Understanding each Windows 2000 service and shutting off unnecessary services will keep your server more secure than creating accounts for each service. If you carefully choose which services you run on a server, you can significantly reduce that server's exposure to attack. In the following list, you will discover some of the most common services and some risks they might pose. Keep in mind that just because I recommend not using a service does not mean that the service poses a direct security risk. The strategy here is to reduce risk by not running services unless they are specifically being used for a needed purpose.

Alerter Service

The Alerter service notifies users of administrative alerts (disk failure, space allocation problems, and so on). It works in conjunction with the Messenger Service, which receives and routes Alerter messages. Because unseasoned users might not recognize the difference between legitimate and illegitimate Alerter service notifications, someone might be able to trick a user into thinking he or she is getting a message from a system administrator. This type of attack, known as a social engineering attack, can result in the user taking some action based on what message was received. For example, the user might receive a message requesting their password to perform system maintenance or correct a problem. As a rule, you should probably restrict reception of Alerter service alerts to administrators.

    Service ID: Alerter

    Description: Notifies selected users and computers of administrative alerts

    Executable: %SystemRoot%\System32\services.exe

    Risks: Potential for social engineering attack

Application Management

The Application Management service communicates with Active Directory to assign, publish, and remove applications installed on the system through Group Policy. If your organization is not deploying applications through Group Policy, it is best to disable the service.

    Service ID: AppMgmt

    Description: Provides software installation services such as Assign, Publish, and Remove

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

Boot Information Negotiation Layer

This service is used with the Remote Installation Service (RIS), and should not be running unless the organization installs the operating system through RIS. The service does not pose a security risk, but it is not required and is a waste of system resources.

    Service ID: BINLSVC

    Description: Provides the ability to install Windows 2000 Professional on PXE remote boot-enabled client computers

    Executable: %SystemRoot%\System32\tcpsvcs.exe

    Risks: No known risks

Browser

The Browser service keeps a list of computers on your network and supplies the list to programs as they request it. This service is not required and in some cases, such as with a Web server, it should not be running.

    Service ID: Browser

    Description: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it

    Executable: %SystemRoot%\System32\services.exe

    Risks: Reveals information about a network

Indexing Service

The Indexing Service indexes documents and document properties on your disks and stores the information in a catalog so you can later search it. The indexing service has been the source of numerous vulnerabilities on IIS Web servers and should not be enabled on public servers unless specifically used.

    Service ID: cisvc

    Description: Indexes files on the hard drive

    Executable: %SystemRoot%\System32\cisvc.exe

    Risks: Has been prone to vulnerabilities in the past.

Refer to the following security bulletins for more information on how the Indexing Service has been exploited in previous compromises:

ClipBook

The ClipBook Service supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks. This allows users to clip and paste text and graphics over network connections. Unless you use this feature, disable the service. A summary of a potential vulnerability using the ClipBook can be found at http://www.securiteam.com/windowsntfocus/5TP022A2AW.html.

    Service ID: ClipSrv

    Description: Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks

    Executable: %SystemRoot%\System32\clipsrv.exe

    Risks: Potential for remote access to ClipBook pages

Distributed File System

Allows you to create a single logical drive that is distributed across several locations on a network. Although there are no known vulnerabilities, it is something that should be turned off unless needed.

    Service ID: Dfs

    Description: Manages logical volumes distributed across a local or wide area network

    Executable: %SystemRoot%\System32\Dfssvc.exe

    Risks: No known risks

DHCP Client

The DHCP Client manages network configuration by registering and updating IP addresses and DNS names. Although DHCP is not considered an insecure service, it is recommended to assign a static IP address to servers to prevent potential attacks against the DHCP protocol.

    Service ID: DHCP

    Description: Manages network configuration by registering and updating IP addresses and DNS names

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

Logical Disk Manager Administrative Service

This service is used to manage logical disks. It is recommended that you set it to start manually; the service will start itself when needed by the operating system. To set a service to manual startup, use the Services MMC snap-in found under Administrative Tools: select the service, view its properties, and set the Startup type to Manual.

    Service ID: dmadmin

    Description: Administrative service for disk management requests

    Executable: %SystemRoot%\System32\dmadmin.exe /com

    Risks: No known risks

Logical Disk Manager

This is the Logical Disk Manager Watchdog Service, a service that manages dynamic disks. This service is required by the operating system to run. This service's startup settings should be left set for automatic startup.

    Service ID: dmserver

    Description: Used to manage logical disks

    Executable: %SystemRoot%\System32\services.exe

    Risks: Logical Disk Manager Watchdog Service

DNS Server

The DNS Server service answers Domain Name System (DNS) name queries. Although there are no known risks with the Windows 2000 DNS Server, DNS servers in general have been the source of many vulnerabilities and the service should be used with caution. Refer to Chapter 15, "Protecting Other Internet Services," for a discussion of potential DNS vulnerabilities and instructions on securing a Windows 2000 DNS server.

    Service ID: DNS

    Description: Answers query and update requests for Domain Name System (DNS) names

    Executable: %SystemRoot%\System32\dns.exe

    Risks: No known risks, but opens a TCP port to listen for requests

DNS Client

The DNS Client service can be useful for caching DNS lookups for logging or an intrusion detection system. This service can speed DNS lookups, but does pose a security risk, because an attacker can view the contents of your DNS cache and determine Internet sites that you have recently visited. To view the contents of your DNS cache, type the command ipconfig /displaydns.

    Service ID: Dnscache

    Description: Resolves and caches Domain Name System (DNS)

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

Event Log

The Event Log logs administrative event messages from the system as well as running programs. Although limited in features and still suffering from a few bugs, it can be useful for intrusion detection and system monitoring. This service should be enabled, especially on standalone servers.

    Service ID: Eventlog

    Description: Logs event messages issued by programs and Windows

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

COM+ Event System

This system provides automatic distribution of events to subscribing COM components. For more information on COM+ and to obtain a COM+ spy program, visit http://www.rollthunder.com/newslv2n2.htm. If this service is not used by any of your installed software, the COM+ Event System and System Event Notification Service can be disabled.

    Service ID: EventSystem

    Description: Provides automatic distribution of events to subscribing COM components

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Fax Service

This manages fax sending and receiving. It's not required or recommended for a server, unless it is specifically designated as a fax server.

    Service ID: Fax

    Description: Helps you send and receive faxes

    Executable: %SystemRoot%\system32\faxsvc.exe

    Risks: No known risks

Single Instance Storage Groveler

This service is used with the Remote Installation Service and is not required unless using the Remote Installation Service.

    Service ID: Groveler

    Description: Scans Single Instance Storage (SIS) volumes for duplicate files, and points duplicate files to one data storage point, conserving disk space

    Executable: %SystemRoot%\System32\grovel.exe

    Risks: No known risks

Internet Authentication Service

This service is used to authenticate dial-up and VPN users. Obviously, this service should not be used on anything but dial-up and VPN servers.

    Service ID: IAS

    Description: Enables authentication, authorization and accounting of dial-up and VPN users. IAS supports the RADIUS protocol.

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

IIS Admin Service

The IIS Admin service allows for administration of IIS services through the Internet Services Manager MMC panel. This service is required if you are running any Internet services. If the server is not running any Internet services, you should uninstall Internet Information Server from Control Panel, Add and Remove Programs; the IIS Admin service will also be uninstalled.

    Service ID: IISADMIN

    Description: Allows administration of Web and FTP services through the Internet Information Services snap-in

    Executable: %SystemRoot%\System32\inetsrv\inetinfo.exe

    Risks: No known risks

Intersite Messaging

Intersite Messaging is used with Active Directory replication and is not required or recommended for anything except Active Directory servers.

    Service ID: IsmServ

    Description: Allows sending and receiving messages between Windows Advanced Server sites

    Executable: %SystemRoot%\System32\ismserv.exe

    Risks: No known risks

Kerberos Key Distribution Center

This domain service provides Kerberos Authentication Services (AS) and Ticket-Granting Services (TGS). This service works in conjunction with Active Directory on a Domain Controller, and cannot be stopped. This service should not be running on anything but a Domain Controller.

    Service ID: kdc

    Description: Generates session keys and grants service tickets for mutual client/server authentication

    Executable: %SystemRoot%\System32\lsass.exe

    Risks: No known risks

Server

This service provides RPC support and file, print, and named pipe sharing. This service is implemented as a file system driver and handles I/O requests. The service does not need to be running unless you plan on sharing files or printers over a Windows network.

    Service ID: lanmanserver

    Description: Provides RPC support and file, print, and named pipe sharing

    Executable: %SystemRoot%\System32\services.exe

    Risks: Exposes system file and printer resources if not properly secured.

Workstation

This service provides network connections and communications. It works as a file system driver and allows a user to access resources located on a Windows network. This should only be running on workstations and servers on an internal network secured behind a firewall. It should be disabled on any server that is accessible to the Internet.

    Service ID: lanmanworkstation

    Description: Provides network connections and communications

    Executable: %SystemRoot%\System32\services.exe

    Risks: Some standalone servers, such as Web servers, should not participate on a Windows network.

TCP/IP Print Server

This service allows remote Unix users to access a printer managed by a Windows 2000 server using the TCP/IP protocol. This service has had some vulnerabilities and, because it opens a port to the Internet, is not recommended unless the network is separated from the Internet by a firewall. For a discussion of a potential issue with the TCP/IP Print Server involving malformed print requests, refer to the article available at http://support.microsoft.com/support/kb/articles/Q257/8/70.ASP?LN=EN-US&SD=gn&FR=0&qry=tcp/ip%20printing&rnk=17&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000.

    Service ID: LDPSVC

    Description: Provides a TCP/IP-based printing service that uses the Line Printer protocol

    Executable: %SystemRoot%\System32\tcpsvcs.exe

    Risks: Has had vulnerabilities and opens a listening port

License Logging Service

Manages licensing information for a site. This service should not be used on anything but a domain controller.

    Service ID: LicenseService

    Description: Domain License Management

    Executable: %SystemRoot%\System32\llssrv.exe

    Risks: No known risks

TCP/IP NetBIOS Helper Service

Allows for NetBIOS communications over TCP/IP networks. This service should be disabled unless required for compatibility with an older version of Windows. Refer to Chapter 9, "Network Protocols, Clients, and Services," for more information on NetBIOS and NetBIOS over TCP/IP (NetBT).

    Service ID: LmHosts

    Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution

    Executable: %SystemRoot%\System32\services.exe

    Risks: Exposes system to NetBIOS weaknesses, such as NTLM authentication.

Messenger Service

The Messenger Service (not to be confused with MSN Messenger Service or other instant messenger services) sends and receives messages transmitted by administrators or by the Alerter service. This service is not required and should be disabled.

    Service ID: Messenger

    Description: Sends and receives messages transmitted by administrators or by the Alerter service

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

NetMeeting Remote Desktop Sharing

This service allows authorized users to remotely access your Windows desktop using NetMeeting. This service should be disabled because it has much potential for vulnerabilities. For remote desktop access, use Terminal Services instead.

    Service ID: mnmsrvc

    Description: Allows authorized people to remotely access your Windows desktop using NetMeeting

    Executable: %SystemRoot%\System32\mnmsrvc.exe

    Risks: Exposes a potentially insecure service

Distributed Transaction Coordinator

The Microsoft Distributed Transaction Coordinator (MS DTC) provides a transaction coordination facility via the OLE Transactions protocol, and coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.

    Service ID: MSDTC

    Description: Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers

    Executable: %SystemRoot%\System32\msdtc.exe

    Risks: No known risks

FTP Publishing Service

File Transfer Protocol (FTP) is not a secure protocol and the FTP publishing service can be a great security risk if not properly secured. This service should be disabled unless specifically providing file sharing via FTP. If used, it should be carefully secured and monitored. Refer to Chapter 15 for information on securing the FTP Publishing Service.

    Service ID: MSFTPSVC

    Description: Provides FTP connectivity and administration through the Internet Information Services snap-in

    Executable: %SystemRoot%\System32\inetsrv\inetinfo.exe

    Risks: No known risks with Microsoft's FTP server. In general, FTP is an insecure service. See Chapter 15 for more information.

Windows Installer

The Windows Installer Service manages software installations. This service is useful for installing and repairing software applications.

    Service ID: MSIServer

    Description: Installs, repairs and removes software according to instructions contained in .MSI files

    Executable: %SystemRoot%\System32\msiexec.exe /V

    Risks: No known risks

Network DDE

This service provides Dynamic Data Exchange traffic transport and security. Network DDE is not required for most applications and should be set to manual startup.

    Service ID: NetDDE

    Description: Provides network transport and security for dynamic data exchange (DDE)

    Executable: %SystemRoot%\System32\netdde.exe

    Risks: Accepts DDE requests over the network

Network DDE DSDM

This service stores a database of shared conversations so that when a Network DDE share is accessed, the shared conversation is referenced, and security checks determine if the requester can be granted access. This service should be set to start manually.

    Service ID: NetDDEdsdm

    Description: Manages shared dynamic data exchange and is used by Network DDE

    Executable: %SystemRoot%\System32\netdde.exe

    Risks: No known risks

Net Logon

The Net Logon service supports pass-through authentication of account logon events for computers in a domain. This service should not be used on standalone servers that should not be part of a domain, such as Web servers.

    Service ID: NetLogon

    Description: Supports pass-through authentication of account logon events for computers in a domain

    Executable: %SystemRoot%\System32\lsass.exe

    Risks: Can be used to relay brute-force password attempts

Network Connections

This service manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. This service can be set to start manually because it will start itself when needed.

    Service ID: Netman

    Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Network News Transport Protocol (NNTP)

The Network News Transport Protocol (NNTP) is used to provide a news server service, such as USENET. When building an NNTP server, follow the steps to harden the operating system included in Chapter 15. NNTP servers should be installed in a DMZ network and be treated like other Internet services, such as FTP, Mail, and Web. It is not recommended to configure NNTP servers on private networks. Any server on an inside network should have the NNTP service uninstalled or disabled.

    Service ID: NntpSvc

    Description: Transports network news across the network

    Executable: %SystemRoot%\System32\inetsrv\inetinfo.exe

    Risks: No known risks

File Replication

The File Replication service (FRS) replicates files, system policies, and logon scripts across servers in a domain. The service can also be used to replicate data for Distributed File System (DFS) sets.

    Service ID: NtFrs

    Description: Maintains file synchronization of file directory contents among multiple servers

    Executable: %SystemRoot%\System32\ntfrs.exe

    Risks: No known risks

NTLM Security Support Provider

This service provides security to remote procedure call (RPC) programs that use transports other than named pipes (Windows 3.x, for example). The service appears in the service list once Client for Microsoft Networks is installed.

    Service ID: NtLmSsp

    Description: Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

    Executable: %SystemRoot%\System32\lsass.exe

    Risks: NTLM password hashes are vulnerable to offline brute-force attacks.

Removable Storage

This service manages removable media, drives, and libraries. The service can be enabled as needed.

    Service ID: NtmsSvc

    Description: Manages removable media, drives, and libraries

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Plug-and-Play

This service manages device installation and configuration and notifies programs of device changes. I have successfully run a system without this service, but booting up takes much longer and some services, such as Remote Access Service, will not work. This service is probably best set to automatic.

    Service ID: PlugPlay

    Description: Manages device installation and configuration and notifies programs of device changes

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

IPSEC Policy Agent

This service manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. The IPSEC Policy Agent retrieves the IPSEC policy from Active Directory or the local registry.

    Service ID: PolicyAgent

    Description: Manages IP security policy and starts the ISAKMP/Oakley(IKE) and the IP security driver

    Executable: %SystemRoot%\System32\lsass.exe

    Risks: No known risks

Protected Storage

This service provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. This service is required.

    Service ID: ProtectedStorage

    Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

Remote Access Auto Connection Manager

This service automatically dials network connections when a request is made for a remote network address. This service is only required if using dial-up network connections.

    Service ID: RasAuto

    Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Remote Access Connection Manager

This service manages dial-up network connections. The service should only be running if the server is supporting Routing and Remote Access Services (RRAS).

    Service ID: RasMan

    Description: Creates a network connection

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Routing and Remote Access

This service offers routing services in local area and wide area network environments. The service should be only used on remote access points such as VPN servers. If configured incorrectly, this service could allow unauthorized access to a network.

    Service ID: RemoteAccess

    Description: Offers routing services to businesses in local area and wide area network environments

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: Could allow unauthorized network access if configured improperly

Remote Registry Service

This service lets authorized administrators manipulate registry entries on remote hosts. This service is required for some functions, such as remote performance monitoring, but is not recommended if not specifically needed.

    Service ID: RemoteRegistry

    Description: Allows remote registry manipulation

    Executable: %SystemRoot%\System32\regsvc.exe

    Risks: Can potentially expose registry if not secured properly

Remote Procedure Call (RPC) Locator

This service lets RPC-enabled applications register resource availability and lets clients find compatible RPC servers. This service should only be running on a domain controller.

    Service ID: RpcLocator

    Description: Manages the RPC name service database

    Executable: %SystemRoot%\System32\locator.exe

    Risks: No known risks

Remote Procedure Call (RPC)

This service calls services available on remote computers and is used for remote computer administration. This service is required on any Windows 2000 system.

    Service ID: RpcSs

    Description: Provides the endpoint mapper and other miscellaneous RPC services

    Executable: %SystemRoot%\System32\svchost -k rpcss

    Risks: Can expose system information

QoS Admission Control (RSVP)

This service provides managed bandwidth control to guarantee access to network services. This service should be enabled if you use the Windows QoS features.

    Service ID: RSVP

    Description: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets

    Executable: %SystemRoot%\System32\rsvp.exe -s

    Risks: No known risks

Security Accounts Manager

The Security Accounts Manager (SAM) stores security information for local user accounts for authentication purposes. This is a required service.

    Service ID: SamSs

    Description: Stores security information for local user accounts.

    Executable: %SystemRoot%\system32\lsass.exe

    Risks: Although there are a number of ways to obtain SAM data, the SAM service itself does not pose a risk.

Task Scheduler

This service schedules a program to run at a later designated time. With NT4, only administrators could schedule tasks and all tasks ran as SYSTEM. With Windows 2000, any user can schedule a task that will only run under their own user context. This service should be disabled unless there are jobs that need to be scheduled.

    Service ID: Schedule

    Description: Enables a program to run at a designated time

    Executable: %SystemRoot%\System32\MSTask.exe

    Risks: No known risks

RunAs Service

This enables starting processes under alternate credentials, one of Microsoft's responses to the Trojan problem. Using RunAs, you can run a process as administrator while logged in as a non-privileged user. This service should be left enabled.

    Service ID: seclogon

    Description: Enables starting processes under alternate credentials

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

System Event Notification

This recommended service tracks system events such as Windows logon, network, and power events.

    Service ID: SENS

    Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Internet Connection Sharing

This provides sharing of one machine's Internet connection with several others, for example to share a DSL or cable modem connection. This service should be disabled because it could allow users to use an unauthorized Internet connection, bypassing the organization's proxy and monitoring services.

    Service ID: SharedAccess

    Description: Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection

    Executable: %SystemRoot%\System32\svchost.exe -k netsvcs

    Risks: No known risks

Simple TCP/IP Services

These services run several basic TCP/IP services, most of which are not considered secure, and open TCP ports 7, 9, 13, 17, and 19. Simple TCP/IP Services is not installed by default, and installing it is not recommended. If it is installed, it can be removed from Control Panel, Add/Remove Programs, Add/Remove Windows Components, Networking Service by unchecking the option for Simple TCP/IP Services.

    Service ID: SimpTcp

    Description: Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day

    Executable: %SystemRoot%\System32\tcpsvcs.exe

    Risks: Runs several insecure services on various TCP ports

Simple Mail Transport Protocol (SMTP)

Provides outgoing Internet mail service. This service can be useful but should be limited to only be accessible from the local host or network.

    Service ID: SMTPSVC

    Description: Transports electronic mail across the network

    Executable: %SystemRoot%\System32\inetsrv\inetinfo.exe

    Risks: E-mail spoofing or relaying

SNMP Service

The Simple Network Management Protocol (SNMP) is not a secure protocol and, by default, is set to use public as its community string. The SNMP service reveals sensitive information about a Windows 2000 server and should only be used on an internal network.

    Service ID: SNMP

    Description: Includes agents that monitor the activity in network devices and report to the network console workstation

    Executable: %SystemRoot%\System32\snmp.exe

    Risks: Reveals sensitive information about a server

SNMP Trap Service

The SNMP trap service receives SNMP messages sent from other SNMP agents. The SNMP trap service should be used only on internal networks and should not be exposed to the Internet.

    Service ID: SNMPTRAP

    Description: Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer

    Executable: %SystemRoot%\System32\snmptrap.exe

    Risks: No known risks

Print Spooler

The print spooler is used to spool print jobs so that an application does not have to wait for a file to print. Unless the server is handling print queues, this service should be disabled.

    Service ID: Spooler

    Description: Loads files to memory for later printing

    Executable: %SystemRoot%\System32\spoolsv.exe

    Risks: No known risks

Performance Logs and Alerts

This service handles performance logs and alerts. This service is useful for both system and network monitoring.

    Service ID: SysmonLog

    Description: Configures performance logs and alerts

    Executable: %SystemRoot%\System32\smlogsvc.exe

    Risks: No known risks

Telephony

This service provides for telephony and IP based voice connections. This service should not be enabled unless you use such features on your LAN.

    Service ID: TapiSrv

    Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service

    Executable: %SystemRoot%\System32\svchost.exe -k tapisrv

    Risks: No known risks

Terminal Services

Terminal Service provides remote desktop access through TCP/IP connections. This service can be dangerous, especially if system passwords have already been compromised. Access to this service should be strictly limited by IP address (at the firewall or using IPSec) and should be closely monitored.

    Service ID: TermService

    Description: Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running

    Executable: %SystemRoot%\System32\termsrv.exe

    Risks: Potential remote desktop access, potential brute-force attack exposure

Terminal Services Licensing

Terminal services licensing is used to manage client licenses when using Terminal Services in application server mode. This service is required when the server is running Terminal Services in Application Server Mode. It is not installed unless Terminal Services has been installed in Application Server Mode.

    Service ID: TermServLicensing

    Description: Installs a license server and provides registered client licenses when connecting to a Terminal Server

    Executable: %SystemRoot%\System32\lserver.exe

    Risks: No known risks

Trivial FTP Daemon

Trivial FTP (TFTP) is not a secure service and should be used sparingly and only on a local trusted network. TFTP provides no form of user authentication or identification.

    Service ID: TFTPD

    Description: Implements the Trivial FTP Internet standard, which does not require a user name or password. Part of the Remote Installation Services.

    Executable: %SystemRoot%\System32\tftpd.exe

    Risks: Potential unauthorized file access.

Telnet

Allows a remote user to log on to the system and run console programs using the command line—the Microsoft Telnet server. Telnet is not a secure protocol and passwords are sent across the wire in plaintext. Furthermore, if NTLM authentication is enabled, NTLM password hashes can also be discovered. Telnet should be used sparingly and access should be tightly controlled at the firewall.

    Service ID: TlntSvr

    Description: Allows a remote user to log on to the system and run console programs using the command line

    Executable: %SystemRoot%\System32\tlntsvr.exe

    Risks: Potential for unauthorized remote command-line access, passwords and hashes sent unencrypted across the network

Utility Manager

The Utility Manager starts and configures accessibility tools. Disable this service unless you require use of the accessibility tools.

    Service ID: UtilMan

    Description: Starts and configures accessibility tools from one window

    Executable: %SystemRoot%\System32\UtilMan.exe

    Risks: No known risks

Windows Time

This service sets the system clock from a network time server. This service is only required on Windows 2000 Domain Controller services because the authentication protocol Kerberos depends on accurate time to validate users. It can be disabled on any other machine.

    Service ID: W32Time

    Description: Sets the computer clock

    Executable: %SystemRoot%\System32\services.exe

    Risks: No known risks

World Wide Web Publishing Service

Provides Web site services accessible anonymously from the Internet. This service exposes many vulnerabilities, especially with a default configuration. This service should never be run without first being hardened. See Chapter 14, "Protecting Web Services," for more information on hardening Web services.

    Service ID: W3SVC

    Description: Provides Web connectivity and administration through the Internet Information Services snap-in

    Executable: %SystemRoot%\System32\inetsrv\inetinfo.exe

    Risks: Numerous file access, remote command execution, denial of service, and other risks

Windows Management Instrumentation

The Windows Management Instrumentation (WMI) service provides system management information. It is essentially a Web-Based Enterprise Management (WBEM) compliant tool to collect and associate management data from a wide range of disparate sources. WMI is a useful administrative tool, but it is also useful for gathering information. The service should not be enabled if you are not specifically using it.

    Service ID: WinMgmt

    Description: Provides system management information

    Executable: %SystemRoot%\System32\WBEM\WinMgmt.exe

    Risks: Potential for exposing sensitive system information

Windows Internet Name Service (WINS)

WINS is Microsoft's name service for NetBIOS networks. Native Windows 2000 networks do not rely upon WINS. WINS can expose information about network users and computers and should be disabled. If enabled, it should be limited only to local network use.

    Service ID: WINS

    Description: Provides a NetBIOS name service for TCP/IP clients that have to register and resolve NetBIOS-type names

    Executable: %SystemRoot%\System32\wins.exe

    Risks: Potential for revealing sensitive system information
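
The recommendations in this checklist can be compared with a server's actual configuration. The following is an added example, not code from the book: it parses a regedit export of the Services registry key and compares each service's Start value (2 automatic, 3 manual, 4 disabled) with a subset of the chapter's recommendations. The policy table's layout, the function names, and the sample export are constructed for illustration.

```python
import re

# Meaning of the REG_DWORD "Start" value stored under each service key.
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Subset of the checklist: service ID (lower-cased) -> (recommended Start, conditional).
# conditional=True marks "disable unless you use it" entries, which need a human decision.
POLICY = {
    "messenger":    (4, False),  # not required, should be disabled
    "mnmsrvc":      (4, False),  # NetMeeting Remote Desktop Sharing
    "sharedaccess": (4, False),  # Internet Connection Sharing
    "wins":         (4, False),
    "clipsrv":      (4, True),
    "spooler":      (4, True),   # unless the server handles print queues
    "schedule":     (4, True),   # unless jobs need to be scheduled
    "msftpsvc":     (4, True),
    "lmhosts":      (4, True),
    "utilman":      (4, True),
    "dmadmin":      (3, False),  # manual; starts itself when needed
    "netdde":       (3, False),
    "netddedsdm":   (3, False),
    "netman":       (3, False),
    "dmserver":     (2, False),  # leave automatic
    "eventlog":     (2, False),
    "plugplay":     (2, False),
}

# Matches only the service key itself, not subkeys such as ...\Messenger\Parameters.
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\\]]+\\Services\\([^\\\]]+)\]$", re.IGNORECASE)
START_VALUE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.IGNORECASE)


def parse_start_types(reg_text):
    """Return {service_id_lowercase: start_value} from .reg export text."""
    starts, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = SERVICE_KEY.match(line)
            current = match.group(1).lower() if match else None
        elif current:
            match = START_VALUE.match(line)
            if match:
                starts[current] = int(match.group(1), 16)
    return starts


def audit(reg_text, policy=POLICY):
    """Return (service, observed, recommended, action) for each deviation."""
    findings = []
    for name, observed in sorted(parse_start_types(reg_text).items()):
        if name not in policy:
            continue  # drivers and services outside the checklist subset
        recommended, conditional = policy[name]
        if recommended == 2:
            deviates = observed > 2          # should run, but is manual/disabled
        else:
            deviates = observed < recommended  # starts more eagerly than advised
        if deviates:
            findings.append((name,
                             START_NAMES.get(observed, hex(observed)),
                             START_NAMES[recommended],
                             "review" if conditional else "fix"))
    return findings


# Constructed sample export, not taken from a real server.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DisplayName"="Messenger"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"""

if __name__ == "__main__":
    for service, observed, recommended, action in audit(SAMPLE_EXPORT):
        print(f"{action:6} {service:12} is {observed}, checklist says {recommended}")
```

Exports saved in the "Version 5.00" format are UTF-16 text, so open the file with encoding="utf-16" before passing its contents to audit().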
