External DNS Server Hardening
If you built your own external DNS servers for , this section has information you should know. If you are using existing external DNS servers for your solution, you can skip this part of Best Practices for Centralized Management.
Remove or Disable Unneeded Services
Because your external DNS server is a stand-alone computer (not a domain member) running Windows Server 2003, most of the default services are unnecessary. The best approach is to not install services you do not need. If a service is already there, uninstall it; where uninstalling is not possible, disable it. Every service left running is listening code that an attacker on the Internet-facing side can probe, so the goal is a server that exposes DNS and nothing else.
Services to Remove
If they exist, uninstall the following Windows components from the DNS server, as shown in the following table. (They are Windows components, not part of the DNS Server service itself.) Next to each item is an indication whether the item is part of a default Windows Server 2003 installation.
Table: Windows Components to Uninstall from the DNS Server

Component | Part of default Windows Server 2003 installation? |
---|---|
Certificate Services | No |
Indexing Service | Yes |
Internet Information Services (IIS) and all components | Yes |
All Management and Monitoring Tools (with the possible exception of SNMP) | No |
Message Queuing Services | No |
All Networking Services subcomponents except DNS | No |
All other Network File and Print Services | No |
Remote Installation Services | No |
Remote Storage | No |
Terminal Services Licensing | No |
Windows Media Services | No |
Note
If you need remote administration or monitoring, you can install Simple Network Management Protocol (SNMP) (under Management and Monitoring Tools) and Terminal Services. If you do, restrict both to your management hosts at the firewall: SNMP v1 and v2c send their community strings in cleartext, and an exposed Terminal Services port is a direct logon path to the server.
Disable the following services. Some are set to Manual and some to Automatic; none of them are required on an external DNS server, so disabling them is the safest route. (A few services, such as Intersite Messaging and the Kerberos Key Distribution Center, are already disabled on a stand-alone server, so they are not listed here.) Display names vary slightly between Windows 2000 and Windows Server 2003; match each entry against the Services console (services.msc) on the server.
Alerter
Application Management
ClipBook
Computer Browser
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
Fax Service
File Replication
Internet Connection Sharing
License Logging Service
Messenger
NetMeeting Remote Desktop Sharing
Network Dynamic Data Exchange (DDE)
Network DDE Share Database Manager (DSDM)
Print Spooler
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Registry Service
RunAs Service (shown as Secondary Logon on Windows Server 2003)
Smart Card
Smart Card Helper
Task Scheduler
TCP/IP NetBIOS Helper Service
Telephony
Telnet
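The procedure above can be scripted and, more importantly, verified. The following is an added example and not code from the original page. It assumes Windows PowerShell 2.0 has been installed on the server (it is not part of a default Windows Server 2003 installation) and that it runs as a local administrator; the service display names are taken from the list above, matched by prefix so that minor naming differences between builds still match, and anything that does not match is reported rather than silently skipped.

```powershell
# Added example, not from the original page. Disables the services listed above
# on a stand-alone Windows Server 2003 DNS server and then verifies the result.
# Assumptions: Windows PowerShell 2.0 is installed on the server (not part of a
# default Windows Server 2003 installation) and this runs as a local administrator.

$displayNames = @(
    'Alerter', 'Application Management', 'ClipBook', 'Computer Browser',
    'Distributed File System', 'Distributed Link Tracking Client',
    'Distributed Link Tracking Server', 'Distributed Transaction Coordinator',
    'Fax', 'File Replication', 'Internet Connection Sharing',
    'License Logging', 'Messenger', 'NetMeeting Remote Desktop Sharing',
    'Network DDE', 'Network DDE DSDM', 'Print Spooler',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Registry', 'Secondary Logon', 'Smart Card', 'Smart Card Helper',
    'Task Scheduler', 'TCP/IP NetBIOS Helper', 'Telephony', 'Telnet'
)

# Never touch these, whatever the list says: the server must keep serving DNS.
$protected = @('DNS Server', 'Event Log', 'Remote Procedure Call (RPC)')

$disabled = @()
foreach ($name in $displayNames) {
    # Prefix wildcard: "Remote Registry*" matches both "Remote Registry" (2003)
    # and "Remote Registry Service" (2000). Unmatched names are reported.
    $found = @(Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        Write-Warning "No service matching '$name' on this build; check services.msc"
        continue
    }
    foreach ($svc in $found) {
        if ($protected -contains $svc.DisplayName) { continue }
        if ($disabled -contains $svc.Name) { continue }   # already handled via a wider prefix
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        $disabled += $svc.Name
    }
}

# Verify against the service control manager's own view rather than trusting
# the calls above: anything still Auto or Manual is a finding.
$notDisabled = @(Get-WmiObject Win32_Service |
    Where-Object { $disabled -contains $_.Name -and $_.StartMode -ne 'Disabled' })
if ($notDisabled.Count -gt 0) {
    $notDisabled | Format-Table DisplayName, Name, StartMode -AutoSize
} else {
    Write-Host ("All {0} targeted services are disabled" -f $disabled.Count)
}
```

Run it once after the build and again after any patching or role change; a service that has come back to Automatic is exactly the kind of drift this check is meant to catch. The warnings for unmatched names are expected on some builds (for example, Internet Connection Sharing is folded into the Windows Firewall service on Windows Server 2003 with SP1) and should be resolved by hand against the Services console.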
Network Configuration
Because the DNS server does not perform any file sharing or similar activities, confirm that the following are disabled. The first two are check boxes in the properties of the network connection; NetBIOS over TCP/IP is set on the WINS tab of the advanced TCP/IP settings:
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
NetBIOS over TCP/IP
You perform these steps when you configure external DNS servers.
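Disabling NetBIOS over TCP/IP can be scripted, and the whole network configuration can be verified by looking at what the server actually listens on. The following is an added example and not code from the original page. It assumes Windows PowerShell 2.0 is installed and that it runs as a local administrator. Unbinding Client for Microsoft Networks and File and Printer Sharing from the connection has no supported scripting interface on Windows Server 2003, so that step stays in the Properties dialog; the port audit is how you confirm it took effect.

```powershell
# Added example, not from the original page. Turns off NetBIOS over TCP/IP on
# every IP-enabled adapter via WMI, then audits the listening ports so that
# leftover SMB/NetBIOS bindings show up as findings. Assumes Windows PowerShell
# 2.0 and a local administrator session.

# Win32_NetworkAdapterConfiguration.SetTcpipNetbios: 0 = use DHCP setting,
# 1 = enable, 2 = disable. ReturnValue 0 = done, 1 = done but reboot required.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $result = $nic.SetTcpipNetbios(2)
    Write-Host ('{0}: SetTcpipNetbios returned {1}' -f $nic.Description, $result.ReturnValue)
}

# What an external DNS server should be listening on. TCP 3389 and UDP 161 only
# apply if Terminal Services or SNMP were kept (see the note above).
$expected = @('TCP:53', 'UDP:53')
$optional = @('TCP:3389', 'UDP:161')

# Parse "netstat -an" lines such as
#   TCP    0.0.0.0:53     0.0.0.0:0    LISTENING
#   UDP    0.0.0.0:53     *:*
# into "PROTO:port" for listening sockets only.
$listeners = netstat -an | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(\s+LISTENING)?') {
        # A TCP line without LISTENING is ESTABLISHED, TIME_WAIT, etc.: skip it.
        if ($Matches[1] -eq 'TCP' -and -not $Matches[3]) { return }
        '{0}:{1}' -f $Matches[1], $Matches[2]
    }
} | Sort-Object -Unique

$unexpected = @($listeners | Where-Object { ($expected + $optional) -notcontains $_ })
Write-Host ('Listening: ' + ($listeners -join ', '))
if ($unexpected.Count -gt 0) {
    Write-Warning ('Unexpected listeners: ' + ($unexpected -join ', '))
}
```

Reading the result: TCP 139 or 445 means File and Printer Sharing is still bound to the connection, and UDP 137/138 means NetBIOS over TCP/IP is still on (a reboot may be needed after the WMI call). TCP 135 will always appear, because the RPC endpoint mapper cannot be disabled, and the DNS Server service registers an RPC interface on a dynamic high port for remote management; neither can be removed on the host, so block them at the perimeter firewall and allow only 53.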