Last Updated: 2006-08-17 23:25:31 UTC
by Chris Carboni (Version: 1)
Disable any and all un-needed services.
Removing any un-needed services greatly reduces your exposure to vulnerabilities as you now have fewer items running that could be vulnerable to attack.
Let's use the server service aka File and Printer Sharing as an example.
Chapter 7 of the Windows XP Threats and Countermeasures Guide (a must read for sysadmins IMHO) has a list of XP and Server 2003 services and a description of what each one does.
Threats and Countermeasures says the following about the Server service
"The Server service provides RPC support, file, print, and named pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows XP and Windows Server 2003.
If the Server service stops or if you disable it, the computer will not be able to share local files and printers with other computers on the network, and it will not be able to satisfy remote RPC requests."Ok, so, why would you need this service enabled on your system? That depends on what role the system is playing.
If the system is a file and/or print server you need the server service running or you have nothing but an energy gulping, heat generating paperweight.
If the system is a web server only, you don't need the server service enabled. Other types of application servers may or may not need the service enabled depending on the nature of the application.
Corporate laptops and desktops typically don't need the server service enabled.
Corporate users/admins take note - disabling the server service will make some forms of remote administration and management difficult, if not impossible so carefully evaluate the risks before taking any action.
If you are a home user with no other systems on your local LAN, you don't need the server service enabled.
If you are a home user with other systems on your internal LAN, then you only need the server service enabled if you are sharing folders or printers with the other system(s) on your LAN.
Ok, so you've realized that you don't need the service ruinning and you want to know how to stop it.
**Warning - the changes described below could cause a negative impact on production systems. Testing is required to determine whether the server service and/or any dependant services can / should be stopped.
You can either manage the service through the GUI (right click 'My Computer', manage, Services and Applications, Services) or ...
From a command shell on the target machine.:
C:>net stop lanmanserver
The system may respond:
Stopping the Server service will also stop these services.
[List of Services Here]
Do you want to continue this operation? (Y/N) [N]:
These are services that are dependent on the server service. You should carefully evaluate the need for any listed services before stopping the server service.
Ok, so the server service is stopped and the network is still functioning. Unless you change the way the service starts up (it is set to start automatically), the next time the system is rebooted, the server service will start again.
From the same command shell:
C:>sc config lanmanserver start= disabled
(Make sure the there is no space between 'start' and '=')
Which when successfull will return:
[SC] ChangeServiceConfig SUCCESS
For those unfamilliar with sc.exe, a full description can be found here.
sc.exe (and Netsvc.exe) can also be used to stop services but I prefer net stop for local use as it provides (again IMHO) a cleaner method of stopping dependant services. SC and Netsvc are excellent tools (as are some of the free offerings available from reputable vendors) for use in scripting remote service management.
This is just one example of a service that is enabled by default that many users keep enabled thinking they need it, when in many cases, they do not.
Home users: Take a few minutes and look through your list of running services and compare them with the descriptions in the Threats and Countermeasures Guide. Turn off and disable whatever you don't need.
Administrators: Take some time and look at your systems. Determine what is running, and what needs to be running. Develop a plan (including testing) to make any needed changes, get the approval you need and implement your plan.