Managing System Services

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By William R. Stanek

Archived content - No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 3, Windows NT Administrator's Pocket Consultant .

Services provide key functions to Windows NT workstations and servers. To manage system services, you'll use the Services utility, which is started as follows:

In the Control Panel: by double-clicking on the Services icon. This is used to manage services on the local system.
From Server Manager: by selecting the computer you want to work with and then choosing Services from the Computers menu. This is used to manage services on remote systems.

Figure 3-4 shows the Services dialog box. The key fields of this dialog box are used as follows:

Service The name of the service. Only services installed on the system are listed here. Double-click on an entry to configure its startup options. If a service you need isn't listed, you can install it via the Services tab of the Network utility.
Status The status of the service as started, paused, or stopped. (Stopped is indicated by a blank entry.)
Startup The startup setting for the service. Automatic services are started at bootup. Manual services are started by users or other services. Disabled services are turned off and cannot be started.

Figure 3-4: Use Services to manage services on Windows NT workstations and servers.

Note: Services can be disabled by the operating system and by users. Generally, Windows NT disables services if there is a possible conflict with another service.

Common Windows NT Services

Table 3-1 shows the services that are installed by default on Windows NT systems. Keep in mind that the type and number of services running on a Windows NT system depend on its configuration. For a list of additional services you can install, as well as for installation instructions, see the section of Chapter 12 titled "Configuring Additional TCP/IP Services."

Table 3-1 Default Services That May Be Installed on Windows NT Systems

Service Name	Description
Alerter	Sends administrative alert messages to designated recipients. Depends on the messenger service. For more information, see the section of Chapter 2 titled "Setting Up Alerts."
ClipBook Server	Enables remote viewers to see local pages with ClipBook Viewer.
Computer Browser	Enables computer browsing; maintains a list of resources used for network browsing.
Directory Replicator	Enables directory and file replication. For details, see the section of Chapter 2 titled "Managing Replication."
EventLog	Used to log system, application, and security events.
License Logging Service	Used to track license usage and compliance.
Messenger	Relays messages sent by the Alerter service and Send Message from Server Manager.
Net Logon	Authenticates user logons. On domain controllers, the service also is used to synchronize the domain user database.
Network DDE	Supports DDE (dynamic data exchange) between applications.
Network DDE DSDM	DSDM (data share database manager) manages dynamic data exchanges on the network.
NT LM Security	Supports security services for RPC applications Support Provider that don't use name pipes.
Plug and Play	Supports automatic configuration updates when you add or remove components from a system.
Remote Procedure Call (RPC) Locator	Locates RPC clients and servers on the network.
Remote Procedure Call (RPC) Service	The RPC name service for distributed applications.
Schedule	Enables job scheduling with the At service.
Server	Provides services for Windows NT servers including file sharing, printer spooling, and named pipes.
Spooler	Enables printer spooling.
UPS	Enables UPS (uninterruptible power supply) support.
Workstation	Provides services for Windows NT workstations.

Starting, Stopping, and Pausing Services

As an administrator, you'll often have to start, stop, or pause Windows NT services. To start, stop, or pause, follow these steps:

In Server Manager, select the computer you want to work with.
Select Services from the Computer menu. This opens the Services utility for the selected computer.
Choose the Service you want to manipulate, and then select Start, Stop, or Pause as appropriate. After you pause a service, select the service and click Continue to resume normal operation.

Note: When services that are set to start automatically fail: the status is listed as blank, and you'll usually receive notification in a pop-up dialog box. Service failures can also be logged to the system's event logs.

Configuring Service Startup

Windows NT services can be set to start manually or automatically. They can also be turned off permanently by disabling them. You configure service startup as follows:

In Server Manager, select the computer you want to work with.
Select Services from the Computer menu. This opens the Services utility for the selected computer.
Choose Startup to display a dialog box similar to the one shown in Figure 3-5. In this example, the Telephony Service was selected.
Select the service startup option using the Startup Type radio button. Use Automatic to start services at bootup. Use Manual to allow the services to be started manually. Use Disabled to turn off the service.
Click OK.

Figure 3-5: This dialog box is used to configure service startup options.

Configuring Service Logon

Key Windows NT services can be configured to log on as a system account or as a specific user. To do this, follow these steps:

In Server Manager, select the computer you want to work with.
Select Services from the Computer menu. This opens the Services utility for the selected computer.
Temporarily stop the service by clicking Stop.
Choose Startup to display the dialog box shown previously in Figure 3-5.
Select System Account if the service should log on using the system account (which is the default for most services).
Select This Account if the service should log on using a specific user account. Be sure to enter an account name and password in the fields provided. Use the ellipsis button to search for a user account if necessary.
Click OK.
Restart the service by clicking Start.

Auditing System Resources

Auditing is the best way to track what is happening on your Windows NT systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Anytime an action occurs that you've configured for auditing, the action is written to the system's security log, where it is stored for your review. The security log is accessible from Event Viewer.

Note: For most auditing changes, you'll need to be logged on using an account that is a member of the Administrators group.

