Friday, October 31, 2008

Security Considerations for File Upload

Web applications are all about collecting the information a service needs from an end user and responding with the data they require. In many cases that is simply textual data that is collected and stored. However, there are many cases where a web application needs more than text: it may need to let users upload files to the server. With ASP.NET 1.x and later this has become easy to do.

Back in the classic ASP days, uploading files via a web page was a difficult task, because the form had to be submitted with the encoding type (enctype) multipart/form-data and there was nothing built in to parse that request body. With the release of ASP.NET 1.x much of the pain went away: HttpPostedFile handles the parsing, although you still had to set the form's "enctype" attribute to "multipart/form-data" yourself and there was no Web Control to handle the UI for you. The FileUpload control in ASP.NET 2.0 tied up those loose ends.
Uploading files has become easy, but you still need to consider the security issues involved in accepting files from users. This article covers the guidelines for secure file upload.

Before discussing the security considerations, let us look at how files can be uploaded to the server in ASP.NET. This is the basic version, without any of the checks discussed later.

<html>
<head></head>
<body>
<form runat="server" enctype="multipart/form-data">
<!-- The HTML input control used to upload a file simply has type="file" -->
Select a file to upload : <input type="file" id="myFile" runat="server">
<p><input type="submit" id="Upload" runat="server" value="Upload File"
OnServerClick="Upload_Click"></p>
</form>
</body>
</html>

using System;
using System.IO;
using System.Web;

void Upload_Click(Object sender, EventArgs e) {
    /* Get a reference to the PostedFile object */
    HttpPostedFile uploadedFile = myFile.PostedFile;

    /* ContentLength is 0 when the form was submitted without choosing a file */
    if (uploadedFile != null && uploadedFile.ContentLength > 0) {
        try {
            /* Get the size of the uploaded file */
            int fileLen = uploadedFile.ContentLength;
            /* Allocate a buffer for the whole file */
            byte[] fileData = new byte[fileLen];
            /* Read the file data from the Stream. Read() may return fewer bytes
               than requested, so keep reading until the buffer is full */
            int total = 0;
            while (total < fileLen) {
                int read = uploadedFile.InputStream.Read(fileData, total, fileLen - total);
                if (read <= 0) break;
                total += read;
            }
            /* Create the file. This basic version writes it to the worker process's
               current directory under the client-supplied name; the guidelines below
               explain why neither the name nor the path should come from the client.
               "using" closes the file even if Write throws. */
            using (FileStream fs = new FileStream(uploadedFile.FileName, FileMode.Create)) {
                fs.Write(fileData, 0, total);
            }

            /* Or simply save the file to disk with the following statement
               (the same caveat about the client-supplied name applies):
               myFile.PostedFile.SaveAs("D:\\MyFolder\\" + myFile.PostedFile.FileName); */
        }
        catch (Exception ex)
        {
            /* Log the exception server-side; do not echo ex.Message to the user */
        }
    }
}


Now let us look at the security considerations for file upload.

Guidelines for secure file upload:

  • Upload all files to a file share, not directly into the database as a blob.

    Files that go straight into the database as blobs are usually stored without any validation of their contents, so whatever an attacker uploaded is later retrieved and served or processed by other code. (Binary data passed through a parameterised query is not an SQL injection risk in itself; the risk is the unvalidated content, and the unbounded growth of the database.) Storing uploads on a file share keeps them where they can be scanned, size-limited and ACL'ed, and keeps the database small.

  • In general, store client-supplied files on their own partition. Avoid the partition that holds the web site, and never use the system drive.

    An attacker who can fill the system drive or the web site drive exhausts its free space, resulting in unexpected behaviour by the OS or the web site: a denial of service.
    If the attacker can also perform a directory-traversal attack, uploads landing on those drives might overwrite system or web site files, compromising the web server.

  • If client-supplied files are stored on the web site partition, make sure that they never reside within the web site directory tree.

    Allowing client-supplied files into the web site directory tree might let an attacker upload a malicious .aspx (or .asp, .ashx) file and then request it with an HTTP GET; the server would execute the attacker-supplied page with the identity of the web application account.
    Alternatively, an attacker might upload a file containing malicious script and lure a victim into requesting it via GET, producing a cross-site scripting attack served from your own domain.

  • The HTTP POST method is preferable to the HTTP PUT method.

    PUT (for example via WebDAV) writes the request body to a URL of the client's choosing, so you need to take extra care that the resulting files cannot be retrieved with other methods such as GET or executed by the server.
    Otherwise you get the same execution and cross-site scripting problems described above. With POST the application, not the web server, decides where the bytes go.

  • Scan client-supplied files for viruses with a well-known, industry-standard virus scanner.

    Allowing uploads without a virus scan lets an attacker use your server to store and distribute malware.
    Make sure the scanner is installed on the server and its signatures are kept up to date.
    Ensure all incoming and outgoing files are scanned, and scanned in real time.
    Never assume that a file which passes a virus scan is safe: a scanner looks for known malware, not for application-specific attacks such as script embedded in a file or a crafted document that exploits the code that will later parse it.

  • Check and restrict the size of uploaded files, and allocate server-side resources sparingly.

    Attackers who can upload extremely large files can deplete disk space, memory or bandwidth, resulting in unexpected behaviour by the server or web site.
    Check ContentLength in the application before reading the file into memory, and set maxRequestLength in web.config (the default is 4 MB) so that oversized requests are rejected before your code runs.

  • When storing client-supplied files on disk, generate your own file paths and file names. Do not allow user-supplied data to influence the path or name under which the file is actually stored on disk.

    By depriving attackers of the ability to influence how your application performs file-level I/O, you all but eliminate a whole class of attacks: directory traversal, induced filename collisions (overwriting another user's upload), and more.
    If you must keep a user-supplied name, do the following:
    a. Use Path.GetFileName() to strip any directory component from the client-supplied value, then check what is left against the names and extensions your application allows.
    b. Use a directory path you choose yourself, without allowing user input to influence it.

  • Lock down access to the upload share to the specific users and security groups that require it.

    The upload directory should be properly ACL'ed: the web application account needs write access (and read access only if the application serves the files back), nobody needs execute, and the share should not be browsable by ordinary users.

  • Treat client-supplied files like any other element of user input and validate, validate, validate.

    Verify that the file is of a type the user is permitted to upload.
    Discard any file whose extension or name is not explicitly allowed or expected by your application (an allow-list, not a deny-list).
    Also inspect the file's contents to make sure it really is the type advertised by the user-supplied name or extension; the extension and the Content-Type header are both chosen by the client.
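The guidelines above applied in one handler. This is an added example, not code from the original post: it replaces the basic Upload_Click with a version that enforces a size limit, checks the extension against an allow-list, verifies the leading bytes of the content, and stores the file under a server-generated name in a directory taken from configuration. Assumptions that are not in the original: an appSettings key named UploadRoot pointing at a directory outside the web site tree, a Label control named Status for messages, and the four allowed types shown.

```csharp
// Added example: a hardened Upload_Click applying the guidelines above.
// Assumptions (not from the original post): an appSettings key "UploadRoot" that points
// at a directory outside the web site tree, a Label named "Status", and the allow-list below.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class UploadPage : Page
{
    // Hard limit on a single upload (1 MB here). Keep web.config's
    // <httpRuntime maxRequestLength> close to this so oversized bodies are dropped early.
    private const int MaxUploadBytes = 1024 * 1024;

    // Allow-list: extension -> the byte sequences a genuine file of that type starts with.
    private static readonly Dictionary<string, byte[][]> AllowedTypes =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png", new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".jpg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".gif", new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },
                              new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } },
            { ".pdf", new[] { new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } } }
        };

    protected void Upload_Click(object sender, EventArgs e)
    {
        HttpPostedFile posted = myFile.PostedFile;
        if (posted == null || posted.ContentLength == 0) { Report("No file received."); return; }

        // 1. Size: reject before reading anything into memory.
        if (posted.ContentLength > MaxUploadBytes) { Report("File too large."); return; }

        // 2. Name and extension: Path.GetFileName strips any directory part the client
        //    sent; what remains is only checked, never used as the storage name.
        string clientName = Path.GetFileName(posted.FileName);
        string ext = Path.GetExtension(clientName);
        if (string.IsNullOrEmpty(ext) || !AllowedTypes.ContainsKey(ext))
        {
            Report("File type not permitted.");
            return;
        }

        // 3. Content: the leading bytes must match what the extension advertises.
        //    The extension and the Content-Type header are both chosen by the client.
        byte[] data = ReadFully(posted.InputStream, posted.ContentLength);
        if (!StartsWithAny(data, AllowedTypes[ext]))
        {
            Report("File content does not match its extension.");
            return;
        }

        // 4. Storage: server-chosen directory outside the web root, server-generated name.
        //    FileMode.CreateNew fails instead of silently overwriting on a collision.
        string uploadRoot = ConfigurationManager.AppSettings["UploadRoot"];
        string storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        string fullPath = Path.Combine(uploadRoot, storedName);
        using (FileStream fs = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write, FileShare.None))
        {
            fs.Write(data, 0, data.Length);
        }

        // Record storedName -> clientName, uploader and time in your own store; give the
        // client only the opaque identifier, never a path.
        Report("Stored as " + storedName);
    }

    // Stream.Read may return fewer bytes than asked for: loop until the declared length
    // is reached and fail if the body is shorter than Content-Length claimed.
    private static byte[] ReadFully(Stream input, int expectedLength)
    {
        byte[] buffer = new byte[expectedLength];
        int total = 0;
        while (total < expectedLength)
        {
            int read = input.Read(buffer, total, expectedLength - total);
            if (read <= 0) break;
            total += read;
        }
        if (total != expectedLength)
            throw new InvalidDataException("Upload shorter than its declared length.");
        return buffer;
    }

    private static bool StartsWithAny(byte[] data, byte[][] signatures)
    {
        foreach (byte[] sig in signatures)
        {
            if (data.Length < sig.Length) continue;
            int i = 0;
            while (i < sig.Length && data[i] == sig[i]) i++;
            if (i == sig.Length) return true;
        }
        return false;
    }

    private void Report(string message)
    {
        // Encode before rendering; log details server-side, not to the user.
        Status.Text = HttpUtility.HtmlEncode(message);
    }
}
```

Pair the code with the environment: grant the application pool identity write access (no execute, and no read unless the application serves the files back) on the UploadRoot directory, set maxRequestLength in web.config to roughly the same limit as MaxUploadBytes, and run the virus scanner against UploadRoot. Because the stored name is a GUID plus an allow-listed extension, nothing the client sent ever reaches the file system, which is what the "generate your own file paths and file names" guideline asks for.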

Some useful references:

ASP.NET File Upload: How to prevent network clogging:
http://blogs.msdn.com/ace_team/archive/2007/09/19/asp-net-file-upload-how-to-prevent-network-clogging.aspx
File Uploading in ASP.NET 2.0:
http://www.15seconds.com/issue/061116.htm
Uploading Files Using the File Field Control:
http://msdn.microsoft.com/en-us/library/aa478971.aspx
File Upload with ASP.NET:
http://www.codeproject.com/KB/aspnet/fileupload.aspx

Tuesday, August 12, 2008

Disabling unnecessary services: Part Two

Disabling unnecessary and potentially dangerous services: Part Two

Services:

N

Service Name: Netlogon
Short Name: Netlogon
Process Name: lsass.exe
Depends on: Workstation
Components depend on this: None
Purpose: It allows pass-through authentication to take place between a client and a domain controller or between domain controllers; required for domain participation.
Consequence: If this service is disabled, the server will be unable to properly participate in the domain and will reject NT LAN Manager (NTLM) requests.
Recommendation: Enable (Manual).

Service Name: NetMeeting Remote Desktop Sharing
Short Name: mnmsrvc
Process Name: mnmsrvc.exe
Depends on: None
Components depend on this: None
Purpose: It enables an authorized user to access this machine remotely using Microsoft NetMeeting over a corporate intranet. This is a dangerous service because it allows remote control of your server; use it only if absolutely essential and behind an effective firewall.
Consequence: If this service is stopped or disabled, remote desktop sharing will be unavailable.
Recommendation: Disable

Service Name: Network Connections
Short Name: Netman
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Purpose: It manages the network and dial-up connections for the server, including network status notification and configuration. Simply, it manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Consequence: If disabled, network configuration will not be possible; new connections can't be created and services that need network information may fail.
Recommendation: Enable (Manual).

Service Name: Network DDE
Short Name: NetDDE
Process Name: netdde.exe
Depends on: Network DDE DSDM
Components depend on this: Clipbook
Purpose: It provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers.
Consequence: If disabled, DDE transport and security will be unavailable.
Recommendation: Disable

Service Name: Network DDE DSDM
Short Name: NetDDEdsdm
Process Name: netdde.exe
Depends on: None
Components depend on this: Network DDE, Clipbook
Purpose: It manages Dynamic Data Exchange (DDE) network shares.
Consequence: If disabled, DDE network shares will be unavailable.
Recommendation: Disable

Service Name: Network Location Awareness (NLA)
Short Name: NLA
Process Name: svchost.exe -k netsvcs
Depends on: AFD Networking Support Environment, TCP/IP Protocol Driver
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Purpose: It collects and stores network configuration and location information and notifies applications when this information changes. This service is a part of Internet Connection Sharing.
Consequence: If disabled, services such as ICS & ICF will not function.
Recommendation: Disable. Enable if this computer has Internet Connection Sharing enabled or if you are using the Internet Connection Firewall.

Service Name: Network News Transfer Protocol (NNTP)
Short Name: NNTPSVC
Process Name: INETINFO.EXE
Depends on: Event Log, IIS Admin Service, Security Accounts Manager, Remote Procedure Call
Components depend on this: None
Purpose: NNTP is a member of the TCP/IP suite of protocols used to distribute network news messages to NNTP servers and clients (newsreaders) on the Internet. NNTP is designed so that news articles are stored on a server in a central database, thus enabling a user to select specific items to read.
Consequence: If the service is stopped or disabled, client computers will not be able to retrieve and read posts. If the IIS Admin service is stopped, the NNTP service will stop as well.
Recommendation: Disable. Enable if this computer is a NNTP server.

Service Name: NT LM Security Support Provider
Short Name: NtLmSsp
Process Name: lsass.exe
Depends on: services.exe
Components depend on this: Telnet, Windows Internet Name Service (WINS), RPC, LPC, Kerberos
Purpose: It provides security to RPC programs that use transports other than named pipes, and supports users logging on to the network with the NTLM authentication protocol. NTLM is used mostly by Windows versions prior to Windows 2000, which cannot use Kerberos.
Consequence: If disabled, users and computers running versions of Windows prior to Windows 2000 will be unable to log on to the domain and access services.
Recommendation: Disable unless this computer needs to log on to pre-Windows 2000 computers or domains.

Service Name: .NET Framework Support Service
Short Name: CORRTSvc
Purpose: It provides the CLR - the Common Language Runtime - for .NET applications.
Consequence: If disabled, .NET applications will have trouble running.
Recommendation: Enable (Automatic).

P

Service Name: Performance Logs and Alerts
Short Name: SysmonLog
Process Name: smlogsvc.exe
Depends on: None
Components depend on this: None
Purpose: It collects performance data for the computer or other computers and writes it to a log or displays it on the screen.
Consequence: If disabled, performance information will no longer be logged or displayed.
Recommendation: Disable

Service Name: Plug and Play
Short Name: PlugPlay
Process Name: services.exe
Depends on: None
Components depend on this: Fax, Logical Disk Manager, Logical Disk Manager Administrative Service, Smartcard, Messenger, Telephony, Remote Access Auto Connection Manager, Remote Access, Connection Manager, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Virtual Disk Service, Windows Audio
Purpose: It allows an administrator to add hardware to a server and have the server automatically detect and configure it. Simply, it enables a computer to recognize and adapt to hardware changes with little or no user input.
Consequence: If disabled, the system will be unstable and incapable of detecting hardware changes.
Recommendation: Enable (Automatic).

Service Name: Portable Media Serial Number
Short Name: WmdmPmSN
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It retrieves the serial number of any portable media player connected to this computer.
Consequence: If disabled, protected content might not be downloaded to the device.
Recommendation: Disable

Service Name: Print Spooler
Short Name: Spooler
Process Name: spoolsv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: Fax, TCP/IP Print Server
Purpose: It manages all local and network print queues and controls all printing jobs. It loads files to memory for later printing.
Consequence: If disabled, printing on the local machine will be unavailable.
Recommendation: Disable this service if you don't have a printer attached.

Service Name: Protected Storage
Short Name: ProtectedStorage
Process Name: lsass.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It protects sensitive information such as private keys from exposure except to allowed persons and services.
Consequence: If disabled, protected information will be inaccessible.
Recommendation: Enable (Automatic).

R

Service Name: Remote Access Auto Connection Manager
Short Name: RasAuto
Process Name: svchost.exe -k netsvcs
Depends on: Remote Access Connection Manager, Telephony
Components depend on this: None
Purpose: It detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. It creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabling the service has no effect on the rest of the operating system; you will simply have to set up connections to remote computers manually. With this service running, unauthorized applications (such as Trojans) can bring up your network connection without your explicit request, so it is far better to dial manually.
Consequence: If disabled, users will have to set up connections to remote computers manually.
Recommendation: Disable unless you are using Dial-Up Networking or VPN, and even then it is better to dial manually.

Service Name: Remote Access Connection Manager
Short Name: RasMan
Process Name: svchost.exe -k netsvcs
Depends on: Telephony, Plug and Play, Remote Procedure Call (RPC)
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager
Purpose: It manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. This service is run on demand by the Remote Access Manager.
Consequence: If disabled, the operating system might not function properly.
Recommendation: Enable (Automatic) if using Dial-Up Networking and VPN, otherwise Disable.

Service Name: Remote Administration Service
Short Name: SrvcSurg
Process Name: Srvcsurg.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and controls Remote Assistance.
Consequence: If disabled, remote Assistance will be unavailable.
Recommendation: Disable.

Service Name: Remote Desktop Help Session Manager
Short Name: RDSessMgr
Process Name: sessmgr.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and controls Remote Assistance. If you don't plan to use Remote Assistance, disable this service. Note that it can create a major security hole, so enable it only when absolutely required.
Consequence: If disabled, Remote Assistance will be unavailable. Before stopping this service, check the Dependencies tab of its Properties dialog box.
Recommendation: Disable

Service Name: Remote Procedure Call
Short Name: RpcSs
Process Name: svchost -k rpcss
Depends on: None
Components depend on this: Background Intelligent Transfer Service, Cluster Service, COM+ Event System, COM+ System Application, Cryptographic Services, DHCP Server, Distributed Link Tracking Client, Distributed Link Tracking Server, Distributed Tracking Coordinator, DNS Server, Error Reporting Service, Fax, File Replication, Help and Support, Human Device Interface Access, IIS Admin Service, Indexing Service, Internet Authentication Service, IPSEC Services, IPv6 Helper Service, Kerberos Key Distribution Center, Logical Disk Manager, Logical Disk Administrator Service, Messenger, MS Software Shadow Copy Provider, Network Connections, Print Spooler, Protected Storage, Remote Desktop Help Session Manager, Remote Registry, Removable Storage, Resultant Set of Policy Provider, Routing and Remote Access, Security Accounts Manager, Shell Hardware Detection, Task Scheduler, Telephony, Telnet, Terminal Services, Terminal Services Session Directory, Terminal Services Licensing, Upload Manager, Volume Shadow Copy, Web Element Manager, Windows Audio, Windows Image Acquisition (WIA), Windows Installer, Windows Internet Name Service (WINS), Windows Management Instrumentation, Windows Media Services, Wireless Configuration, WMI Performance Adapter, World Wide Web Publishing Service
Purpose: Allows processes to communicate with each other, internally and across the network. It serves as the endpoint mapper and hosts other RPC services such as the COM Service Control Manager. It is absolutely essential: a multitude of other services depend on it, as the list above shows.
Consequence: If disabled, programs using COM or RPC will not function and the system will not boot.
Recommendation: Enable (Automatic). Never disable this service.

Service Name: Remote Procedure Call (RPC) Locator
Short Name: RpcLocator
Process Name: locator.exe
Depends on: Workstation
Components depend on this: None
Purpose: It manages the RPC name service database. In simple words, it provides RPC name services similar to DNS services for IP.
Consequence: If disabled, systems that are running third-party utilities looking for RPC information will be unable to find it. OS components do not use this service, but programs such as Exchange do.
Recommendation: Disable (it depends on what applications you have installed).

Service Name: Remote Registry Service
Short Name: RemoteRegistry
Process Name: svchost.exe -k regsvc
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides a mechanism to remotely manage the system registry. In simple words, this service lets users connect to a remote registry and read and/or write keys to it; of course they need to have the required permissions. Do you want someone editing your registry remotely? From a security perspective, I didn't think so.
Consequence: If disabled, remote systems will be unable to connect to the local registry. Hfnetchk uses this mechanism, so disabling it can affect the patch utility's operation.
Recommendation: Disable (some programs require this functionality in order to operate).

Service Name: Remote Server Manager
Short Name: AppMgr
Process Name: APPMGR.EXE
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: WMI provider for Remote Administration Alerts. It holds the Remote Administration alert information. It provides an interface for raising, clearing and enumerating Remote Administration alerts, and provides an interface for executing Remote Administration tasks.
Consequence: If disabled, Server management may be affected.
Recommendation: Disable

Service Name: Removable Storage
Short Name: NtmsSvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and catalogs removable media and operates automated removable media devices. This service maintains a catalogue of identifying information for removable media used by a system, including tapes, CDs, and so on.
Consequence: If disabled, programs that depend on Removable Storage, such as Backup and Remote Storage, will operate more slowly.
Recommendation: Enable (Automatic). Disable this service if you are not planning to use any programs that depend on Removable Storage.

Service Name: Resultant Set of Policy Provider
Short Name: RSoPProv
Process Name: RSoPProv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied.
Consequence: If disabled, remote verification will be unavailable.
Recommendation: Enable (Automatic).

Service Name: Routing and Remote Access
Short Name: RemoteAccess
Process Name: svchost.exe -k netsvcs
Depends on: NetBios Interface, NetBIOSGroup, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It offers routing services in local area and wide area network environments. That is it enables multiprotocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on this network.
Consequence: If disabled, Routing and Remote Access services will be unavailable.
Recommendation: Disable. Better yet, don't install this service at all.

S

Service Name: Secondary Logon
Short Name: seclogon
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It enables starting processes under alternate credentials. When Microsoft says "alternate credentials" they are talking about the [Run As...] command on the context menu, which allows a limited user to run an executable as a higher-privileged user.
Consequence: If disabled, users will be unable to use the "Run As" feature to elevate privileges.
Recommendation: Disable

Service Name: Security Accounts Manager
Short Name: SamSs
Process Name: lsass.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: DHCP Server, Distributed File System, Distributed Transaction Coordinator, IIS Admin Service, FTP Publishing Service, HTTP SSL, Intersite Messenger Service, Message Queuing, Message Queuing Downlevel Client Support, Message Queuing Triggers, Microsoft POP3 Service, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Windows Internet name Services (WINS), World Wide Web Publishing Service
Purpose: It stores account information for local security accounts, which, when started, allows other services to access the SAM.
Consequence: If disabled, services that rely on requests to the SAM database will not function properly.
Recommendation: Enable (Automatic). Leave this service alone; the services listed above will not start without it.

Service Name: Server
Short Name: lanmanserver
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Computer Browser, Distributed File System, Remote Installation
Purpose: It provides RPC support and file, print and named pipe sharing over the network. This service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. Consider the full implications of enabling this carefully!
Consequence: If disabled, resources can't be shared, RPC requests will be denied, and named pipe communication will fail.
Recommendation: Disable (this service must be enabled on Windows XP computers that share files or printers).

Service Name: Shell Hardware Detection
Short Name: ShellHWDetection
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: Windows Image Acquisition (WIA)
Purpose: It is used for the auto play of devices like memory cards, some CD drives, etc. Set to Automatic if you are experiencing problems with laptop docking stations.
Consequence: If disabled, devices like CDROMs, digital cameras will not automatically function.
Recommendation: Enable (Automatic). It is much easier to leave this enabled, and not much of a security risk.

Service Name: Simple Mail Transport Protocol
Short Name: SMTPSVC
Process Name: inetinfo.exe
Depends on: IIS Admin Service, Remote Procedure Call (RPC), Security Accounts Manager, Event Log
Components depend on this: None
Purpose: It transports electronic mail across the network.
Consequence: If disabled, mail will not be transported across the network.
Recommendation: Disable. If you are using the built-in mail server for receiving mail then leave on automatic.

Service Name: Simple TCP/IP Services
Short Name: SimpTcp
Process Name: tcpsvcs.exe
Depends on: AFD Networking Support Environment
Components depend on this: None
Purpose: Implements support for the Echo, Discard, Character Generator, Daytime and Quote of the Day protocols. Once this service is installed and started, all five protocols are enabled on all network adapters. There is no provision for selectively enabling specific services or enabling this service on per network adapter basis.
Consequence: Stopping or disabling this service has no effect on the rest of the operating system.
Recommendation: Do not install Simple TCP/IP Services unless you specifically need this computer to support communication with other systems that use these protocol services.

Service Name: Smart Card Service
Short Name: SCardSvr
Process Name: SCardSvr.exe
Depends on: Plug and Play
Components depend on this: None
Purpose: It manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Consequence: If disabled, operating system will be unable to support smart cards.
Recommendation: If you're using a smart card reader, enable this service otherwise disable it.

Service Name: Smart Card Helper Service
Short Name: SCardDrv
Process Name: SCardSvr.exe
Purpose: It enables support for legacy non-plug and play smart-card readers used by this computer. The same as Smart Card except this is for legacy cards that don't support Plug and Play.
Consequence: If this service is stopped, the computer will not support legacy reader.
Recommendation: If you're using a legacy non-plug and play smart-card reader, enable this service otherwise disable it.

Service Name: SNMP Service
Short Name: SNMP
Process Name: snmp.exe
Depends on: Event Log
Components depend on this: None
Purpose: Allows incoming SNMP (Simple Network Management Protocol) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation. SNMP provides a method of managing network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally-located computer running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.
Consequence: If the service is stopped or disabled, the computer will no longer respond to SNMP requests. If the computer is being monitored by network management tools, the tools won’t be able to collect data from the computer or control its functionality via SNMP.
Recommendation: Disable it unless required.

Service Name: SNMP Trap Service
Short Name: SNMPTRAP
Process Name: snmptrap.exe
Depends on: Event Log
Components depend on this: None
Purpose: Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Consequence: If the service is stopped or disabled, SNMP applications won’t receive SNMP traps that they are registered to receive. If this computer is being used to monitor network devices or server applications using SNMP traps, significant system occurrences could be missed.
Recommendation: Disable

Service Name: Special Administration Console Helper
Short Name: Sacsvr
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It allows administrators to remotely access a command prompt using Emergency Management Services.
Consequence: If disabled, remote command prompt access will be unavailable.
Recommendation: Disable.

Service Name: SQLAGENT
Short Name: SQLSERVERAGENT
Process Name: SQLagent.exe
Depends on: MSSQL
Components depend on this: None
Purpose: Job scheduler for server with SQL Server installed.
Consequence: If disabled, Job scheduling will be unavailable.
Recommendation: Disable (enable it if you require job scheduling).

Service Name: System Event Notification
Short Name: SENS
Process Name: svchost.exe -k netsvcs
Depends on: COM+ Event System, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It tracks system events such as Windows logon network and power events. It notifies COM+ Event System subscribers of these events. In simple words, it is required to record entries in the event logs; notifies COM+ subscribers about logon and power-related events.
Consequence: If disabled, certain notifications will no longer work. For example, synchronization won't work, as it depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications.
Recommendation: Disable. Leave it enabled on laptops so that power notifications are passed to the user.

T

Service Name: Task Scheduler
Short Name: Schedule
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user to configure and schedule automated tasks on this computer. Using Task Scheduler, you can schedule any script, program, or document to run at a time that is convenient for you. If you must run scheduled tasks, consider restricting task creation to administrators. An attacker who can create tasks can schedule Trojans to run and so compromise your system.
Consequence: If disabled, tasks will not be run at their scheduled times.
Recommendation: Disable unless absolutely required.

Service Name: TCP/IP NetBIOS Helper
Short Name: LMHosts
Process Name: svchost.exe -k LocalService
Depends on: AFD Networking Support Environment, NetBIOS Over TCP/IP
Components depend on this: None
Purpose: It provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network.
Consequence: If this service is stopped or disabled, NetBT's clients, including Server, Netlogon and Messenger, will stop responding. As a result, you may not be able to share files and printers or log on.
Recommendation: Disable. For small networks, this service may be essential if you share files with others. For larger networks with central file servers, keep disabled on desktops.

Service Name: TCP/IP Print Server
Short Name: LPDSVC
Process Name: svchost.exe -k tapisrv
Depends on: Print Spooler, Remote Procedure Call (RPC), TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: It enables TCP/IP-based printing using the Line Printer Daemon protocol. The LPDSVC on the server receives documents from native LPR utilities running on Unix computers.
Consequence: If this service is stopped or disabled, TCP/IP-based printing will be unavailable.
Recommendation: Disable

Service Name: Telephony
Short Name: TapiSrv
Process Name: tcpsvcs.exe
Depends on: Plug and Play, Remote Procedure Call (RPC)
Components depend on this: Fax, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager, Remote Access Connection Manager
Purpose: It provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections.
Consequence: If this service is stopped or disabled, any program that depends upon telephony, including modem subsystem support, will not function correctly.
Recommendation: Automatic (if using Dial-Up Networking, Faxing, or PC Phone Services); otherwise it should be disabled.

Service Name: Telnet
Short Name: TlntSvr
Process Name: tlntsvr.exe
Depends on: Remote Procedure Call, NT LM Security Support Provider, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: It enables a remote user to log on to this computer and run programs; it supports various TCP/IP Telnet clients, including UNIX- and Windows-based computers. In simple words, it allows a remote user to log on to the system and run console programs from the command line. Having this service enabled on your system poses a serious security threat.
Consequence: If the Telnet service is stopped or disabled, remote users will not be able to connect to the computer using telnet.
Recommendation: Disable

Service Name: Terminal Server Licensing
Short Name: TermServLicensing
Process Name: LServer.exe
Depends on: Event Log, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: Installs a license server and provides registered client licenses when connecting to a Terminal Server. The Terminal Services License Service is a low-impact service that stores the client licenses that have been issued for a Terminal Server and tracks the licenses that have been issued to client computers or terminals.
Consequence: If this service is stopped or disabled, the server will be unavailable to issue Terminal Server licenses to clients when requested. If another License Server is discoverable on a domain controller in the forest, the requesting Terminal Server will attempt to use it.
Recommendation: Enable (Automatic).

Service Name: Terminal Services
Short Name: TermService
Process Name: svchost.exe -k termsvcs
Depends on: Remote Procedure Call (RPC), Infrared Monitor
Components depend on this: Fast User Switching Compatibility Services
Purpose: It allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service. By default, Terminal Services is installed in remote administration mode. To install Terminal Services in Application Mode, use Configure Your Server or Add/Remove Windows Components to change the Terminal Services mode.
Consequence: If this service is stopped or disabled, remote users cannot use Remote Desktop. To prevent remote use of this computer, clear the check boxes in the Remote tab of the System properties control panel item.
Recommendation: Enable (Manual).

Service Name: Terminal Services Session Directory
Short Name: Tssdis
Process Name: tssdis.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user connection request to be routed to the appropriate terminal server in a cluster. In other words, it allows clusters of load-balanced Terminal Servers to properly route a user's connection request to the server where the user already has a session running. Without it, users are routed to the first available Terminal Server, regardless of whether they already have a session running elsewhere in the cluster. Load Balancing pools the processing resources of several servers using the TCP/IP networking protocol. You can use this service with a cluster of terminal servers to scale the performance of a single terminal server by distributing sessions across multiple servers. Session Directory keeps track of disconnected sessions on the cluster and ensures that users are reconnected to those sessions.
Consequence: If this service is stopped or disabled, load balancing for terminal services will not work, and connection requests will be routed to the first available server.
Recommendation: Disable

Service Name: Themes
Short Name: Themes
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It provides user experience theme management. It provides rendering support for the new Windows XP graphic user interface (GUI). A desktop theme is a predefined set of icons, fonts, colors, sounds, and other window elements that give the computer desktop a unified and distinctive look. You can switch themes, create your own theme by changing a theme and then saving it with a new name, or restore the traditional Windows Classic look as your theme. This service is disabled by default on all Windows Server 2003 operating systems products.
Consequence: If this service is stopped or disabled, the new Windows XP visual style (windows, buttons, scrollbars and other controls) will revert back to the Windows Classic visual style.
Recommendation: Disable

Service Name: Trivial FTP Daemon
Short Name: tftpd
Process Name: tftpd.exe
Depends on: TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: TFTP (Trivial File Transfer Protocol) is an integral part of Remote Installation Services (RIS). A Remote Installation server uses the Trivial File Transfer Protocol Daemon (TFTPD) to download the initial files required for the remote installation process to begin. The most common file downloaded to the client using TFTPD is Startrom.com, which is responsible for bootstrapping the client computer. If the user then presses F12 when prompted, the Client Installation Wizard is downloaded to begin the remote installation process.
Consequence: Stopping or disabling this service will cause RIS to fail.
Recommendation: Disable (Unless you use Remote Installation).

U


Service Name: Uninterruptible Power Supply
Short Name: UPS
Process Name: ups.exe
Depends on: None
Components depend on this: None
Purpose: It manages communications with an Uninterruptible Power Supply (UPS) connected to the computer by a serial port. If you have a USB UPS, you should not start this service. By default the startup type is manual and the default status is stopped, unless you install and configure a serial UPS. Once you install and configure a serial UPS, the startup type changes to automatic and the default status changes to ‘started’.
Consequence: If this service is stopped or disabled, communications with the UPS will no longer work. In the event of power loss on the alternating current (AC) line, the UPS will be unable to direct the PC to shut down while the UPS battery discharges toward a critically low state. This could result in loss of data.
Recommendation: Disable

Service Name: Upload Manager
Short Name: Uploadmgr
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support.
Consequence: If this service is stopped or disabled, driver data will not be uploaded to Microsoft.
Recommendation: Disable.

V

Service Name: Virtual Disk Service
Short Name: VDS
Process Name: VDS.EXE
Depends on: Remote Procedure Call (RPC), Plug and Play
Components depend on this: None
Purpose: It provides a single interface for managing block storage virtualization whether done in OS software, RAID storage hardware subsystems, or other virtualization engines. In simple words, it provides software volume and hardware volume management service.
Consequence: If this service is stopped or disabled, VDS services will no longer be available.
Recommendation: Enable (Manual).

Service Name: Volume Shadow Copy
Short Name: VSS
Process Name: vssvc.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and implements volume shadow copies used for backup and other purposes. Shadow copy backups ensure that:
• Applications can continue to write data to the volume during a backup.
• Files that are open are no longer omitted during a backup.
• Backups can be performed at any time, without locking out users.
Consequence: If this service is stopped or disabled, volume shadow copy backup functionality will no longer occur.
Recommendation: Enable (Manual). If you don’t use Windows Backup on this desktop, disable this service.

W

Service Name: WebClient
Short Name: WebClient
Process Name: svchost.exe -k LocalService
Depends on: WebDav Client Redirector
Components depend on this: None
Purpose: It allows Win32 applications to access documents on the Internet. That is, it enables Windows-based programs to create, access, and modify Internet-based files.
Consequence: Disabling the service will remove this capability, and will prevent users from using the Web Publishing Wizard to publish data to the internet for locations that use the WebDAV protocol.
Recommendation: Disable

Service Name: Web Element Manager
Short Name: ElementMgr
Process Name: Elementmgr.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It is used by the Remote Administration process to serve user interface elements and it is responsible for serving Web user interface elements for the Administration Web site at port 8098.
Consequence: If this service is stopped or disabled, the Remote Administration system won't work properly.
Recommendation: Enable (Automatic)

Service Name: Windows Audio
Short Name: AudioSrv
Process Name: svchost.exe -k netsvcs
Depends on: Plug and Play, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides support for sound and related Windows Audio event functions. This service manages Plug-and-Play events for audio devices such as sound cards and global audio effects (GFX) for Windows audio application program interfaces.
Consequence: This service cannot be stopped once started. If this service is disabled, audio functionality may be affected, including the inability to hear sound or process GFX effects.
Recommendation: Disable (you will get no sound without this service)

Service Name: Windows Image Acquisition (WIA)
Short Name: StiSvc
Process Name: svchost.exe -k imgsvc
Depends on: Remote Procedure Call (RPC), Shell Hardware Detection
Components depend on this: None
Purpose: It provides image acquisition services for scanners and cameras.
Consequence: If this service is disabled, events from imaging devices are neither captured nor processed. If stopped, the service will restart automatically at reboot if there is a WIA device installed. Also, this service demand starts any time a WIA enabled application is launched.
Recommendation: Disable

Service Name: Windows Installer
Short Name: MsiServer
Process Name: msiexec.exe /V
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: Windows Installer manages the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. These setup rules define the installation and configuration of the installed application. In addition, you use this service to modify, repair, or remove an existing application. The Windows Installer technology consists of the Windows Installer service for the Windows operating systems and the package (.msi) file format used to hold information regarding the application setup and installations.
It manages the installation, addition, and deletion of software components, monitors file resiliency, and maintains basic disaster recovery by way of rollbacks.
Consequence: If this service is disabled, the installation, removal, repair, and modification of applications that use the Windows Installer will not succeed. Some applications use this service while running and those applications might not be able to execute.
Recommendation: Enable (Manual)

Service Name: Windows Internet Name Service (WINS)
Short Name: WINS
Process Name: wins.exe
Depends on: Event Log, NT LM Security Support Provider, Remote Procedure Call (RPC), Security Accounts Manager, COM+ Event System
Components depend on this: None
Purpose: Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000 or later.
Consequence: If this service is disabled, older clients will be unable to obtain NT domain information and use domain resources.
Recommendation: Enable (Automatic)

Service Name: Windows Management Instrumentation
Short Name: Winmgmt
Process Name: svchost.exe -k netsvcs
Depends on: Event Log, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides system management information; required to implement performance alerts using Performance Logs and Alerts.
Consequence: If this service is disabled, system management and performance information will be unavailable and many Windows programs will be unable to function properly.
Recommendation: Enable (Automatic)

Service Name: Windows Management Instrumentation Driver Extensions
Short Name: Wmi
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: This service monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
Consequence: This is an extension of WMI only.
Recommendation: Enable (Manual)

Service Name: Windows Media Services
Short Name: WMServer
Process Name: WMServer.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides streaming media services over IP-based networks.
Consequence: If this service is stopped, streaming media services will not be available.
Recommendation: Enable (Automatic)

Service Name: Windows System Resource Manager
Short Name: WindowsSystemResourceManager
Process Name: Wrm.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: The Windows System Resource Manager (WSRM) service is a tool to help customers deploy applications into consolidation scenarios. It provides policy-based management of CPU and memory consumption of processes running on a single operating system instance. Planned scenarios include multiple heterogeneous server applications, multiple Terminal Services users, multiple SQL server instances, multiple Internet Information Server (version 6) application pools or Exchange and IIS6 running together on the same machine. The service may only be installed and run on Windows Server 2003, Datacenter and Enterprise Edition.
Consequence: If this service is stopped or disabled, the resource management it provides will not be available.
Recommendation: Disable

Service Name: Windows Time
Short Name: W32Time
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Cluster Service
Purpose: It uses NTP to keep computers in the domain synchronized; critical for Kerberos authentication to consistently function.
Consequence: If this service is stopped or disabled, date and time synchronization with the forest or with an external NTP server will be unavailable. Stopping W32Time on a workstation prevents the workstation from synchronizing its time with another source, but has no effect on any other external server. If Kerberos authentication is implemented, it may cause Kerberos tickets to be marked as expired and discarded by a server, resulting in inaccessible resources.
Recommendation: Enable (Automatic)

Service Name: WinHTTP Web Proxy Auto-Discovery Service
Short Name: WinHttpAutoProxySvc
Process Name: svchost.exe -k LocalService
Depends on: AFD Networking Support Environment, TCP/IP Protocol Driver, DHCP Client, IPSec Driver
Components depend on this: Cluster Service
Purpose: It implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration.
Consequence: If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result.
Recommendation: Enable (Manual)

Service Name: Wireless Configuration
Short Name: Wzcsvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC), NDIS Usermode I/O Protocol
Components depend on this: Cluster Service
Purpose: It enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications.
Consequence: If this service is stopped, automatic wireless configuration will be unavailable. You will have to manually configure wireless networking.
Recommendation: Disable

Service Name: WMI Performance Adapter
Short Name: WmiApSrv
Process Name: wmiapsrv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Consequence: This service runs only when Performance Data Helper is activated.
Recommendation: Enable (Manual)

Service Name: Workstation
Short Name: Lanmanworkstation
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Alerter, Computer Browser, Distributed File System, File Server for Macintosh, Messenger, Net Logon, Remote Procedure Call (RPC) Locator
Purpose: It provides network connections and communications using the Microsoft Network services.
Consequence: If this service is stopped, you will no longer be able to establish connections to remote servers to access files and named-pipes. This will also prevent accessing files/printers stored on other machines. Stopping or disabling this service does not affect TCP/HTTP connectivity so internet browsing and Web Client access will still work.
Recommendation: Enable (Automatic)

Service Name: World Wide Web Publishing Service
Short Name: W3SVC
Process Name: svchost.exe -k iissvcs
Depends on: HTTP SSL, IIS Admin Service, Remote Procedure Call (RPC), Security Accounts Manager
Components depend on this: None
Purpose: This service provides HTTP services for applications on the Windows platform. The service contains a process manager and a configuration manager. The process manager controls the processes in which custom applications and simple Web sites reside. The configuration manager reads the stored system configuration and ensures that Windows is configured to route HTTP requests to the appropriate application pools or operating system processes.
Consequence: If this service is stopped or disabled, the operating system will no longer be able to serve Web pages or requests.
Recommendation: Enable (Automatic)

Conclusion:

As you can see from the above, not very much is actually needed to keep your server functioning properly. All the other services just pose an enormous security risk, bring little or no benefit, consume resources, and can be safely turned off.

Refer to Part One for the other services: <<Part One>>

Friday, July 25, 2008

Disabling Unnecessary Services: Part One

Disabling unnecessary and potentially dangerous services:

Services:
Well, nowadays organizations are focusing on application security because of the growing number of attacks on applications. This is really good news for end users, who actually benefit from it; organizations also benefit, because their reputation can be increased. However, securing only your applications won't protect you from attacks; you need to secure your hosts and network along with your application. A security hole in a host configuration may compromise your application or network, and in the same manner a hole in your application may compromise your host and network, and vice versa. So, securing all three of these components is vital to protect your assets.
In security, reducing the attack surface area is one of the most important factors in protecting your assets. The less surface area you expose, the fewer attacks are possible against your application, host, or network. One of the key elements in securing your host is disabling unnecessary and potentially dangerous services to reduce the attack surface area of your host. In this post, I am going to explain each and every service in detail, along with the recommended setting.
Windows 2000/2003 and other versions of the Windows operating system come with many services for different purposes by default. But not all of these services are required in all cases. For example, web server related services are not required on a SQL box. Also, there are many services, like Terminal Services, Telnet, Help & Support, Wireless Configuration, and RAS, that may not be required in many cases and can open holes into your operating system. Of course, you may require Terminal Services to allow remote control functions for the help desk or for administering servers, but you have to make sure it is configured properly. There is also a chance that malicious programs are running quietly as services without anyone knowing. So, it is always a better idea to know all of the services that run on your servers and to audit them periodically to minimize the risk of potentially dangerous services. Below is a list of the common services that you can find on your server (Windows OS). Know about each and every service and keep only those services that you require. If you are unsure about any service, set it to Manual instead of disabling it. If you find that the service has started after restarting your server, it is probably required by one of your components or software products. If it is still off, disable it for greater protection.
Note: If any of the service is disabled then any services that explicitly depend on it will fail to start.
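The audit procedure just described (compare each service's startup type against the recommendation, check what depends on it before disabling, and see which Manual services were demand-started after a reboot) can be scripted. The following PowerShell is an added example, not part of the original post; the recommendation table is constructed from a handful of the services covered in this post and must be extended for your own hosts. It assumes PowerShell 3 or later running elevated, and uses only Get-Service, Set-Service, Stop-Service and the Win32_Service WMI class.

```powershell
# Added example (not from the original post): audit service startup types
# against the post's recommendations and apply the "Disable" ones safely.
# Assumes PowerShell 3+ run as an administrator on the host being hardened.

# Constructed from the "Short Name" and "Recommendation" fields of this post.
# Extend this table with the rest of the services that apply to your host.
$Recommended = @{
    'TlntSvr'     = 'Disabled'   # Telnet
    'tftpd'       = 'Disabled'   # Trivial FTP Daemon (unless RIS is used)
    'LPDSVC'      = 'Disabled'   # TCP/IP Print Server
    'Schedule'    = 'Disabled'   # Task Scheduler, unless absolutely required
    'ClipSrv'     = 'Disabled'   # Clipbook
    'Alerter'     = 'Disabled'   # Alerter
    'WebClient'   = 'Disabled'   # WebClient
    'Wzcsvc'      = 'Disabled'   # Wireless Configuration
    'W32Time'     = 'Automatic'  # Windows Time (Kerberos depends on it)
    'Winmgmt'     = 'Automatic'  # Windows Management Instrumentation
    'CryptSvc'    = 'Automatic'  # Cryptographic Services
    'TermService' = 'Manual'     # Terminal Services
    'VSS'         = 'Manual'     # Volume Shadow Copy
}

function Get-ServiceStartMode {
    # Older Get-Service output has no StartType property, so read it from WMI.
    param([string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # WMI reports 'Auto'; normalise to the wording used in the post.
    if ($svc.StartMode -eq 'Auto') { return 'Automatic' }
    return $svc.StartMode
}

function Test-ServiceBaseline {
    # One object per recommended service that is installed on this host:
    # current state, configured start mode, recommendation, and the services
    # that explicitly depend on it (these fail to start if it is disabled).
    foreach ($name in $Recommended.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not installed here, nothing to audit
        $mode = Get-ServiceStartMode -Name $name
        [pscustomobject]@{
            Name              = $name
            DisplayName       = $svc.DisplayName
            Status            = $svc.Status
            StartMode         = $mode
            Recommended       = $Recommended[$name]
            Deviates          = ($mode -ne $Recommended[$name])
            DependentServices = (($svc.DependentServices |
                Select-Object -ExpandProperty Name) -join ',')
        }
    }
}

function Get-DemandStartedService {
    # The post's test for "unsure" services: set them to Manual, reboot, and
    # see which are running anyway. Something demand-started those, so a
    # component probably needs them; the ones still stopped are candidates
    # for disabling.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Manual'" |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, State, StartMode
}

function Disable-RecommendedService {
    # Applies the 'Disabled' recommendations, but skips any service that a
    # currently running service depends on, so nothing breaks silently.
    param([switch]$WhatIf)
    $targets = Test-ServiceBaseline |
        Where-Object { $_.Deviates -and $_.Recommended -eq 'Disabled' }
    foreach ($row in $targets) {
        $running = (Get-Service -Name $row.Name).DependentServices |
            Where-Object { $_.Status -eq 'Running' }
        if ($running) {
            $names = ($running | Select-Object -ExpandProperty Name) -join ','
            Write-Warning "Skipping $($row.Name): running dependents $names"
            continue
        }
        if ($WhatIf) { Write-Host "Would stop and disable $($row.Name)"; continue }
        Stop-Service -Name $row.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $row.Name -StartupType Disabled
        Write-Host "Disabled $($row.Name)"
    }
}

# Report first; apply only after reviewing the deviations and dependents.
Test-ServiceBaseline | Sort-Object Deviates -Descending | Format-Table -AutoSize
Get-DemandStartedService | Format-Table -AutoSize
Disable-RecommendedService -WhatIf
```

Drop the -WhatIf switch on the last line once the report looks right; the dependent-service check still refuses to disable anything that a running service needs.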

A

Service Name: Alerter
Short Name: Alerter
Process Name: svchost.exe -k LocalService
Depends on: Workstation
Components depend on this: None
Purpose: This service notifies selected users and computers of administrative alerts.
Consequence: If this service is turned off, applications that use the NetAlertRaise or NetAlertRaiseEx APIs will be unable to notify a user or computer (by a Message Box from the Messenger service) that the administrative alert took place. In simple words, programs that use administrative alerts will not receive them.
Recommendation: Disable

Service Name: Application Layer Gateway Service
Short Name: ALG
Process Name: alg.exe
Depends on: None
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Purpose: This service provides support for application-level protocol plug-ins (that is, third-party plug-ins for Internet Connection Sharing/Internet Connection Firewall) and enables network/protocol connectivity. It is required if Internet Connection Sharing/Internet Connection Firewall is used to connect to the internet.
Consequence: If disabled, programs that rely on this service, like MSN Messenger and Windows Messenger, will fail to function.
Recommendation: Enable (Manual) if using ICS; if not, disable it. Only enable it when either the Windows Firewall or another firewall protects your computer. Failure to do so can result in a significant security hole.

Service Name: Application Management
Short Name: AppMgmt
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: This service is used to assign, publish, and remove software. It processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If you cannot modify your software installation for certain applications, set this service to Automatic or Manual.
Consequence: If disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs.
Recommendation: Enable (Manual) if you modify applications (i.e. Add/Remove); if not, disable it.

Service Name: ASP .NET State Service
Short Name: aspnet_state
Depends on: None
Components depend on this: None
Purpose: It provides support for out-of-process session state. Enable this service only if out-of-process ASP.NET session state is used in your application to handle sessions. If your application uses in-process session state, it is better to disable this service.
Consequence: If this service is stopped and out-of-process session state is used, ASP.NET requests will not be processed.
Recommendation: Disable

Service Name: Automatic Updates
Short Name: wuauserv
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It provides support for the automatic download and installation of critical Windows updates. In simple words, it is used to check whether any critical or other updates are available for download. Automatic updates help keep your computer current. If you disable this service, you need to check the Windows Update site often to ensure the latest patches are installed. Manual (and automatic) updating via the Windows Update web site requires Cryptographic Services to be running.
Consequence: If this service is disabled, the operating system cannot automatically install updates, but it can still be manually updated at the Windows Update Web site.
Recommendation: Automatic if you do not wish to use Windows Update manually.

B

Service Name: Background Intelligent Transfer Service
Short Name: BITS
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It transfers data between clients and servers in the background. It is used to transfer asynchronous data via HTTP 1.1 servers. According to Microsoft's site, Windows Update uses this "feature". It resumes a download after you log off or shut down the system (that is, when you log back in).
Consequence: If this service is disabled, features such as Windows Update will not function correctly.
Recommendation: If you enabled the Automatic Updates service, enable this one too and set its startup type to Manual; otherwise disable it.

C

Service Name: Certificate Service
Short Name: CertSvc
Process Name: CERTSVC.EXE
Depends on: None
Components depend on this: None
Purpose: It is part of the core operating system that enables a business to act as its own certification authority (CA), and to issue and manage digital certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IP Security (IPSEC), and smart card logon.
Consequence: If this service is stopped or disabled, certificate requests will not be accepted and the Certificate Revocation Lists (CRLs) and delta CRLs will not be published. If this service is paused or stopped long enough for CRLs to expire, validation of existing certificates will fail.
Recommendation: Enable (Automatic)

Service Name: Client Service for NetWare
Short Name: NWCWorkstation
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It provides access to files and directories as well as resources on NetWare networks.
Consequence: If this service is stopped or disabled, access to file and print resources on NetWare networks will no longer function unless the Novell Client for NetWare is installed.
Recommendation: If you need to access resources on NetWare networks, enable it and set its startup type to Automatic; otherwise disable it.

Service Name: Clipbook
Short Name: ClipSrv
Process Name: clipsrv.exe
Depends on: Network DDE, Network DDE DSDM
Components depend on this: None
Purpose: It enables the Clipbook Viewer to create and share "pages" of data to be viewed by remote computers.
Consequence: If this service is disabled, ClipBook Viewer will not be able to share information with remote computers.
Recommendation: Disable

Service Name: Cluster Service
Short Name: ClusSvc
Process Name: Clussvc.exe
Depends on: Network Connections, Remote Procedure Call (RPC), Windows Time, Network Cluster Driver
Components depend on this: None
Purpose: It is used for clustering and supports server clusters of up to 8 nodes.
Consequence: If this service is stopped or disabled, the cluster service itself and any applications or services hosted by the cluster service will be stopped.
Recommendation: Disable (required only in case of clustering)

Service Name: COM+ Event System
Short Name: EventSystem
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: System Event Notification, Window Internet Name Service (WINS), DHCP Server, COM+ System Application
Purpose: This service manages the configuration and tracking of COM+-based (Component Object Model) components.
Consequence: If the service is stopped, most COM+-based components will not function properly. It is one of the support files that you'll probably never have any use for, but if you disable it, the warning notices you receive are worse than leaving it enabled.
Recommendation: Enable (Manual)

Service Name: COM+ System Application
Short Name: COMSysApp
Process Name: dllhost.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: This service manages the configuration and tracking of COM+-based (Component Object Model) components. It is one of the support files that you'll probably never have any use for, but if you disable it, the warning notices you receive are worse than leaving it enabled.
Consequence: If the service is stopped, most COM+-based components will not function properly. Disabling this service will generate Event Log entries noting it isn't running. It is an annoyance, but not harmful. The Manual setting avoids the Event Log entries.
Recommendation: Enable (Manual)

Service Name: Computer Browser
Short Name: Browser
Process Name: svchost.exe -k netsvcs
Depends on: Server, Workstation
Components depend on this: None
Purpose : It maintains an up-to-date list of computers on your network, and supplies the list to programs that request it. This service is used by Windows-based computers that need to view network domains and resources.
Consequence : If this service is disabled, your computer will be unable to locate other Windows computers on the network.
Recommendation : If you need to share files with other Windows computers, enable this service.

Service Name: Cryptographic Services
Short Name: CryptSvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : This service provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. It is required for Windows Update to function in manual and automatic mode, and is also used by other Windows components, such as Task Manager; Windows Media Player may also require this service to function.
Consequence : If this service is disabled, Catalog Database Service, Protected Root Service, and Key Service will not function properly. This service also provides the dialog boxes that warn when a driver you are about to install is not digitally signed; if you disable it, you will be flooded with uncertified driver notifications.
Recommendation : Enable (Automatic)

D

Service Name: DHCP Client
Short Name: Dhcp
Process Name: svchost.exe -k netsvcs
Depends on: AFD Networking Support Environment, NetBios over Tcpip, TCP/IP Protocol Driver, IPSEC driver
Components depend on this: WinHTTP Web Proxy Auto-Discovery Service
Purpose : Dynamic Host Configuration Protocol (DHCP) Client manages network configuration by registering and updating IP addresses and Domain Name System (DNS) names. If you only dial up to an ISP via modem, cable, etc., it may not be needed; if you have a network card in your PC and connect out via a router or sharing device, then it is probably required. Set it to Manual if unsure, then check on reboot whether it has started; if not, disable it.
Consequence : If this service is disabled, the system will be unable to obtain an IP address, WINS information, etc., from a DHCP server and will need to be configured with a static address.
Recommendation : Enable (Automatic). If you don't use DHCP to obtain an IP address, this service can be disabled.

Service Name: DHCP Server
Short Name: DHCPServer
Process Name: tcpsvcs.exe
Depends on: Event Log, Remote Procedure Call (RPC), Security Accounts Manager, COM+ Event System, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose : This service distributes TCP/IP and WINS information to requesting clients.
Consequence : If this service is disabled, clients will be unable to obtain addressing information, which could result in a loss of network connectivity.
Recommendation : Enable (Automatic)

Service Name: Distributed File System
Short Name: Dfs
Process Name: dfssvc.exe
Depends on: Server, Workstation, Remote Procedure Call (RPC), Security Account Manager, MUP DFS Driver
Components depend on this: None
Purpose : Manages volumes that are replicated to other domain controllers on the network, such as the SYSVOL volume present on all domain controllers. It can be disabled on servers that are not domain controllers, but doing so is still not a good idea.
Consequence : If this service is disabled, users will be unable to access distributed files using the Dfs namespace and will instead need to target an individual server to get the required information.
Recommendation : Enable (Automatic)

Service Name: Distributed Link Tracking Client
Short Name: TrkWks
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : It maintains links between NTFS file system files within a computer or across computers in a network domain. It enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
Consequence : If this service is disabled, link tracking will be unavailable. Users on other computers won't be able to track links on this computer.
Recommendation : Disable

Service Name: Distributed Link Tracking Server
Short Name: TrkSvr
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain.
Consequence : If this service is disabled, the Distributed Link Tracking Client service within the same domain will not function.
Recommendation : Disable

Service Name: Distributed Transaction Coordinator
Short Name: MSDTC
Process Name: msdtc.exe
Depends on: Remote Procedure Call (RPC), Security Accounts Manager
Components depend on this: None
Purpose : It coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
Consequence : If this service is disabled, distributed transactions will not occur.
Recommendation : Disable (if you use distributed transactions, such as MSMQ or SQL Server operations that span multiple systems, then enable it).

Service Name: DNS Client
Short Name: Dnscache
Process Name: svchost.exe -k NetworkService
Depends on: TCP/IP Protocol Driver
Components depend on this: None
Purpose : It resolves and caches Domain Name System (DNS) names, allowing the system to communicate using canonical names rather than strictly by IP address. The DNS Client service must be running on every computer that will perform DNS name resolution.
Consequence : If this service is disabled, the system will be unable to resolve names and will be able to communicate only via IP address. A client may be unable to communicate with its domain controller.
Recommendation : Enable (Automatic). Stopping this service will leave the computer unable to resolve names to IP addresses.

Service Name: DNS Server
Short Name: DNS
Process Name: dns.exe
Depends on: Remote Procedure Call, AFD Networking Support Environment, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose : It performs name-to-IP address lookups both for itself and for clients; required on the server to allow clients to use Active Directory services.
Consequence : If this service is disabled, access to resources must be made by IP address and not by name. There could be serious implications for Active Directory lookups.
Recommendation : Enable (Automatic).

E

Service Name: Error Reporting Service
Short Name: ERSvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : This service collects, stores, and reports unexpected application crashes to Microsoft.
Consequence : If this service is disabled, error reporting will occur only for kernel faults and some types of user-mode faults.
Recommendation : Disable

Service Name: Event Log
Short Name: Eventlog
Process Name: services.exe
Depends on: None
Components depend on this: DHCP Server, File Replication, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), SNMP Service, SNMP Trap Service, Windows Internet Name Services (WINS), Windows Management Instrumentation
Purpose : This service logs event messages issued by programs and Windows in the event log. Event log reports contain information that can be useful in diagnosing problems. It is one of the few services that actually cannot be stopped. Event logs can be viewed through the Microsoft Management Console.
Consequence : If the event log is disabled, you will be unable to track events, which will significantly reduce the ability to diagnose system problems. In addition, security events will not be audited and you will not be able to view previous event logs using the MMC Event Viewer snap-in.
Recommendation : Enable (Automatic)

F

Service Name: Fax Service
Short Name: Fax
Process Name: fxssvc.exe
Depends on: Plug and Play, Print Spooler, Remote Procedure Call, Telephony
Components depend on this: None
Purpose : This service enables you to send and receive faxes.
Consequence : Disabling this service will render the computer unable to send or receive faxes.
Recommendation : Leave uninstalled or Disable

Service Name: File Replication
Short Name: NtFrs
Process Name: ntfrs.exe
Depends on: Event Log, Remote Procedure Call, COM+ Event System
Components depend on this: None
Purpose : This service replicates files to different servers on the network; it is used especially by the Distributed File System (DFS).
Consequence : If this service is stopped or disabled, file replication will not occur and server data will not be synchronized. Stopping the File Replication service on a domain controller may seriously impair the domain controller's ability to function.
Recommendation : Enable (Manual)

Service Name: FTP Publishing Service
Short Name: MSFtpsvc
Process Name: inetinfo.exe
Depends on: IIS Admin Service, Remote Procedure Call, Security Accounts Manager
Components depend on this: None
Purpose : It provides File Transfer Protocol (FTP) connectivity and administration through the Internet Information Services (IIS) snap-in. It can pose a big security risk!
Consequence : If this service is disabled, FTP services will be unavailable.
Recommendation : Leave uninstalled or Disable.

H

Service Name: Help and Support
Short Name: helpsvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : This service enables Help and Support Center to run on this computer. It is required for Microsoft's online help documents. From a security perspective, enabling this service is not a good idea.
Consequence : If this service is disabled, the Help and Support Center will be unavailable.
Recommendation : Disable

Service Name: HTTP SSL
Short Name: HTTPFilter
Process Name: lsass.exe
Depends on: IIS Admin Service, Remote Procedure Call, Security Accounts Manager, HTTP
Components depend on this: World Wide Web Publishing Service
Purpose : This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Sockets Layer (SSL). If you want to use HTTPS to secure Outlook Web Access or RPC over HTTP connections, you must enable this service.
Consequence : If this service is disabled, HTTPS requests for IIS will be disabled.
Recommendation : If the machine is a web server and a secure channel is required, enable it; otherwise disable.

Service Name: Human Interface Device Access
Short Name: HidServ
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
Consequence : If this service is disabled, hot buttons controlled by this service will no longer function.
Recommendation : Disable

I

Service Name: IAS Jet Database Access
Short Name: IASJet
Process Name: svchost.exe -k iasjet
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : The IAS Jet Database Access system service is only available on 64-bit versions of the Windows Server operating systems. The service uses the Remote Authentication Dial-In User Service (RADIUS) protocol to provide authentication, authorization, and accounting services. It is required only on an Internet Authentication Service (IAS) system.
Consequence : Available only in 64-bit editions.
Recommendation : Disable

Service Name: IIS Admin Service
Short Name: IISADMIN
Process Name: inetinfo.exe
Depends on: Remote Procedure Call, Security Accounts Manager
Components depend on this: FTP Publishing Service, Simple Mail Transfer Protocol (SMTP), World Wide Web Publishing Service, HTTP SSL, Network News Transfer Protocol (NNTP), Microsoft POP3 Service
Purpose : This service enables this server to administer Web and FTP services. It is required only on servers that run Web, FTP, NNTP, or SMTP sites and is also required to configure IIS. Not usually required unless you are running a local web server.
Consequence : If this service is disabled, the server will be unable to run Web, FTP, NNTP, or SMTP sites or to configure IIS.
Recommendation : This is a required service for a web server. If the machine is not a web server, disable it.

Service Name: IMAPI CD-Burning COM Service
Short Name: ImapiService
Process Name: imapi.exe
Depends on: None
Components depend on this: None
Purpose : This service manages CD recording using the Image Mastering Applications Programming Interface (IMAPI). It is used for the "drag and drop" CD burn capability, so you will need it to burn CDs. It can be disabled if you don't have a CD-RW drive in your system.
Consequence : If this service is disabled, the server will be unable to record CDs.
Recommendation : Disable

Service Name: Indexing Service
Short Name: cisvc
Process Name: cisvc.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : This service indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible query language. Indexing can speed up searching.
Consequence : If this service is disabled, files will not be indexed.
Recommendation : Disable (uninstall this service if you don't plan to use it).

Service Name: Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
Short Name: SharedAccess
Process Name: svchost.exe -k netsvcs
Depends on: Application Layer Gateway Service, Network Connections, Network Location Awareness, Remote Access Connection Manager, Remote Access Auto Connection Manager, Remote Procedure Call, Telephony, Plug and Play, AFD Networking Support Environment, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose : This service provides network address translation (NAT), addressing and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection. It is not required unless you are sharing a dial-up connection with other PCs on your network, which is not recommended; it is far better to use a router or gateway firewall software for this purpose. Consider using a higher-specification firewall if sharing your connection.
Consequence : If this service is disabled, networking services such as Internet sharing, name resolution, addressing and/or intrusion prevention will be unavailable.
Recommendation : Disable. Set it to Automatic only if sharing a connection (not recommended).

Service Name: Intersite Messaging
Short Name: IsmServ
Process Name: ismserv.exe
Depends on: Remote Procedure Call, Security Accounts Manager
Components depend on this: None
Purpose : It enables messages to be exchanged between computers in different Windows Server sites.
Consequence : If this service is disabled, messages will not be exchanged, nor will site routing information be calculated for other services.
Recommendation : Disable

Service Name: IPSec Policy Agent (IPSec Service)
Short Name: PolicyAgent
Process Name: lsass.exe
Depends on: Remote Procedure Call (RPC), IPSEC Driver, TCP/IP Protocol Driver
Components depend on this: None
Purpose : It provides end-to-end security between clients and servers on TCP/IP networks. It manages IP security (IPSec) policy, starts the Internet Key Exchange (IKE) and coordinates IPSec policy settings with the IP security driver. It opens port 500 (IKE). Leave it on only if you are using IPSec; if you are connecting over an IPSec-secured connection, don't disable this service.
Consequence : If disabled, TCP/IP security between clients and servers on the network will be impaired.
Recommendation : Disable it unless you are connecting over an IPSec-secured connection.

K

Service Name: Kerberos Key Distribution Center
Short Name: Kdc
Process Name: lsass.exe
Depends on: Remote Procedure Call, AFD Networking Support Environment
Components depend on this: None
Purpose : It allows users with an appropriate client to log on to the network using Kerberos v5. For the domain controller role, this is a must-have service.
Consequence : If this service is disabled, users will be unable to log on to the domain.
Recommendation : Disable it unless the server is a Domain Controller and Kerberos is used.

L

Service Name: License Logging Service
Short Name: LicenseService
Process Name: llssrv.exe
Depends on: None
Components depend on this: None
Purpose : It monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server, and File/Print) as well as for products that aren't part of the OS, like SQL and Exchange Server.
Consequence : If this service is disabled, licensing will be enforced but will not be monitored.
Recommendation : Disable

Service Name: Logical Disk Manager
Short Name: dmserver
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC), Plug and Play
Components depend on this: Logical Disk Manager Administrative Service
Purpose : It waits for new drives to be added and passes the required information to the Logical Disk Manager Administrative Service; required to ensure dynamic disk information is up to date. In simple words, it watches Plug and Play events for newly detected drives and passes volume and/or disk information to the Logical Disk Manager Administrative Service to be configured.
Consequence : If disabled, the Disk Management snap-in display will not change when disks are added or removed; that is, new disks will not be detected by the system, and dynamic disk status and configuration information may become out of date. Leaving this service enabled makes it easy to add new drives to the system, which should not be allowed in a very high security environment.
Recommendation : Disable. Turn it on only when you add additional disks, then disable it again.

Service Name: Logical Disk Manager Administrative Service
Short Name: dmadmin
Process Name: dmadmin.exe /com
Depends on: Remote Procedure Call (RPC), Plug and Play, Logical Disk Manager
Components depend on this: None
Purpose : Starts and allows configuration to take place when a new drive is detected or a partition/drive is configured. It depends on the Logical Disk Manager service.
Consequence : None; it runs only when needed, that is, only when new disks are added, and it is started by the Logical Disk Manager service.
Recommendation : It is started by the Logical Disk Manager service only when needed. Do not disable it if you have the Logical Disk Manager service enabled.

M

Service Name: Message Queuing
Short Name: Msmq
Process Name: mqsvc.exe
Depends on: RMCAST (Pgm) Protocol Driver, Remote Procedure Call, Security Accounts Manager, Message Queuing Access Control, NT LM Security Support Provider
Components depend on this: None
Purpose : A messaging infrastructure and development tool for creating distributed messaging applications for Windows.
Consequence : Message queuing will be unavailable.
Recommendation : Leave uninstalled or Disable.

Service Name: Message Queuing Triggers
Short Name: MSMQTriggers
Process Name: mqtgsvc.exe
Depends on: Distributed Transaction Coordinator, Message Queuing Access Control, NT LM Security Support Provider, Remote Procedure Call (RPC), Security Accounts Manager, RMCAST (Pgm) Protocol Driver, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose : Associates the arrival of incoming messages at a queue with functionality in a COM component or a stand-alone executable program. These triggers can be used to define business rules that are invoked when a message arrives at the queue, without any additional programming. Not installed by default. It is required only if you use the Message Queuing service.
Recommendation : Leave uninstalled or Disable.

Service Name: Messenger
Short Name: Messenger
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC), NetBIOS Interface, Plug and Play, Workstation
Components depend on this: None
Purpose : This service transmits net send and Alerter service messages between clients and servers. It is not related to Windows Messenger.
Consequence : Alerter messages will not be transmitted.
Recommendation : Disable

Service Name: Microsoft POP3 Service
Short Name: POP3SVC
Process Name: pop3svc.exe
Depends on: IIS Admin Service, Security Account Manager, Remote Procedure Call (RPC)
Components depend on this: None
Purpose : The POP3 service provides e-mail transfer and retrieval services. Administrators can use the POP3 service to store and manage e-mail accounts on the mail server.
Consequence : If this service is disabled, users will be unable to retrieve mail via POP3.
Recommendation : It is a required service on mail servers. Disable it on all other servers.

Service Name: MS Software Shadow Copy Provider
Short Name: SwPrv
Process Name: svchost.exe -k swprv
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose : It manages software-based volume shadow copies taken by the Volume Shadow Copy service and is used in conjunction with that service. Microsoft Backup uses these services, so you will need it if you use Microsoft Backup. If disabled, you will receive an Event Log entry complaining that this service is not running.
Consequence : If this service is disabled, software-based volume shadow copies cannot be managed.
Recommendation : Disable (set it to Manual if you intend to use Windows Backup).

Service Name: MSSQL$UDDI
Short Name: SQLSERVR
Process Name: SQLSERVR.EXE -sUDDI
Depends on: None
Components depend on this: SQLAgent$UDDI
Purpose : The full name of this service is the Universal Description, Discovery and Integration (UDDI) service. It is used to locate web services.
Consequence : If disabled, web service discovery will be limited or stopped.
Recommendation : Do not stop this service unless you want to disable the functionality it provides.

Service Name: MSSQLserverADHelper
Short Name: MSSQLserverADHelper
Process Name: sqladhlp.exe
Depends on: None
Components depend on this: None
Purpose : It enables SQL Server publishing into Active Directory.
Consequence : SQL Server information cannot be published into AD.
Recommendation : Disable unless the machine is used as a SQL Server.
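As an added example (not part of the original article), the following Windows PowerShell script audits the startup type of the services listed in this part against the unconditional recommendations above, using the WMI Win32_Service class; the service short names are taken from the listing, and entries whose recommendation depends on the server's role are flagged for review rather than judged. It assumes Windows PowerShell is available on the server and only reports, changing nothing.

```powershell
# Added example, not from the original article: compare each service's startup
# type (Win32_Service.StartMode: Auto / Manual / Disabled) with the page's
# unconditional recommendation. Run from an elevated prompt so every installed
# service is visible. Report only; no startup types are changed.

# Baseline: service short name (from the listing) -> expected StartMode.
$Recommended = @{
    'EventSystem'    = 'Manual'      # COM+ Event System
    'COMSysApp'      = 'Manual'      # COM+ System Application
    'CryptSvc'       = 'Auto'        # Cryptographic Services
    'Dhcp'           = 'Auto'        # DHCP Client
    'DHCPServer'     = 'Auto'        # DHCP Server
    'Dfs'            = 'Auto'        # Distributed File System
    'TrkWks'         = 'Disabled'    # Distributed Link Tracking Client
    'TrkSvr'         = 'Disabled'    # Distributed Link Tracking Server
    'Dnscache'       = 'Auto'        # DNS Client
    'DNS'            = 'Auto'        # DNS Server
    'ERSvc'          = 'Disabled'    # Error Reporting Service
    'Eventlog'       = 'Auto'        # Event Log
    'Fax'            = 'Disabled'    # Fax Service (leave uninstalled or disable)
    'NtFrs'          = 'Manual'      # File Replication
    'MSFtpsvc'       = 'Disabled'    # FTP Publishing Service
    'helpsvc'        = 'Disabled'    # Help and Support
    'HidServ'        = 'Disabled'    # Human Interface Device Access
    'IASJet'         = 'Disabled'    # IAS Jet Database Access
    'ImapiService'   = 'Disabled'    # IMAPI CD-Burning COM Service
    'cisvc'          = 'Disabled'    # Indexing Service
    'SharedAccess'   = 'Disabled'    # Internet Connection Firewall / Sharing
    'IsmServ'        = 'Disabled'    # Intersite Messaging
    'LicenseService' = 'Disabled'    # License Logging Service
    'dmserver'       = 'Disabled'    # Logical Disk Manager
    'Msmq'           = 'Disabled'    # Message Queuing
    'MSMQTriggers'   = 'Disabled'    # Message Queuing Triggers
    'Messenger'      = 'Disabled'    # Messenger
    'SwPrv'          = 'Disabled'    # MS Software Shadow Copy Provider
}

# Recommendation depends on the server role (web, mail, DC, SQL, IPSec ...):
# reported for manual review instead of being compared with a fixed value.
$RoleDependent = @('Browser', 'HTTPFilter', 'IISADMIN', 'PolicyAgent', 'Kdc',
                   'POP3SVC', 'MSDTC', 'dmadmin', 'MSSQL$UDDI', 'MSSQLserverADHelper')

function Get-ServiceStartupAudit {
    # Index installed services once by short name (hashtable keys are case-insensitive).
    $installed = @{}
    Get-WmiObject -Class Win32_Service | ForEach-Object { $installed[$_.Name] = $_ }
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        $expected = $Recommended[$name]
        $svc = $installed[$name]
        if ($svc -eq $null) {
            # A service that is not installed satisfies every "Disable" entry.
            $actual = 'NotInstalled'; $state = ''
            $status = if ($expected -eq 'Disabled') { 'OK (not installed)' } else { 'MISSING' }
        } else {
            $actual = $svc.StartMode; $state = $svc.State
            $status = if ($actual -eq $expected) { 'OK' } else { 'DEVIATION' }
        }
        New-Object PSObject -Property @{ Service = $name; Expected = $expected
            Actual = $actual; State = $state; Status = $status }
    }
    foreach ($name in $RoleDependent) {
        $svc = $installed[$name]
        if ($svc -ne $null) {
            New-Object PSObject -Property @{ Service = $name; Expected = 'role-dependent'
                Actual = $svc.StartMode; State = $svc.State; Status = 'REVIEW' }
        }
    }
}

# Show only the entries that need attention.
Get-ServiceStartupAudit | Where-Object { $_.Status -notlike 'OK*' } |
    Sort-Object Status, Service | Format-Table Service, Expected, Actual, State, Status -AutoSize
```

A DEVIATION row for a service the page says to disable is the finding to act on; a REVIEW row simply lists an installed role-dependent service so that its recommendation can be checked against the server's actual role.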

Refer to Part Two for the remaining services: <<Part Two>>