Tuesday, August 12, 2008

Disabling unnecessary services: Part Two

Disabling unnecessary and potentially dangerous services: Part Two

Services:

N

Service Name: Netlogon
Short Name: Netlogon
Process Name: lsass.exe
Depends on: Workstation
Components depend on this: None
Purpose: It allows pass-through authentication to take place between a client and a domain controller or between domain controllers; required for domain participation.
Consequence: If this service is disabled, the server will be unable to properly participate in the domain and will reject NT LAN Manager (NTLM) requests.
Recommendation: Enable (Manual).

Service Name: NetMeeting Remote Desktop Sharing
Short Name: mnmsrvc
Process Name: mnmsrvc.exe
Depends on: None
Components depend on this: None
Purpose: It enables an authorized user to access this machine remotely by using Microsoft NetMeeting over a corporate intranet. This is a very dangerous service that allows remote access to your server. So, only use it if absolutely essential and if running an effective firewall.
Consequence: If this service is stopped or disabled, remote desktop sharing will be unavailable.
Recommendation: Disable

Service Name: Network Connections
Short Name: Netman
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Purpose: It manages the network and dial-up connections for the server, including network status notification and configuration. Simply, it manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections.
Consequence: If disabled, network configuration will not be possible; new connections can't be created and services that need network information may fail.
Recommendation: Enable (Manual).

Service Name: Network DDE
Short Name: NetDDE
Process Name: netdde.exe
Depends on: Network DDE DSDM
Components depend on this: Clipbook
Purpose: It provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers.
Consequence: If disabled, DDE transport and security will be unavailable.
Recommendation: Disable

Service Name: Network DDE DSDM
Short Name: NetDDEdsdm
Process Name: netdde.exe
Depends on: None
Components depend on this: Network DDE, Clipbook
Purpose: It manages Dynamic Data Exchange (DDE) network shares.
Consequence: If disabled, DDE network shares will be unavailable.
Recommendation: Disable

Service Name: Network Location Awareness (NLA)
Short Name: NLA
Process Name: svchost.exe -k netsvcs
Depends on: AFD Networking Support Environment, TCP/IP Protocol Driver
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Purpose: It collects and stores network configuration and location information and notifies applications when this information changes. This service is a part of Internet Connection Sharing.
Consequence: If disabled, services such as ICS & ICF will not function.
Recommendation: Disable. Enable if this computer has Internet Connection Sharing enabled or if you are using the Internet Connection Firewall.

Service Name: Network News Transfer Protocol (NNTP)
Short Name: NNTPSVC
Process Name: INETINFO.EXE
Depends on: Event Log, IIS Admin Service, Security Accounts Manager, Remote Procedure Call
Components depend on this: None
Purpose: NNTP is a member of the TCP/IP suite of protocols used to distribute network news messages to NNTP servers and clients (newsreaders) on the Internet. NNTP is designed so that news articles are stored on a server in a central database, thus enabling a user to select specific items to read.
Consequence: If the service is stopped or disabled, client computers will not be able to retrieve and read posts. If the IIS Admin service is stopped, the NNTP service will stop as well.
Recommendation: Disable. Enable if this computer is an NNTP server.

Service Name: NT LM Security Support Provider
Short Name: NtLmSsp
Process Name: lsass.exe
Depends on: services.exe
Components depend on this: Telnet, Windows Internet Name Service (WINS), RPC, LPC, Kerberos
Purpose: It provides security to RPC programs that use transports other than named pipes. It enables users to log on to the network using the NTLM authentication protocol. If this service is stopped, users will be unable to log on to the domain and access services. NTLM is used mostly by Windows versions prior to Windows 2000.
Consequence: If disabled, users with versions of Windows prior to Windows 2000 will be unable to log in to the network.
Recommendation: Disable unless this computer needs to log on to pre-Windows 2000 computers or domains.

Service Name: .NET Framework Support Service
Short Name: CORRTSvc
Purpose: It provides the CLR - the Common Language Runtime - for .NET applications.
Consequence: If disabled, .NET applications will have trouble running.
Recommendation: Enable (Automatic).

P

Service Name: Performance Logs and Alerts
Short Name: SysmonLog
Process Name: smlogsvc.exe
Depends on: None
Components depend on this: None
Purpose: It collects performance data for the computer or other computers and writes it to a log or displays it on the screen.
Consequence: If disabled, performance information will no longer be logged or displayed.
Recommendation: Disable

Service Name: Plug and Play
Short Name: PlugPlay
Process Name: services.exe
Depends on: None
Components depend on this: Fax, Logical Disk Manager, Logical Disk Manager Administrative Service, Smartcard, Messenger, Telephony, Remote Access Auto Connection Manager, Remote Access, Connection Manager, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Virtual Disk Service, Windows Audio
Purpose: It allows an administrator to add hardware to a server and have the server automatically detect and configure it. Simply, it enables a computer to recognize and adapt to hardware changes with little or no user input.
Consequence: If disabled, the system will be unstable and incapable of detecting hardware changes.
Recommendation: Enable (Automatic).

Service Name: Portable Media Serial Number
Short Name: WmdmPmSN
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It retrieves the serial number of any portable media player connected to this computer.
Consequence: If disabled, protected content might not be downloaded to the device.
Recommendation: Disable

Service Name: Print Spooler
Short Name: Spooler
Process Name: spoolsv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: Fax, TCP/IP Print Server
Purpose: It manages all local and network print queues and controls all printing jobs. It loads files to memory for later printing.
Consequence: If disabled, printing on the local machine will be unavailable.
Recommendation: Disable this service if you don't have a printer attached.

Service Name: Protected Storage
Short Name: ProtectedStorage
Process Name: lsass.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It protects sensitive information such as private keys from exposure except to allowed persons and services.
Consequence: If disabled, protected information will be inaccessible.
Recommendation: Enable (Automatic).

R

Service Name: Remote Access Auto Connection Manager
Short Name: RasAuto
Process Name: svchost.exe -k netsvcs
Depends on: Remote Access Connection Manager, Telephony
Components depend on this: None
Purpose: It detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. It creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabling the service has no effect on the rest of the operating system; you will simply have to set up connections to remote computers manually. With this service running, unauthorized applications (such as Trojans) could bring up your network connection without your explicit request, so it is far better to dial manually.
Consequence: If disabled, users will have to set up connections to remote computers manually.
Recommendation: Disable unless using Dial-Up Networking and VPN (better to dial manually).

Service Name: Remote Access Connection Manager
Short Name: RasMan
Process Name: svchost.exe -k netsvcs
Depends on: Telephony, Plug and Play, Remote Procedure Call (RPC)
Components depend on this: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager
Purpose: It manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. This service is run on demand by the Remote Access Manager.
Consequence: If disabled, the operating system might not function properly.
Recommendation: Enable (Automatic) if using Dial-Up Networking and VPN, otherwise Disable.

Service Name: Remote Administration Service
Short Name: SrvcSurg
Process Name: Srvcsurg.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and controls Remote Assistance.
Consequence: If disabled, Remote Assistance will be unavailable.
Recommendation: Disabled.

Service Name: Remote Desktop Help Session Manager
Short Name: RDSessMgr
Process Name: sessmgr.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and controls Remote Assistance. If you don't plan to use Remote Administration, disable this service. Please note that it could create a major security hole so enable it only when absolutely required.
Consequence: If disabled, remote assistance will be unavailable. Before stopping this service, see the Depends on tab of the Properties dialog box.
Recommendation: Disable

Service Name: Remote Procedure Call
Short Name: RpcSs
Process Name: svchost.exe -k rpcss
Depends on: None
Components depend on this: Background Intelligent Transfer Service, Cluster Service, COM+ Event System, COM+ System Application, Cryptographic Services, DHCP Server, Distributed Link Tracking Client, Distributed Link Tracking Server, Distributed Tracking Coordinator, DNS Server, Error Reporting Service, Fax, File Replication, Help and Support, Human Device Interface Access, IIS Admin Service, Indexing Service, Internet Authentication Service, IPSEC Services, IPv6 Helper Service, Kerberos Key Distribution Center, Logical Disk Manager, Logical Disk Administrator Service, Messenger, MS Software Shadow Copy Provider, Network Connections, Print Spooler, Protected Storage, Remote Desktop Help Session Manager, Remote Registry, Removable Storage, Resultant Set of Policy Provider, Routing and Remote Access, Security Accounts Manager, Shell Hardware Detection, Task Scheduler, Telephony, Telnet, Terminal Services, Terminal Services Session Directory, Terminal Services Licensing, Upload Manager, Volume Shadow Copy, Web Element Manager, Windows Audio, Windows Image Acquisition (WIA), Windows Installer, Windows Internet Name Service (WINS), Windows Management Instrumentation, Windows Media Services, Wireless Configuration, WMI Performance Adapter, World Wide Web Publishing Service
Purpose: It allows processes to communicate internally and across the network with each other. It serves as the endpoint mapper and hosts other miscellaneous RPC services such as the COM Service Control Manager. It is absolutely essential; a multitude of the other services depend on this service running.
Consequence: If disabled, the system will not boot, so don't disable this service. Programs using COM or RPC services will not function properly.
Recommendation: Enable (Automatic). If you kill it off, your system won’t boot.

Service Name: Remote Procedure Call (RPC) Locator
Short Name: RpcLocator
Process Name: locator.exe
Depends on: Workstation
Components depend on this: None
Purpose: It manages the RPC name service database. In simple words, it provides RPC name services similar to DNS services for IP.
Consequence: If disabled, systems that are running third-party utilities looking for RPC information will be unable to find it. OS components do not use this service, but programs such as Exchange do.
Recommendation: Disabled (It depends on what applications you have installed).

Service Name: Remote Registry Service
Short Name: RemoteRegistry
Process Name: svchost.exe -k regsvc
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides a mechanism to remotely manage the system registry. In simple words, this service lets users connect to a remote registry and read and/or write keys to it; of course, they need the required permissions. Do -you- want someone editing -your- registry remotely? From a security perspective, I didn't think so.
Consequence: Remote systems will be unable to connect to the local registry. Hfnetchk uses this mechanism. Disabling it can affect the patch utility's operation.
Recommendation: Disable (Some programs require this functionality in order to operate).

Service Name: Remote Server Manager
Short Name: AppMgr
Process Name: APPMGR.EXE
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: WMI provider for Remote Administration Alerts. It holds the Remote Administration alert information. It provides an interface for raising, clearing and enumerating Remote Administration alerts, and provides an interface for executing Remote Administration tasks.
Consequence: If disabled, Server management may be affected.
Recommendation: Disable

Service Name: Removable Storage
Short Name: NtmsSvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and catalogs removable media and operates automated removable media devices. This service maintains a catalogue of identifying information for removable media used by a system, including tapes, CDs, and so on.
Consequence: If disabled, programs that are dependent on Removable Storage, such as Backup and Remote Storage, will operate more slowly.
Recommendation: Enable (Automatic). Disable this service if you are not planning to use any programs that depend on Removable Storage.

Service Name: Resultant Set of Policy Provider
Short Name: RSoPProv
Process Name: RSoPProv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied.
Consequence: If disabled, remote verification will be unavailable.
Recommendation: Enable (Automatic).

Service Name: Routing and Remote Access
Short Name: RemoteAccess
Process Name: svchost.exe -k netsvcs
Depends on: NetBIOS Interface, NetBIOSGroup, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It offers routing services in local area and wide area network environments. That is, it enables multiprotocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on this network.
Consequence: If disabled, Routing and Remote Access services will be unavailable.
Recommendation: Disable. Better yet, don't install this service at all.

S

Service Name: Secondary Logon
Short Name: seclogon
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. When Microsoft says 'Alternate Credentials' they are talking about the [Run As...] command which appears on the context menu, allowing a Limited User to run an executable as a higher level user.
Consequence: If disabled, users will be unable to use the "Run As" feature to elevate privileges.
Recommendation: Disable

Service Name: Security Accounts Manager
Short Name: SamSs
Process Name: lsass.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: DHCP Server, Distributed File System, Distributed Transaction Coordinator, IIS Admin Service, FTP Publishing Service, HTTP SSL, Intersite Messenger Service, Message Queuing, Message Queuing Downlevel Client Support, Message Queuing Triggers, Microsoft POP3 Service, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Windows Internet name Services (WINS), World Wide Web Publishing Service
Purpose: It stores account information for local security accounts, which, when started, allows other services to access the SAM.
Consequence: If disabled, services that rely on requests to the SAM database will not function properly.
Recommendation: Enable (Automatic). If you don't use DHCP to obtain an IP address, this service can be disabled.

Service Name: Server
Short Name: lanmanserver
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Computer Browser, Distributed File System, Remote Installation
Purpose: It provides RPC support and file print and named pipe sharing over the network. This service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. You should carefully consider the full implications of enabling this!
Consequence: If disabled, resources can't be shared, RPC requests will be denied, and named pipe communication will fail.
Recommendation: Disable (This service must be enabled on Windows XP computers that share files or printers).

Service Name: Shell Hardware Detection
Short Name: ShellHWDetection
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: Windows Image Acquisition (WIA)
Purpose: It is used for the auto play of devices like memory cards, some CD drives, etc. Set to Automatic if you are experiencing problems with laptop docking stations.
Consequence: If disabled, devices like CDROMs, digital cameras will not automatically function.
Recommendation: Enable (Automatic). It is much easier to leave this enabled, and not much of a security risk.

Service Name: Simple Mail Transport Protocol
Short Name: SMTPSVC
Process Name: inetinfo.exe
Depends on: IIS Admin Service, Remote Procedure Call (RPC), Security Accounts Manager, Event Log
Components depend on this: None
Purpose: It transports electronic mail across the network.
Consequence: If disabled, mail will not be transported across the network.
Recommendation: Disable. If you are using the built-in mail server for receiving mail, then leave it on Automatic.

Service Name: Simple TCP/IP Services
Short Name: SimpTcp
Process Name: tcpsvcs.exe
Depends on: AFD Networking Support Environment
Components depend on this: None
Purpose: It implements support for the Echo, Discard, Character Generator, Daytime and Quote of the Day protocols. Once this service is installed and started, all five protocols are enabled on all network adapters. There is no provision for selectively enabling specific services or enabling this service on a per-network-adapter basis.
Consequence: Stopping or disabling this service has no effect on the rest of the operating system.
Recommendation: Do not install Simple TCP/IP Services unless you specifically need this computer to support communication with other systems that use these protocol services.

Service Name: Smart Card Service
Short Name: SCardSvr
Process Name: SCardSvr.exe
Depends on: Plug and Play
Components depend on this: None
Purpose: It manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Consequence: If disabled, the operating system will be unable to support smart cards.
Recommendation: If you're using a smart card reader, enable this service otherwise disable it.

Service Name: Smart Card Helper Service
Short Name: SCardDrv
Process Name: SCardSvr.exe
Purpose: It enables support for legacy non-plug and play smart-card readers used by this computer. The same as Smart Card except this is for legacy cards that don't support Plug and Play.
Consequence: If this service is stopped, the computer will not support legacy readers.
Recommendation: If you're using a legacy non-plug and play smart-card reader, enable this service otherwise disable it.

Service Name: SNMP Service
Short Name: SNMP
Process Name: snmp.exe
Depends on: Event Log
Components depend on this: None
Purpose: Allows incoming SNMP (Simple Network Management Protocol) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation. SNMP provides a method of managing network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally-located computer running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.
Consequence: If the service is stopped or disabled, the computer will no longer respond to SNMP requests. If the computer is being monitored by network management tools, the tools won’t be able to collect data from the computer or control its functionality via SNMP.
Recommendation: Disable it unless required.

Service Name: SNMP Trap Service
Short Name: SNMPTRAP
Process Name: snmptrap.exe
Depends on: Event Log
Components depend on this: None
Purpose: Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer.
Consequence: If the service is stopped or disabled, SNMP applications won’t receive SNMP traps that they are registered to receive. If this computer is being used to monitor network devices or server applications using SNMP traps, significant system occurrences could be missed.
Recommendation: Disable

Service Name: Special Administration Console Helper
Short Name: Sacsvr
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It allows administrators to remotely access a command prompt using Emergency Management Services.
Consequence: If disabled, remote command prompt access will be unavailable.
Recommendation: Disabled.

Service Name: SQLAGENT
Short Name: SQLSERVERAGENT
Process Name: SQLagent.exe
Depends on: MSSQL
Components depend on this: None
Purpose: Job scheduler for server with SQL Server installed.
Consequence: If disabled, Job scheduling will be unavailable.
Recommendation: Disabled (Enable it if you require job scheduling).

Service Name: System Event Notification
Short Name: SENS
Process Name: svchost.exe -k netsvcs
Depends on: COM+ Event System, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It tracks system events such as Windows logon, network and power events. It notifies COM+ Event System subscribers of these events. In simple words, it is required to record entries in the event logs; it notifies COM+ subscribers about logon and power-related events.
Consequence: If disabled, certain notifications will no longer work. For example, synchronization won't work, as it depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications.
Recommendation: Disable. Leave enabled for laptops so that power notifications are passed to the user.

T

Service Name: Task Scheduler
Short Name: Schedule
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user to configure and schedule automated tasks on this computer. Using Task Scheduler, you can schedule any script, program, or document to run at a time that is most convenient for you. If you must run scheduled tasks then consider disabling all users other than administrator from running tasks. It can create major security problems and allow a hacker to compromise your system by scheduling Trojans to run.
Consequence: If disabled, tasks will not be run at their scheduled times.
Recommendation: It should be disabled unless absolutely required.

Service Name: TCP/IP NetBIOS Helper
Short Name: LMHosts
Process Name: svchost.exe -k LocalService
Depends on: AFD Networking Support Environment, NetBIOS Over TCP/IP
Components depend on this: None
Purpose: It provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network.
Consequence: If this service is stopped or disabled, NetBT's clients, including Server, Netlogon and Messenger, will stop responding. As a result, you may not be able to share files or printers, or log on.
Recommendation: Disable. For small networks, this service may be essential if you share files with others. For larger networks with central file servers, keep disabled on desktops.

Service Name: TCP/IP Print Server
Short Name: LPDSVC
Process Name: svchost.exe -k tapisrv
Depends on: Print Spooler, Remote Procedure Call (RPC), TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: It enables TCP/IP-based printing using the Line Printer Daemon protocol. The LPDSVC on the server receives documents from native LPR utilities running on Unix computers.
Consequence: If this service is stopped or disabled, TCP/IP-based printing will be unavailable.
Recommendation: Disable

Service Name: Telephony
Short Name: TapiSrv
Process Name: tcpsvcs.exe
Depends on: Plug and Play, Remote Procedure Call (RPC)
Components depend on this: Fax, Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS), Remote Access Auto Connection Manager, Remote Access Connection Manager
Purpose: It provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections.
Consequence: If this service is stopped or disabled, any program that depends upon telephony, including modem subsystem support, will not function correctly.
Recommendation: Enable (Automatic) if using Dial-Up Networking, Faxing or PC Phone Services; otherwise Disable.

Service Name: Telnet
Short Name: TlntSvr
Process Name: tlntsvr.exe
Depends on: Remote Procedure Call, NT LM Security Support Provider, TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: It enables a remote user to log on to this computer and run programs; it supports various TCP/IP Telnet clients, including UNIX- and Windows-based computers. In simple words, it allows a remote user to log on to the system and run console programs by using the command line. Having this service enabled on your system poses a serious security threat.
Consequence: If the Telnet service is stopped or disabled, remote users will not be able to connect to the computer using telnet.
Recommendation: Disable

Service Name: Terminal Server Licensing
Short Name: TermServLicensing
Process Name: LServer.exe
Depends on: Event Log, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: Installs a license server and provides registered client licenses when connecting to a Terminal Server. The Terminal Services License Service is a low-impact service that stores the client licenses that have been issued for a Terminal Server and tracks the licenses that have been issued to client computers or terminals.
Consequence: If this service is stopped or disabled, the server will be unable to issue Terminal Server licenses to clients when requested. If another License Server is discoverable on a domain controller in the forest, the requesting Terminal Server will attempt to use it.
Recommendation: Enable (Automatic).

Service Name: Terminal Services
Short Name: TermService
Process Name: svchost.exe -k termsvcs
Depends on: Remote Procedure Call (RPC), Infrared Monitor
Components depend on this: Fast User Switching Compatibility Services
Purpose: It allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service. By default, Terminal Services is installed in remote administration mode. To install Terminal Services in Application Mode, use Configure Your Server or Add/Remove Windows Components to change the Terminal Services mode.
Consequence: If this service is stopped or disabled, remote users cannot use Remote Desktop. To prevent remote use of this computer, clear the check boxes in the Remote tab of the System properties control panel item.
Recommendation: Enable (Manual).

Service Name: Terminal Services Session Directory
Short Name: Tssdis
Process Name: tssdis.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It enables a user connection request to be routed to the appropriate terminal server in a cluster. In other words, it allows clusters of load-balanced Terminal Servers to properly route a user's connection request to the server where the user already has a session running. Without it, users are routed to the first available Terminal Server, regardless of whether they've got a running session elsewhere in the cluster. Load Balancing pools the processing resources of several servers using the TCP/IP networking protocol. You can use this service with a cluster of terminal servers to scale the performance of a single terminal server by distributing sessions across multiple servers. Session Directory keeps track of disconnected sessions on the cluster and ensures that users are reconnected to those sessions.
Consequence: If this service is stopped or disabled, load balancing for terminal services will not work, and connection requests will be routed to the first available server.
Recommendation: Disable

Service Name: Themes
Short Name: Themes
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: It provides user experience theme management. It provides rendering support for the new Windows XP graphic user interface (GUI). A desktop theme is a predefined set of icons, fonts, colors, sounds, and other window elements that give the computer desktop a unified and distinctive look. You can switch themes, create your own theme by changing a theme and then saving it with a new name, or restore the traditional Windows Classic look as your theme. This service is disabled by default on all Windows Server 2003 operating systems products.
Consequence: If this service is stopped or disabled, the new Windows XP visual style (windows, buttons, scrollbars and other controls) will revert back to the Windows Classic visual style.
Recommendation: Disable

Service Name: Trivial FTP Daemon
Short Name: tftpd
Process Name: tftpd.exe
Depends on: TCP/IP Protocol Driver, IPSEC Driver
Components depend on this: None
Purpose: TFTP (trivial file transfer protocol) is an integral part of the Remote Installation (RIS). A Remote Installation server uses the Trivial File Transfer Protocol Daemon (TFTPD) to download the initial files required for the remote installation process to begin. The most common file downloaded to the client using TFTPD is Startrom.com, which is responsible for bootstrapping the client computer. If the user then presses F12 when prompted, the Client Installation Wizard is downloaded to begin the remote installation process.
Consequence: Stopping or disabling this service will cause RIS to fail.
Recommendation: Disable (Unless you use Remote Installation).

U

Service Name: Uninterruptible Power Supply
Short Name: UPS
Process Name: ups.exe
Depends on: None
Components depend on this: None
Purpose: It manages communications with an Uninterruptible Power Supply (UPS) connected to the computer by a serial port. If you have a USB UPS, you should not start this service. By default the startup type is manual and the default status is stopped, unless you install and configure a serial UPS. Once you install and configure a serial UPS, the startup type changes to automatic and the default status changes to ‘started’.
Consequence: If this service is stopped or disabled, communications with the UPS will no longer work. In the event of power loss on the alternating current (AC) line, the UPS will be unable to direct the PC to shut down while the UPS battery discharges toward a critically low state. This could result in loss of data.
Recommendation: Disable

Service Name: Upload Manager
Short Name: Uploadmgr
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support.
Consequence: If this service is stopped or disabled, driver data will not be uploaded to Microsoft.
Recommendation: Disable.

V

Service Name: Virtual Disk Service
Short Name: VDS
Process Name: VDS.EXE
Depends on: Remote Procedure Call (RPC), Plug and Play
Components depend on this: None
Purpose: It provides a single interface for managing block storage virtualization whether done in OS software, RAID storage hardware subsystems, or other virtualization engines. In simple words, it provides software volume and hardware volume management service.
Consequence: If this service is stopped or disabled, VDS services will no longer be available.
Recommendation: Enable (Manual).

Service Name: Volume Shadow Copy
Short Name: VSS
Process Name: vssvc.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It manages and implements volume shadow copies used for backup and other purposes. Shadow copy backups ensure that:
• Applications can continue to write data to the volume during a backup.
• Files that are open are no longer omitted during a backup.
• Backups can be performed at any time, without locking out users.
Consequence: If this service is stopped or disabled, volume shadow copy backup functionality will no longer occur.
Recommendation: Enable (Manual). If you don’t use Windows Backup on this desktop, disable this service.

W

Service Name: WebClient
Short Name: WebClient
Process Name: svchost.exe -k LocalService
Depends on: WebDav Client Redirector
Components depend on this: None
Purpose: It allows Win32 applications to access documents on the Internet. That is, it enables Windows-based programs to create, access, and modify Internet-based files.
Consequence: Disabling the service will remove this capability, and will prevent users from using the Web Publishing Wizard to publish data to the Internet for locations that use the WebDAV protocol.
Recommendation: Disable

Service Name: Web Element Manager
Short Name: ElementMgr
Process Name: Elementmgr.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It is used by the Remote Administration process to serve user interface elements and it is responsible for serving Web user interface elements for the Administration Web site at port 8098.
Consequence: If this service is stopped or disabled, the Remote Administration system won't work properly.
Recommendation: Enable (Automatic)

Service Name: Windows Audio
Short Name: AudioSrv
Process Name: svchost.exe -k netsvcs
Depends on: Plug and Play, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides support for sound and related Windows Audio event functions. This service manages Plug-and-Play events for audio devices such as sound cards and global audio effects (GFX) for Windows audio application program interfaces.
Consequence: This service cannot be stopped once started. If this service is disabled, audio functionality may be affected, including the inability to hear sound or to process global audio effects (GFX).
Recommendation: Disable (you will get no sound without this service)

Service Name: Windows Image Acquisition (WIA)
Short Name: StiSvc
Process Name: svchost.exe -k imgsvc
Depends on: Remote Procedure Call (RPC), Shell Hardware Detection
Components depend on this: None
Purpose: It provides image acquisition services for scanners and cameras.
Consequence: If this service is disabled, events from imaging devices are neither captured nor processed. If stopped, the service will restart automatically at reboot if there is a WIA device installed. Also, this service is demand-started whenever a WIA-enabled application is launched.
Recommendation: Disable

Service Name: Windows Installer
Short Name: MsiServer
Process Name: msiexec.exe /V
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: Windows Installer manages the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. These setup rules define the installation and configuration of the installed application. In addition, you use this service to modify, repair, or remove an existing application. The Windows Installer technology consists of the Windows Installer service for the Windows operating systems and the package (.msi) file format used to hold information regarding the application setup and installations.
It manages the installation, addition, and deletion of software components, monitors file resiliency, and maintains basic disaster recovery by way of rollbacks.
Consequence: If this service is disabled, the installation, removal, repair, and modification of applications that use the Windows Installer will not succeed. Some applications use this service while running and those applications might not be able to execute.
Recommendation: Enable (Manual)

Service Name: Windows Internet Name Service (WINS)
Short Name: WINS
Process Name: wins.exe
Depends on: Event Log, NT LM Security Support Provider, Remote Procedure Call (RPC), Security Accounts Manager, COM+ Event System
Components depend on this: None
Purpose: Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000 or later.
Consequence: If this service is disabled, older clients will be unable to obtain NT domain information and use domain resources.
Recommendation: Enable (Automatic)

Service Name: Windows Management Instrumentation
Short Name: Winmgmt
Process Name: svchost.exe -k netsvcs
Depends on: Event Log, Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides system management information; required to implement performance alerts using Performance Logs and Alerts.
Consequence: If this service is disabled, System management and performance information will be unavailable and many Windows programs will be unable to function properly.
Recommendation: Enable (Automatic)

Service Name: Windows Management Instrumentation Driver Extensions
Short Name: Wmi
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: None
Purpose: This service monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
Consequence: This service is an extension of WMI only; if it is disabled, driver and event trace data will not be published through WMI.
Recommendation: Enable (Manual)

Service Name: Windows Media Services
Short Name: WMServer
Process Name: WMServer.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides streaming media services over IP-based networks.
Consequence: If this service is stopped, streaming media services will not be available.
Recommendation: Enable (Automatic)

Service Name: Windows System Resource Manager
Short Name: WindowsSystemResourceManager
Process Name: Wrm.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: The Windows System Resource Manager (WSRM) service is a tool to help customers deploy applications into consolidation scenarios. It provides policy-based management of CPU and memory consumption of processes running on a single operating system instance. Planned scenarios include multiple heterogeneous server applications, multiple Terminal Services users, multiple SQL server instances, multiple Internet Information Server (version 6) application pools or Exchange and IIS6 running together on the same machine. The service may only be installed and run on Windows Server 2003, Datacenter and Enterprise Edition.
Consequence: If this service is stopped or disabled, the resource management functions it offers will not be available.
Recommendation: Disable

Service Name: Windows Time
Short Name: W32Time
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Cluster Service
Purpose: It uses NTP to keep computers in the domain synchronized; critical for Kerberos authentication to consistently function.
Consequence: If this service is stopped or disabled, date and time synchronization with the forest or with an external NTP server will be unavailable. Stopping W32Time on a workstation prevents the workstation from synchronizing its time with another source, but has no effect on any other external server. If Kerberos authentication is implemented, clock drift may cause Kerberos identification tokens to be marked as expired and discarded by a server, resulting in inaccessible resources.
Recommendation: Enable (Automatic)

Service Name: WinHTTP Web Proxy Auto-Discovery Service
Short Name: WinHttpAutoProxySvc
Process Name: svchost.exe -k LocalService
Depends on: AFD Networking Support Environment, TCP/IP Protocol Driver, DHCP Client, IPSec Driver
Components depend on this: Cluster Service
Purpose: It implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration.
Consequence: If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result.
Recommendation: Enable (Manual)

Service Name: Wireless Configuration
Short Name: Wzcsvc
Process Name: svchost.exe -k netsvcs
Depends on: Remote Procedure Call (RPC), NDIS Usermode I/O Protocol
Components depend on this: Cluster Service
Purpose: It enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications.
Consequence: If this service is stopped, automatic wireless configuration will be unavailable. You will have to manually configure wireless networking.
Recommendation: Disable

Service Name: WMI Performance Adapter
Short Name: WmiApSrv
Process Name: wmiapsrv.exe
Depends on: Remote Procedure Call (RPC)
Components depend on this: None
Purpose: It provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Consequence: This service runs only when Performance Data Helper is activated.
Recommendation: Enable (Manual)

Service Name: Workstation
Short Name: Lanmanworkstation
Process Name: svchost.exe -k netsvcs
Depends on: None
Components depend on this: Alerter, Computer Browser, Distributed File System, File Server for Macintosh, Messenger, Net Logon, Remote Procedure Call (RPC) Locator
Purpose: It provides network connections and communications using the Microsoft Network services.
Consequence: If this service is stopped, you will no longer be able to establish connections to remote servers to access files and named pipes. This will also prevent access to files and printers stored on other machines. Stopping or disabling this service does not affect TCP/HTTP connectivity, so Internet browsing and WebClient access will still work.
Recommendation: Enable (Automatic)

Service Name: World Wide Web Publishing Service
Short Name: W3SVC
Process Name: svchost.exe -k iissvcs
Depends on: HTTP SSL, IIS Admin Service, Remote Procedure Call (RPC), Security Accounts Manager
Components depend on this: None
Purpose: This service provides HTTP services for applications on the Windows platform. The service contains a process manager and a configuration manager. The process manager controls the processes in which custom applications and simple Web sites reside. The configuration manager reads the stored system configuration and ensures that Windows is configured to route HTTP requests to the appropriate application pools or operating system processes.
Consequence: If this service is stopped or disabled, the operating system will no longer be able to serve Web pages or requests.
Recommendation: Enable (Automatic)

Conclusion:

As you can see from the above, not very much is actually needed to keep your server functioning in a proper manner. All the other enabled services pose an enormous security risk, bring little or no benefit, consume resources and can be safely turned off.

Refer to Part One for the other services: <<Part One>>

4 comments:

Anonymous said...

A nice post... but, it will be great if the unneeded services are listed separately

Anonymous said...

Great info. Have you compensated for the interoperability between the services? For instance, I cannot start W3SVC when HTTP SSL is disabled.

Anonymous said...

Thank you, Gopal Rao!
That's a useful article.

Gopal Rao said...

Great info. Have you compensated for the interoperability between the services? For instance, I cannot start W3SVC when HTTP SSL is disabled.

Yup, please see the "Depends on" and "Components depend on this" sections of each service. To start any service, the services listed under the "Depends on" section should be in the running state, and if you stop the service, then the services listed under the "Components depend on this" section would stop functioning.
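The dependency rule stated in the reply above can be checked on the box itself before a service is disabled. The following PowerShell is an added example, not code from the original post; the function names are my own, and the service short names in the loop come from this page.

```powershell
# Added example (not from the original post): report a service's dependency
# chain ("Depends on" / "Components depend on this") and only disable it when
# nothing that is still running depends on it. Written for PowerShell 2.0+.

function Get-ServiceDependencyReport {
    param([Parameter(Mandatory=$true)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Win32_Service exposes the startup type (Auto/Manual/Disabled)
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"

    # Services this one needs in order to start ("Depends on")
    $required  = Get-Service -Name $Name -RequiredServices
    # Services that stop working without this one ("Components depend on this")
    $dependent = Get-Service -Name $Name -DependentServices
    $runningDependents = $dependent | Where-Object { $_.Status -eq 'Running' }

    New-Object PSObject -Property @{
        Service           = $svc.Name
        DisplayName       = $svc.DisplayName
        Status            = $svc.Status
        StartMode         = $wmi.StartMode
        RequiredServices  = ($required | Select-Object -ExpandProperty Name) -join ', '
        RunningDependents = ($runningDependents | Select-Object -ExpandProperty Name) -join ', '
    }
}

function Disable-ServiceSafely {
    param([Parameter(Mandatory=$true)][string]$Name, [switch]$Force)

    $report = Get-ServiceDependencyReport -Name $Name
    if ($report.RunningDependents -and -not $Force) {
        Write-Warning ("{0} is still needed by: {1}. Not disabling; use -Force to stop those too." -f $Name, $report.RunningDependents)
        return $report
    }
    # -Force on Stop-Service also stops the dependents; Disabled keeps it from returning at boot
    Stop-Service -Name $Name -Force:$Force -ErrorAction Stop
    Set-Service -Name $Name -StartupType Disabled
    Get-ServiceDependencyReport -Name $Name
}

# Audit a few services from this page (Netman is recommended Enable and has dependents);
# skip any that are not installed on this machine
foreach ($name in 'mnmsrvc', 'WebClient', 'Wzcsvc', 'Netman') {
    try { Get-ServiceDependencyReport -Name $name | Format-List }
    catch { Write-Warning "$name is not installed on this machine" }
}
# Disable-ServiceSafely -Name 'WebClient'
```

Run the audit loop first and compare RequiredServices and RunningDependents against the lists on this page; only then uncomment the Disable-ServiceSafely call for a service whose dependents are not needed.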