Windows 2000 Server Services, Part 2

By Jordan Ayala

Tools and tips for managing fundamental components of the Windows architecture

This article is from the November 2001 issue of Windows & .NET Magazine.

By default, Windows 2000 Server, Standard Edition (without service packs applied) installs 65 services. (The other Windows 2000 Server products and Windows 2000 Professional install different services. For descriptions of the 65 default services that Windows 2000 Server, Standard Edition installs, see Web Table 1 at https://www.win2000mag.com, InstantDoc ID 22762.) In "Win2K Server Services, Part 1," November 2001, I define those services and what they do and provide tools and tips for managing them. With that foundation, you can begin to evaluate the services running on your system and tune them to your ideal configuration.


What Installs Which Services?

To see which services Windows 2000 Server installs by default, I started with a clean Windows 2000 Server installation and accepted all the default settings (except that I opted to install the management and monitoring tools, which Windows 2000 Server doesn't install by default). Next, I ran the Active Directory Installation Wizard (dcpromo.exe) and accepted all the default settings. Using the wizard, I made the server the first domain controller (DC) in the new domain homedomain.com, and I installed DNS locally. The Active Directory (AD) installation process installed only one new service, the DNS Server service, which answers DNS name queries and update requests.

Although the AD installation added only one new service, the installation changed the status of some of the Windows 2000 Server default services from manual or disabled to automatic. Table 1 shows the services that AD requires but that don't run in a default standalone server configuration unless you manually turn them on.

Table 1 Services that Change Status After AD Installation

Service                                  | Startup Type | New Startup Type
Distributed Link Tracking Server         | Manual       | Automatic
File Replication                         | Manual       | Automatic
Intersite Messaging                      | Disabled     | Automatic
Kerberos Key Distribution Center         | Disabled     | Automatic
Net Logon                                | Manual       | Automatic
NTLM Security Support Provider           | Manual       | Manual
RPC Locator                              | Manual       | Automatic
Telephony                                | Manual       | Manual
Windows Installer                        | Manual       | Manual
Windows Management Instrumentation (WMI) | Manual       | Automatic
Windows Time                             | Manual       | Automatic

Finally, using the Control Panel Add/Remove Programs applet, I installed every possible native Windows service and accepted all the default configuration parameters. (Under most circumstances, I would never take this step on a production server. I did so in this case simply to research the services and their options.) This installation added 24 services to my system and changed the Startup Type parameter of the already installed Windows 2000 Server Terminal Services from Disabled to Automatic. Table 2 lists and describes the 24 services that this step added.

Table 2 Optional Windows 2000 Services

Service | Description | Status | Startup Type | Logon Account
Boot Information Negotiation Layer | Lets you install Windows 2000 Pro on Preboot Execution Environment (PXE) remote boot-enabled client computers. | Not started | Manual | Local System
Certificate | Issues and revokes X.509 certificates for public key-based cryptography technologies. | Started | Automatic | Local System
DHCP Server | Provides dynamic IP address assignment and network configuration for DHCP clients. | Started | Automatic | Local System
File Server for Macintosh | Lets Macintosh users store and access files on the local server. | Started | Automatic | Local System
Internet Authentication Service (IAS) | Enables authentication, authorization, and accounting of dial-up and VPN users. IAS supports the Remote Authentication Dial-In User Service (RADIUS) protocol. | Started | Automatic | Local System
Message Queuing | Provides a communications infrastructure for distributed asynchronous messaging applications. | Started | Automatic | Local System
Network News Transfer Protocol (NNTP) | Transports network news across the network. | Started | Automatic | Local System
Online Presentation Broadcast | No description available. | Not started | Manual | Local System
Print Server for Macintosh | Lets Macintosh users send print jobs to a spooler on a Windows 2000 server. | Started | Automatic | Local System
Remote Storage Engine | Coordinates the services and administrative tools used for storing infrequently used data. | Started | Automatic | Local System
Remote Storage File | Manages operations on remotely stored files. | Started | Automatic | Local System
Remote Storage Media | Controls the media that stores remote data. | Started | Automatic | Local System
Remote Storage Notification | Notifies the client about recalled data. | Not started | Manual | Local System
Simple TCP/IP Services | Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. | Started | Automatic | Local System
Single Instance Storage Groveler | Scans Single Instance Storage volumes for duplicate files, and points duplicate files to one data storage point, conserving disk space. | Not started | Manual | Local System
Site Server Internet Locator Service (ILS) | Enables IP multicast for network conferencing. | Started | Automatic | Local System
TCP/IP Print Server | Provides a TCP/IP-based printing service that uses the Line Printer protocol. | Started | Automatic | Local System
Terminal Services Licensing | Installs a license server and provides registered client licenses when connecting to a terminal server. | Started | Automatic | Local System
Trivial FTP Daemon | Implements the Trivial FTP Internet standard, which doesn't require a username or password. Part of Remote Installation Services (RIS). | Not started | Manual | Local System
Windows Media Monitor | Monitors client and server connections to the Windows Media services. | Started | Automatic | .\NetShowServices
Windows Media Program | Groups Windows Media streams into a sequential program for the Windows Media Station service. | Started | Automatic | .\NetShowServices
Windows Media Station | Provides multicasting and distribution services for streaming Windows Media content. | Started | Automatic | .\NetShowServices
Windows Media Unicast | Provides Windows Media streaming content on demand to networked clients. | Started | Automatic | .\NetShowServices
WINS | Provides a NetBIOS name service for TCP/IP clients that must register and resolve NetBIOS-type names. | Started | Automatic | Local System

What Can You Afford to Lose?

With 90 services running on your Windows 2000 Server system, won't all that code bring your server to its knees? The answer depends on the server's horsepower. Most of these services don't drain system resources unless they're active. For example, if you don't maintain an active Web site on your server, having Microsoft IIS installed and running won't significantly slow your system's performance.

By default, many services are disabled or set to manual start, but the more services your server loads automatically, the more memory and CPU resources it uses during typical operation. Therefore, if fewer services are running, more resources are available to the system, and the system will run faster. Thus, to improve performance, set services to load automatically only when necessary, and disable or remove (or set to manual start) the other services on your server.

Table 3 Services You Might Disable or Remove

Service | Considerations
Alerter | Disable only if you don't need the ability to send messages, such as Shut down now, to users.
DHCP Client | Disable only if you're statically assigning IP addresses.
Distributed File System | Disable only if you aren't using DFS volumes.
DNS Client | Disable only in a development or test environment.
IISAdmin | Disable only if you aren't running a Web server. However, be aware that many Windows 2000 components are Web based, and disabling this service might affect those components.
Messenger | Disabling this service might affect applications that need to send messages between systems or other applications.
Print Spooler | Disable only if the system isn't a print server.
Remote Registry | Disabling this service might protect your server from attack.
RunAs | Disable only if you don't need the ability to use the Run As command to start an application under a different user security context.
SMTP | Disable only if you don't need SMTP.
SNMP | Disable only if you aren't running any SNMP-based management applications. However, most management applications use SNMP.

However, be very careful about which services you disable or remove. A good rule of thumb is that if you don't know what it does, don't disable or remove it. Turning off a necessary or dependent service can crash an application, corrupt files, or cause your system to fail. Whether you can safely disable or remove a service depends on your server's configuration, but Table 3 shows services you might be able to turn off to boost performance (provided you've verified that the system or other applications aren't using the services). To properly remove a service, use the Add/Remove Programs applet. Click Add/Remove Windows Components to launch the Windows Components Wizard, which presents a list of available Windows 2000 services. Currently installed services appear with selected check boxes. To remove a service, clear the service's check box; to modify a service, select its check box, then click Next to step through configuration for the services you selected (some services include multiple components). Be sure to clear a check box only if you want to remove that service.

Should you turn on any services that don't run by default? The answer depends on your situation. For example, you might want to enable the Indexing service, but this service slows server performance every time it indexes the server's content. If you need fax capability or RRAS functionality, you should turn on those services. Table 4 lists useful system services that you might want to enable.

Table 4 Useful System Services to Enable

Service | Reason to Enable
Net Logon | Enable only if this server will support user logons.
NetMeeting Remote Desktop Sharing | Useful for supporting remote Help desk activities.
RRAS | Lets you support dial-in and Internet logons directly.
SNMP Trap | Necessary when running management applications that use SNMP.
Telnet | Useful for server access in a mixed Windows and UNIX environment.
Windows Time | Lets other computers on the network sync their clocks to this server.

When tuning your system's services, perform a full backup before you significantly alter your server's configuration, and log every configuration change. Backups and logs are your primary vehicles for troubleshooting problems if a configuration change results in a broken application or performance degradation.
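The advice to log configuration changes is easy to automate. The script below is an added example, not code from the article or from the resource kit: it records a baseline of every service's Startup Type, state, logon account and desktop-interaction setting (the same properties the Services console shows), and later reports what drifted from that baseline. It assumes a Windows host running Windows PowerShell 5.1 or later with the Win32_Service CIM class; the file path under C:\Admin is a placeholder.

```powershell
# Added example: baseline and drift report for service configuration.
# Assumes Windows PowerShell 5.1+ and the Win32_Service CIM class.

function Get-ServiceBaseline {
    # One record per installed service: the settings the article tunes.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, State, StartName, DesktopInteract |
        Sort-Object Name
}

function Save-ServiceBaseline {
    # Write the baseline to CSV so it can be kept with the change log.
    param([Parameter(Mandatory)][string]$Path)
    Get-ServiceBaseline | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceBaseline {
    # Emit one row per difference between the saved baseline and the live system:
    # changed startup type, state, logon account or desktop interaction,
    # plus services that were added or removed since the baseline was taken.
    param([Parameter(Mandatory)][string]$Path)

    $baseline = @{}
    foreach ($row in Import-Csv -Path $Path) { $baseline[$row.Name] = $row }
    $current = @{}
    foreach ($row in Get-ServiceBaseline) { $current[$row.Name] = $row }

    foreach ($name in $current.Keys) {
        if (-not $baseline.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Property = '(new service)';
                               Before = ''; After = $current[$name].StartMode }
            continue
        }
        foreach ($prop in 'StartMode', 'State', 'StartName', 'DesktopInteract') {
            # CSV round-trips everything as text, so compare as strings.
            $before = [string]$baseline[$name].$prop
            $after  = [string]$current[$name].$prop
            if ($before -ne $after) {
                [pscustomobject]@{ Service = $name; Property = $prop;
                                   Before = $before; After = $after }
            }
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Property = '(removed service)';
                               Before = $baseline[$name].StartMode; After = '' }
        }
    }
}

# Usage (placeholder path): take the baseline before tuning, diff afterwards.
# Save-ServiceBaseline -Path C:\Admin\services-before.csv
# ... disable, remove or reconfigure services as in Tables 3 and 4 ...
# Compare-ServiceBaseline -Path C:\Admin\services-before.csv | Format-Table -AutoSize
```

Keep the baseline CSV with the backup you took before tuning; when an application breaks later, the drift report shows exactly which service settings changed, which is usually faster than re-reading the Services console row by row.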

Security Tune-Up

Disabling security-related services on any server—but especially on a DC—sacrifices the system's protection and endangers your network environment. However, you can tune service settings to ease systems management.

In Part 1, I discussed how to create service accounts for applications and services. These accounts control the security context under which the applications and services run, help you control the access rights and interactivity of multiple related services, and secure the system's core management and application functions.

Using Windows 2000's native security object model, you can control access to individual server properties and actions. So, for example, you can control which services your Help desk technicians can access, what actions they can take, and even what management information they can view. By setting ACLs on individual services, you can delegate control and access rights to those services. Alternatively, you can use Microsoft BackOffice Server 2000 to determine, through logon credentials and locked-down Microsoft Management Console (MMC) files, what a technician has permission to do. For example, you can customize a context menu to display only Start Service (and not Stop). The Microsoft Windows 2000 Resource Kit Service ACL Editor tool also lets you administer services at a granular level. (For a complete list of related resource kit tools, see Part 1.)

You can set logon credentials for services, enter passwords, and set interaction with the desktop through the Log On tab of a service's Properties window. Through the logon account, you can determine which rights a service or application will have on your server. Thus, for services that are potential security risks, you can limit access to server resources. You can create a unique user account and manually assign the account to the groups that contain the permissions necessary to work with that service. When you do so, create the user account in the Local User and Groups container. (If your system is a DC, create a unique domain account rather than a local or system account.) Make sure that you limit the account's functional scope as much as possible (e.g., provide limited logon rights and no general server access unless the service requires it). Setting up service-management accounts that have different names and strong passwords will make cracking your network more difficult.

However, creating a multitude of service accounts can result in a hassle when you must change accounts' passwords (according to your company's password policies). One option is to set these accounts' passwords to never expire. This setting protects you from finding yourself with a dead server if a password times out and prevents the associated service from logging on and running. But this setting is also a security risk. Rather than create many accounts with passwords that don't expire, you can create a few, nonprivileged service accounts and develop a process for changing their passwords as needed.

Desktop interaction for a service means that the service can bring itself up in the Windows desktop environment for input by anyone logged on to the system. Selecting the Allow service to interact with desktop check box in the service's Properties window exposes the service's UI so that users can change the service's settings. Leaving this check box clear prevents logged-on users from interfering with the service. This configuration option is available only when a service is running under the Local System account. Usually, you wouldn't change the interaction settings of common Windows components and services because doing so could have detrimental effects on your server's operation. However, in a development environment or if you're running an application as a service, permitting desktop interaction might be necessary to control a service or to provide user-input settings.
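The three settings discussed above (the per-service ACL, the logon account, and the Allow service to interact with desktop option) can all be reviewed from a script. The following is an added example, not the article's or the resource kit's code: it reads each service's security descriptor with sc sdshow, decodes the SDDL with the .NET RawSecurityDescriptor class, and reports which principals other than SYSTEM and Administrators can stop or reconfigure the service, alongside the logon account and desktop-interaction flag. It assumes a Windows host with Windows PowerShell 5.1 or later, sc.exe, and an administrative session; the access-right values are the SERVICE_* constants from winsvc.h.

```powershell
# Added example: audit service DACLs, logon accounts and desktop interaction.
# Assumes Windows PowerShell 5.1+, sc.exe and an administrative session.

# Service-specific access rights (winsvc.h) plus the standard rights that
# let a principal rewrite the ACL or take ownership.
$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG   = 0x0001
    SERVICE_CHANGE_CONFIG  = 0x0002
    SERVICE_QUERY_STATUS   = 0x0004
    SERVICE_START          = 0x0010
    SERVICE_STOP           = 0x0020
    SERVICE_PAUSE_CONTINUE = 0x0040
    WRITE_DAC              = 0x00040000
    WRITE_OWNER            = 0x00080000
}
$ServiceAllAccess = 0xF01FF

function Get-ServiceSddl {
    # 'sc sdshow' prints the service's security descriptor in SDDL form.
    param([Parameter(Mandatory)][string]$Name)
    $out  = & sc.exe sdshow $Name 2>&1
    $line = $out | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
    if (-not $line) { throw "sc sdshow failed for ${Name}: $out" }
    return ([string]$line).Trim()
}

function ConvertFrom-ServiceSddl {
    # One row per ACE: allow/deny, the principal, and the rights it names.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # orphaned SID: keep the raw value
        if (($ace.AccessMask -band $ServiceAllAccess) -eq $ServiceAllAccess) {
            $rights = @('SERVICE_ALL_ACCESS')
        } else {
            $rights = foreach ($r in $ServiceRights.GetEnumerator()) {
                if (($ace.AccessMask -band $r.Value) -eq $r.Value) { $r.Key }
            }
        }
        [pscustomobject]@{ Type = $ace.AceType; Principal = $who; Rights = ($rights -join ', ') }
    }
}

function Get-ServiceSecurityReport {
    # Per service: logon account, desktop interaction, and principals outside
    # SYSTEM/Administrators that are allowed to stop, reconfigure or re-ACL it.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $risky = @()
        try {
            $aces  = ConvertFrom-ServiceSddl -Sddl (Get-ServiceSddl -Name $svc.Name)
            $risky = @($aces | Where-Object {
                $_.Type -eq 'AccessAllowed' -and $_.Principal -notin $trusted -and
                $_.Rights -match 'SERVICE_STOP|SERVICE_CHANGE_CONFIG|WRITE_DAC|WRITE_OWNER|SERVICE_ALL_ACCESS'
            })
        } catch { $risky = @() }   # e.g. access denied on a protected service
        [pscustomobject]@{
            Service         = $svc.Name
            LogonAccount    = $svc.StartName
            DesktopInteract = $svc.DesktopInteract
            CanStopOrChange = (($risky | ForEach-Object Principal) -join '; ')
        }
    }
}

# Usage: list services a non-administrator can stop or reconfigure, and every
# service whose UI is exposed on the desktop.
# Get-ServiceSecurityReport |
#     Where-Object { $_.CanStopOrChange -or $_.DesktopInteract } | Format-Table -AutoSize
```

Run the report before and after delegating rights with the resource kit's Service ACL Editor: a Help desk group that should only see Start Service will appear in the CanStopOrChange column if it was accidentally granted SERVICE_STOP or SERVICE_CHANGE_CONFIG, and any service still running under Local System with desktop interaction enabled is listed in the same pass.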

What if you mess up? You mistakenly set the Server service to log on under a user account with an expired password. Now, you find that you can't log on to your system. Don't panic. Reboot the server into Safe Mode, which is a minimal service and driver configuration. Through one of the various Safe Mode startup options, you can get back into Windows and fix your error.

Tune Up or Tune Out

You've learned your way around services' administration tools and interfaces, and now you know how to apply that knowledge through enabling and disabling services and tweaking services' security-related settings. You can use these articles as a Windows 2000 services primer to ease service management, and you can consult Windows Help and the resource kit documentation for more information about tuning your system's services.

© 2002 Windows & .NET Magazine. All rights reserved.
