Enabling Only Essential Windows Server 2003 Components and Services
Applies To: Windows Server 2003, Windows Server 2003 with SP1
The attack surface of the Web server is also affected by the other Windows components and services that are enabled in Windows Server 2003. When you install Windows Server 2003 as a dedicated Web server, the default components and services are configured to provide the smallest possible attack surface. In some cases, you might have installed Windows Server 2003 for other purposes, such as a file server, print server, or computer running SQL Server, so you are installing IIS 6.0 on an existing server. In this situation, you need to reevaluate the components and services that are currently running on the Web server to ensure that only the components and services that you need are enabled.
To enable and disable services, change the startup type of the service. You can configure the startup type of the service to one of the following:
Automatic. The service starts automatically when the operating system starts.
Manual. The service can be started by an administrator, a related operating system service, a system device driver, or an action in the user interface that is dependent on the manual service.
Disabled. The service cannot be started automatically or manually; to start a disabled service, you must change the startup type to Automatic or Manual. Note that changing the startup type of a running service to Disabled does not stop the running instance: stop the service as well, or restart the Web server, and confirm that no required service depends on the one you are disabling.
Table 3.1 lists the Windows Server 2003 services, as well as the default startup type, the recommended startup type, and comments about the services.
For each of the Windows Server 2003 services that are listed in Table 3.1, complete the following steps:
- Review the recommended startup type to determine whether you need to change the default startup type.
- Determine, based on the information provided in the comments, whether the recommendation applies to your Web server.
- Configure the startup type for the service based on the decisions made in the previous steps.
For more information about how to change the startup type of Windows Server 2003 services, see Configure Windows Server 2003 Services.
Table 3.1 Recommended Service Startup Types on a Dedicated Web Server
| Service Name | Default Startup Type | Recommended Startup Type | Comment |
|---|---|---|---|
| Alerter | Disabled | No change | Notifies selected users and computers of administrative alerts. |
| Application Layer Gateway Service | Manual | No change | Provides support for application-level plug-ins and enables network and protocol connectivity. |
| Application Management | Manual | See comment | Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel. On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software. |
| Automatic Updates | Automatic | See comment | Provides the download and installation of critical Windows updates, such as security patches and hotfixes. This service can be disabled when automatic updates are not performed on the Web server. |
| Background Intelligent Transfer Service | Manual | See comment | Provides a background file-transfer mechanism and queue management, and is used by Automatic Updates to download programs (such as security patches). This service can be disabled when automatic updates are not performed on the Web server. |
| ClipBook | Disabled | See comment | Enables the ClipBook Viewer to create and share data that can be reviewed by remote users. On a dedicated Web server, leave this service disabled. |
| COM+ Event System | Manual | No change | Provides automatic distribution of events to COM+ components. |
| COM+ System Application | Manual | No change | Manages the configuration and tracking of COM+-based components. |
| Computer Browser | Automatic | No change | Maintains the list of computers on the network, and supplies the list to programs that request it. |
| Cryptographic Services | Automatic | No change | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates. |
| DHCP Client | Automatic | No change | Required to automatically obtain IP configuration and to dynamically update records in the Domain Name System (DNS). |
| Distributed File System | Automatic | Disabled | Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN). On a dedicated Web server, disable Distributed File System (DFS). |
| Distributed Link Tracking Client | Automatic | Disabled | Maintains links between NTFS V5 file system files within the Web server and other servers in the domain. On a dedicated Web server, disable Distributed Link Tracking. |
| Distributed Link Tracking Server | Manual | Disabled | Tracks information about files that are moved between NTFS V5 volumes throughout a domain. On a dedicated Web server, disable Distributed Link Tracking. |
| Distributed Transaction Coordinator | Automatic | No change | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. |
| DNS Client | Automatic | No change | Allows resolution of DNS names. |
| Error Reporting Service | Automatic | See comment | Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, error reporting occurs only for kernel faults. On a dedicated Web server, disable Error Reporting Service. |
| Event Log | Automatic | No change | Writes event log messages that are issued by Windows-based programs and components to the log files. |
| Fax Service | Manual | Disabled | Provides the ability to send and receive faxes through fax resources that are available on the Web server and network. On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web server. |
| File Replication Service | Manual | No change | Enables files to be automatically copied and maintained simultaneously on multiple servers. |
| Help and Support | Automatic | No change | Enables Help and Support Center to run on the Web server. |
| HTTP SSL | Manual | No change | Implements HTTPS (HTTP over SSL) for the HTTP service. HTTP.sys automatically starts this service when any Web site requires SSL. |
| Human Interface Device Access | Disabled | No change | Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. |
| IMAPI CD-Burning COM Service | Disabled | No change | Manages CD recording by using the Image Mastering API (IMAPI). |
| Indexing Service | Manual | See comment | Indexes content and properties of files on the Web server to provide rapid access to the files through a flexible query language. On a dedicated Web server, disable this service unless Web sites or applications specifically use the Indexing Service for searching site content. |
| Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled | No change | Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection. On a dedicated Web server, leave this service disabled to prevent inadvertent enabling of NAT, which would prevent the Web server from communicating with the remainder of the network. |
| Intersite Messaging | Disabled | No change | Required by DFS. |
| IPSec Services | Automatic | No change | Provides management and coordination of Internet Protocol security (IPsec) policies with the IPsec driver. |
| Kerberos Key Distribution Center | Disabled | No change | Provides the ability for users to log on using the Kerberos V5 authentication protocol. |
| License Logging Service | Disabled | No change | Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server. On a dedicated Web server, this service can be disabled. |
| Logical Disk Manager | Automatic | No change | Required to ensure that dynamic disk information is up to date. |
| Logical Disk Manager Administrative Service | Manual | No change | Required to perform disk administration. |
| Messenger | Disabled | No change | Transmits net send and Alerter service messages between clients and servers. |
| Microsoft Software Shadow Copy Provider | Manual | No change | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. On a dedicated Web server, this service can be disabled when volume shadow copies are not used. |
| Net Logon | Manual | No change | Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains. |
| NetMeeting Remote Desktop Sharing | Manual | Disabled | Allows authorized users to remotely access the Web server desktop through NetMeeting. On a dedicated Web server, disable this service to eliminate a potential remote-access path. |
| Network Connections | Manual | No change | Manages objects in the Network Connections folder. |
| Network Dynamic Data Exchange (DDE) | Disabled | No change | Provides network transport and security for Dynamic Data Exchange for programs running on the Web server. This service can be disabled when no DDE applications are running locally on the Web server. |
| Network DDE Distributed Share Database Manager (DSDM) | Disabled | No change | Used by Network DDE. This service can be disabled when Network DDE is disabled. |
| Network Location Awareness (NLA) | Manual | No change | Collects and stores network configuration and location information, and notifies applications when this information changes. |
| NTLM Security Support Provider | Manual | No change | Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol. |
| Performance Logs and Alerts | Manual | See comment | Collects performance data for the Web server, writes the data to a log, or generates alerts. This service can be set to Automatic when you want to log performance data or generate alerts without an administrator being logged on. |
| Plug and Play | Automatic | No change | Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input. |
| Portable Media Serial Number Service | Manual | No change | Retrieves the serial number of any portable media player that is connected to the computer. |
| Print Spooler | Automatic | See comment | Manages all local and network print queues and controls all print jobs. On a dedicated Web server, this service can be disabled when no printing is required. |
| Protected Storage | Automatic | No change | Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. This service is used on a dedicated Web server for smart card logon. |
| Remote Access Auto Connection Manager | Manual | See comment | Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated. |
| Remote Access Connection Manager | Manual | See comment | Manages VPN and dial-up connections from the Web server to the Internet or other remote networks. On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated. |
| Remote Desktop Help Session Manager | Manual | Disabled | Manages and controls Remote Assistance. On a dedicated Web server, this service can be disabled. Use Terminal Services instead. |
| Remote Procedure Call (RPC) | Automatic | No change | Serves as the RPC endpoint mapper for all applications and services that use RPC communications. |
| Remote Procedure Call (RPC) Locator | Manual | See comment | Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database. This service can be disabled if no applications use the RpcNs* APIs. |
| Remote Registry Service | Automatic | No change | Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely. |
| Removable Storage | Manual | See comment | Manages and catalogs removable media, and operates automated removable media devices, such as tape autoloaders or CD jukeboxes. This service can be disabled when removable media devices are directly connected to the Web server. |
| Resultant Set of Policy Provider | Manual | No change | Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied. |
| Routing and Remote Access | Disabled | No change | Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. |
| Secondary Logon | Automatic | No change | Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on. |
| Security Accounts Manager | Automatic | No change | A protected subsystem that manages user and group account information. |
| Server | Automatic | No change | Provides RPC support, file sharing, print sharing, and named pipe sharing over the network. |
| Shell Hardware Detection | Automatic | No change | Provides notification for AutoPlay hardware events. |
| Smart Card | Manual | No change | Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server. |
| Special Administration Console Helper | Manual | No change | Allows administrators to remotely access a command prompt by using Emergency Management Services. This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server. |
| System Event Notification | Automatic | No change | Monitors system events and notifies subscribers to the COM+ Event System of these events. |
| Task Scheduler | Automatic | No change | Provides the ability to schedule automated tasks on the Web server. |
| TCP/IP NetBIOS Helper Service | Automatic | No change | Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients. |
| Telephony | Manual | See comment | Provides Telephony API (TAPI) support for client programs that control telephony devices and IP-based voice connections. On a dedicated Web server, this service can be disabled when TAPI is not used by applications. |
| Telnet | Manual | Disabled | Enables a remote user to log on and run applications from a command line on the Web server. To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic, including credentials, is sent in plaintext, Terminal Services is the preferred method for remote administration. |
| Terminal Services | Manual | See comment | Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and running applications. To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers. |
| Terminal Services Session Directory | Disabled | No change | Enables a user connection request to be routed to the appropriate terminal server in a cluster. |
| Themes | Disabled | No change | Provides user-experience theme management. |
| Uninterruptible Power Supply (UPS) | Automatic | No change | Manages a UPS that is connected to the Web server by a serial port. |
| Upload Manager | Manual | See comment | Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then searches the Internet for information about how to obtain the appropriate drivers or how to get support. To reduce the attack surface, disable this service on dedicated Web servers. |
| Virtual Disk Service | Manual | No change | Provides software volume and hardware volume management services. |
| Volume Shadow Copy | Manual | No change | Manages and implements volume shadow copies that are used for backup and other purposes. This service can be disabled when volume shadow copies are not used on the Web server. |
| WebClient | Disabled | No change | Enables Windows-based programs to create, access, and modify Internet-based files. |
| Windows Audio | Disabled | No change | Manages audio devices for Windows-based programs. |
| Windows Image Acquisition (WIA) | Disabled | No change | Provides image acquisition services for scanners and cameras. |
| Windows Installer | Manual | No change | Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package. |
| Windows Management Instrumentation (WMI) | Automatic | No change | Provides a common interface and object model to access management information about the Web server through the WMI interface. |
| Windows Management Instrumentation Driver Extensions | Manual | No change | Monitors all drivers and event trace providers that are configured to publish WMI or event trace information. |
| Windows Time | Automatic | No change | Sets the Web server clock, and maintains date and time synchronization for all computers in the network. |
| WinHTTP Web Proxy Auto-Discovery Service | Manual | See comment | Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration. On dedicated Web servers, this service can be disabled. |
| Wireless Configuration | Automatic | See comment | Enables automatic configuration for IEEE 802.11 adapters. On dedicated Web servers without wireless network adapters, this service can be disabled. |
| WMI Performance Adapter | Manual | See comment | Provides performance library information from WMI providers to clients on the network. On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled. |
| Workstation | Automatic | No change | Creates and maintains client network connections to remote servers. |
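The following script is an added example and is not part of the original guide. It carries out the three review steps above for the rows of Table 3.1 whose recommended startup type is Disabled: it snapshots the current startup type of every service so the change can be reversed, reports where the Web server differs from the recommendation, lists any services that depend on each one (the check a practitioner wants before disabling anything), and only changes the startup type when `$apply` is set. The mapping from the display names in the table to the internal service names (Dfs, TrkWks, TrkSvr, ERSvc, Fax, mnmsrvc, RDSessMgr, TlntSvr) is an assumption made for this example; confirm each name with `sc query` on your own server before relying on it. The script uses only cmdlets present in Windows PowerShell 1.0, which is the version that runs on Windows Server 2003.

```powershell
# Added example (not from the IIS 6.0 deployment guide): audit and, optionally,
# enforce the "Disabled" rows of Table 3.1 on a dedicated Web server.
# Run in an elevated PowerShell session on the Web server itself.

# Display name in Table 3.1 -> internal service name (assumed mapping; verify
# with "sc query <name>" before use).
$recommendedDisabled = @{
    'Distributed File System'             = 'Dfs'
    'Distributed Link Tracking Client'    = 'TrkWks'
    'Distributed Link Tracking Server'    = 'TrkSvr'
    'Error Reporting Service'             = 'ERSvc'
    'Fax Service'                         = 'Fax'
    'NetMeeting Remote Desktop Sharing'   = 'mnmsrvc'
    'Remote Desktop Help Session Manager' = 'RDSessMgr'
    'Telnet'                              = 'TlntSvr'
}

# Leave $false for a report-only run; set $true only after reviewing the
# drift report and confirming the snapshot file was written.
$apply    = $false
$snapshot = "$env:SystemDrive\services-before.csv"

# Step 0: record the current startup type and state of every service so the
# change can be rolled back (Set-Service the StartMode values back from this file).
Get-WmiObject Win32_Service |
    Select-Object Name, DisplayName, StartMode, State |
    Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Snapshot of all services written to $snapshot"

foreach ($entry in $recommendedDisabled.GetEnumerator()) {
    $displayName = $entry.Key
    $serviceName = $entry.Value

    $svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
    if ($svc -eq $null) {
        Write-Host "[skip]  $displayName ($serviceName): not installed"
        continue
    }

    # Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled'.
    if ($svc.StartMode -eq 'Disabled') {
        Write-Host "[ok]    $displayName is already Disabled"
        continue
    }
    Write-Host "[drift] $displayName: startup=$($svc.StartMode) state=$($svc.State)"

    # Services that list this one as an antecedent will fail to start once it
    # is disabled; show them so the decision is made with that in view.
    $query = "ASSOCIATORS OF {Win32_Service.Name='$serviceName'} " +
             "WHERE AssocClass=Win32_DependentService Role=Antecedent"
    $dependents = @(Get-WmiObject -Query $query)
    foreach ($dep in $dependents) {
        Write-Host "        depends on it: $($dep.Name) (startup=$($dep.StartMode) state=$($dep.State))"
    }

    if ($apply) {
        # Changing the startup type does not stop a running instance, so stop
        # it first. -Force also stops the dependents listed above.
        if ($svc.State -eq 'Running') {
            Stop-Service -Name $serviceName -Force
        }
        Set-Service -Name $serviceName -StartupType Disabled
        Write-Host "        -> startup type set to Disabled"
    }
}
```

Run it once with `$apply = $false` and read the drift report and the dependency lines; rows marked "See comment" in the table (Terminal Services, Print Spooler, Automatic Updates and the rest) are deliberately left out of the hash table because the right answer depends on how the server is administered, so add them only after you have made that decision. Keep the snapshot file with the server's build records: it is the evidence of what changed and the quickest way to restore a service that turns out to be needed.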