Export (0) Print
Expand All
2 out of 2 rated this helpful - Rate this topic

Enabling Only Essential Windows Server 2003 Components and Services

Updated: August 22, 2005

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The attack surface of the Web server is also affected by the other Windows components and services that are enabled in Windows Server 2003. When you install Windows Server 2003 as a dedicated Web server, the default components and services are configured to provide the smallest possible attack surface. In some cases, you might have installed Windows Server 2003 for other purposes, such as a file server, print server, or computer running SQL Server, so you are installing IIS 6.0 on an existing server. In this situation, you need to reevaluate the components and services that are currently running on the Web server to ensure that only the components and services that you need are enabled.

To enable and disable services, change the startup type of the service. You can configure the startup type of the service to one of the following:

  • Automatic . The service starts automatically when the operating system starts.

  • Manual . The service can be started by an administrator, a related operating system service, a system device driver, or an action in the user interface that is dependent on the manual service.

  • Disabled . The service cannot be started automatically or manually; to start a disabled service, you must change the startup type to Automatic or Manual.

Table 3.1 lists the Windows Server 2003 services, as well as the default startup type, the recommended startup type, and comments about the services.

For each of the Windows Server 2003 services that are listed in Table 3.1, complete the following steps:

  1. Review the recommended startup type to determine whether you need to change the default startup type.

  • Determine, based on the information provided in the comments, if the recommendation applies to your Web server.

  • Configure the startup type for the service based on the decisions made in the previous steps.

For more information about how to change the startup type of Windows Server 2003 services, see Configure Windows Server 2003 Services.

Table 3.1 Recommended Service Startup Types on a Dedicated Web Server

Service Name Default Startup Type Recommended Startup Type Comment

Alerter

Disabled

No change

Notifies selected users and computers of administrative alerts.

Application Layer Gateway Service

Manual

No change

Provides support for application-level plug-ins and enables network and protocol connectivity.

Application Management

Manual

See comment

Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel.

On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software.

Automatic Updates

Automatic

See comment

Provides the download and installation of critical Windows updates, such as security patches and hotfixes.

This service can be disabled when automatic updates are not performed on the Web server.

Background Intelligent Transfer Service

Manual

See comment

Provides a background file-transfer mechanism and queue management, and it is used by Automatic Update to automatically download programs (such as security patches).

This service can be disabled when automatic updates are not performed on the Web server.

ClipBook

Disabled

See comment

Enables the Clipbook Viewer to create and share data that can be reviewed by remote users.

COM+ Event System

Manual

No change

Provides automatic distribution of events to COM+ components.

COM+ System Application

Manual

No change

Manages the configuration and tracking of COM+-based components.

Computer Browser

Automatic

No change

Maintains the list of computers on the network, and supplies the list to programs that request the list.

Cryptographic Services

Automatic

No change

Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates.

DHCP Client

Automatic

No change

Required to automatically obtain IP configuration and to dynamically update records in the Domain Name System (DNS).

Distributed File System

Automatic

Disable

Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN).

On a dedicated Web server, disable Distributed File System (DFS).

Distributed Link Tracking Client

Automatic

Disabled

Maintains links between NTFS V5 file system files within the Web server and other servers in the domain.

On a dedicated Web server, disable Distributed Link Tracking.

Distributed Link Tracking Server

Manual

Disabled

Tracks information about files that are moved between NTFS V5 volumes throughout a domain.

On a dedicated Web server, disable Distributed Link Tracking.

Distributed Transaction Coordinator

Automatic

No Change

Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.

DNS Client

Automatic

No change

Allows resolution of DNS names.

Error Reporting Service

Automatic

See comment

Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults.

On a dedicated Web server, disable Error Reporting Service.

Event Log

Automatic

No change

Writes event log messages that are issued by Windows-based programs and components to the log files.

Fax Service

Manual

Disabled

Provides the ability to send and receive faxes through fax resources that are available on the Web server and network.

On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web Server.

File Replication Service

Manual

No change

Enables files to be automatically copied and maintained simultaneously on multiple servers.

Help and Support

Automatic

No change

Enables Help and Support Center to run on the Web server.

HTTP SSL

Manual

No change

Implements the Secure Hypertext Transfer Protocol (HTTPS) for the HTTP service by using SSL. HTTP.sys automatically starts this service when any Web sites require SSL.

Human Interface Device Access

Disabled

No change

Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.

IMAPI CD-Burning COM Service

Disabled

No change

Manages CD recording by using the Image Mastering API (IMAPI).

Indexing Service

Manual

See comment

Indexes content and properties of files on the Web server to provide rapid access to the file through a flexible query language.

On a dedicated Web server, disable this service unless Web sites or applications specifically leverage the Indexing Service for searching site content.

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)

Disabled

No change

Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection.

On a dedicated Web server, disable to prevent inadvertent enabling of NAT, which would prevent the Web server from communicating with the remainder of the network.

Intersite Messaging

Disabled

No changes

Required by DFS.

IPSec Services

Automatic

No change

Provides management and coordination of Internet Protocol security (IPsec) policies with the IPsec driver.

Kerberos Key Distribution enter

Disabled

No change

Provides the ability for users to log on using the Kerberos V5 authentication protocol.

License Logging Service

Disabled

No change

Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server.

On a dedicated Web server, this service can be disabled.

Logical Disk Manager

Automatic

No change

Required to ensure that dynamic disk information is up to date.

Logical Disk Manager Administrative Service

Manual

No change

Required to perform disk administration.

Messenger

Disabled

No change

Transmits net sends and Alerter service messages between clients and servers.

Microsoft Software Shadow Copy

Manual

No change

Manages software-based volume shadow copies taken by the Volume Shadow Copy service.

