I have been experimenting with Windows Server 2008 for a while now and I recently did a number of comparisons between the Core and Full versions of the new OS. This time I am looking at Services configured in a default installation and I also included Windows Server 2003 R2 in the mix, since there were significant changes that are easy to spot. I have seen a lot of documentation about how those services are more secure in the new release, but I wanted to check for myself.

I installed the Enterprise edition of Windows Server 2003 R2 and compared to both the Full and Core installs of Windows Server 2008 Enterprise June CTP. As usual, please note that this is still a pre-release version and the default services settings might still change before the final release. To gather the information, I used the Services Control command-line tool (SC.EXE), which is available in all versions tested. I first gathered a list of all services and stored in a text file using:

sc query | find “SERVICE_NAME:” > servicelist.txt

Then I used the good old FOR command to loop through each service and query its complete configuration using the qc option of the sc tool, storing everything in another text file:

for /f “delims=: tokens=2” %1 in (servicelist.txt) do sc qc %1 >>serviceconf.txt

With that data at hand for all three different systems, I pasted it all into Excel and started playing with a pivot table. The results are included in the table below. Although I double-checked everything, please note that some of the data manipulation was not fully automated, so the results might include some inacuracies.

What you see consistently is that Windows Server 2008 is moving away from using the admin-level LocalSystem context and leveraging the user-level LocalService and NetworkService contexts. Even with the new features and services in Windows Server 2008, the number of LocalSystem services are down from a total of 27 on Windows Server 2003 R2 to 23 on a Full install of Windows Server 2008 and only 16 on a Core install. 

There are also a few details that are significant but are not well-captured by the table below. One is the fact that the advanced firewall puts further restrictions on these services (for instance, you can only communicate with certain services using specific ports, both inbound and outbound). Another detail is that some services do not start by default (start_type = demand_start). Those are marked in the table with a (*) sign. Although not security-related, there are also services that will have a delayed start (start_type = auto_start (delayed)) and those are marked in the table with a (-) sign.

The table also makes it easy to spot services present in a Full install but not in a Core install, which I mentioned in previous post. It also exposes other details, like the fact that Wireless Networks are now an optional component in the new Server.

Service Name

Service Display Name Windows Server
2003 R2
Windows Server
2008 Core
Windows Server 
2008 Full
AeLookupSvc Application Experience LocalSystem LocalSystem LocalSystem
BFE Base Filtering Engine   LocalService LocalService
BITS Background Intelligent Transfer Service   LocalSystem- LocalSystem-
Browser Computer Browser LocalSystem    
CryptSvc Cryptographic Services LocalSystem NetworkService NetworkService
DcomLaunch DCOM Server Process Launcher LocalSystem LocalSystem LocalSystem
Dhcp DHCP Client NetworkService LocalService LocalService
dmserver Logical Disk Manager LocalSystem    
Dnscache DNS Client NetworkService NetworkService NetworkService
DPS Diagnostic Policy Service   LocalService LocalService
ERSvc / WerSvc Windows Error Reporting Service LocalSystem    LocalSystem
Eventlog Windows Event Log LocalSystem LocalService LocalService
EventSystem COM+ Event System LocalSystem LocalService LocalService
gpsvc Group Policy Client   LocalSystem LocalSystem
helpsvc Help and Support LocalSystem    
IKEEXT IKE and AuthIP IPsec Keying Modules   LocalSystem LocalSystem
iphlpsvc IP Helper   LocalSystem LocalSystem
KtmRm KtmRm for Distributed Transaction Coordinator   NetworkService- NetworkService-
lanmanserver Server LocalSystem LocalSystem LocalSystem
lanmanworkstation Workstation LocalSystem LocalService LocalService
LmHosts TCP/IP NetBIOS Helper LocalService LocalService LocalService
MpsSvc Windows Firewall   LocalService LocalService
MSDTC Distributed Transaction Coordinator NetworkService NetworkService- NetworkService-
Netman Network Connections LocalSystem*   LocalSystem*
netprofm Network List Service   LocalService LocalService
NLA / NlaSvc  Network Location Awareness LocalSystem* NetworkService NetworkService
nsi Network Store Interface Service   LocalService LocalService
PlugPlay Plug and Play LocalSystem LocalSystem LocalSystem
PolicyAgent IPsec Policy Agent LocalSystem NetworkService NetworkService
ProfSvc User Profile Service   LocalSystem LocalSystem
ProtectedStorage Protected Storage LocalSystem    
RemoteRegistry Remote Registry LocalService LocalService LocalService
RpcSs Remote Procedure Call (RPC) NetworkService NetworkService NetworkService
SamSs Security Accounts Manager LocalSystem LocalSystem LocalSystem
Schedule Task Scheduler LocalSystem LocalSystem LocalSystem
seclogon Secondary Logon LocalSystem LocalSystem LocalSystem
SENS System Event Notification Service LocalSystem LocalSystem LocalSystem
ShellHWDetection Shell Hardware Detection LocalSystem   LocalSystem
slsvc Software Licensing   NetworkService NetworkService
Spooler Print Spooler LocalSystem   LocalSystem
TermService Terminal Services LocalSystem* NetworkService NetworkService
TrkWks Distributed Link Tracking Client LocalSystem   LocalSystem
TrustedInstaller Windows Modules Installer   LocalSystem* LocalSystem*
UxSms Desktop Window Manager Session Manager     LocalSystem
W32Time Windows Time LocalService LocalService LocalService
WdiSystemHost Diagnostic System Host     LocalSystem*
WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service   LocalService* LocalService*
winmgmt Windows Management Instrumentation LocalSystem LocalSystem LocalSystem
WinRM Windows Remote Management (WS-Management)   NetworkService- NetworkService-
wuauserv Automatic Updates or Windows Update LocalSystem LocalSystem- LocalSystem-
WZCSVC Wireless Configuration LocalSystem    
Totals
Local System 27 16 23
Local Service 3 13 13
Network Service 4 10 10
Grand Total 34 39 46

To learn more about services, check http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx