Thoughts from the EPS Windows Server Performance Team
Back when I was a Systems Administrator, one of my roles was to review the system configuration for a server prior to its implementation in the production environment. We had a fairly streamlined process for server deployment – including scripts to verify the security hardening, installed software, disabled services etc. Disabling “unnecessary” services on a system is sometimes a very subjective process. If you were in the IT field in 2003, then you most likely remember the critical hotfix (MS03-043) that was released for a vulnerability in the Messenger service. Since that patch, many (if not most) environments have made disabling that service a standard practice. Other services are also turned off, based on the server’s role, whether it is in the DMZ or on the Internal network etc. This is all part of good system configuration and maintenance – in terms of both reducing the attack surface and eliminating unnecessary overhead.
However … some caution should be exercised when deciding what services to turn off. For example, when I walked into a new job four years ago, one of the first problems I was asked to investigate was why none of the servers were dynamically registering their DNS information. Every single one of the desktop machines was registered, but not a single system in the server room was. After about two minutes of looking at one of the problem systems, I realized that the DHCP Client service was disabled. A quick check on a couple of other systems confirmed that all of them had that service set to disabled via GPO. The fix was relatively simple – but the requisite (finger-pointing) post-mortem revealed that none of the admins really knew what the DHCP Client service did. They had fallen into the common trap of thinking that DHCP was just for handing out IP addresses to client machines. Since the servers all had static IP addresses, they assumed that the DHCP Client service was “unnecessary” and disabled it (by the by, the Dynamic DNS registration failure caused by the DHCP Client service not running is outlined in KB264539).
So, what was the point of that anecdote? Recently we had a customer ask us “what services can safely be disabled?” In this particular instance he was trying to create a standard configuration for his desktop systems and wanted to know if we could give him “the absolute minimum set” of services that needed to stay running so he could optimize the performance of his client computers. The short answer was that we don’t really test service configuration combinations other than what is enabled by default out of the box. The reason for this is that services sometimes perform secondary functions. A classic example of this is the Spooler service. We all know that its primary function is to handle print spooling and processing. However, on a domain controller, the installation of the DC role adds a thread to the spooler service that is responsible for print pruning – removing stale print queue objects from Active Directory. If the spooler service is not running on at least one DC in each site, then Active Directory has no means of removing queue objects for printers that no longer exist.
So the moral of the story is that while there are opportunities for tuning by turning off services to decrease the overhead – you have to know everything that the service does, lest your good intentions have dire consequences. And with that, we’ve reached the end of our post. Until next time …
- CC Hameed
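As an added example (not part of the original post and not a Microsoft tool), here is the kind of check a deployment-review script could run over a proposed disable list, flagging the secondary functions described above before the setting is pushed out via GPO. The service short names Dhcp, Dnscache, Spooler and Messenger, the Win32_ComputerSystem DomainRole test, and PowerShell 3.0+ with the CIM cmdlets are assumptions.

```powershell
# Added example, not from the original post: audit a proposed "disable list" against
# a catalogue of secondary functions before applying it on a server.
# Assumptions: PowerShell 3.0+ (CIM cmdlets), run locally on the server under review.

# Secondary functions described in the post and its comments; extend as you learn more.
$SecondaryRoles = @{
    'Dhcp'     = 'DHCP Client also performs dynamic DNS registration (KB264539), even with a static IP.'
    'Dnscache' = 'On Windows Vista and later, DNS Client performs the dynamic DNS registration instead.'
    'Spooler'  = 'On a domain controller, a spooler thread prunes stale print queue objects from AD.'
}

function Test-ServiceDisableList {
    param([Parameter(Mandatory)][string[]]$ServicesToDisable)

    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    foreach ($name in $ServicesToDisable) {
        # Win32_Service exposes the start mode (Auto/Manual/Disabled) and current state
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; StartMode = 'n/a'; State = 'not installed'; Caution = '' }
            continue
        }

        $caution = ''
        if ($SecondaryRoles.ContainsKey($name)) {
            if ($name -eq 'Spooler' -and -not $isDc) {
                $caution = 'Member server: no AD print pruning here, but confirm nothing prints through this host.'
            } else {
                $caution = $SecondaryRoles[$name]
            }
        }

        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Caution   = $caution
        }
    }
}

# Example run: Messenger (MS03-043) is a routine candidate; the other two deserve a second look.
Test-ServiceDisableList -ServicesToDisable 'Messenger', 'Dhcp', 'Spooler' | Format-Table -AutoSize
```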
Would've been great if you added a link to the article describing what secondary functions are performed by each service.
The MS article (http://support.microsoft.com/kb/816517/en-us#2) is a good place to begin as a way to know which services can be disabled without bringing the box down. Anything other than these I would worry about touching.
Of course (as you point out) you still have to look at what else you can be affecting as it is not always obvious.
Thanks for the article!
Vaguely related note:
Starting in Windows Vista, the DHCP Client service is no longer used for dynamic DNS registration. It's now the DNS Client service.
Which, you know, makes more sense. :)
I agree the question of "what is an unnecessary service" is not answerable without understanding what one believes is necessary or not.
However, it seems reasonable to request some basic documentation on what each service does. That way the administrator can make an informed decision as to whether or not that service performs a task that the administrator requires.
Perhaps the real problem is that most MS services are huge black boxes which don't really indicate what they do, and when they do, they only hint at it vaguely.
This sort of approach makes services nearly impossible to administer from the box default unless you have the time to find out how the MS engineers decided to screw you (either deliberately or through thoughtlessness).
Point in case : svchost. Granted, this is somewhat improved in vista, but only barely.
Even now, my machine is running services with names like "CNG Key Isolation" and "Application Information" and "Andrea ADI Filters Service". What these services do is meaningless and could just as easily be labeled "Generic MS Service 1", "Generic MS Service 2", and so on.
Let's face it. MS doesn't want us to turn any service off and makes it impossible to make an informed choice. When we do make a guess, there is some hidden trap that screws seemingly unrelated items up.
It might be MS's OS, but it's my machine, and let's not forget - before it's MS's hoarded money pile, it was my hard-earned cash.
Yes, the mystery service black box design IS one of my hot buttons, thanks for asking.
Having read this article, I agree with the sentiment of the other posters - disabling unnecessary services is a good thing for security ... so long as we don't end up with broken systems as a result.
In my view it would assist us in securing systems if this type of information was included in the MBSA or perhaps a domain based MBSA in the case of the print spooler.
Other things that can help us secure systems - which helps both the consumer and MS's reputation as being easy to use and secure is to:
1) Help us do the right thing by providing clear information.
2) One Service - One Role.
"Even now, my machine is running services with names like "CNG Key Isolation" and "Application Information" and "Andrea ADI Filters Service". What these services do is meaningless and could just as easily be labeled "Generic MS Service 1", "Generic MS Service 2", and so on."
Actually, if you open services.msc, you'll see pretty good descriptions of what the CNG Key Isolation and Application Information services do. As for the Andrea ADI Filters Service, that's not even a Microsoft service. It's installed by your sound card manufacturer, so don't blame Microsoft for it or for the lack of description as to what it does (it is a noise reduction service for the microphone input on your machine and can often be safely disabled).