On a dedicated Web server, this service can be disabled when volume shadow copies are not used.

Net Logon

Manual

No change

Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains.

NetMeeting Remote Desktop Sharing

Manual

Disabled

Eliminates potential security threats by allowing domain-controller remote administration through NetMeeting.

Network Connections

Manual

No change

Manages objects in the Network Connections directory.

Network Dynamic Data Exchange (DDE)

Disabled

No change

Provides network transport and security for Dynamic Data Exchange for programs running on the Web server.

This service can be disabled when no DDE applications are running locally on the Web server.

Network DDE Distributed Share Database Manager (DSDM)

Disabled

No change

Used by Network DDE. This service can be disabled when Network DDE is disabled.

Network Location Awareness (NLA)

Manual

No change

Collects and stores network configuration and location information, and notifies applications when this information changes.

NTLM Security Support Provider

Manual

No change

Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol.

Performance Logs and Alerts

Manual

See comment

Collects performance data for the domain controller, writes the data to a log, or generates alerts.

This service can be set to automatic when you want to log performance data or generate alerts without an administrator being logged on.

Plug and Play

Automatic

No change

Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input.

Portable Media Serial Number Service

Manual

No change

Retrieves the serial number of any portable media player that is connected to the computer.

Print Spooler

Automatic

See comment

Manages all local and network print queues and controls all print jobs.

On a dedicated Web server, this service can be disabled when no printing is required.

Protected Storage

Automatic

No change

Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.

This service is used on a dedicated Web server for smart card logon.

Remote Access Auto Connection Manager

Manual

See comment

Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection.

On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.

Remote Access Connection Manager

Manual

See comment

Manages VPN and dial-up connection from the Web server to the Internet or other remote networks.

On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.

Remote Desktop Help Sessions Manager

Manual

Disabled

Manages and controls Remote Assistance.

On a dedicated Web server, this service can be disabled. Use Terminal Services instead.

Remote Procedure Call (RPC)

Automatic

No change

Serves as the RPC endpoint mapper for all applications and services that use RPC communications.

Remote Procedure Call (RPC) Locater

Manual

See comment

Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database.

This service can be disabled if no applications use the RpcNs* APIs.

Remote Registry Service

Automatic

No change

Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely.

Removable Storage

Manual

See comment

Manages and catalogs removable media, and operates automated removable media devices, such as tape auto loaders or CD jukeboxes.

This service can be disabled when removable media devices are directly connected to the Web server.

Resultant Set of Policy Provider

Manual

No change

Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied.

Routing and Remote Access

Disabled

No change

Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services.

Secondary Logon

Automatic

No change

Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on.

Security Accounts Manager

Automatic

No change

A protected subsystem that manages user and group account information.

Server

Automatic

No change

Provides RPC support, file sharing, print sharing, and named pipe sharing over the network.

Shell Hardware Detection

Automatic

No change

Provides notification for AutoPlay hardware events.

Smart Card

Manual

No change

Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server.

Special Administration Console Helper

Manual

No change

Allows administrators to remotely access a command prompt by using Emergency Management Services.

This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server.

System Event Notification

Automatic

No change

Monitors system events and notifies subscribers to the COM+ Event System of these events.

Task Scheduler

Automatic

No change

Provides the ability to schedule automated tasks on the Web server.

TCP/IP NetBIOS Helper Service

Automatic

No change

Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients.

Telephony

Manual

See comment

Provides Telephony API (TAPI) support of client programs that control telephony devices and IP-based voice connections.

On a dedicated Web server, this service can be disabled when TAPI is not used by applications.

Telnet

Manual

Disabled

Enables a remote user to log on and run applications from a command line on the Web server.

To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic is plaintext, Terminal Services is the preferred method for remote administration.

Terminal Services

Manual

See comment

Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and running applications.

To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.

Terminal Services Session Directory

Disabled

No change

Enables a user connection request to be routed to the appropriate terminal server in a cluster.

Themes

Disabled

No change

Provides user-experience theme management.

Uninterruptible Power Supply (UPS)

Automatic

No change

Manages a UPS that is connected to the Web server by a serial port.

Upload Managers

Manual

See comment

Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then search the Internet for information about how to obtain the appropriate drivers or how to get support.

To reduce the attack surface, disable this service on dedicated Web servers.

Virtual Disk Services

Manual

No change

Provides software volume and hardware volume management service.

Volume Shadow Copy

Manual

No change

Manages and implements volume shadow copies that are used for backup and other purposes.

This service can be disabled when volume shadow copies are used on the Web server.

WebClient

Disabled

No change

Enables Windows-based programs to create, access, and modify Internet-based files.

Windows Audio

Disabled

No change

Manages audio devices for Windows-based programs.

Windows Image Acquisition (WIA)

Disabled

No change

Provides image acquisition services for scanners and cameras.

Windows Installer

Manual

No change

Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package.

Windows Management Instrumentation (WMI)

Automatic

No change

Provides a common interface and object model to access management information about the Web server through the WMI interface.

Windows Management Instrumentation Driver Extensions

Manual

No change

Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.

Windows Time

Automatic

No change

Sets the Web server clock, and maintains date and time synchronization for all computers in the network.

WinHTTP Web Proxy Auto-Discovery Service

Manual

See comment

Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration.

On dedicated Web servers, this service can be disabled

Wireless Configuration

Automatic

See comment

Enables automatic configuration for IEEE 802.11 adapters.

On dedicated Web servers without wireless network adapters, this service can be disabled.

WMI Performance Adapter

Manual

See comment

Provides performance library information from WMI providers to clients on the network.

On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.

Workstation

Automatic

No change

Creates and maintains client network connections to remote servers.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.