Setting Auditing Policies for System Security

Auditing policies for system security are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You can configure system security settings as follows:

For the entire domain (domain-wide auditing):

When you configure domain-wide auditing, you set auditing policies for the entire domain. Afterward, all Windows NT domain controllers in the domain will use these auditing policies.
For an individual workstation or server (system-level auditing):

When you configure system-level auditing policies, you set auditing policies on an individual Windows NT workstation or server. Afterward, these policies are only used on that system.

To set security auditing policies, follow these steps:

Start User Manager for Domains.
To set domain-wide auditing policies, choose the domain you want to work with, using the Select Domain option of the User menu.
To set system-level auditing policies, choose the individual computer you want to work with, using the Select Domain option of the User menu. Be sure to enter the double backslashes before the computer name, such as \\ZETA.
Select Audit from the Policies menu to display the dialog box shown in Figure 3-6.
Choose Audit These Events, then select the Success or Failure check boxes, or both, for each of the events you want to audit. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts. The events you can audit are
- Logon and Logoff Tracks events related to user logon, logoff, and remote connections to network systems.
- File and Object Access Tracks system resource usage for files, directories, shares, and system-level objects.
- Use of User Rights Tracks the use of user rights, such as the right to back up files and directories. User rights are configured with the User Rights option on the User menu.
  
  Note: Use of User Rights does not track system access-related events, such as the use of the right to log on interactively or the right to access the computer from the network. These events are tracked with the Logon and Logoff auditing.
- User and Group Management Tracks account management via User Manager or User Manager For Domains. Events are generated anytime user or group accounts are created, modified, or deleted.
  
  Figure 3-6: Set domain-wide and system-level auditing policies using the Audit Policy dialog box.
- Security Policy Changes Tracks changes to user rights, auditing, and trust relationships.
- Restart, Shutdown, and System Tracks system startup, shutdown, and restart as well as actions that affect system security or the security log.
- Process Tracking Tracks system processes and the resources they use.
Click OK when you are finished.

Auditing for Directory and File Security

If you configure a domain or system to audit file and object access, you can set the level of auditing for individual directories and files as well. This allows you to precisely control how directory and file usage is tracked. Auditing of this type is only available on NTFS volumes.

To configure directory and file auditing, follow these steps:

In Windows NT Explorer, right-click on the directory or file to be audited.
Select Properties from the pop-up menu.
Choose the Security tab, then click Auditing. For directories, this opens the dialog box shown in Figure 3-7. A similar dialog box is used for files.
If you want to audit the same events for all subdirectories of the current directory, select Replace Auditing On Subdirectories.
If files in these directories should have the same auditing, select Replace Auditing On Existing Files.
Use the Name list box to select the users whose actions you want to audit. To add specific users, click on the Add button, then select the user names to add. To remove a user, select the user in the Name list box, and then click Remove.

Figure 3-7: Set directory and file auditing policies using the Directory Auditing dialog box.

Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups and/or users you want to audit.
Select the Success or Failure check boxes, or both, for each of the events you want to audit. Success logs successful events, such as successful file reads. Failure logs failed events, such as failed file deletions.
Choose OK when you're finished.

The actions that are audited depend on whether you are working with files or directories.

Actions Audited with Directory Events

The following actions are audited with directory events:

Read Audits display of filenames, attributes, permissions, and owner.
Write Audits changes to attributes, display of permissions and owner, and creation of subdirectories and files.
Execute Audits changes to subdirectories and display of attributes, permissions, and owner.
Delete Audits deletion of a directory.
Change Permissions Audits changes to directory permissions.
Take Ownership Audits changes to directory ownership.

Actions Audited with File Events

The following actions are audited with file events:

Read Audits display of file data, attributes, permissions, and owner.
Write Audits changes to file data or attributes and display of permissions and owner.
Execute Audits running programs and display of attributes, permissions, and owner.
Delete Audits deletion of the file.
Change Permissions Audits changes to file permissions.
Take Ownership Audits changes to file ownership.

Auditing for Printer Security

With printer auditing, you can track events related to printer usage and printer administration. Printer auditing is only enabled if you configure a domain or system to audit file and object access.

You can configure printer auditing by completing the following steps:

In Control Panel, double-click on the Printers folder. This opens the Printers folder.

Figure 3-8: Set printer auditing policies using the Printer Auditing dialog box.
Right-click on the printer you want to audit, and then select Properties from the pop-up menu.
Choose the Security tab, then click Auditing. This opens the dialog box shown in Figure 3-8.
Use the Name list box to select the users whose actions you want to audit. To add specific users, click on the Add button, then select the user names to add. To remove a user, select the user in the Name list box, then click Remove.

Note: To audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups and/or users you want to audit.
Select the Success or Failure check boxes, or both, for each of the events you want to audit. Success logs successful events, such as successful printing. Failure logs failed events, such as failed print jobs.
Choose OK when you're finished.

Auditing Printer Events

The printer events that can be audited are

Print Tracks document printing.
Full Control Tracks changes to printer and document settings in Print Manager.
Delete Tracks when a printer is deleted.
Change Permissions Tracks changes to permissions.
Take Ownership Tracks when a user takes ownership of a printer.

Click to order