From Mark Mansi newsletter...great writer, even better speaker...if you don't get his letter...YOU SHOULD

This month, we start with a couple of topics that came up at our first two Security Roadshows and move to some great short tips.

Which Services Can I Turn Off?
Services are programs that run on an NT/2000/XP/.NET machine whether someone's logged into that machine or not. While they are quite useful, each service presents yet another potential source for hackers seeking to find security holes to exploit in order to seize control of your system. Additionally, services take up RAM and CPU power. So many security experts recommend turning off unnecessary services.

But which services are unnecessary? That's a tough question to answer entirely, but here are a few suggestions. Don't take these as gospel, because every service is needed by someone. But they're a few things to look at.

Server and/or Computer Browser service
The Server service enables your computer to share its files with other computers, to act as a "server" in the "client-server" sense of file sharing. The other half of this transaction is the client piece of file sharing, another service with perhaps the most misleading name of any NT service: the "workstation" service.

Clearly any system that will act as a file server must have this service enabled. But the odd thing about Microsoft operating systems is that they all install with the Server service enabled, including Windows XP, 2000 Professional, Windows 98, and Windows ME. Thus, if you had 1000 workstations and 50 servers on your network, then you've got a total of 1,050 file servers.

That's bad because anyone who can get access to the Server service on your computer could easily get access to any file on your computer. And most workstations don't share files, so why run the thing anyway, as it just takes up CPU power and 1/2 meg of RAM? (Some people do need to run this, as their administrators like to be able to connect to the default C$, D$, etc shares. If this is the case, then I guess you should leave it on.)

Furthermore, every server annoys the network by announcing its presence every 12 minutes with a broadcast saying "hi, I'm still here... I'm a server named JoesPC and I don't have anything to share, but I'm a server and I wanted you all to know that I'm still here!" Broadcasts slow down a network and the machines on the network, as everything's got to stop and listen to the broadcast to see if there's anything important in it. Those broadcasts go into the server browse list, which is how all of those computers get into Network Neighborhood / My Network Places.

Now, even if you do want the Server service running on all of your systems, you can get the systems to stop doing those broadcasts by stopping a different service -- the Computer Browser service. Some people worry that turning this off will keep their computer from being able to browse My Network Places, but that's not the case at all. This service only announces a server's presence; shutting it off on your computer will still let you open up NetHood and see the other computers on the network. (By leaving your Server service on and disabling Computer Browser, you are, then, essentially running your server in "stealth mode;" think of this as a Romulan cloaking device for servers.)

People tend to leave the Server service on for two reasons that are unnecessary: Web servers and Remote Assistance / NetMeeting. You do not need to have the Server service running on a Web server, and both Remote Assistance and NetMeeting can still transfer files without the Server service.

Fax Service
Manual and off by default, but you always have to wonder if someone will find a way to exploit it... I have very few systems attached to fax-capable modems, so I disable this wherever I find it.

Indexing Service
This seems to get turned on wherever you have a Web server. It's a great way to build fast, powerful search engines for a Web server but unless you've explicitly created a search page on your Web then disable this. Also, delete the two default indexes "System" and "Web" and instead create custom indexes as needed. See Newsletter #17 for more info on Indexing Service, but the bottom line is that most of us can safely ignore it.

Alerter and Messenger
Two services that support pop-up messages on your desktop. These are not the pop-ups that you get on the Web -- shutting down these services will not get rid of Web pop-ups, unfortunately. Nor is this Windows Messenger. The system uses this to send administrative messages; for example, it's possible to type "net send * get off the system" and everyone will get a little pop-up message that says "get off the system;" the idea is that administrators can use this as a primitive kind of instant messaging to network users.

I tend to turn this off, but be aware that if you do then many error messages only appear in the event logs at that point.

IMAPI CD-Burning COM Service
New to XP, this service assists XP's Roxio CD Creator. If you turn it off, then Roxio stops working. If, on the other hand, you use a separate third-party burner, like Ahead Software's Nero Burning ROM, then the service is unnecessary and you can disable it.

Shell Hardware Detection
This is new to XP. When you plug in certain kinds of hardware, like cameras, CF cards or the like, then XP responds by popping up a window and asking you what you'd like to do -- download pictures, create a slide show, etc. That's all done with the "shell hardware detection" service. If you find the "what shall we do with this new hardware?" windows irritating then you can shut off this service.

Still Image Service
Camera support stuff. If you know you use it, great. Otherwise, disable it.

Themes
I'm not sure why this is, but XP actually has a service that supports Themes. Call me an old fuddy-duddy, but I prefer to burn my CPU cycles getting work done or playing a game, so I've never quite understood why anyone would turn on the zooming menus and the other stuff that you can do on the UI. As I'm kind of a plain-blue-background-and-no-sound-effects guy, this service doesn't do anything for me, so I shut it off.

Volume Shadow Service
This is the client half of a neat tool that lets you simply and automatically archive important files several times a day. Unfortunately, the server half isn't appearing until Windows .NET 2003 Server arrives. So it's safe to stop this service for now... but don't forget to turn it back on when .NET arrives!

Web Client
If you have Web pages that you store on other people's servers, then you need some way to connect to those servers to change your Web content. For years FTP has been a popular approach but it's a little limited for some, which led to an improved over-the-Internet file sharing system called the Web Distributed Authoring and Versioning or WebDAV protocol. (Look up RFCs 2518 and 3258 if you need the geeky details.) Basically, though, it's a file sharing system that runs over port 80, piggy-backing on HTTP. And it's a terrific idea, as anyone who's ever fought with an FTP client can attest.

XP includes the client-side part of it in a service called the Web Client. 2000, .NET and, if I recall right, IIS 4.0 include the server-side in "Web folders." See, you probably didn't even know that you had a built-in file sharing system that had nothing at all to do with SMB and that can slip past your firewalls because it runs on port 80!

But what's that you say, you need to know how well-tested the Web Client and Web Folders are? Me too. My paranoid suspicion is that this is going to turn out to be a great protocol with the usual bunch of security holes that someone will discover and exploit some day. So for myself, I shut off the Web Client service and avoid Web folders on my Web servers.

Windows Image Acquisition
Support for webcams mostly. If you're not using one, then you can shut this service off.

World Wide Web Publishing Service, SMTP, FTP
For years, Microsoft has installed a Web server on every copy of Server, unless you asked Setup not to. That's why there are still systems out there trying to infect my Web servers with Nimda -- there are people who set up 2000 Server or NT Server to be a file server and who don't even realize that they've become an "accidental webmaster," so they don't know that their Web server (the one that they don't even know that they have) is infected and is trying to infect others.

Take a moment and see if you're running FTP, SMTP, or IIS on a server that you don't want to run those services on. You'll tighten up your system's security and get back some resources.

And If You Have XP...
You may find that your computer came with a copy of XP and that the hardware vendor added a few services. Could they be making your system more wobbly or less secure? There's an easy way to test to see if you need these extra services. Just start up msconfig.exe and click the "Services" tab. It's got a check box on it labeled "Hide Microsoft Services;" check it and you'll see just the stuff that the vendor (and perhaps you, depending on what you've installed) added. You can then stop any of those services or even click the "disable all" button to shut 'em all off. You can then restart your system and, well, just see if you miss any of them.

If you get too nuts and find that you've stopped a service that you needed to get your system going, then you can always start it with the Recovery Console and use the enable command to tell your system to start the service; then you'll be back up and running.
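
Added example, not part of the original post or the newsletter: a read-only PowerShell audit that reports which of the services discussed above are installed, running, or set to start automatically. The short service names are the Windows 2000/XP-era names and are an assumption of this example, as is the function name `Get-ServiceAudit`; newer Windows versions no longer ship some of them, which the script reports as not installed.

```powershell
# Read-only audit of the services named in the post. Nothing is stopped or changed.
# Keys are short service names (assumed XP/2000-era names, not from the newsletter);
# values are the headings used in the post.
$candidates = [ordered]@{
    'lanmanserver'     = 'Server'
    'Browser'          = 'Computer Browser'
    'Fax'              = 'Fax Service'
    'cisvc'            = 'Indexing Service'
    'Alerter'          = 'Alerter'
    'Messenger'        = 'Messenger'
    'ImapiService'     = 'IMAPI CD-Burning COM Service'
    'ShellHWDetection' = 'Shell Hardware Detection'
    'stisvc'           = 'Still Image Service / Windows Image Acquisition'
    'Themes'           = 'Themes'
    'VSS'              = 'Volume Shadow Service'
    'WebClient'        = 'Web Client'
    'W3SVC'            = 'World Wide Web Publishing Service'
    'SMTPSVC'          = 'SMTP'
    'MSFTPSVC'         = 'FTP'
}

function Get-ServiceAudit {
    # Index every installed service by its short name (hashtable keys are case-insensitive).
    $installed = @{}
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { $installed[$_.Name] = $_ }

    foreach ($name in $candidates.Keys) {
        $svc = $installed[$name]   # $null when the service does not exist on this machine
        [pscustomobject]@{
            Name      = $name
            Heading   = $candidates[$name]
            Installed = [bool]$svc
            State     = if ($svc) { $svc.State } else { '-' }
            StartMode = if ($svc) { $svc.StartMode } else { '-' }
            # Flag anything that is running now or will start at boot.
            Review    = [bool]($svc -and ($svc.State -eq 'Running' -or $svc.StartMode -eq 'Auto'))
        }
    }
}

Get-ServiceAudit | Sort-Object -Property Review -Descending | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the ones to check against the post's advice before deciding whether the machine actually needs them.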