Securing Windows 2000 Server

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Appendix A: Purpose of Microsoft Windows 2000 Services

Published: November 17, 2004 | Updated : May 31, 2006

Alerter. Notifies selected users and computers of administrative alerts. If this service is turned off, applications that use the NetAlertRaise or NetAlertRaiseEx application programming interfaces (APIs) will be unable to notify a user or computer (by a message box from the Messenger service) that the administrative alert took place.

Application Management. Provides software installation services for applications deployed through Add/Remove Programs. This service (known as appmgmts) processes requests to enumerate, install, and remove applications deployed through an organization's network. When a user clicks the Add button in Add/Remove Programs on a computer joined to a domain, the applet calls the service to retrieve the list of deployed applications.

Automatic Updates. Provides the download and installation of critical Windows updates, such as security patches or hotfixes. This service can be disabled when automatic updates are not performed on the server.

Background Intelligent Transfer Service. Provides a background file transfer mechanism and queue management. Automatic Updates uses this service to download updates (such as security patches) in the background. Background Intelligent Transfer Service can be disabled when automatic updates are not performed on the server.

Boot Information Negotiation Layer (BINL). Provides the ability to install Microsoft® Windows® 2000 Professional on Preboot Execution Environment (PXE) remote boot-enabled client computers. The BINL service, the primary component of Remote Installation Services (RIS), answers PXE clients, checks the Active Directory® directory service to validate the client, and passes client information to and from the server. The BINL service is installed when you either add the RIS component from Add/Remove Windows Components or select it when initially installing the operating system.

Certificate Services. Creates, manages, and removes X.509 certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME) and Secure Sockets Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

ClipBook. Enables ClipBook Viewer to create and share pages of data that remote users can view. This service depends on the Network DDE service, which creates the DDE shares that other computers connect to. The ClipBook application and service allow users to create the pages of data to share; because those pages are exposed to other computers, leave the service disabled unless it is needed.

Cluster Service. Controls server cluster operations. A cluster is a group of independent computer systems, referred to as nodes, that work together to provide a unified computing resource. There are two different types of cluster solutions in the Windows platform, supporting different application styles: server clusters and Network Load Balancing (NLB) clusters. Server clusters provide a highly available environment for long-running applications such as database or file servers by providing failover support with tightly integrated cluster management. The Cluster Service is needed only on the nodes of a server cluster.

COM+ Event Services. Provides automatic distribution of events to Component Object Model (COM) components. COM+ Events extend the COM+ programming model to support late-bound events or method calls between a publisher and its subscribers through the event system. Instead of repeatedly polling the server, the event system notifies interested parties as information becomes available.

Computer Browser. Maintains the list of computers on the network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources.

Computers designated as browsers maintain browse lists, which contain all shared resources used on the network. Applications from earlier versions of Windows, such as My Network Places, the NET VIEW command, and Microsoft Windows NT® Explorer, all require browsing capability.

For example, opening My Network Places on a computer running Windows 95 displays a list of domains and computers, which is accomplished by the computer obtaining a copy of the browse list from a computer designated as a browser. The servers in the Contoso scenario use the Computer Browser service to enumerate computers and shared resources within the domain.

DHCP Client. Manages network configuration by registering and updating IP addresses and DNS names. When this service is running, it is not necessary to manually change the IP settings when a client, such as a roaming user, travels throughout the network.

The client is automatically given a new IP address regardless of the subnet it reconnects to, as long as a DHCP server is reachable from each of those subnets. The DHCP Client service is also required to register and update the computer's records in Dynamic DNS, even on servers with statically assigned addresses. Dynamic DNS enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur.

DHCP Server. Allocates IP addresses and allows the advanced configuration of network settings such as DNS servers, Windows Internet Naming Service (WINS) servers, and so on to DHCP clients automatically. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically.

Distributed file system. Manages logical volumes distributed across a local or wide area network (WAN) and is required for the Active Directory SYSVOL share. Distributed file system (Dfs) is a distributed service that integrates disparate file shares into a single logical namespace.

This namespace is a logical representation of the network storage resources that are available to users on the network. If the Dfs service is turned off, users will be unable to access network data through the logical namespace. Users would need to know the names of all the servers and shares in the namespace and access each of these targets independently.

Distributed Link Tracking (DLT) Client. Maintains links between NTFS version 5 (NTFSv5) files on domain controllers and other servers in the domain. The DLT Client service ensures that shortcuts and Object Linking and Embedding (OLE) links continue to work after the target file is renamed or moved.

When you create a shortcut to a file on an NTFSv5 volume, DLT stamps a unique object identifier (ID) into the target file, known as the link source. Information about the object ID is also stored within the referring file, known as the link client.

Distributed Link Tracking (DLT) Server. Tracks information so that files moved between volumes can be tracked for each volume in the domain. The DLT Server service runs on each domain controller in a domain.

This service enables the DLT Client service to track linked documents that have been moved to a location in another NTFSv5 volume in the same domain. If the DLT Server service is disabled, links maintained by the DLT Client service may become less reliable over time. The NtfsDisableDomainLinkTracking policy setting should be enabled in the File system policy group to prevent DLT clients from repeatedly trying to reach the disabled service.

Distributed Transaction Coordinator (DTC). Coordinates transactions that are distributed across multiple computer systems and resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.

DTC is necessary if transactional components are going to be configured through COM+. COM+ is an extension to COM that provides a runtime and services that can be used from any programming language or tool. It enables extensive interoperability between components regardless of how they were implemented.

It is also required for transactional queues in Message Queuing (MSMQ) and Microsoft SQL Server™ operations that span multiple systems. Disabling this service prevents these transactions from occurring.

DNS Client. Resolves and caches DNS names. The DNS Client service must be running on every computer that performs DNS name resolution. The ability to resolve DNS names is crucial for locating domain controllers in Active Directory domains and for locating any device identified by a DNS name.

If the DNS Client service is disabled, computers running Windows 2000 Server in your organization may be unable to locate Active Directory domain controllers or to reach Internet hosts by name. Computers with the client service disabled will not be able to locate devices identified using DNS names.

DNS Server. Enables DNS name resolution by answering queries and update requests for DNS names. DNS servers are crucial for locating devices identified using DNS names and for locating domain controllers in Active Directory.

If no DNS server is authoritative for a particular portion of the namespace, locating devices in that portion of the namespace will fail. Without an authoritative DNS server for the DNS namespace used by Active Directory domains, clients cannot locate the domain controllers in the domain. The DNS Server service is required for Active Directory-integrated DNS zones.

Event Log. Writes event log messages issued by Windows-based programs and components to the log files. The Event Log service writes events sent by applications, services, and the operating system; these contain diagnostic information as well as errors specific to the source application, service, or component, and are useful in diagnosing problems.

The logs can be viewed programmatically through the Event Log APIs or through the Event Viewer Microsoft Management Console (MMC) snap-in.

If the Event Log service is disabled, you will be unable to track events in your environment, which reduces your ability to diagnose problems quickly. In addition, security auditing depends on this service: with it stopped, the logon, object-access, and policy-change events selected in the audit policy are not recorded, so it must stay enabled on any server you intend to monitor.

Fax Service. Provides the ability to send and receive faxes through fax resources available on the server and on the network.

File Replication. Maintains the file synchronization of file directory contents among multiple servers. File Replication is the automatic file replication service in Windows 2000. It is used to copy and maintain files on multiple servers simultaneously and to replicate the Windows 2000 system volume SYSVOL on all domain controllers.

In addition, the service can be configured to replicate files among alternate targets associated with the fault-tolerant Dfs. If this service is disabled, file replication will not occur, and server data will not be synchronized. In the case of a domain controller, stopping the File Replication service may seriously impair its ability to function.

File Server for Macintosh. Enables Macintosh users to store and access files on a computer running Windows 2000 Server. If this service is turned off, Macintosh clients will not be able to see or access the NTFS volumes shared to them.

FTP Publishing Service. Provides FTP connectivity and administration through the Internet Information Service (IIS) snap-in. Features include bandwidth throttling, security accounts, and extensible logging.

Gateway Service for NetWare. Provides access to file and print resources on NetWare networks.

IIS Admin Service. Allows administration of IIS. If this service is not running, you will not be able to run Web, File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), or Simple Mail Transfer Protocol (SMTP) sites, or configure IIS in your environment.

Indexing Service. Indexes content and file properties to provide rapid access to files through a flexible querying language. This service also enables quick document searching on local and remote computers and a search index for content shared on the Web.

The Indexing Service builds indexes of all textual information in files and documents. When the initial index build is complete, the service maintains its indexes whenever a file is created, modified, or deleted. On member servers it is disabled to prevent users from searching files and file content if sensitive files and folders are inadvertently indexed.

Internet Authentication Service. Performs centralized authentication, authorization, auditing, and accounting of users connecting to a network, either local area network (LAN) or remote, through virtual private networking (VPN) equipment, Remote Access Service (RAS) servers, or 802.1X wireless and Ethernet switch access points.

Internet Authentication Service (IAS) implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol, which enables the use of heterogeneous network access equipment. If IAS is disabled or stopped, access servers that are configured with a secondary RADIUS server will fail over to it. If no backup IAS server is available, users will not be able to connect to the network.

Internet Connection Sharing. Provides network address translation (NAT), addressing, and name resolution. When Internet Connection Sharing is enabled, your computer becomes an "Internet gateway" on the network, enabling other client computers to share one connection to the Internet, share files, and use the same printers.

This service is turned off by default. If Internet Connection Sharing is stopped or disabled, services such as name resolution and addressing will be unavailable to clients on the network. Clients on a home or small office network may then be unable to reach the Internet, and their IP addresses will expire, causing some clients to fall back to Automatic Private IP Addressing (APIPA) for peer-to-peer connectivity.

Internet Connection Sharing is disabled on all servers in the environment for the Contoso scenario to prevent inadvertent enabling of NAT, which would prevent the server from communicating with the remainder of the network.

Intersite Messaging (ISM). Allows sending and receiving messages between Active Directory sites. This service is used for mail-based replication between sites. Active Directory supports replication between sites using SMTP over IP as the transport.

SMTP support is provided by the SMTP service, which is a component of IIS. The set of transports used for communication between sites must be extensible; therefore, each transport is defined in a separate add-in dynamic-link library (DLL). These add-in DLLs are loaded into the ISM service, which runs on all domain controllers that are candidates for performing communication between sites.

The ISM service directs send and receive requests to the appropriate transport add-in DLLs, which then route the messages to the ISM service on the destination computer. This service is required only if SMTP replication is used in Active Directory.

IPsec Policy Agent (IPsec Service). Retrieves IPsec policy from Active Directory or the local registry, passes it to the IPsec driver, and runs the Internet Key Exchange (IKE) negotiations that the policy requires. If the service is stopped, no IPsec policy, including policy assigned through Group Policy, is enforced on the computer.

Kerberos Key Distribution Center. Provides the ability for users to log on using the Kerberos version 5 authentication protocol. The KDC runs only on domain controllers; if it is stopped on a domain controller, clients can no longer obtain Kerberos tickets from that server and must use another domain controller or fall back to NTLM.

License Logging Service. Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, file and print sharing, and products that are not a part of the operating system, such as SQL Server or Microsoft Exchange Server.

Logical Disk Manager. Watches Plug and Play events to detect new drives and passes volume or disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management snap-in display will not change when disks are added or removed.

The Logical Disk Manager uses an administrator service and a watchdog service. The service should not be disabled if dynamic disks are in the computer. This service is required to ensure that dynamic disk information is up to date.

Logical Disk Manager Administrative Service. Performs an administrative service for disk management requests. This service is started only when you configure a drive or partition or when a new drive is detected. The service does not run by default, but it is activated whenever dynamic disk configuration changes occur or the Disk Management MMC snap-in is open.

Such changes include converting a basic disk to dynamic, recovery of fault tolerant volumes, volume formatting, or changing your page file. The service starts, completes the configuration operation, and then exits. This service is required to perform disk administration.

Messenger. Sends and receives messages for users and computers, including messages transmitted by administrators or by the Alerter service (this is not the Windows Messenger instant-messaging program). If disabled, Messenger notifications cannot be sent to or received by the computer or by users currently logged on, and NET SEND and NET NAME will no longer function.

Microsoft Message Queuing (MSMQ). A messaging infrastructure and development tool for creating distributed messaging applications for Windows-based computers. Such applications can communicate across heterogeneous networks and can send messages between computers that may be temporarily unable to connect to each other.

MSMQ provides guaranteed message delivery, efficient routing, security, support for sending messages within transactions, and priority-based messaging. MSMQ provides both Microsoft Win32® and COM APIs for all programmatic functionality including administration and management.

Disabling MSMQ affects a number of other services including COM+ Queued Component (QC) functionality, some parts of WMI, and the MSMQ Triggers service.

Net Logon Service. Supports pass-through authentication of account logon events for computers in a domain. This service is started automatically when a computer is a domain member. It is used to maintain a secure channel to a domain controller that the computer can use to authenticate users and services running on it.

In the case of a domain controller, Net Logon registers the DNS records that domain controller locator discovery depends on. It also accepts pass-through authentication forwarded from other domain controllers running Net Logon and forwards it to the destination domain controller, where the logon credentials are validated.

If this service is turned off, the computer will not operate properly in a domain. Specifically, the computer may deny NTLM authentication requests and, in the case of the domain controller, client computers will not be able to discover the domain controller.

NetMeeting Remote Desktop Sharing. Allows authorized users to remotely access your Windows desktop from another personal computer over your organization's intranet by using Microsoft NetMeeting®. The service must be explicitly enabled by NetMeeting and can be disabled in NetMeeting or shut down by means of a Windows tray icon.

Disabling the service unloads the NetMeeting display driver used for application sharing. Remote desktop sharing is a potential security threat and is disabled on all servers.

Network Connections. Manages objects in the Network Connections folder, in which you can view both network and remote connections. This service takes care of network configuration (client side) and displays status in the notification area on the desktop (the area on the taskbar to the right of the taskbar buttons). You may also access configuration parameters through this service.

Network DDE. Provides network transport and security for dynamic data exchange (DDE) between applications running on the same computer or on different computers. You can create Network DDE "shares" programmatically or by using DDEshare.exe on your computer, and make them visible to other applications and computers.

Traditionally, the user creating the share will create and run a server process to handle incoming requests from client processes or applications (running on the same computer or remotely). After they are connected, these processes can exchange any kind of data over a secure network transport. The service can be disabled when no DDE applications are running locally on the computer.

Network DDE DSDM. Manages shared DDE used by Network DDE. This service is used only by Network DDE to manage shared DDE conversations. You can create and "trust" DDE shares by using DDEshare.exe to allow remote computers and applications to connect and share data.

This service maintains a database of these DDE shares, including which ones are trusted. For each request for a connection from, or "conversation" with, an application, the service queries the database and validates your security settings to determine whether the request should be granted. This service can be disabled when Network DDE is disabled.
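The warning that recurs through this appendix, that disabling a service stops everything that explicitly depends on it (ClipBook needs Network DDE, which in turn needs Network DDE DSDM), is easiest to act on with the dependency lists in hand. The Python script below is an added example, not code from the original guide: it parses the output of the `sc qc` command, which prints each service's start type and its DEPENDENCIES list, and answers "what else breaks if I disable these?" before the change is made. The embedded sample output is constructed for the example and trimmed to the fields the parser reads; the names in it (ClipSrv, NetDDE, NetDDEdsdm, Messenger, Alerter, LanmanWorkstation) are the internal service names rather than the display names used in this appendix.

```python
"""Dependency-aware 'what else breaks if I disable this service?' check.

Added example, not part of the original guide: it parses the text `sc qc
<service>` prints (sc.exe: Windows 2000 Resource Kit, built in from XP on),
builds the reverse dependency graph and reports which services would fail to
start if a given one were disabled.  SAMPLE_SC_QC is constructed for this
example and trimmed to the fields the parser reads.
"""
import re
from collections import defaultdict

SAMPLE_SC_QC = r"""
SERVICE_NAME: ClipSrv
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : ClipBook
        DEPENDENCIES       : NetDDE

SERVICE_NAME: NetDDE
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Network DDE
        DEPENDENCIES       : NetDDEdsdm

SERVICE_NAME: NetDDEdsdm
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Network DDE DSDM
        DEPENDENCIES       :

SERVICE_NAME: Messenger
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Messenger
        DEPENDENCIES       : LanmanWorkstation
                           : NetBIOS
                           : RpcSS
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Alerter
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Alerter
        DEPENDENCIES       : LanmanWorkstation
"""

_HEAD = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")   # "KEY : value"
_CONT = re.compile(r"^\s*:\s*(\S+)")                # "   : NextDependency"


def parse_sc_qc(text):
    """Parse concatenated `sc qc` output into {service_name: info}."""
    services, heads = {}, list(_HEAD.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        info = {"display_name": "", "start_type": "", "depends_on": []}
        in_deps = False
        for line in text[head.end():end].splitlines():
            field, cont = _FIELD.match(line), _CONT.match(line)
            if field:
                key, value = field.group(1), field.group(2).strip()
                in_deps = key == "DEPENDENCIES"
                if key == "START_TYPE" and value:
                    info["start_type"] = value.split()[-1]   # e.g. AUTO_START
                elif key == "DISPLAY_NAME":
                    info["display_name"] = value
                elif in_deps and value:
                    info["depends_on"].append(value)
            elif in_deps and cont:
                info["depends_on"].append(cont.group(1))
        # "+Name" entries are load-order groups, not services: drop them.
        info["depends_on"] = [d for d in info["depends_on"] if not d.startswith("+")]
        services[head.group(1)] = info
    return services


def impact_of_disabling(services, target):
    """Every service that (transitively) fails to start if `target` is disabled."""
    dependents = defaultdict(set)                    # dependency -> who needs it
    for name, info in services.items():
        for dep in info["depends_on"]:
            dependents[dep].add(name)
    hit, stack = set(), [target]
    while stack:
        for name in dependents.get(stack.pop(), ()):
            if name not in hit:
                hit.add(name)
                stack.append(name)
    return sorted(hit)


def collateral_damage(services, planned):
    """Dependents of the planned services that are neither in the plan nor
    already disabled: the breakage nobody signed up for."""
    planned = set(planned)
    damage = {}
    for target in sorted(planned):
        others = [s for s in impact_of_disabling(services, target)
                  if s not in planned
                  and services.get(s, {}).get("start_type") != "DISABLED"]
        if others:
            damage[target] = others
    return damage


if __name__ == "__main__":
    svcs = parse_sc_qc(SAMPLE_SC_QC)
    print("disable NetDDEdsdm ->", impact_of_disabling(svcs, "NetDDEdsdm"))
    print("plan [LanmanWorkstation] ->", collateral_damage(svcs, ["LanmanWorkstation"]))
```

Feed it real data by running `sc qc <name>` for each service of interest (`sc query state= all` lists them) and concatenating the output into one text file. A plan that disables ClipBook, Network DDE and Network DDE DSDM together reports no collateral damage, while a plan that disables only Workstation (LanmanWorkstation) flags Messenger; Alerter is not flagged because it is already disabled.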

Network News Transport Protocol (NNTP). Allows computers running Windows 2000 Server to act as a news server. Clients can use a news client, such as Microsoft Outlook® Express messaging client to retrieve newsgroups from the server and read headers or bodies of the articles in each newsgroup.

The clients can then post back to the server. NNTP is an Internet standard. The version included in Windows 2000 does not support feeds, in which two news servers replicate their contents between each other. However, the version included in Exchange 2000 does include this functionality. If the service is turned off, client computers will not be able to connect and read or retrieve posts.

NTLM Security Support Provider. Provides security to remote procedure call (RPC) programs that use transports other than named pipes and enables users to log on using the NTLM authentication protocol. The servers in the Contoso scenario run a Microsoft Operations Manager (MOM) agent that depends on this service.

On-Line Presentation Broadcast. Links audio and video with Microsoft PowerPoint® presentation program slides as you deliver a presentation. This linkage can occur either in real time (people on the other end), or asynchronously while you are working on your computer preparing a presentation to be stored on a server for later viewing. There are no other dependencies on this service.

Performance Logs and Alerts. Collects performance data for the server, writes the data to a log, or generates alerts. Set the service to start automatically when performance data must be logged or alerts generated without an administrator logged on.

Plug and Play. Enables a computer to recognize and adapt to hardware changes with little or no user input. With Plug and Play, a user can add or remove devices, without any intricate knowledge of computer hardware, and without being forced to manually configure hardware or the operating system.

For example, a user can plug in a universal serial bus (USB) keyboard, and Plug and Play will detect the new device, find a driver for it, and install it. Or, a user can dock a portable computer and use the docking station's Ethernet card to connect to the network without changing the configuration.

Later, the user can undock the same computer and use a modem to connect to the network—again without making any manual configuration changes. Stopping or disabling this service will result in system instability.

Print Server for Macintosh. Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients.

Print Spooler. Manages all local and network print queues and controls all print jobs. When this service is disabled on client computers, those computers will be unable to print documents. The error messages that appear in Windows 2000 when a user attempts to connect to a printer or print a document can be confusing.

Protected Storage. Provides protected storage for sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.

QoS Admission Control (RSVP). Provides network signaling and local, traffic-control, setup functionality for Quality of Service (QoS)-aware programs and control applets.

QoS RSVP. Invoked when an application uses the Generic Quality of Service (GQoS) API to request a specific quality of service on the end-to-end connection it uses. The service signals its peer, and they agree (or not) on the parameters.

The RSVP messages can also be intercepted by routers that can veto the resource request if they cannot guarantee that level of service. After a successful negotiation happens, the service then sets up appropriate flows with the Packet Scheduler, which then ensures that a packet rate for that specific flow does not exceed the negotiated rate.

If disabled or removed, QoS is not guaranteed to the application, and it must then decide whether to accept the best-effort (the default) or refuse to run. QoS RSVP can be disabled when QoS is not used to allocate network bandwidth in network infrastructure.

Remote Access Auto Connection Manager. Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. This service (sometimes called the autodial service) detects an attempt to resolve the name of a remote computer or share, or an unsuccessful attempt to send packets to a remote computer or share.

The service is activated only when there is no network access. In that case, the service brings up a dialog box that offers to make a dial-up or VPN connection to the remote computer. It can be disabled on servers where no VPN or dial-up connections are initiated.

Remote Access Connection Manager. Manages VPN and dial-up connections from the server to the Internet or other remote networks. It can be disabled on servers where no VPN or dial-up connections are initiated.

Remote Procedure Call (RPC). Serves as the RPC endpoint mapper for all applications and services that use RPC communications. Required by core Windows 2000 components and must never be disabled.

Remote Procedure Call (RPC) Locator. Enables RPC clients using the RpcNs family of APIs to locate RPC servers and manage the RPC name service database. It can be disabled if no applications use the RpcNs APIs.

Remote Registry Service. Enables remote users to modify registry settings on the server, provided they have the required permissions. By default, only Administrators and Backup Operators can access the registry remotely; this is controlled by the permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. This service is required for the Microsoft Baseline Security Analyzer (MBSA), a tool that verifies which patches are installed on each of the servers in your organization. We recommend the use of this tool in Chapter 8, "Patch Management."

Remote Storage Engine. Migrates infrequently used data to tape. It leaves a marker on a disk allowing data to be recalled automatically from tape if you attempt to access a file.

Remote Storage File. Manages operations on remotely stored files.

Remote Storage Media. Controls the media used to store data remotely.

Remote Storage Notification. Allows Remote Storage to notify you when you have accessed an offline file. Because it takes longer to access a file that has been moved to tape, Remote Storage will notify you if you are attempting to read a file that has been migrated and will allow you to cancel the request.

If the service is turned off, you will not receive additional notification when you try to open offline files, nor will you be able to cancel an operation that involves an offline file.

Removable Storage. Manages and catalogs removable media and operates automated removable media devices, such as tape autoloaders or CD jukeboxes. It can be disabled when no such devices are attached to the server, but note that Windows 2000 Backup uses Removable Storage to manage tape drives and media pools, so keep it enabled on servers that back up to tape.

Routing and Remote Access. Enables LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

RunAs Service. Allows users to run specific tools and programs with different permissions than their current logon provides. Disabling it prevents the runas command and the Run as shell option from working, which makes it harder to administer the server from a non-privileged logon.

SAP Agent. Advertises network services on an Internetwork Packet Exchange (IPX) network using the IPX Service Advertising Protocol (SAP). It also forwards advertisements on a multihomed host. Some products, such as File and Print Services for NetWare, rely on the SAP Agent. If this service is turned off, these products may not function correctly.

Security Accounts Manager. The Security Accounts Manager (SAM) is a protected subsystem that manages local user and group account information. It is a core part of the operating system and cannot be disabled.

Server. Provides RPC support, file and print sharing, and named pipe sharing over the network. Stopping it removes all SMB file shares, including the administrative shares, and breaks remote administration that relies on named pipes.

Simple Mail Transport Protocol (SMTP). The SMTP service is an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for Windows 2000 COM component can use the SMTP service to submit and queue outbound e-mail.

Simple TCP/IP Services. Implements support for the following legacy diagnostic protocols, none of which a production server normally needs:

●    Echo (port 7, RFC 862)

●    Discard (port 9, RFC 863)

●    Character Generator (port 19, RFC 864)

●    Daytime (port 13, RFC 867)

●    Quote of the Day (port 17, RFC 865)
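Each of these is a trivial, unauthenticated protocol, so the useful check is whether a host still answers on them after the service has been disabled. The script below is an added example, not part of the original guide: it probes the five ports over TCP, sends a short payload and classifies the reply against what each RFC says the service does (echo must return the payload, discard must stay silent, daytime, quote-of-the-day and chargen send data without waiting, and chargen never stops, so the read is capped). The echo listener on 127.0.0.1 and the `free_local_port` helper exist only so the script can demonstrate itself offline; probe only hosts you are authorised to test.

```python
"""Probe the five 'Simple TCP/IP Services' ports and classify what answers.

Added example, not part of the original guide.  For each port it opens a
TCP connection, sends a short probe and records the reply: echo must return
the probe unchanged, discard must stay silent, and daytime, quote-of-the-day
and chargen talk first (chargen never stops, so reading is capped).  Run it
only against hosts you are authorised to test; the local echo listener at
the bottom exists so the script can demonstrate itself offline.
"""
import socket
import threading

# name -> (port, RFC), exactly as listed in the appendix
SIMPLE_TCP_SERVICES = {
    "echo": (7, 862),
    "discard": (9, 863),
    "daytime": (13, 867),
    "qotd": (17, 865),
    "chargen": (19, 864),
}
PROBE = b"probe\r\n"


def probe(host, port, timeout=2.0, max_bytes=256):
    """Return (connected, reply_bytes) for one TCP port; never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            chunks, total = [], 0
            try:
                while total < max_bytes:          # cap so chargen cannot spin us
                    data = s.recv(max_bytes - total)
                    if not data:
                        break
                    chunks.append(data)
                    total += len(data)
            except socket.timeout:
                pass                              # discard (and echo) simply go quiet
            return True, b"".join(chunks)
    except OSError:                               # refused, unreachable, timed out
        return False, b""


def classify(name, connected, reply):
    """Compare the observed behaviour with what the RFC says the service does."""
    if not connected:
        return "closed"
    if name == "echo":
        return "open, echoes input" if reply.startswith(PROBE) else "open, unexpected reply"
    if name == "discard":
        return "open, silent" if not reply else "open, unexpected reply"
    return "open, sends data" if reply else "open, silent"   # daytime / qotd / chargen


def audit(host, services=SIMPLE_TCP_SERVICES, port_override=None):
    """Probe every listed service; port_override lets a test point at other ports."""
    report = {}
    for name, (port, rfc) in services.items():
        if port_override and name in port_override:
            port = port_override[name]
        connected, reply = probe(host, port)
        report[name] = {"port": port, "rfc": rfc, "status": classify(name, connected, reply)}
    return report


def start_local_echo_server():
    """Throwaway RFC 862-style echo listener on 127.0.0.1 (demo/test only).
    Serves one connection, then exits; returns the port it is bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(1024))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_local_port():
    """A port nothing is listening on (bound, then released); demo/test only."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_local_echo_server()
    for name, row in audit("127.0.0.1", {"echo": (7, 862)}, {"echo": port}).items():
        print(f"{name:8} tcp/{row['port']:<5} RFC {row['rfc']}: {row['status']}")
```

Against a real server, call `audit("<server name>")` with the default ports: every entry should come back "closed" once the Simple TCP/IP Services service is disabled. A port that still reports "open, sends data" or "open, echoes input" means the service (or something else bound to that port) is still listening and needs a closer look.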

Single Instance Storage (SIS) Groveler. An integral component of Remote Installation Services (RIS). In an effort to reduce the amount of disk space used by a RIS Server's installation folders, SIS will grovel through the partition containing the RIS installation directory, searching for redundant files, storing them centrally, and replacing them with symbolic links. Although the SIS Groveler is installed by default in Windows 2000 Server, it is configured to Disabled unless the RIS component is installed.

Site Server ILS Service. As part of IIS, this service scans TCP/IP stacks and updates directories with the most current user information. Windows 2000 is the last version of the operating system to support the Site Server ILS service.

Smart Card. Manages and controls access to a smart card inserted into a smart card reader attached to the server.

Smart Card Helper. Provides support for legacy, non-Plug and Play smart card readers.

SNMP Service. Allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation.

If the service is turned off, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools, those tools will not be able to collect data from the computer or control its functionality through SNMP. The service is required for Common Information Model (CIM) reporting to MOM; CIM is the data model that describes the objects that exist in a management environment. Where the service is enabled, replace the default community names, restrict the hosts from which it accepts SNMP packets, and give communities read-only rights, because SNMP v1 and v2c send community names in clear text.

SNMP Trap Service. Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer. If the service is turned off, SNMP applications will not receive SNMP traps that they are registered to receive. If this computer is being used to monitor network devices or server applications using SNMP traps, significant system occurrences could be missed.

System Event Notification. Monitors system events, such as logon, network connectivity, and power status changes, and notifies subscribers to the COM+ Event System of them. It therefore depends on the COM+ Event System service.

Task Scheduler. Provides the ability to schedule automated tasks on the server.

TCP/IP NetBIOS Helper Service. Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients. If this service is disabled, NetBT clients, including Redirector (RDR), SRV, Net Logon, and Messenger, will stop responding. As a result, users may not be able to share files, printers, or log on to the computer. This service is required for Group Policy (which may be used to distribute patches).

TCP/IP Print Server. Enables TCP/IP-based printing using the Line Printer Daemon (LPD) protocol, which listens on TCP port 515. If this service is stopped, TCP/IP-based printing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Telephony. Provides Telephony API (TAPI) support for programs that control telephony devices, as well as IP-based voice connections on the local computer and, over the LAN, on other servers that also run the service. The telephony service enables applications to act as clients to telephony equipment such as Private Branch Exchanges (PBXs), telephones, and modems.

The service supports the TAPI under which different wire protocols that communicate with telephony equipment can be supported. These protocols are implemented in Telephony Service Providers (TSPs).

The telephony service cannot be stopped if there is another dependent service, such as RAS, currently active. If no other dependent service is running and you stop the telephony service, it will be restarted when any application makes an initialization call to the TAPI interface. If the service is disabled, no program that depends upon it, including modem support, will be able to run.

Telnet. Enables a remote user to log on and run applications from a command line on the server. Because Telnet carries the session, including everything typed at the command line, unencrypted over the network, disable it unless it is needed for remote administration of branch offices or headless systems; where it is needed, restrict which hosts can reach its listening port (TCP 23 by default).

Terminal Services. Allows multiple remote users to connect interactively to the server, displays their desktops, and runs applications on their behalf. All Contoso servers run Terminal Services for remote administration.

Terminal Services Licensing. Installs a license server and issues client licenses to clients connecting to a Terminal Server. The Terminal Services Licensing service is a low-impact service that stores the client licenses that have been issued for a Terminal Server and tracks the licenses that have been issued to client computers or terminals.

If this service is turned off, the server will be unavailable to issue Terminal Server licenses to clients when they are requested. If another License Server is discoverable on a domain controller in the forest, the requesting Terminal Server will attempt to use it.

Trivial FTP Daemon. An integral part of RIS that implements the Trivial File Transfer Protocol (TFTP), as defined in the following RFCs:

  • RFC 1350 — TFTP

  • RFC 2347 — Option extension

  • RFC 2348 — Blocksize option

  • RFC 2349 — Timeout interval, transfer size options

To disable this service, uninstall RIS. Disabling the service directly while RIS remains installed will cause RIS to malfunction. TFTP has no authentication or encryption of its own, so the service should not be present on servers that are not RIS servers.

Uninterruptible Power Supply. Manages an uninterruptible power supply (UPS) connected to the server by a serial port.

Utility Manager. Starts and configures accessibility tools from one window. Utility Manager allows faster access to some accessibility tools and also displays the status of the tools or devices that it controls.

This program saves users time because an administrator can designate that certain features start when Windows 2000 starts. Utility Manager includes three built-in accessibility tools: Magnifier, Narrator, and On-Screen Keyboard.

Volume Snapshot. Manages volume snapshots used by backup applications. When a backup application starts a backup that uses the snapshot infrastructure, it first asks the service which writers are running, and then queries each writer to gather the metadata it requires.

The backup application can then determine which volumes need a snapshot for a successful backup session. Those volumes are presented to the snapshot coordinator, and a snapshot is created. A snapshot is a point-in-time copy of each selected volume, matching its contents at the moment the snapshot is taken. If the service is turned off, no snapshot backups can be done.

Windows Installer. Adds, modifies, and removes applications provided as a Windows Installer (.msi file) package.

Windows Internet Name Service (WINS). Enables NetBIOS name resolution. The presence of the WINS servers is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000.

Windows Management Instrumentation (WMI). Provides a common interface and object model for accessing management information about the server. It is required to implement performance alerts using Performance Logs and Alerts, and it is the interface that most remote management tooling uses to read and change service configuration.

Windows Management Instrumentation Driver Extensions. Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.

Windows Media Monitor Service. Provides services to monitor client and server connections to Microsoft Windows Media® services.

Windows Media Program Service. Groups Windows Media streams into a sequential program for the Windows Media Station Service.

Windows Media Station Service. Provides multicasting and distribution services for streaming Windows Media content.

Windows Media Unicast Service. Provides Windows Media streaming content on-demand to networked clients.

Windows Time. Sets the computer clock. W32Time maintains date and time synchronization on all computers in a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or time stamp, can be assigned to network validation and resource access requests.

The NTP implementation and the integration of time providers make W32Time a reliable and scalable time service for enterprise administrators. For computers not joined to a domain, W32Time can be configured to synchronize time with an external time source.

If this service is turned off, the local computer's clock will not be synchronized with any time service in the Windows domain or with an externally configured time service. Because Kerberos authentication rejects tickets whose time stamps differ from the server's clock by more than the permitted skew (five minutes by default), an unsynchronized domain member will eventually fail to authenticate, and its event log time stamps will no longer line up with those of other servers.
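The following check reports whether a Windows 2000 server's W32Time is synchronizing with the domain hierarchy, with a configured external source, or not at all. It is an added example, not part of the original guide. It assumes (none of which the page states) that it is run from a management host with Windows PowerShell, since Windows 2000 cannot run PowerShell itself; that the host reaches the target over DCOM/RPC as an administrator; and that on Windows 2000 the settings live under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters as the string values "Type" (Nt5DS, NTP or NoSync) and "NtpServer". The host name is hypothetical.

```powershell
# Added example, not from the original guide. Reads W32Time configuration from a
# Windows 2000 server remotely through the WMI registry provider (StdRegProv).
# Assumption: Type (Nt5DS = domain hierarchy, NTP = configured source,
# NoSync = none) and NtpServer live under the Parameters key named below.
function Get-W32TimeConfig {
    param([string]$ComputerName = 'w2k-srv01')   # hypothetical target

    $HKLM = [uint32]2147483650
    $key  = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $reg  = [wmiclass]"\\$ComputerName\root\default:StdRegProv"

    $type = $reg.GetStringValue($HKLM, $key, 'Type').sValue
    $src  = $reg.GetStringValue($HKLM, $key, 'NtpServer').sValue
    $svc  = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service -Filter "Name='W32Time'"

    $status = switch ($type) {
        'Nt5DS'  { 'synchronizing with the domain hierarchy' }
        'NTP'    { "synchronizing with configured source '$src'" }
        'NoSync' { 'NOT synchronizing: Kerberos and log time stamps will drift' }
        default  { "unrecognized Type value '$type'" }
    }
    # A correct Type is useless if the service itself is stopped or disabled.
    if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $status += "; service State=$($svc.State) StartMode=$($svc.StartMode)"
    }

    New-Object PSObject -Property @{
        Computer  = $ComputerName
        Type      = $type
        NtpServer = $src
        Status    = $status
    }
}

Get-W32TimeConfig -ComputerName 'w2k-srv01'
```

Get-WmiObject and the [wmiclass] accelerator are used rather than the CIM cmdlets because the CIM cmdlets default to WinRM, which a Windows 2000 host does not have.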

Workstation. Creates and maintains client network connections and communications. The workstation service is a user-mode wrapper for the Microsoft Networks redirector. It loads and performs configuration functions for the redirector, provides support for making network connections to remote servers, provides support for the WNet APIs, and furnishes redirector statistics. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks.

World Wide Web Publishing Service. Provides HTTP services for applications on the Windows platform. The service depends on the IIS administration service and kernel TCP/IP support. If this service is turned off, the operating system will no longer be able to function as a Web server.
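Several entries above turn on the same two questions an administrator has to answer before changing a service: does its startup type match what this server is supposed to run (Telnet disabled; the Trivial FTP Daemon absent unless RIS is installed; Terminal Services running on every Contoso server; SNMP only where MOM or another console polls the host), and what else will stop working if it is disabled (RAS depends on Telephony, LPD-dependent services fail without TCP/IP Print Server, NetBT clients fail without the TCP/IP NetBIOS Helper). The script below audits both through the Windows Management Instrumentation service described above. It is an added example, not code from the original guide. It assumes (none of which the page states) a management host running Windows PowerShell, since Windows 2000 cannot run PowerShell itself; remote WMI access over DCOM/RPC with an administrative account; and a constructed baseline and host name that you would replace with your own. The service short names are the values WMI reports in Win32_Service.Name.

```powershell
# Added example, not from the original guide. Audits a Windows 2000 server's
# service start modes against a baseline drawn from this appendix, lists the
# services that depend on each deviating service, and, with -Enforce, disables
# services the baseline marks Disabled, refusing when a running service depends
# on them. Assumptions: management host with Windows PowerShell, remote WMI over
# DCOM/RPC; Get-WmiObject is used because Get-CimInstance defaults to WinRM,
# which Windows 2000 lacks. Host name and baseline are constructed for the example.
param(
    [string]$ComputerName = 'w2k-srv01',   # hypothetical target
    [switch]$MonitoredBySnmp,              # set if MOM or another console polls this host
    [switch]$Enforce                       # without it, report only
)

# Expected start modes keyed by Win32_Service.Name. 'Absent' means the service
# should not be installed at all. StartMode reads back as Boot, System, Auto,
# Manual or Disabled.
$Baseline = @{
    'TlntSvr'     = 'Disabled'   # Telnet: cleartext; disable unless needed for remote admin
    'tftpd'       = 'Absent'     # Trivial FTP Daemon: present only while RIS is installed
    'TermService' = 'Auto'       # Contoso servers use Terminal Services for remote admin
    'WinMgmt'     = 'Auto'       # WMI: needed for performance alerts (and for this audit)
    'W32Time'     = 'Auto'       # time synchronization for the domain
}
$snmpMode = if ($MonitoredBySnmp) { 'Auto' } else { 'Disabled' }
$Baseline['SNMP']     = $snmpMode   # SNMP Service: required for CIM reporting to MOM
$Baseline['SNMPTRAP'] = $snmpMode   # SNMP Trap: needed only if this host receives traps

function Get-ServiceDependents {
    # Services that depend on $Name (e.g. RAS on Telephony). In the
    # Win32_DependentService association the service depended upon is the
    # Antecedent, so ask for the associators of that role.
    param([string]$Computer, [string]$Name)
    $q = "ASSOCIATORS OF {Win32_Service.Name='$Name'} WHERE AssocClass=Win32_DependentService Role=Antecedent"
    @(Get-WmiObject -ComputerName $Computer -Query $q | ForEach-Object { $_.Name })
}

$byName = @{}
Get-WmiObject -ComputerName $ComputerName -Class Win32_Service |
    ForEach-Object { $byName[$_.Name] = $_ }

$findings = @()
foreach ($name in $Baseline.Keys) {
    $expected = $Baseline[$name]
    $svc = $byName[$name]

    if (-not $svc) {
        if ($expected -ne 'Absent') { $findings += "$name : expected $expected but not installed" }
        continue
    }
    if ($expected -eq 'Absent') {
        $findings += "$name ($($svc.DisplayName)): installed, StartMode=$($svc.StartMode); remove RIS rather than disabling it"
        continue
    }
    if ($svc.StartMode -eq $expected) { continue }

    $dependents = Get-ServiceDependents -Computer $ComputerName -Name $name
    $line = "$name ($($svc.DisplayName)): StartMode=$($svc.StartMode) State=$($svc.State), expected $expected"
    if ($dependents.Count -gt 0) { $line += "; dependents: $($dependents -join ', ')" }
    $findings += $line

    if ($Enforce -and $expected -eq 'Disabled') {
        # Never disable a service that a running service depends on (the
        # Telephony/RAS case): the dependents would stop responding.
        $running = @($dependents | Where-Object { $byName[$_] -and $byName[$_].State -eq 'Running' })
        if ($running.Count -gt 0) {
            $findings += "  not changed: running dependents ($($running -join ', '))"
            continue
        }
        if ($svc.State -eq 'Running') { $null = $svc.StopService() }
        # StartMode reads back 'Auto', but ChangeStartMode expects 'Automatic'.
        $r = $svc.ChangeStartMode('Disabled')
        $findings += "  ChangeStartMode returned $($r.ReturnValue) (0 = success)"
    }
}

if ($findings.Count -eq 0) { "$ComputerName matches the baseline" } else { $findings }
```

Run it without -Enforce first and review the dependents column; a deviation on a service with running dependents is usually a sign that the baseline, not the server, needs adjusting.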
