applications on the Windows platform. Required if you are running a web server, but consider firewalling such a local web server so it is not visible to the world. Use an ISP web server for greatest security. Most commeon entry point for hackers!
Recommendation : Leave not installed or Disabled


As you can see from the above, not very much is actually needed to keep your Windows XP installation functioning in a home environment. All the enabled services just pose an enormous security risk, bring little or no benefit, consume resources and can be safely turned off.

credits :

uksecurityonline
Kenny aka ComSec

Please read the Forum Rules !!!

______________________

#2 Dillinja

Dillinja

    Specialist

  • Sergeant Major
  • 1,015 posts

Posted 15 August 2003 - 03:03 PM

Brilliant article ComSec!

Cheers mate! :D

#3 virus

virus

    Specialist

  • Members
  • 506 posts

Posted 15 August 2003 - 07:28 PM

Damn, I had this thing covered and was almost done with it. I found out the registry keys associated with each service and put them in a batch file so that u can enable or disable them as desired. Anywayz ... an excellent post ComSec :)

#4 virus

virus

    Specialist

  • Members
  • 506 posts

Posted 15 August 2003 - 09:36 PM

Well I re-touched the batch file that I made after ComSec's post. Now its ready to rock .... U can make the necessary changes to the batch file I made, but do not remove the name of the author, PLEASE !

Attached Files



#5 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 15 August 2003 - 09:42 PM

thanks digger...sorry for spoiling your tut mate....fancy doing one one firwall protection ?

thanks for the file also ..i shall check it out ;)
Kenny aka ComSec

Please read the Forum Rules !!!

______________________

#6 virus

virus

    Specialist

  • Members
  • 506 posts

Posted 15 August 2003 - 10:14 PM

thanks digger...sorry for spoiling your tut mate....fancy doing one one firwall protection ?

*Gulp ....
firewall protection?

#7 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 16 August 2003 - 03:47 AM

yeah a sort of review taken from various disto's

(ie)

kerio= review
sygate
atguard
tiny
outpost

and so on

only say top ten rated...cut and pasted from reviews

just a general review of various software firewalls on the market...helps members decide on a selection.

gives me a chance to do one on security hints/tip blah blah

if not i shall do one .. thanks ;)
Kenny aka ComSec

Please read the Forum Rules !!!

______________________

#8 virus

virus

    Specialist

  • Members
  • 506 posts

Posted 16 August 2003 - 05:06 AM

Alrite cheif *salutes
I'll try me best to finish it by monday ;)

#9 Guest_Security Guru_*

Guest_Security Guru_*
  • Guests

Posted 16 August 2003 - 07:09 AM

Disabling unnecessary and potentially dangerous services


This has to be one of the best threads I seen on the internet in a very long time. Excellent post COMSEC :D

#10 guinn3ss

guinn3ss

    Private First Class

  • Members
  • 50 posts

Posted 26 March 2004 - 11:23 AM

very usefulll thx Comsec

#11 Guest_karonn_*

Guest_karonn_*
  • Guests

Posted 28 March 2004 - 06:01 AM

[QUOTE=ComSec,Aug 15 2003, 08:04 PM] Disabling unnecessary and potentially dangerous services

<snip>
___________________________________________
Comsec.. good post to alert ppl to the security risks. Haven't made it on awhile, as have been ill, and when did get on. Sheeesh, my Yahoo email was hijacked. :angry: To top it off went thru my ISP to get to me. Last ISP, I kept telling em they were being attacked..and at the time they were hosting Tucows. LOL..wasn't long they were down. I did find out who it is. Have emailed, called ppl. The so called techs are morons. Have no understanding of security. A good post of sites to try and hack. Now, is there anyone who wants to hack the moron who hijacked my Yahoo account. Since ill, had to have a so called tech work on PC. Idiot takes the easiest way out and installs everything. Told him, to look at PCLite. Yahoo <Yahell> is full of morons anyway. And ISP's <they have kindergarten kids IMHO>java script:emoticon(':ph34r:')
java script:emoticon(':ph34r:') Has been a while since hacked anyone and lost my scripting skills and tools. Sight is flaky.. I know my buds on here will love to attempt this..hehe. And get my Yahoo account back. So will the real person pri email, or message me. Will send em all the info I have. Nuttin like Micro$h**. Dang, wish had all the stuff and knowledge I had. PC is screwed up now. These idiots are intimidated when we tell em stuff. Can't C to even set a dang jumper.
~karonn~ :blink: :angry: :ph34r: :ph34r: :ph34r: :ph34r: :ph34r:

#12 -8-

-8-

    Private

  • Members
  • 5 posts

Posted 07 May 2004 - 04:44 AM

Hi guys,

My first post - Yeah!!!

I found this topic and thought of a website. This website explains all the services XP installs by default and gives recommendations on whether it should be turned off or not.

SO WHATS NEW ABOUT THAT?? i hear you ask...

Well it also has a registry file maker, so all you do is select what you want on, off and left to default you hit go, and it creates you your file. Hey Presto, bobs yer uncle, mary may well be yer aunt, but you took one small step for yer computer and a giant leap for security!!!

www.blackviper.com/WinXP/

Enjoy,
Prits

#13 Glyph

Glyph

    General of the Army

  • GSO Management
  • 1,603 posts

Posted 17 January 2006 - 11:26 AM

Nice read. Good Depth. Can we see something about firewalls? No, not the software kind. The kind that's it's own piece of Hardware :)

#14 thchog

thchog

    Specialist

  • Sergeant Major
  • 129 posts

Posted 09 February 2006 - 06:10 PM

The site to this link is down, it was also the first thing I thought of when I began reading this thread. As of 2 minutes ago you can access the archives here:

http://web.archive.o...blackviper.com/

another good read:

http://theeldergeek....vices_guide.htm

Hi guys,

My first post - Yeah!!!

I found this topic and thought of a website. This website explains all the services XP installs by default and gives recommendations on whether it should be turned off or not.

SO WHATS NEW ABOUT THAT?? i hear you ask...

Well it also has a registry file maker, so all you do is select what you want on, off and left to default you hit go, and it creates you your file. Hey Presto, bobs yer uncle, mary may well be yer aunt, but you took one small step for yer computer and a giant leap for security!!!

www.blackviper.com/WinXP/

Enjoy,
Prits



#15 Terminal

Terminal

    Sergeant First Class

  • Sergeant Major
  • 536 posts

Posted 10 February 2006 - 09:17 AM

along with this keep ipsec service enables and make a policy to disable incoming conn's to port 135,137,139,445,1025 ,etc.,etc. if u dont want netbios . Or use wwdc.exe from firewallleaktester.com