Which Windows Services Do We Need?

re: Which Windows Services Do We Need?

Oliver Carr — Fri, 14 Sep 2007 09:31:54 GMT

The phrase "probably would/wouldn't expect" sadly puts a lot of conjecture into an otherwise very informative post. If You're looking for solid advice on the services required for specific server roles on Windows Server 2003, and how to get to a secured system using the built-in tools, then the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14845) is a must-read. System services are covered in Chapter 7.

Cheers,

Oliver

Managing services from orbit

cquirke — Fri, 14 Sep 2007 19:17:01 GMT

When working with ill or ?infected stand-alone PCs, the safest approach is via a CDR-based maintenance OS such as Bart or WinPE.

In these cases, a challenge is how to apply tools that require registry access, e.g. HiJackThis, registry-aware scanners, etc.

Bart has a solution in the form of Paraglider's RunScanner plugin (I have not tested this on Vista via WinPE, but I don't expect it to work).

However, enumeration of services and drivers are not effectively redirected by RunScanner, presumably because the APIs involved look to "live" behavior rather than registry settings. So managing these items "from orbit" (i.e. without running the stricken or infected HD installation) is a problem.

Little Creatures

cquirke — Fri, 14 Sep 2007 19:22:37 GMT

When considering services, risks can arise from small forms that are legit, but arrive as bundled with something else, e.g.

1) Apache web server (e.g. dropped by HP)

2) Old Sun Java JREs

3) mIRC, remote access tools, etc.

4) SQL servers (e.g. as part of office suite)

On (2), it's harder to miss a modern JRE's bulk, but really old 1.4.xx, 1.3.xx JREs are small enough to drop. I find bits of these in DPF etc. and it's unclear whether these are functional, or pose a threat as an exploitable surface.

The shape of this problem is similar to patching GDIPlus, i.e. it can be hard to round 'em all up or know what to do with them!

Keep Comments Open on Old Posts!

cquirke — Fri, 14 Sep 2007 19:31:36 GMT

This is a quiet blog full of posts that invite feedback - but if you find them "too late", you can't post comments because comments are closed.

I can understand closing comments on a busy blog that has a set audience who have been following it regularly for a while, but a new blog is likely to be found and read from newest to oldest, and folks may want to comment on "old" stuff - as I will do here, off-topic or not! :-)

re: Which Windows Services Do We Need?

Davi Ottenheimer — Thu, 08 May 2008 02:53:25 GMT

Whoa, there, it's 2008, right? Someone pinch me.

Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

And you think that using shell is a good way to admin a system?

It's like I'm reading a UNIX BBS from the late 1980s.

Too weird.

re: Which Windows Services Do We Need?

frasim — Thu, 08 May 2008 07:25:07 GMT

-Whoa, there, it's 2008, right? Someone pinch me.

-Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

Actually I the idea is to get exposure to Powershell, as a shell tool.

Asking public to comment....

The blog is a discussion, and comments are always welcome.

-And you think that using shell is a good way to admin a system?

You have an opinion on this, could you elaborate your concern?

-It's like I'm reading a UNIX BBS from the late 1980s.

-Too weird.