A blog by Jose Barreto, a member of the File Server team at Microsoft.
© Copyright 2004-2012 by Jose Barreto. All rights reserved.
I have been experimenting with Windows Server 2008 for a while now and I recently did a number of comparisons between the Core and Full versions of the new OS. This time I am looking at Services configured in a default installation and I also included Windows Server 2003 R2 in the mix, since there were significant changes that are easy to spot. I have seen a lot of documentation about how those services are more secure in the new release, but I wanted to check for myself.
I installed the Enterprise edition of Windows Server 2003 R2 and compared it to both the Full and Core installs of Windows Server 2008 Enterprise June CTP. As usual, please note that this is still a pre-release version and the default services settings might still change before the final release. To gather the information, I used the Services Control command-line tool (SC.EXE), which is available in all versions tested. I first gathered a list of all services and stored it in a text file using:
sc query | find "SERVICE_NAME:" > servicelist.txt
Then I used the good old FOR command to loop through each service and query its complete configuration using the qc option of the sc tool, storing everything in another text file:
for /f "delims=: tokens=2" %1 in (servicelist.txt) do sc qc %1 >>serviceconf.txt
With that data at hand for all three different systems, I pasted it all into Excel and started playing with a pivot table. The results are included in the table below. Although I double-checked everything, please note that some of the data manipulation was not fully automated, so the results might include some inaccuracies.
What you see consistently is that Windows Server 2008 is moving away from the admin-level LocalSystem context and toward the user-level LocalService and NetworkService contexts. Even with the new features and services in Windows Server 2008, the number of LocalSystem services is down from a total of 27 on Windows Server 2003 R2 to 23 on a Full install of Windows Server 2008 and only 16 on a Core install.
There are also a few details that are significant but are not well-captured by the table below. One is the fact that the advanced firewall puts further restrictions on these services (for instance, you can only communicate with certain services using specific ports, both inbound and outbound). Another detail is that some services do not start by default (start_type = demand_start). Those are marked in the table with a (*) sign. Although not security-related, there are also services that will have a delayed start (start_type = auto_start (delayed)) and those are marked in the table with a (-) sign.
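The per-account grouping described above can also be computed straight from serviceconf.txt instead of a spreadsheet. The following is an added example, not code from the original post: the function names and the SAMPLE text are assumptions constructed for illustration (ExampleSvc is hypothetical), laid out the way sc qc prints a service's configuration, and the (*) and (-) markers follow the convention described above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `sc qc` prints (fields trimmed); not the post's data.
SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Dhcp
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : Afd
                           : Tdx
        SERVICE_START_NAME : NT Authority\LocalService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Dnscache
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Netlogon
        START_TYPE         : 3   DEMAND_START
        SERVICE_START_NAME : LocalSystem
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ExampleSvc
        START_TYPE         : 2   AUTO_START  (DELAYED)
        SERVICE_START_NAME : LocalSystem
"""

# "KEY : value" lines only; banners and DEPENDENCIES continuation lines do not match.
FIELD = re.compile(r"^[ \t]*([A-Z_]+)[ \t]*:[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_sc_qc(text):
    """Return one dict per service: name, start type, logon account."""
    services = []
    for key, value in FIELD.findall(text):
        if key == "SERVICE_NAME":
            services.append({"name": value, "start": "", "account": "unknown"})
        elif key == "START_TYPE" and services:
            services[-1]["start"] = " ".join(value.split()[1:])  # drop numeric code
        elif key == "SERVICE_START_NAME" and services:
            # Casing and the "NT AUTHORITY\" prefix vary between services
            services[-1]["account"] = value.split("\\")[-1].lower()
    return services

def pivot(services):
    """Group names by account; (*) = demand start, (-) = delayed auto start."""
    table = defaultdict(list)
    for s in services:
        mark = "(*)" if s["start"] == "DEMAND_START" else "(-)" if "DELAYED" in s["start"] else ""
        table[s["account"]].append(s["name"] + mark)
    return dict(table)

if __name__ == "__main__":
    for account, names in sorted(pivot(parse_sc_qc(SAMPLE)).items()):
        print(f"{account:15} {len(names):2}  {', '.join(names)}")
```

To use it on real data, pass the contents of serviceconf.txt to parse_sc_qc in place of SAMPLE. When sc query is run with no state= argument it reports only services that are currently running, so stopped services do not reach servicelist.txt.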
The table also makes it easy to spot services present in a Full install but not in a Core install, which I mentioned in a previous post. It also exposes other details, like the fact that Wireless Networks are now an optional component in the new Server.
To learn more about services, check http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx