Protecting users from themselves
Any good security practitioner will tell you that security is a process that involves a number of different components working in concert. The elements of good Windows systems security involve hardened desktops and servers, well configured firewalls, effective use of anti-malware software and user education. Most of these same security practitioners will tell you that the last element is the hardest to pull off.
Windows is known for the power and convenience that it places in the hands of users, but sometimes too much power in the hands of those that don't fully understand the power -- and security risks that come with it -- is a recipe for disaster. While the ultimate goal of a good security implementation should be to educate users, sometimes it is best to take some of the power away from users and decrease the security exposure of the enterprise.
To that end, this document examines Windows XP services that, if left enabled, can lead to security exposures.
Deactivating unneeded services
One of the easiest ways for crackers to exploit holes in your system is through open services. And lately, viruses have been masquerading as services listed in the Task Manager, making them harder to detect, clean and prevent. When you audit and close unused services, you gain a performance improvement in addition to the security benefit, because stagnant programs are no longer consuming available resources. Besides, a full audit of your services can reveal some interesting details about your machine.
Windows XP comes with only two services that require open access to an external interface for normal operation: Terminal Services, or Remote Desktop Connection, and the Remote Access Service for answering dial-in calls.
Follow these instructions to manage services on your computer:
- Right-click My Computer, and choose Manage
- Expand the Services & Applications tab, and select Services
- Double-click a service
- Under Startup Type, select Manual to disable a service from automatically starting when the computer boots up. Click the Stop button to stop the service if it's already running
The following services ship with Windows XP. The list is not complete, but it includes the recommended state that each service shown should be in on your computer, assuming normal office functions are performed on the machine. On this list you'll see the name of the service, followed by a short description and my recommendation regarding the state of the service.
Checklist: Deactivating unneeded services

| Service | Description | Recommended state |
|---|---|---|
| Alerter | Raises administrative alerts for selected users and computers. | Disabled |
| Application Layer Gateway Service | Required if you use Internet Connection Sharing (ICS) or XP's included Internet Connection Firewall to connect to the Internet. | Automatic if using ICS; Disabled if not |
| Application Management | Used to assign, publish and remove software through Group Policy. | Disabled unless you participate in an Active Directory domain |
| Automatic Updates Service | Checks to see if any critical updates are available for download. Requires Cryptographic Services to be running. | Automatic if you don't wish to use Windows Update manually |
| Background Intelligent Transfer Service | Used by Windows Update to transfer data in the background using otherwise idle network bandwidth. | Disabled |
| Clipbook | Enables the ClipBook Viewer to create and share data to be viewed by remote computers. | Disabled |
| COM+ Event System | Provides automatic distribution of events to subscribing programmatic components. | Disabled |
| COM+ System Application | Provides automatic distribution of events to subscribing programmatic components. | Disabled |
| Computer Browser | Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. | Disabled |
| Cryptographic Services | Confirms signatures of Windows files. Required for Windows Update to function in manual and automatic mode, and required for Windows Media Player as well. | Automatic |
| DHCP Client | Manages network configuration by registering and updating IP addresses and DNS server information. | Automatic if required; Disabled if not |
| Distributed Link Tracking Client | Maintains links between NTFS file system files within a computer or across computers in a network domain. | Disabled |
| Distributed Transaction Coordinator | Coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems or other transaction-protected resource managers. | Disabled |
| DNS Client | Resolves and caches DNS (Domain Name System) names. The DNS Client service must be running on every computer that will perform DNS name resolution. | Automatic |
| Error Reporting Service | Calls home to Microsoft when errors occur. | Disabled |
| Event Log | Logs event messages issued by programs and Windows. This can be useful in diagnosing problems. | Automatic |
| Fax Service | Enables you to send and receive faxes. Disabling this service will render the computer unable to send or receive faxes. | Disabled; or don't install from distribution media |
| Telephony | Provides Java Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Disabled unless required |
| FTP Publishing Service | Not available on Windows XP Home. Not installed by default on Windows XP Pro. Enables FTP service. | Disabled; or don't install from distribution media |
| Help and Support | Required for Microsoft's online help documents. | Automatic |
| Human Interface Device Access | If all your devices function, then disable it. | Disabled |
| IIS Admin | Not available on Windows XP Home. Not installed by default on Windows XP Pro. Allows administration of Internet Information Services (IIS). | Disabled; or don't install from distribution media |
| IMAPI CD-Burning COM Service | Used for the "drag-and-drop" CD-burn capability. You'll need this service to burn CDs. | Automatic |
| Indexing Service | Indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. | Disabled |
| Internet Connection Firewall and Internet Connection Sharing | Provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. | Automatic if sharing a connection; Disabled if not required |
| IPsec Services | Manages IP security (IPsec) policy, starts the Internet Key Exchange (IKE) and coordinates IPsec policy settings with the IP security driver. | Disabled |
| Logical Disk Manager Administrative Service | See previous item's description. | Manual |
| Message Queuing | A messaging infrastructure and development tool for creating distributed messaging applications for Windows. | Disabled; or don't install from distribution media |
| Message Queuing Triggers | Required only if you use the Message Queuing service. | Disabled; or don't install from distribution media |
| Messenger | Sends and receives messages to or from users and computers, including those transmitted by administrators or by the Alerter service. | Disabled |
| Microsoft Software Shadow Copy Provider | Used in conjunction with the Volume Shadow Copy service. Microsoft Backup uses these services. | Enabled |
| NetMeeting Remote Desktop Sharing | Allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet. | Disabled |
| Network Connections | Manages objects in the Network and Dial-Up Connections folder, where you can view both network and remote connections. | Automatic |
| Network DDE | Useless service unless you use remote ClipBook. | Disabled |
| Network DDE DSDM | See previous item's description. | Disabled |
| Network Location Awareness (NLA) | Required for use with the Internet Connection Sharing service (server only). | Disabled, unless running ICS or ICF |
| NTLM Security Support Provider | Enables users to log on to the network using the NTLM authentication protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000. | Automatic |
| Performance Logs and Alerts | Configures performance logs and alerts. | Disabled |
| Plug and Play | Enables a computer to recognize and adapt to hardware changes with little or no user input. | Automatic |
| Portable Media Serial Number | Retrieves serial numbers from portable music players connected to your computer. | Disabled |
| Print Spooler | Queues and manages print jobs locally and remotely. If you don't have a printer attached, then disable it. | Automatic |
| Protected Storage | Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized service processes or users. | Disabled |
| QoS RSVP | Provides network signaling and local traffic-control functionality. | Disabled, unless required by your network administrator |
| Remote Access Auto Connection Manager | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. | Disabled |
| Remote Access Connection Manager | Creates a network connection. | Automatic if using Dial-Up Networking; Disabled otherwise |
| Remote Desktop Help Session Manager | Manages and controls Remote Assistance. | Disabled |
| Remote Procedure Call (RPC) | Provides the endpoint mapper and other miscellaneous RPC services. | Automatic |
| Remote Procedure Call Locator | Manages the RPC name service database. | Disabled |
| Remote Registry Service | Not available on Windows XP Home. Allows users to connect to a remote Registry and read and/or write keys to it, provided they have the required permissions. | Disabled |
| Removable Storage | Manages removable media drives and libraries. This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs and so on. | Disabled |
| RIP (Routing Information Protocol) Listener | Not installed by default. | Disabled; or don't install from distribution media |
| Routing and Remote Access | Offers routing services in local area and wide area network environments. | Disabled; or don't install from distribution media |
| Secondary Logon | Allows you to run specific tools and programs with different permissions than your current logon provides. | Automatic |
| Security Accounts Manager | Startup of this service signals other services that the Security Accounts Manager subsystem is ready to accept requests. | Automatic |
| Server | Provides RPC support and file, print and named pipe sharing over the network. The Server service lets you share your local resources (such as disks and printers) so that other users on the network can access them. | Automatic if you're sharing files; Disabled if not |
| Shell Hardware Detection | Used for the autoplay of devices like memory cards, some CD drives and so on. | |
| Simple Mail Transport Protocol (SMTP) | Transports e-mail across the network. | Disabled; or don't install from distribution media |
| Simple TCP/IP Services | Implements support for a number of IP protocols. | Disabled; or don't install from distribution media |
| Smart Card | Manages and controls access to a smart card inserted into a smart card reader attached to the computer. | Disabled unless using a smart card reader |
| | Provides support for earlier smart card readers attached to the computer. | Disabled unless using a smart card reader |
| SNMP Service | Allows Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. | Disabled; or don't install from distribution media |
| SNMP Trap Service | Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer. | Disabled; or don't install from distribution media |
| SSDP Discovery | Used to locate UPnP (Universal Plug and Play) devices on your home network. | Disabled |
| System Event Notification | Tracks system events such as Windows logon, network and power events. | Disabled |
| System Restore Service | Creates system snapshots, or restore points, for returning to at a later time. | Disabled |
| Task Scheduler | Enables a program to run at a designated time. | Disabled unless absolutely required |
| TCP/IP NetBIOS Helper | Enables support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Only required if you need to share files with others. | Disabled unless sharing is enabled |
| TCP/IP Print Server | Used for setting up a local Unix print server. | Disabled; or don't install from distribution media |
| Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Disabled |
| Telnet | Allows a remote user to log on to the system and run console programs by using the command line. | Disabled; or don't install from distribution media |
| Terminal Services | Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server. | Disabled; or don't install from distribution media |
| Themes | Used to display all those new XP themes and colors on your desktop. Lots of space needed. | Automatic or Manual, depending on your preferences |
| Uninterruptible Power Supply (UPS) | Manages communications with a UPS connected to the computer by a serial port. | Disabled unless using a UPS |
| Universal Plug and Play Device Host | Used in conjunction with the SSDP Discovery service; it detects and configures UPnP devices on your home network. | Disabled |
| Upload Manager | As with BITS, this service manages file transfers between clients and servers on the network. This service is not required for basic file and print sharing. | Disabled |
| Volume Shadow Copy | Used in conjunction with the Microsoft Software Shadow Copy Provider service. Microsoft Backup uses these services. | Disabled |
| WebClient | Disable this for security reasons. | Disabled |
| Windows Audio | Used to produce audio. | Automatic |
| Windows Image Acquisition (WIA) | Used for some scanners and cameras. If, after disabling this service, your scanner or camera fails to function properly, enable this service. | Disabled |
| Windows Installer | Installs, repairs or removes software according to instructions contained in MSI files provided with the applications. | Manual |
| Windows Management Instrumentation (WMI) | Provides system management information. WMI is an infrastructure for building management applications and instrumentation, shipped as an integral part of the current generation of Microsoft operating systems. | Automatic |
| Windows Management Instrumentation Driver Extension | Tracks all of the drivers that have registered WMI information to publish. | Manual |
| Windows Time | Sets the computer clock. W32Time maintains date and time synchronization on all computers running on a Windows network. | Automatic |
| Wireless Zero Configuration | Automatic configuration for wireless network devices. | Disabled |
| WMI Performance Adapter | Optimizes the speed of WMI queries. | Disabled |
| Workstation | Provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks. | Automatic |
| World Wide Web Publishing | Provides HTTP services for applications on the Windows platform. | Disabled; or don't install from distribution media |
As you can see from the list, you don't need very much to keep your Windows XP installation functioning, at least in a non-domain environment. Most of the services enabled by default carry a security risk out of proportion to their reward, bring little or no benefit, consume resources and can be safely turned off.
While disabling unnecessary services is an excellent and fundamental step to hardening Windows, there are some other necessary items to accomplish to further secure the services that remain and any services that you may add in the future.
Peruse the following list of best practices and consider implementing them.
- Give strong passwords to service accounts. When you install applications that require services to run, you are typically given the option to choose an account under which the service is to be run. Use 15+ character passwords, and remember that you must set these passwords both in Active Directory Users and Computers or Computer Management (depending on your operating environment) and in the Log-On tab of the service's property sheet.
- Never let users log on using service accounts. This particularly applies to the Administrator account -- never assign the Administrator account to a service, and never distribute any service account name and password to any users. There is absolutely no reason to do so, and if users can access systems in these contexts, they can wreak more havoc than you could imagine. Just don't do it.
- Do not allow network access to service accounts. For one, this means don't create domain accounts for services. Wherever possible, use a local account on the server where the service is located. Also, check the "Deny Access to this Computer from the Network" right within the service account's property sheet to eliminate network access for that account.
- Use accounts of least privilege for service accounts. Windows XP includes a useful pair of built-in accounts, Network Service and Local Service, designed specifically for services that need different amounts of network connectivity. Use these wherever possible to decrease the attack surface of services.
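The checklist above and the service-account rules just listed are both things you can verify from the command line rather than by clicking through every property sheet. The following Python script is an added example and not part of the original article: it parses the text that `sc qc <service>` prints, compares each service's startup type with a small subset of the checklist's recommended states, emits the `sc config ... start=` and `sc stop` commands that are the command-line equivalent of the Services MMC steps given earlier, and flags services that run as the Administrator account or as a domain account rather than a local or built-in one. The `sc qc` listings embedded in the script are constructed sample data (the service names `BackupAgent` and `LegacyMon`, the domain `CORP` and the user `svc_backup` are placeholders), and the baseline dictionary covers only a handful of the checklist entries; extend it to taste.

```python
"""Audit Windows XP service configuration against a hardening checklist.

Parses `sc qc <name>` output for each service and reports:
  * startup types that differ from the recommended state, with the
    `sc config` / `sc stop` commands that would correct them, and
  * services running under an account the best-practice list warns
    against (the Administrator account, or a domain account).
Run with no arguments to audit the constructed sample below; on a Windows
host, pass service key names as arguments to query them live with sc.exe.
"""
import re
import subprocess
import sys

# Recommended startup types for a subset of the checklist, keyed by display
# name; values are the sc.exe `start=` keywords (auto / demand / disabled).
BASELINE = {
    "Alerter": "disabled",
    "Error Reporting Service": "disabled",
    "Event Log": "auto",
    "Messenger": "disabled",
    "Print Spooler": "auto",
    "Remote Registry Service": "disabled",
    "Task Scheduler": "disabled",
    "Telnet": "disabled",
    "WebClient": "disabled",
    "Windows Installer": "demand",
}

# START_TYPE codes as printed by `sc qc`, mapped to `sc config start=` values.
START_TYPE_CODES = {"2": "auto", "3": "demand", "4": "disabled"}

# Built-in accounts (LocalSystem plus the two least-privilege accounts);
# anything else is a named user account that must follow the password and
# local-only rules from the best-practice list.
BUILTIN_ACCOUNTS = {"localsystem", "nt authority\\localservice",
                    "nt authority\\networkservice"}


def parse_sc_qc(text):
    """Extract the fields this audit needs from one `sc qc` listing."""
    m = re.search(r"^SERVICE_NAME:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no SERVICE_NAME line in sc qc output")
    svc = {"name": m.group(1)}
    for key in ("START_TYPE", "DISPLAY_NAME", "SERVICE_START_NAME"):
        m = re.search(r"^\s*%s\s*:\s*(.*?)\s*$" % key, text, re.M)
        svc[key] = m.group(1) if m else ""
    # START_TYPE reads like "2   AUTO_START"; keep only the numeric code.
    svc["start_code"] = svc["START_TYPE"].split()[0] if svc["START_TYPE"] else ""
    return svc


def startup_findings(svc):
    """Return the sc.exe commands needed to match the baseline (empty if compliant)."""
    want = BASELINE.get(svc["DISPLAY_NAME"])
    have = START_TYPE_CODES.get(svc["start_code"])
    if want is None or have == want:
        return []
    cmds = ["sc config %s start= %s" % (svc["name"], want)]
    if want == "disabled":
        cmds.append("sc stop %s" % svc["name"])  # stop it now, not just at next boot
    return cmds


def account_findings(svc):
    """Flag service accounts the best-practice list says never to use."""
    acct = svc["SERVICE_START_NAME"]
    low = acct.lower()
    if low in BUILTIN_ACCOUNTS:
        return []
    user = low.rsplit("\\", 1)[-1]
    if user == "administrator":
        return ["%s runs as the Administrator account (%s)" % (svc["name"], acct)]
    # ".\user" is the local machine; any other prefix is treated as a domain.
    if "\\" in low and not low.startswith(".\\"):
        return ["%s runs as a domain account (%s); use a local account instead"
                % (svc["name"], acct)]
    return []


def audit(listings):
    """Audit a list of `sc qc` outputs; return (remediation commands, account findings)."""
    cmds, findings = [], []
    for text in listings:
        svc = parse_sc_qc(text)
        cmds.extend(startup_findings(svc))
        findings.extend(account_findings(svc))
    return cmds, findings


# Constructed sample `sc qc` output (not captured from a real host).
SAMPLE_LISTINGS = [
    "SERVICE_NAME: Messenger\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
    "        START_TYPE         : 2   AUTO_START\n        DISPLAY_NAME       : Messenger\n"
    "        SERVICE_START_NAME : LocalSystem\n",
    "SERVICE_NAME: Eventlog\n        START_TYPE         : 2   AUTO_START\n"
    "        DISPLAY_NAME       : Event Log\n        SERVICE_START_NAME : LocalSystem\n",
    "SERVICE_NAME: TlntSvr\n        START_TYPE         : 3   DEMAND_START\n"
    "        DISPLAY_NAME       : Telnet\n        SERVICE_START_NAME : LocalSystem\n",
    "SERVICE_NAME: BackupAgent\n        START_TYPE         : 2   AUTO_START\n"
    "        DISPLAY_NAME       : Backup Agent\n        SERVICE_START_NAME : CORP\\svc_backup\n",
    "SERVICE_NAME: LegacyMon\n        START_TYPE         : 3   DEMAND_START\n"
    "        DISPLAY_NAME       : Legacy Monitor\n        SERVICE_START_NAME : .\\Administrator\n",
]


def main(argv):
    if len(argv) > 1:  # live mode: query the named services with sc.exe
        listings = [subprocess.check_output(["sc", "qc", n], text=True) for n in argv[1:]]
    else:
        listings = SAMPLE_LISTINGS
    cmds, findings = audit(listings)
    print("Remediation commands:\n  " + "\n  ".join(cmds or ["(none)"]))
    print("Account findings:\n  " + "\n  ".join(findings or ["(none)"]))


if __name__ == "__main__":
    main(sys.argv)
```

Against the sample, the script proposes disabling and stopping Messenger and Telnet, leaves Event Log alone because it already matches the checklist, and reports the two placeholder services for their account choice. The script only prints the remediation commands rather than running them, so you can review them before applying anything.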
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.