Which Windows Services Do We Need?


When you look at Microsoft Windows services, it can be confusing to sort through them and understand which ones you need. In this blog entry I'm going to take a more detailed look at Windows services and see if we can identify any services that might not be needed, or determine whether any are suspicious.

 

I think that services can be categorized into two different types: server services and client services. Server services are a bit easier to deal with because they typically do not directly interface with local users and should not be installed on a client computer.

 

Services that probably should not run on a client computer (laptop or desktop):

Description                Executable
FTP                        MSFTPSVC
Telnet                     TlntSvr
World Wide Web (www)       w3svc
SMTP                       Smtpsvc
SQL Express                mssql$sqlexpress
SQL Server                 Mssqlserver
Web service                Iisadmin

 

Client services that run on a server computer can be harder to identify, because a server service that is legitimate on that server may itself call several of them. The following table omits services that could be shown to be viable on a typical server.

 

Services that you would not expect on a server:

Description                        Executable
Peer Networking Grouping           P2psvc
Computer Browser service           Browser
Routing and Remote Access          RemoteAccess
Windows Audio                      Audiosrv
Bluetooth                          Bthserv
MultiMedia Class Scheduler         Mmcss
Peer Networking Identity Manager   Pnrpsvc
Windows Themes                     Themes

 

Now that we have a list of services that can be considered for evaluation, it would be nice to somehow automate the process of obtaining service information.

 

I started to dabble in PowerShell a while ago, and the following example is a perfect illustration of a simple but quick way to obtain service information without having to manually look at services on a device.

 

Looking for services using PowerShell

 

If you're not familiar with PowerShell, I recommend you take a look at it. In my book it's the best thing for an administrator since the advent of the automobile! http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

 

Step 1. Create a check file of the services that you want to flag

 

Create a text file that identifies the services you want to flag. For instance, I have a file called c:\temp\base.txt, and its contents are as follows:

 

Ftp service

telnet service

www service

SMTP service

sql express

sql server

web service

 

You can use your favorite editing tool such as Notepad.exe to create the file.

 

Step 2. Use Compare-Object to find the service

 

From a PowerShell command prompt, run the following command:

 

Compare-Object $(Get-Service | ForEach-Object { $_.Name }) $(Get-Content c:\temp\base.txt) -IncludeEqual -ExcludeDifferent

 

Simple, right?
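The two steps above, carried a little further as an added example (this is not the post's own script). One caveat worth knowing before you run it: Compare-Object is matching on the Name property of each service, so the check file must contain service names like those in the Executable column of the tables above; a line such as "Ftp service" is a description and will never match. The script seeds c:\temp\base.txt from the two tables if the file does not exist yet, then, for every match, pulls start mode, logon account and binary path from Win32_Service, which the Get-Service output does not carry. The file path is the one used in the post; the list of names is taken from the tables.

```powershell
# Added example, not from the original post. Inventory flagged services with
# their state, start mode, logon account and binary path.

$baseFile = 'c:\temp\base.txt'   # same check file the post uses

# Seed the check file from the two tables in the post if it is not there yet.
# These are service *names* (Get-Service's Name property), not descriptions.
if (-not (Test-Path $baseFile)) {
    @('MSFTPSVC', 'TlntSvr', 'W3SVC', 'SMTPSVC', 'MSSQL$SQLEXPRESS', 'MSSQLSERVER', 'IISADMIN',
      'p2psvc', 'Browser', 'RemoteAccess', 'Audiosrv', 'bthserv', 'MMCSS', 'PNRPsvc', 'Themes') |
        Set-Content -Path $baseFile
}

# Read the watch list, dropping blank lines and stray whitespace.
$watch = Get-Content -Path $baseFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Compare-Object is case-insensitive unless -CaseSensitive is given, so the
# casing in the file does not need to match the installed service names.
$installed = Get-Service | ForEach-Object { $_.Name }
$hits = Compare-Object -ReferenceObject $watch -DifferenceObject $installed `
                       -IncludeEqual -ExcludeDifferent |
        ForEach-Object { $_.InputObject }

if (-not $hits) {
    Write-Host "None of the $($watch.Count) watched services is installed on $env:COMPUTERNAME."
    return
}

# Win32_Service carries StartMode, StartName and PathName, which a
# ServiceController object from Get-Service does not expose.
$hits | ForEach-Object {
    $name = $_
    $wmi  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    New-Object PSObject -Property @{
        Name      = $name
        State     = $wmi.State
        StartMode = $wmi.StartMode
        Account   = $wmi.StartName
        Path      = $wmi.PathName
    }
} | Format-Table Name, State, StartMode, Account, Path -AutoSize
```

The binary path column is the part worth reading closely: a service whose name matches the list but whose executable lives somewhere other than where that Windows component is normally installed deserves a second look before you decide whether it is merely unneeded or actually suspicious.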

 

Other Services

 

When you run the script, it provides you with all kinds of great information. But maybe it's not enough information.

 

If you run this script, I'd be interested in your results. Did you see something you did not expect? What was it? Have you identified any services that did not make my list? Are you aware of services (third-party, maybe malware) that should be watched for?

 

And what about services like BITS (Background Intelligent Transfer Service) and RPC? Because there's a need to allow Windows Update to run as expected, these services would need to run most of the time.
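Whether a service such as BITS or RPC can be stopped is really a question about what else depends on it. The following is an added example (not the post's code) that prints both directions of the dependency chain for a list of service names before you change their start mode. BITS and RpcSs are the real service names for the two services mentioned above; the function name Show-ServiceDependencies is invented here.

```powershell
# Added example, not from the original post. For each named service, list the
# services it requires and the services that require it, using the
# ServicesDependedOn and DependentServices properties that Get-Service returns.

function Show-ServiceDependencies {
    param(
        # Default to the two services the post asks about.
        [string[]] $Names = @('BITS', 'RpcSs')
    )

    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$name' is not installed on this computer."
            continue
        }

        $requires = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
        $neededBy = ($svc.DependentServices  | ForEach-Object { $_.Name }) -join ', '

        Write-Host ("{0} ({1}) is {2}" -f $svc.DisplayName, $svc.Name, $svc.Status)
        Write-Host ("  requires:  {0}" -f $(if ($requires) { $requires } else { '(none)' }))
        Write-Host ("  needed by: {0}" -f $(if ($neededBy) { $neededBy } else { '(none)' }))
        Write-Host ''
    }
}

Show-ServiceDependencies
```

On a typical installation the "needed by" line for RpcSs is long, which is the concrete reason it belongs in the "leave running" category; the same check applied to entries from the tables above will usually show an empty "needed by" line, which is what makes them candidates for disabling.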

 

Finally, do scripts like this one provide value to you? What would you recommend to improve on it?

 

Comments
  • The phrase "probably would/wouldn't expect" sadly puts a lot of conjecture into an otherwise very informative post. If You're looking for solid advice on the services required for specific server roles on Windows Server 2003, and how to get to a secured system using the built-in tools, then the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14845) is a must-read. System services are covered in Chapter 7.

    Cheers,

    Oliver

  • When working with ill or ?infected stand-alone PCs, the safest approach is via a CDR-based maintenance OS such as Bart or WinPE.  

    In these cases, a challenge is how to apply tools that require registry access, e.g. HiJackThis, registry-aware scanners, etc.

    Bart has a solution in the form of Paraglider's RunScanner plugin (I have not tested this on Vista via WinPE, but I don't expect it to work).

    However, enumeration of services and drivers is not effectively redirected by RunScanner, presumably because the APIs involved look to "live" behavior rather than registry settings.  So managing these items "from orbit" (i.e. without running the stricken or infected HD installation) is a problem.

  • When considering services, risks can arise from small forms that are legit, but arrive as bundled with something else, e.g.

    1)  Apache web server (e.g. dropped by HP)

    2)  Old Sun Java JREs

    3)  mIRC, remote access tools, etc.

    4)  SQL servers (e.g. as part of office suite)

    On (2), it's harder to miss a modern JRE's bulk, but really old 1.4.xx, 1.3.xx JREs are small enough to drop.  I find bits of these in DPF etc. and it's unclear whether these are functional, or pose a threat as an exploitable surface.

    The shape of this problem is similar to patching GDIPlus, i.e. it can be hard to round 'em all up or know what to do with them!

  • This is a quiet blog full of posts that invite feedback - but if you find them "too late", you can't post comments because comments are closed.

    I can understand closing comments on a busy blog that has a set audience who have been following it regularly for a while, but a new blog is likely to be found and read from newest to oldest, and folks may want to comment on "old" stuff - as I will do here, off-topic or not! :-)

  • Whoa, there, it's 2008, right? Someone pinch me.

    Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

    And you think that using shell is a good way to admin a system?

    It's like I'm reading a UNIX BBS from the late 1980s.

    Too weird.

  • -Whoa, there, it's 2008, right? Someone pinch me.

    -Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

    Actually, the idea is to get exposure to PowerShell, as a shell tool.

    Asking public to comment....

    The blog is a discussion, and comments are always welcome.

    -And you think that using shell is a good way to admin a system?

    You have an opinion on this, could you elaborate your concern?

    -It's like I'm reading a UNIX BBS from the late 1980s.

    -Too weird.
