Securing The Core Operating System: 8 Controlling Access To Data - . - 139
Part III
Chapter 8
In Microsoft Windows Server 2003, Windows 2000, and Windows XP, a security principal's level of access to files and folders is determined by NTFS file system permissions and share permissions. These permissions are discretionary: anyone with ownership of a file or folder, or with the Change Permissions or Full Control permission, can assign access control at his discretion. When freshly installed, Windows Server 2003, Windows 2000, and Windows XP assign default permission structures to the file system; however, you will need to alter these permissions to ensure that only the appropriate users have access to files stored on the computer.
Figure 8-1
DACLs owe their name to the fact that they can be configured at the discretion of any account that possesses Take Ownership, Change Permissions, or Full Control permissions to the file system object. DACLs are defined by security descriptors, which consist of several elements as described in Table 8-1.
Table 8-1 Elements of a security descriptor: Header, SID (user), SID (group), generic deny ACEs, generic allow ACEs.
Windows Server 2003 enables Administrators to replace the owner of a file or folder in the graphical user interface. Although the user interface prevents you from assigning ownership of an object to an arbitrary user account in Windows 2000 and Windows Server 2003, you can complete this action from the command line with the Subinacl.exe tool if you are a member of the Administrators group or hold the Restore Files And Directories privilege on the computer. The syntax for replacing the owner of a file using Subinacl.exe follows:
Subinacl /file filename.ext /setowner=domain\newowner
Object types supported by Subinacl.exe: files, folders, registry keys, services, printers, kernel objects, shares, and metabases.
Subinacl.exe is a low-level utility and should be used with caution. For routine permission changes on files and folders, other tools such as Xcacls.exe and Cacls.exe are easier to use, but they do not offer nearly the number of options that Subinacl.exe does. You can define NTFS permissions at either the folder or the file level. For folders, you can assign the following standard permissions in the Security tab of the folder's properties page: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.
Standard NTFS permissions are compilations of several special permissions, including these:
Traverse Folder/Execute File: Traverse Folder allows or denies navigating through folders, even if the user does not have permission to access the files or folders within that folder. This permission applies to folders only. Execute File allows or denies running program files and applies to files only. Setting the Traverse Folder permission does not automatically set the Execute File permission on the files in the folder. Additionally, by default the Everyone group is assigned the Bypass Traverse Checking user right, which prevents the Traverse Folder permission from being assessed when a resource is accessed.
List Folder/Read Data: List Folder allows or denies viewing file names and subfolder names within the folder and applies to folders only. Read Data allows or denies viewing data in files and applies to files only.
Read Attributes Allows or denies viewing the attributes of a file or folder, such as
Create Files/Write Data: Create Files allows or denies creating files within a folder. Write Data allows or denies making changes to a file and overwriting existing content.
Create Folders/Append Data: Create Folders allows or denies creating folders within a folder. Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting any existing data in the file.
Delete Subfolders and Files: Allows or denies deleting subfolders and files when applied at a parent folder, even if the Delete permission has not been granted on the specific subfolder or file.
folder.
Change Permissions
to a file or folder.
Take Ownership
Table 8-2 displays how, in Windows Server 2003, Windows 2000, and Windows XP, the special permissions map to the basic permissions.

Table 8-2 File and Folder Permissions Mapping in Windows Server 2003, Windows 2000, and Windows XP

Special Permission            Full Control  Modify  Read & Execute  List Folder Contents*  Read  Write
Traverse Folder/Execute File  X             X       X               X
List Folder/Read Data         X             X       X               X                      X
Read Attributes               X             X       X               X                      X
Read Extended Attributes      X             X       X               X                      X
Create Files/Write Data       X             X                                                    X
Create Folders/Append Data    X             X                                                    X
Write Attributes              X             X                                                    X
Write Extended Attributes     X             X                                                    X
Delete Subfolders and Files   X
Delete                        X             X
Read Permissions              X             X       X               X                      X     X
Change Permissions            X
Take Ownership                X

* List Folder Contents applies to folders only.
Explicit deny: An ACE applied directly to the resource that denies access. An explicit deny always overrides all other permissions.
Explicit allow: An ACE applied directly to the resource that grants access. An explicit allow always overrides an inherited deny but is always overridden by explicit deny ACEs.
Inherited deny: An ACE inherited from the resource's parent object. An inherited deny ACE overrides an inherited allow permission but is overridden by an explicit allow.
Inherited allow: An ACE inherited from the resource's parent object that grants access. It is overridden by each of the three ACE types above.
ACEs that apply to the user are cumulative: the user receives the sum of the ACEs that apply to his user account and to the groups of which he is a member. For example, if an access control list (ACL) contains two allow ACEs that apply to the user, one for Read access and the other for Write access, the user receives Read and Write access.

Caution: Because explicit allow ACEs override inherited deny ACEs, you should assign explicit permissions with caution. For example, if the Sales_Managers group has been denied the Write permission on all files and folders in the d:\finance_audit folder but a user named Tom is granted the Write permission on the d:\finance_audit\review\TPS.xls file, Tom will be able to modify the TPS.xls file even if he is a member of the Sales_Managers group, which is denied the Write permission by inheritance.
the permission change will automatically flow to the child object. If you want to modify this behavior, you need to decide whether you want to remove the inherited permissions or copy them to the object. If you choose to remove the inherited permissions, the only permissions that will remain are those explicitly granted to the object. If you choose to copy the permissions, the object will have the same permissions as it had previously, but the formerly inherited permissions will instead be explicitly assigned to the object.

Note: In the user interface of Windows Server 2003, Windows 2000, and Windows XP, explicit permissions are displayed with a check in a white check box and inherited permissions with a check in a gray check box. Gray check boxes cannot be modified directly unless the permissions are made explicit, which changes the check boxes to white to indicate explicit assignment.
How DACLs Are Handled When Files and Folders Are Copied or Moved
The way DACLs are handled for files and folders that are moved and copied to other locations can be confusing. If you are responsible for securing files and folders, you must understand several intricacies of copying and moving files and folders, or you might unwittingly create a security risk.

The first thing you need to know is that creating a copy of a file on the same partition actually creates a new file in the destination container. Thus, all permissions are inherited from the new parent object, and the original object's permissions are unchanged. This creates a potential security risk because two copies of the same file with different security settings can exist.

Second, when a file is moved on the same partition, it is not physically relocated to a different address on the disk; instead, the reference to the object in the file system hierarchy is updated. When the ACL on a parent object or on the object itself is changed, the permission structures are updated, but moving an object on the same partition does not trigger a refresh of ACLs. Therefore, all previously inherited and explicit permissions on the moved object initially remain unchanged. The Security tab for the object will indicate that the permissions are inherited from its parent object, but until the ACL is refreshed the Security tab shows the permissions inherited from the object's previous parent, along with any permissions assigned directly to the object. The next time the ACLs for the object itself or for any parent object in the inheritance hierarchy are changed, the inherited permissions on the object will be received from the object's new location in the file system hierarchy. However, the moved object will retain any explicitly assigned permissions.
This behavior is a departure from the way that permissions on moved file system objects functioned in Microsoft Windows NT, where objects that were moved within the same partition retained all permissions. If you want to achieve Windows NT-style retention of all permissions on an object you move within the same partition, before moving the object you must deselect the inheritance attribute on the object and copy the existing inherited permissions so that they become explicit permissions, or remove the existing inherited permissions altogether and assign any desired explicit permissions. You can then move the object and re-enable permissions inheritance, which refreshes the ACL on the object. When the ACL is refreshed in this manner, the moved object retains its explicit permissions but receives new inherited permissions from its new parent.

Finally, when you move a file or folder to a different partition or computer, the operation is actually a copy-and-delete process. The file is copied to the new location, thus creating a new file system object, and upon successful creation of the new object the original is deleted. Creating a copy of a file system object, regardless of whether the copy is created on the same partition or on a different partition or computer, always creates a new instance of the object in the destination location. Therefore, all permissions on the object are inherited from the new parent. The original object is either deleted (in a move operation across partitions or computers) or unaffected (in a copy operation). Therefore, you should exercise caution when moving or copying files and folders to different partitions or computers, because the permissions on the newly created object might not be consistent with the permissions on the original object.

In Windows Server 2003, Windows 2000, and Windows XP, file and folder permissions are automatically inherited from parent objects.
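To make the copy and move rules above concrete, here is an added toy model (not from the book and not the Windows security API) that tracks explicit and inherited ACEs through a copy, a same-partition move before and after an ACL refresh, the NT-style workaround, and a cross-partition move; the folder names, trustees and ACE strings are constructed:

```python
"""Toy model of what happens to a file's DACL when it is copied or moved,
following the rules described in this section.  Added illustration only:
the folder names and ACE strings are constructed, and nothing here calls
the Windows security API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FsObject:
    name: str
    parent: Optional["FsObject"] = None
    explicit: List[str] = field(default_factory=list)   # ACEs assigned directly
    inherited: List[str] = field(default_factory=list)  # ACEs received from a parent
    inherit_enabled: bool = True

    def effective(self) -> List[str]:
        """What the Security tab shows: explicit ACEs plus inherited ones."""
        return self.explicit + self.inherited

    def refresh(self) -> None:
        """Recompute inherited ACEs from the *current* parent.  Windows does
        this when an ACL anywhere in the inheritance chain is changed."""
        if self.inherit_enabled and self.parent is not None:
            self.inherited = list(self.parent.effective())
        else:
            self.inherited = []


def copy_same_partition(src: FsObject, dest_folder: FsObject) -> FsObject:
    """A copy is a brand-new object: it inherits from the destination and
    carries none of the source's explicit ACEs.  The source is untouched."""
    new = FsObject(src.name, parent=dest_folder)
    new.refresh()
    return new


def move_same_partition(obj: FsObject, dest_folder: FsObject) -> FsObject:
    """A same-partition move only re-links the object; the ACEs it inherited
    from the OLD parent stay in place until the ACL is refreshed."""
    obj.parent = dest_folder
    return obj


def move_across_partition(obj: FsObject, dest_folder: FsObject) -> FsObject:
    """Across partitions or computers a move is copy-then-delete, so the
    result is a fresh object inheriting only from its new parent."""
    new = copy_same_partition(obj, dest_folder)
    obj.parent = None   # the original is deleted
    return new


def make_nt_style(obj: FsObject) -> None:
    """Windows NT-style retention: turn inheritance off and copy the
    inherited ACEs so they become explicit before the move."""
    obj.inherit_enabled = False
    obj.explicit = obj.explicit + obj.inherited
    obj.inherited = []


def scenario() -> Dict[str, List[str]]:
    """Run the section's cases on a constructed d:\\finance tree."""
    d_finance = FsObject("d:\\finance", explicit=["Finance:Modify"])
    d_public = FsObject("d:\\public", explicit=["Everyone:Read"])
    e_archive = FsObject("e:\\archive", explicit=["Archivists:Modify"])
    results: Dict[str, List[str]] = {}

    # 1. Copy: the duplicate takes d:\public's permissions, so two copies of
    #    the same data now have different security settings.
    budget = FsObject("budget.xls", parent=d_finance, explicit=["Tom:Full Control"])
    budget.refresh()
    results["copy"] = copy_same_partition(budget, d_public).effective()

    # 2. Same-partition move: stale inherited ACEs until something refreshes them.
    move_same_partition(budget, d_public)
    results["move_before_refresh"] = budget.effective()
    budget.refresh()
    results["move_after_refresh"] = budget.effective()

    # 3. NT-style: make inherited ACEs explicit, move, then re-enable inheritance.
    plan = FsObject("plan.doc", parent=d_finance)
    plan.refresh()
    make_nt_style(plan)
    move_same_partition(plan, d_public)
    plan.inherit_enabled = True
    plan.refresh()
    results["nt_style"] = plan.effective()

    # 4. Cross-partition move: copy-and-delete, so only e:\archive's ACEs apply.
    report = FsObject("report.doc", parent=d_finance, explicit=["Tom:Full Control"])
    report.refresh()
    results["cross_partition"] = move_across_partition(report, e_archive).effective()
    return results


if __name__ == "__main__":
    for case, aces in scenario().items():
        print(f"{case}: {aces}")
```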
Therefore, understanding the default permissions on files and folders is important when planning directory structures. You might need to change the default permissions to meet your organization's security policy. Table 8-3 provides a legend of permission inheritance in Windows Server 2003, Windows 2000, and Windows XP.
Table 8-3
More Info: The default file and registry permissions can be found in the following white papers:
Windows Server 2003 (http://www.microsoft.com/windowsserver2003/techinfo/overview/secdef.mspx)
Windows XP (http://www.microsoft.com/downloads/details.aspx?FamilyID=60ce1ef5-8d6d-49a0-8eb5-4e362cde75e7&displaylang=en)
Windows 2000 (http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp)
Command-Line Tools
In Windows Server 2003, Windows 2000, and Windows XP, the Xcopy.exe utility can be used to preserve the permissions and ownership of files and folders when they are copied. Additionally, you can use several command-line tools to control the file and folder permissions:
included with this book. Cacls.exe is included in the default installation of Windows Server 2003, Windows 2000, and Windows XP.
Cacls.exe
Cacls.exe is a command-line utility that enables basic management of file and folder permissions. The usage for Cacls.exe follows:
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
Table 8-4 shows the command-line options for Cacls.exe. You can also use wildcard characters to specify more than one file in a command.
Tip: You can redirect console output from the command line by using a standard redirection character. For example, to redirect output from the Cacls.exe tool to a file, type Cacls.exe filename.ext>output.txt. The results of running the command will be written to the Output.txt file rather than to the console.
Xcacls.exe
Xcacls.exe is a more robust version of Cacls.exe. Not only does Xcacls.exe give you greater control over the special permissions, it is scriptable: unlike Cacls.exe, Xcacls.exe allows you to suppress message prompts. The usage for Xcacls.exe follows:
xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]
Xcacls.vbs, a Microsoft Visual Basic script, is also included on the CD. You can use Xcacls.vbs to assign permissions in a similar way that you do with Xcacls.exe, albeit from a script. Xcacls.exe is designed to be used at the command line or in batch files; Xcacls.vbs is designed to be used in a scripting environment, where better automation and error handling are required. In addition, you can edit Xcacls.vbs by using any text editor to add custom functionality, such as logging permission changes to a file.
Subinacl.exe
Subinacl.exe is a low-level utility for managing DACLs on many types of objects, including files and folders. The syntax for using Subinacl.exe follows:
subinacl [view_mode] [/test_mode] object_type object_name [action[=parameter]] [action[=parameter]] ... [/playfile file_name] [/help [/full] [keyword]]
The options you can use with Subinacl.exe are explained in Table 8-6.
Table 8-6 Subinacl.exe Options
view_mode: /noverbose or /verbose.
/test_mode: When this option is specified, changes are not actually made to the object's security descriptor. This option enables you to view what the results of the command would be without actually making the changes.
object_type: One of /file, /subdirectories, /onlyfile, /share, /clustershare, /keyreg, /subkeyreg, /service, /printer, or /kernelobject.
object_name: Defines the name of the object on which you are viewing or modifying the permissions.
action: Sets the action that you are attempting to carry out on the object. The action switches include the following:
/display (default)
/setowner=owner
/replace=[DomainName\]OldAccount=[DomainName\]NewAccount
/changedomain=OldDomainName=NewDomainName
/migratetodomain=SourceDomain=DestDomain
/findsid=[DomainName\]Account[=stop]
/suppresssid=[DomainName\]Account
/confirm
/perm
/audit
/ifchangecontinue
/cleandeletedsidsfrom=DomainName
/accesscheck=[DomainName\]UserName
/setprimarygroup=[DomainName\]Group
/grant=[DomainName\]UserName[=Access]
/deny=[DomainName\]UserName[=Access]
/revoke=[DomainName\]UserName
/playfile filename
Robocopy.exe
Robocopy.exe is a 32-bit Windows command-line application that simplifies the task of maintaining an identical copy of a folder tree in multiple locations, either on the same computer or in separate network locations. Robocopy is robust: it retries operations after network errors and efficiently copies only changed files. Robocopy is flexible: you can copy a single folder or walk a directory tree, specifying multiple file names and wildcard characters for source files.
On the CD: For detailed information on using Robocopy, see the Robocopy.doc file on the CD included with this book.
Share Permissions
Share Permission  Description
Full Control      Full control over all folders and files in the share
Change            Read and Write permissions to files and folders
Read              Read permission for files and folders
By default in Windows 2000 and Windows XP, when a share is created the share permissions are set to Everyone Full Control. In Windows Server 2003, share permissions are set to Everyone Read. Like NTFS permissions, share permissions are cumulative, and deny permissions override allow permissions. When a user attempts to access a file or folder on a share, the cumulative share permissions as well as the cumulative NTFS permissions are calculated, and the user receives the more restrictive of these two sets of permissions. For example, if the share permissions are left at the default setting of Everyone Full Control and the user has only Read & Execute permissions on the files and folders in the share, the user will have only Read & Execute access.

Although share permissions are not nearly as granular as NTFS permissions, they are still useful if implemented correctly. For example, you can achieve a higher degree of security on a share's contents by removing the default share permissions and granting members of the Everyone group Change permissions. This prevents the changing of permissions on the files and folders in the share remotely through the network redirector. When you remove the Everyone Full Control share permission, the owner of a file can modify permissions only through an interactive logon session, either at the server console or through Terminal Services.
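The following added example (not from the book, and not a Windows API) models the ACE precedence rules and the cumulative evaluation from the DACL section, using the Tom/Sales_Managers case from the Caution there, and then combines the result with share permissions as described just above; the rights vocabulary, the ACLs and the users Pat and Admin are constructed:

```python
"""Model of how Windows resolves an NTFS DACL for a user and then combines
the result with share permissions.  Added illustration only: the rights
vocabulary, ACLs, users and groups below are constructed, and nothing here
calls the Windows security API."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# A handful of rights is enough to show precedence and combination.
READ, WRITE, EXECUTE, CHANGE_PERMISSIONS = "Read", "Write", "Execute", "Change Permissions"
ALL_RIGHTS: FrozenSet[str] = frozenset({READ, WRITE, EXECUTE, CHANGE_PERMISSIONS})

# The three share permission levels expressed in that vocabulary.
SHARE_LEVELS = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE}),
    "Full Control": ALL_RIGHTS,
}


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the ACE applies to
    allow: bool              # True for an allow ACE, False for a deny ACE
    rights: FrozenSet[str]
    inherited: bool = False  # True when received from a parent object


def precedence(ace: Ace) -> int:
    """Lower wins: explicit deny (0) > explicit allow (1) >
    inherited deny (2) > inherited allow (3)."""
    return (2 if ace.inherited else 0) + (1 if ace.allow else 0)


def effective_rights(acl: Iterable[Ace], user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Rights a user ends up with.  ACEs for the user and all of the user's
    groups accumulate; for each right, the strongest ACE naming it decides."""
    trustees: Set[str] = {user, *groups}
    acl = list(acl)
    granted = set()
    for right in ALL_RIGHTS:
        hits = [a for a in acl if a.trustee in trustees and right in a.rights]
        if hits and min(hits, key=precedence).allow:
            granted.add(right)
    return frozenset(granted)


def share_ace(trustee: str, level: str, allow: bool = True) -> Ace:
    """Share ACEs have no inheritance; they are always explicit."""
    return Ace(trustee, allow, SHARE_LEVELS[level], inherited=False)


def effective_share_access(share_acl, ntfs_acl, user, groups) -> FrozenSet[str]:
    """Over the network the user gets the more restrictive of the two
    cumulative results, i.e. the intersection."""
    groups = list(groups)
    return effective_rights(share_acl, user, groups) & effective_rights(ntfs_acl, user, groups)


# Constructed ACL for d:\finance_audit\review\TPS.xls: Sales_Managers is denied
# Write on d:\finance_audit (inherited here) while Tom is granted Write directly.
TPS_XLS_ACL = [
    Ace("Sales_Managers", allow=True, rights=frozenset({READ, EXECUTE}), inherited=True),
    Ace("Sales_Managers", allow=False, rights=frozenset({WRITE}), inherited=True),
    Ace("Tom", allow=True, rights=frozenset({WRITE}), inherited=False),
    Ace("Administrators", allow=True, rights=ALL_RIGHTS, inherited=True),
]

# Constructed share ACLs: the Windows 2000/XP default and the hardened form.
DEFAULT_SHARE_ACL = [share_ace("Everyone", "Full Control")]
HARDENED_SHARE_ACL = [share_ace("Everyone", "Change")]


def demo() -> dict:
    """The outcomes this chapter describes, keyed by case."""
    return {
        # Explicit allow beats the inherited deny: Tom can modify TPS.xls.
        "tom_local": effective_rights(TPS_XLS_ACL, "Tom", ["Sales_Managers"]),
        # An ordinary Sales_Managers member keeps only the inherited Read/Execute.
        "pat_local": effective_rights(TPS_XLS_ACL, "Pat", ["Sales_Managers"]),
        # Everyone Full Control on the share but Read & Execute on NTFS:
        # the more restrictive NTFS set is what Pat gets remotely.
        "pat_remote": effective_share_access(
            DEFAULT_SHARE_ACL, TPS_XLS_ACL, "Pat", ["Sales_Managers", "Everyone"]),
        # With Everyone limited to Change, not even an administrator can change
        # permissions through the share; that now needs an interactive logon.
        "admin_remote": effective_share_access(
            HARDENED_SHARE_ACL, TPS_XLS_ACL, "Admin", ["Administrators", "Everyone"]),
    }


if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case}: {sorted(rights)}")
```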
Figure 8-2
Next, the computer retrieves the user's EFS certificate from the user's profile and extracts the user's public key. If the user does not have an EFS certificate, the computer generates one based on the user's account information, including the user's password. The FEK is encrypted using the RSA algorithm with the public key from the user's EFS certificate and is added to the header of the file in the data decryption field (DDF). This process is shown in Figure 8-3.
Figure 8-3 Encrypting the FEK of a file using the EFS public key of the user account
The final step in encrypting the file is for the computer to retrieve the certificate of each EFS recovery agent. For each EFS recovery agent certificate, the computer extracts the public key, encrypts the FEK by using the RSA encryption algorithm, and stores the encrypted FEK in the data recovery field (DRF) located in the file's header. This process is shown in Figure 8-4.
Figure 8-4 Encrypting the FEK of a file using the EFS recovery agent's public key
The only users who can view the information in the file are the user who encrypted it and anyone who possesses a recovery agent's private key, unless additional users are added after the file is encrypted. Even another user with Full Control permissions on the file will not be able to read it. When a user attempts to open the file, the user's private key is retrieved and used to decrypt the FEK; the decrypted FEK is then used to decrypt the file. Files secured with EFS are not paged out of volatile memory when decrypted, preventing data from the file from being stored in the page file. When the user saves the file, a new FEK is generated and the process of creating the EFS header is repeated. If the user opens the file and moves it to a non-NTFS partition or to a remote server, the file will be transparently decrypted. Users with the Back Up Files And Folders user right on a computer containing encrypted files will be able to back up the files. However, if the backup is restored to a non-NTFS partition, the contents of the files will be unintelligible.
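As an added illustration of the header layout just described (not the book's or Microsoft's code), this toy reproduces the DDF/DRF structure: one FEK per file, wrapped once for the user and once per recovery agent, so that either private key recovers the data while an unrelated key gets nothing useful. It uses textbook RSA on small constructed primes and a SHA-256 keystream standing in for the file cipher; the key sizes and the user and agent names are constructed and nothing here is cryptographically secure:

```python
"""Toy model of the EFS file header described above: one FEK per file, wrapped
with the user's public key (DDF) and with each recovery agent's public key
(DRF).  Added illustration only: it uses textbook RSA over small constructed
primes and a SHA-256 keystream in place of the real file cipher, so it is
not secure and is not Windows' EFS implementation."""
import hashlib
import math
import secrets
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def next_prime(start: int) -> int:
    """Smallest prime >= start, by trial division (fine for small demo values)."""
    n = max(start, 2)
    while any(n % k == 0 for k in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


def make_keypair(seed_p: int, seed_q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair from two constructed seeds; demo-sized only."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    if p == q:
        q = next_prime(q + 1)
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "pick different seeds"
    return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_wrap(pub: PublicKey, fek: int) -> int:
    e, n = pub
    return pow(fek, e, n)


def rsa_unwrap(priv: PrivateKey, wrapped: int) -> int:
    d, n = priv
    return pow(wrapped, d, n)


def file_cipher(fek: int, data: bytes) -> bytes:
    """Stand-in for the symmetric file encryption: XOR with a SHA-256 keystream
    derived from the FEK.  Symmetric, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(fek.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def efs_encrypt(plaintext: bytes, user_pub: PublicKey, agents: Dict[str, PublicKey]) -> dict:
    """Build the encrypted file plus its header (DDF and DRF entries)."""
    smallest_n = min(n for _, n in [user_pub, *agents.values()])
    fek = secrets.randbelow(smallest_n - 2) + 2   # fresh FEK for every encryption
    return {
        "DDF": rsa_wrap(user_pub, fek),                                     # user's copy
        "DRF": {name: rsa_wrap(pub, fek) for name, pub in agents.items()},  # one per agent
        "data": file_cipher(fek, plaintext),
    }


def efs_decrypt(encrypted: dict, priv: PrivateKey, as_agent: Optional[str] = None) -> bytes:
    """Recover the FEK from the DDF (owner) or a named DRF entry (recovery agent),
    then decrypt the data.  A key that matches no entry just yields garbage."""
    wrapped = encrypted["DDF"] if as_agent is None else encrypted["DRF"][as_agent]
    return file_cipher(rsa_unwrap(priv, wrapped), encrypted["data"])


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(1_000_003, 1_000_033)
    dra_pub, dra_priv = make_keypair(1_000_037, 1_000_039)
    blob = efs_encrypt(b"Q3 audit notes", alice_pub, {"Default DRA": dra_pub})
    print(efs_decrypt(blob, alice_priv))
    print(efs_decrypt(blob, dra_priv, as_agent="Default DRA"))
```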
available in Windows Server 2003, Windows XP Professional, and Windows 2000 Service Pack 3 or later.
Efsinfo.exe
Efsinfo.exe is a command-line tool that enables you to retrieve information from the EFS header of a file encrypted with EFS. You must have the permission to read the attributes of the file to retrieve the information from the file you specify. The syntax for using Efsinfo.exe follows:
EFSINFO [/U] [/R] [/C] [/I] [/Y] [/S:dir] [pathname [...]]
Efsinfo.exe Options
/U      Displays user information from the DDF.
/R      Displays recovery agent information from the DRF.
/C      Displays certificate thumbprint information for the user account that encrypted the file. You access the properties of a certificate by double-clicking an issued certificate in the Certificates Microsoft Management Console (MMC) snap-in.
/I      Forces the utility to continue the specified operation even after errors have occurred. By default, Efsinfo.exe stops when an error is encountered.
/Y      Displays your current EFS certificate thumbprint on the local PC.
/S:dir  Performs the specified operation on directories in the given directory and all subdirectories.
Cipher.exe
Cipher.exe enables you to manipulate EFS-encrypted files from the command prompt. The version of Cipher.exe in Windows 2000 is different from that in Windows Server 2003 and Windows XP and the two cannot be interchanged. In Windows 2000, the syntax of the Cipher.exe command is this:
CIPHER [/E | /D] [/S:dir] [/P:keyfile] [/K:keyfile] [/L:keyfile] [/I] [/F] [/Q] [filename [...]]
Table 8-9 describes the options available when using Cipher.exe in Windows 2000.
Used without parameters, Cipher.exe displays the encryption state of the current directory and any files it contains. You can use multiple file names and wildcards. You must put spaces between multiple parameters.

Important: The Cipher.exe tool was replaced in Windows 2000 Service Pack 3 with a version that adds the /W option. The /W option permanently deletes, or wipes, all deleted data from a directory. This removes all artifacts of files that have been deleted but not necessarily removed from the hard disk. If the directory specified is a mount point to another volume, the data on that volume will be removed.
The Windows Server 2003 and Windows XP version of Cipher.exe includes all the options that the Windows 2000 version does as well as the options described in Table 8-10.
Encryption of offline files
Remote encryption of files using WebDAV
Sharing of encrypted files
feature, runs as a System process and therefore can be accessed by any user or process that can run as System, including administrators on the local machine. Therefore, when sensitive data is stored in offline folders, administrative access should be restricted to users and the System Key should be used in mode 2 or mode 3.
running Windows Server 2003 and Windows XP are transmitted as raw encrypted files and are decrypted locally on the client by using an HTTP GET command. The Temporary Internet Files directory is used for intermediate transfer of the files over HTTP, where WebDAV detects and sets the encrypted file attribute for Windows Server 2003 and Windows XP. Therefore, only the public-key and private-key pairs on the client are used to encrypt files, even though the files are stored on a remote server.

The WebDAV redirector is a new mini-redirector that supports the WebDAV protocol for remote document sharing over HTTP. The WebDAV redirector supports the use of existing applications, and it allows file sharing across the Internet (through firewalls, routers, and so on) to HTTP servers. Microsoft Internet Information Services 6.0 (Windows Server 2003), 5.0 (Windows 2000), and 5.1 (Windows XP) support WebDAV folders, known as Web folders.

The WebDAV redirector does have some limitations on the files that can be transmitted using the WebDAV protocol. The actual limit varies depending on the amount of virtual memory available, but in general only files smaller than 400 megabytes can be transferred in Windows Server 2003 and Windows XP with EFS over WebDAV.

Files and folders encrypted through a WebDAV share appear as unencrypted if a user or administrator logs on to the server locally. Once a file has been encrypted using WebDAV, that file should be accessed and decrypted only by using WebDAV. This behavior does not affect the ability to back up and restore the server by using Ntbackup.exe or the Windows NT backup API set. Administrators and users should not encrypt files locally on a volume that hosts a WebDAV share; all administration should be done through the WebDAV share only. You can create a WebDAV folder in Windows Server 2003, Windows 2000, and Windows XP by enabling Web Sharing in the properties of any folder.
Note that if a user does not have a key to decrypt the file on a WebDAV share, she will receive an access denied error if she attempts to modify the advanced EFS attributes of the file.
Figure 8-5 Sharing files encrypted with EFS in Windows Server 2003 and Windows XP
and thus is outside the scope of this book. For more information on designing a data recovery policy, see the Data Protection and Recovery in Windows XP white paper at http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.asp.
EFS automatically enforces a recovery policy that requires a recovery agent to be available for files to be encrypted. The recovery policy is a type of public-key policy that allows user accounts to be designated as DRAs. A default recovery policy is automatically established when the Administrator account logs on to the system for the first time, making the administrator the recovery agent. The default recovery policy is configured locally for workgroup computers. For computers that are part of an Active Directory-based domain, the recovery policy is configured in a domain or OU Group Policy object (GPO). If no recovery agent policy is created, the computer's local recovery agent policy is used. Recovery certificates are issued by a CA and are managed by using the Certificates MMC snap-in or by using the Cipher.exe /r command in Windows Server 2003 and Windows XP.
In a network environment, the domain administrator controls how EFS is implemented in the recovery policy for all users and computers in the scope of influence. In a default Windows Server 2003, Windows 2000, or Windows XP installation, when the first domain controller is set up, the domain administrator is the specified recovery agent for the domain. The way the domain administrator configures the recovery policy determines how EFS is implemented for users on their local machines. You can choose to have recovery agents configured or an empty recovery agent:
Recovery agent scenario: When an administrator adds one or more recovery agents, a recovery agent policy is in effect. These agents are responsible for recovering any encrypted data within their scope of administration. This is the most common type of recovery policy. You can ensure all recovery agents are available to all computers running Windows Server 2003, Windows 2000, or Windows XP by using Group Policy.
Empty recovery policy scenario: When an administrator deletes all recovery agents and their public-key certificates, an empty recovery policy is in effect. An empty recovery policy means that no recovery agent exists, and if the client operating system is Windows 2000, EFS is disabled altogether. Windows Server 2003 and Windows XP support EFS with an empty DRA policy.
In a Windows 2000 environment, if an administrator attempts to configure an EFS recovery policy with no recovery agent certificates, EFS is automatically disabled. In a Windows Server 2003 or Windows XP Professional environment, the same action enables users to encrypt files without a DRA. Windows Server 2003 enables you to disable EFS for computers in the domain by completing the following steps:
1. Open Active Directory Users and Computers, right-click the domain that has the recovery policy you want to change, and then click Properties.
2. Click the Group Policy tab, right-click the recovery policy you want to change, and then click Edit. The path is Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System.
3. Clear the Allow Users To Encrypt Files Using Encrypting File System (EFS) check box.
You can also disable EFS on individual computers running Windows Server 2003 or Windows XP by adding the EfsConfiguration (DWORD) registry value to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS. When this value is set to 1, it disables EFS; when it is set to 0, it enables EFS.
When a domain user logs on at a domain computer that is within the scope of the EFS recovery policy, all DRA certificates are cached in the computer's certificate store. This means that EFS on every domain computer can easily access and use the DRA's public key (or multiple public keys, if multiple DRAs are designated). On computers where
an EFS recovery policy is in effect, every encrypted file contains at least one data recovery field in which the file's FEK is encrypted by using the DRA's public key and stored. By using the associated private key, any designated DRA can decrypt any encrypted file within the scope of the EFS recovery policy.
HKEY_CURRENT_CONFIG (HKCC)
HKEY_PERFORMANCE_DATA (HKPD)
When the computer is running, the registry is loaded in memory and active. When the computer is powered down, the persistent information stored in the registry is written to the hard disk. Table 8-12 lists the storage location for some common registry hives.
HKEY_USERS\DEFAULT
When you use an administrative tool to change the configuration of a system feature or service, the change usually takes effect immediately or soon thereafter. However, if you make the same change by editing the registry, you might need to log off and log on again, restart the service, or restart the computer. In general, if you change the value of any entry in HKLM\Services\System\CurrentControlSet001, you must restart the computer for the change to take effect. Also, if you use a registry editor to change values for most entries in HKEY_CURRENT_USER, you must log off and log on again for the changes to take effect.

More Info: For detailed information on the structure of the registry and the specifics of the data stored in the registry, see the Technical Reference to the Registry eBook (Regentry.chm) in the Microsoft Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, 2000).
Registry key permissions include: Create Subkey, Enumerate Subkeys, Notify, Create Link, Delete, Write DACL, Write Owner, and Read Control.
In Windows Server 2003, Windows 2000, and Windows XP, you can use Regedt32.exe to alter registry permissions from the user interface or you can use the Subinacl.exe command-line tool. Changing permissions on registry values requires the same techniques as modifying NTFS permissions does.
Best Practices
Use least privilege. Whenever assigning permissions, assign the least privilege the user needs to complete her job function.
Always assign permissions at the highest point in the container hierarchy and allow them to be inherited by child objects to simplify their application.
Assigning permissions to security groups by using a structured model makes assigning permissions scalable and flexible. This is helpful when users and files change.
Always archive the DRA when encrypting files with EFS to prevent files from being irreversibly encrypted.
Additional Information
Data Protection and Recovery in Windows XP (http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx)
New Security Tool for Encrypting File System (http://www.microsoft.com/technet/security/tools/cipher.mspx)
Access Control Lists (http://msdn.microsoft.com/library/en-us/secauthz/security/access_control_lists.asp)
The following Knowledge Base articles:
243756: How to Use Encrypting File System (EFS) with Internet Information Services (http://support.microsoft.com/kb/243756)
223338: Using a Certificate Authority for the Encrypting File Service (http://support.microsoft.com/kb/223338)
241201: How to Back Up Your Encrypting File System Private Key (http://support.microsoft.com/kb/241201)
242296: How to Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000 (http://support.microsoft.com/kb/242296)
243026: Using Efsinfo.exe to Determine Information About Encrypted Files (http://support.microsoft.com/kb/243026)
255742: Methods for Recovering Encrypted Data Files (http://support.microsoft.com/kb/255742)
273856: Third-Party Certificate Authority Support for Encrypting File System (http://support.microsoft.com/kb/273856)
230520: How to Encrypt Data Using EFS in Windows 2000 (http://support.microsoft.com/kb/230520)
329741: EFS Files Appear Corrupted When You Open Them (http://support.microsoft.com/kb/329741)
221997: Cannot Gain Access to Previously Encrypted Files on Windows 2000 (http://support.microsoft.com/kb/221997)
227825: Backup Tool Backs Up Files to Which You Do Not Have Read Access (http://support.microsoft.com/kb/227825)
230490: The Encrypted Data Recovery Policy for Encrypting File System (http://support.microsoft.com/kb/230490)
223178: Transferring Encrypted Files That Need to Be Recovered (http://support.microsoft.com/kb/223178)
223316: Best Practices for Encrypting File System (http://support.microsoft.com/kb/223316)
223448: Cannot Use Shared Encrypted Files in Windows 2000 (http://support.microsoft.com/kb/223448)
254156: Encrypted Files Made Available Offline Not Encrypted on the Client (http://support.microsoft.com/kb/254156)
272279: How to Troubleshoot the File Replication Service and the Distributed File System (http://support.microsoft.com/kb/272279)
283223: Recovery of Encrypted Files on a Server (http://support.microsoft.com/kb/283223)
290260: EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset (http://support.microsoft.com/kb/290260)
248723: Info: Understanding Encrypted Directories (http://support.microsoft.com/kb/248723)
Chapter 9
In Microsoft Windows Server 2003, Windows 2000, and Windows XP, many applications run independently of any user account and regardless of whether a user is logged on to the computer. These applications are registered as services, or more specifically, Service Control Programs (SCPs). Services are controlled by the Service Control Manager (SCM), which runs as Services.exe. The configuration of services is stored in the registry, under the key HKLM\SYSTEM\CurrentControlSet\Services. You can use the Srvany.exe utility to cause an executable to run as a service.
On the CD Srvany.exe is located on the CD included with this book.
Full Control
Authenticated Users (locally logged on, including Local Service and Network Service): Connect to the SCM; Enumerate services; Query the status of services; Read the permissions on services
Full Control
To view or manage the permissions on services, you must use either the Subinacl.exe tool or the Security Templates Microsoft Management Console (MMC) snap-in. You can control services by using the Services MMC snap-in under Administrative Tools (or by typing services.msc at the command prompt or in the Run command), or by editing the registry directly. Security configuration of services includes the ability to do the following:
Configure the startup value for each service
Stop, start, pause, and resume services
Configure the security context under which the service runs
Configure the discretionary access control list (DACL) for the service
Startup value   Registry value
System Start    0x1
Automatic       0x2
Manual          0x3
Disabled        0x4
When a service is started, it runs in the Services.exe process, the Lsass.exe process, its own process, or an instance of Svchost.exe. To view the process in which a service is running, you can use the Tlist.exe command from the Windows 2000 Support Tools. Type tlist /s at the command prompt. Figure 9-1 shows the output of running Tlist /s on Windows 2000. Both Windows Server 2003 and Windows XP include the Tasklist tool in the default installation. Type tasklist /svc at the command prompt. You should configure services to start up automatically or manually only if they are necessary for the operation of the computer or of applications that run on the computer. By setting unused services to Disabled, you can decrease the potential attack surface of the computer. You can set a service startup value to Disabled in the Services MMC snap-in, through Security Templates, or by manually setting the registry startup value to 4.
Figure 9-1
Net start servicename starts a stopped service.
Net stop servicename stops a started service.
Net pause servicename pauses a started service.
Net continue servicename continues a paused service.
Note You can use either a service's name or its display name with the Net command. If the display name of the service has a space embedded in it, place the name within quotes. You can also suppress the prompt by appending /Y to the Net command. This is useful when configuring batch files.
When a service is stopped, it will no longer respond to or initiate requests. Each service responds differently to being paused; you should research how a service will respond to being paused before pausing it. As mentioned, you must have the appropriate permissions to stop and start a service.
Whether the service is set to start up automatically or manually or is disabled
Whether the service can interact with the desktop (Windows Station 0)
The full path of the service's executable file
The process ID (PID) the service is using
Whether the service will run in a shared process (Svchost.exe) or its own unique process
Whether the service is currently running (true) or not (false)
You can also create programs, either Windows Script Host (WSH) scripts or console applications, that retrieve information on services through WMI.
required. In Windows Server 2003 and Windows XP, services can run under the LocalSystem account or under either the Local Service account or the Network Service account, both of which have limited rights and permissions on the local computer, roughly equivalent to those possessed by Authenticated Users. Additionally, Local Service is unable to authenticate to other computers and thus can be used only with console-bound services. When a service running under Network Service needs to interact with another computer, it authenticates using the computer's account. In Windows Server 2003, 21 services were moved from running under LocalSystem to running under Local Service or Network Service to be more secure by default. In Windows Server 2003, Windows 2000, and Windows XP, you can also run a service in the security context of a user account. If you run a service under the security context of a user account, the password for the account is stored as a Local Security Authority (LSA) secret. If a computer is compromised and the attacker gains Administrator or System access, the attacker can retrieve LSA secrets, including the user names and passwords of service accounts. Therefore, if you run services under the security context of a user account, always use a local user account. If the computer is compromised and the LSA secrets exposed, the attacker will not gain domain credentials; this significantly minimizes the impact of the security incident. This is especially true of service accounts that require elevated privileges. In addition, do not use the same password for all service accounts, because the compromise of one of the accounts could lead to a greater network compromise.
Warning Microsoft strongly recommends that services that run in an elevated security context, such as LocalSystem, not be allowed to interact with the desktop. The desktop that runs in Windows Station 0 is the security boundary of any computer running the Windows operating system. Any application running on the interactive desktop can interact with any window on the interactive desktop, even if that window is not displayed on the desktop. This is true for every application, regardless of the security context of the application that creates the window and the security context of the application running on the desktop. The Windows message system does not allow an application to determine the source of a window message. Because of this, any service that opens a window on the interactive desktop exposes itself to applications that are executed by the logged-on user. If the service tries to use window messages to control its functionality, the logged-on user can disrupt that functionality by using malicious messages. This class of attack is commonly known as a shatter attack. An example of a vulnerability in an application that interacts with the desktop is given in Microsoft Security Bulletin MS04-019, which resolved a vulnerability in the Utility Manager in Microsoft Windows NT 4.0 and later. Before this patch was installed, an attacker could escalate his privilege on a computer to LocalSystem by exploiting the vulnerability discussed in the security bulletin.
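Checking those settings across a computer's service configuration, as an added example (Python; not code from the chapter): it reads a .reg export of HKLM\SYSTEM\CurrentControlSet\Services and reports enabled services that combine LocalSystem with desktop interaction or that run under a domain account. The Start, Type, ImagePath and ObjectName value names are the real registry values; the service names, paths and the CORP\svc_backup account in the sample export are constructed.

```python
import re

# Startup values stored in each service's Start value (as listed in the chapter).
START_VALUES = {0x1: "System Start", 0x2: "Automatic", 0x3: "Manual", 0x4: "Disabled"}
# Bit of the registry Type value that marks a service as able to interact with the desktop.
SERVICE_INTERACTIVE_PROCESS = 0x100
# Built-in service accounts; their LSA secrets hold no reusable domain password.
BUILTIN_ACCOUNTS = {"localsystem", "nt authority\\localservice", "nt authority\\networkservice"}

# Constructed sample export of HKLM\SYSTEM\CurrentControlSet\Services; the
# service names, paths and the CORP\svc_backup account are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAgent]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Example\\agent.exe"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleBackup]
"Type"=dword:00000010
"Start"=dword:00000003
"ImagePath"="C:\\Program Files\\Example\\backup.exe"
"ObjectName"="CORP\\svc_backup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleLegacy]
"Type"=dword:00000020
"Start"=dword:00000004
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"ObjectName"="NT AUTHORITY\\NetworkService"
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"(\w+)"="(.*)"$')


def parse_services_reg(text):
    """Parse a .reg export of the Services key into {service: {value name: data}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        if line.startswith("["):
            current = None            # a subkey such as Parameters, not a service
            continue
        if current is None:
            continue
        dword, string = DWORD_RE.match(line), STRING_RE.match(line)
        if dword:
            current[dword.group(1)] = int(dword.group(2), 16)
        elif string:
            # .reg files escape backslashes and quotes with a backslash.
            current[string.group(1)] = re.sub(r"\\(.)", r"\1", string.group(2))
    return services


def review_service(cfg):
    """Findings for one service; a disabled service contributes nothing."""
    if cfg.get("Start") == 0x4:
        return []
    findings = []
    account = cfg.get("ObjectName", "LocalSystem")   # a missing ObjectName means LocalSystem
    if cfg.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS and account.lower() == "localsystem":
        findings.append("interacts with the desktop while running as LocalSystem")
    if account.lower() not in BUILTIN_ACCOUNTS:
        # Local accounts are written as .\user; anything else is treated as a
        # domain account whose password is kept as an LSA secret on this computer.
        if account.partition("\\")[0] != ".":
            findings.append("runs under domain account " + account)
    return findings


def review_services(text):
    """Map each service to (startup mode, findings)."""
    return {name: (START_VALUES.get(cfg.get("Start"), "Unknown"), review_service(cfg))
            for name, cfg in parse_services_reg(text).items()}


if __name__ == "__main__":
    for name, (mode, findings) in review_services(SAMPLE_REG).items():
        print(name, mode, "; ".join(findings) or "no findings")
```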
Service Permissions
Full Name                      Description
SERVICE_ALL_ACCESS             Grants full control over the service
SERVICE_QUERY_CONFIG           Allows the service configuration to be viewed
SERVICE_CHANGE_CONFIG          Allows the service configuration to be modified
SERVICE_QUERY_STATUS           Allows the SCM to be queried for the status of a service
SERVICE_ENUMERATE_DEPENDENTS   Allows the dependent services to be displayed
SERVICE_START                  Allows the service to be started
SERVICE_STOP                   Allows the service to be stopped
SERVICE_PAUSE_CONTINUE         Allows the service to be paused and resumed
SERVICE_INTERROGATE            Allows the service to respond to status queries
SERVICE_USER_DEFINED_CONTROL   Allows for special instructions to be given to the service
DELETE                         Allows the service to be deleted
READ_CONTROL                   Allows the DACL of the service to be viewed
WRITE_DAC                      Allows the DACL of the service to be modified
WRITE_OWNER                    Allows the owner of the service to be modified
You must know the full name of the service to read the permissions for it when using the Subinacl.exe utility. The following listing shows how to use Subinacl.exe to read permissions on a service in Windows XP:
+Service netlogon
/owner             =system
/primary group     =system
/audit ace count   =1
/apace =everyone   SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80
        SERVICE_ALL_ACCESS
/perm. ace count   =4
/pace =authenticated users   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\power users   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
        SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10 SERVICE_STOP-0x20 SERVICE_PAUSE_CONTINUE-0x40
        SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
Figure 9-2 shows the default permissions for the Net Logon service in Windows XP using the Security Templates MMC snap-in.
Figure 9-2
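Decoding and auditing service DACLs from that kind of Subinacl output, as an added example (Python; not code from the chapter or from the Subinacl tool): it parses the listing, ORs the hex value of each right into an access mask, names the rights using the Service Permissions table, and reports allow entries that give a broad principal the rights to reconfigure or take over a service. The netlogon entries are the chapter's; the examplesvc service, its Everyone entry and the list of broad principals are constructed assumptions.

```python
import re

# Access rights from the Service Permissions table (Win32 SERVICE_* and standard-rights constants).
SERVICE_RIGHTS = {
    "SERVICE_QUERY_CONFIG": 0x0001, "SERVICE_CHANGE_CONFIG": 0x0002,
    "SERVICE_QUERY_STATUS": 0x0004, "SERVICE_ENUMERATE_DEPENDENTS": 0x0008,
    "SERVICE_START": 0x0010, "SERVICE_STOP": 0x0020,
    "SERVICE_PAUSE_CONTINUE": 0x0040, "SERVICE_INTERROGATE": 0x0080,
    "SERVICE_USER_DEFINED_CONTROL": 0x0100, "DELETE": 0x10000,
    "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
}
SERVICE_ALL_ACCESS = 0xF01FF   # STANDARD_RIGHTS_REQUIRED | every service-specific right

# Rights that let a principal reconfigure the service or take over its DACL.
CONTROL_RIGHTS = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Broad, low-privilege principals to check (an assumed list for this example).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "builtin\\users", "builtin\\power users"}

# Constructed input: the chapter's Net Logon listing as Subinacl prints it,
# followed by a made-up "examplesvc" service with an over-permissive entry.
SAMPLE_OUTPUT = r"""+Service netlogon
/owner             =system
/primary group     =system
/audit ace count   =1
/apace =everyone   SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80 SERVICE_ALL_ACCESS
/perm. ace count   =4
/pace =authenticated users   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\power users   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
        SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10 SERVICE_STOP-0x20 SERVICE_PAUSE_CONTINUE-0x40
        SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
+Service examplesvc
/perm. ace count   =2
/pace =everyone   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
"""

ACE_HEADER_RE = re.compile(r"^/(?:pace|apace|aace)\s*=(.*)$")
RIGHT_RE = re.compile(r"^([A-Z_]+)(?:-0x([0-9A-Fa-f]+))?$")


def parse_subinacl_services(text):
    """Return {service: [(principal, ace_type, access_mask), ...]}."""
    services, current, ace = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+Service "):
            current, ace = line.split(" ", 1)[1], None
            services[current] = []
            continue
        header = ACE_HEADER_RE.match(line)
        if header and current is not None:
            words = header.group(1).split()
            # Principal names print in lowercase; rights tokens are uppercase.
            split = next((i for i, w in enumerate(words) if RIGHT_RE.match(w)), len(words))
            ace = [" ".join(words[:split]), "", 0]
            services[current].append(ace)
            tokens = words[split:]
        elif line.startswith("/") or ace is None:
            continue                  # owner, group and count lines
        else:
            tokens = line.split()     # continuation line of the current ACE
        for tok in tokens:
            m = RIGHT_RE.match(tok)
            if not m or m.group(1).endswith("_ACE_FLAG"):
                continue              # flags (and the odd 0x0x80 token) are not rights
            if m.group(1).endswith("_ACE_TYPE"):
                ace[1] = m.group(1)
            elif m.group(1) == "SERVICE_ALL_ACCESS":
                ace[2] |= SERVICE_ALL_ACCESS
            elif m.group(2) is not None:
                ace[2] |= int(m.group(2), 16)
    return {svc: [tuple(a) for a in lst] for svc, lst in services.items()}


def decode_mask(mask):
    """Set of right names (table names) present in an access mask."""
    return {name for name, bit in SERVICE_RIGHTS.items() if mask & bit}


def audit_service(aces):
    """Control rights granted by an allow ACE to a broad principal."""
    findings = []
    for principal, ace_type, mask in aces:
        if ace_type == "ACCESS_ALLOWED_ACE_TYPE" and principal in BROAD_PRINCIPALS:
            risky = sorted(CONTROL_RIGHTS & decode_mask(mask))
            if risky:
                findings.append((principal, risky))
    return findings


if __name__ == "__main__":
    for name, aces in parse_subinacl_services(SAMPLE_OUTPUT).items():
        print(name, audit_service(aces) or "no findings")
```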
service is turned off, the computer will not be able to receive administrative alerts, such as those from the Messenger service or Performance Monitor. This service should be disabled unless you use administrative alerts. It is disabled by default in Windows Server 2003 and Windows XP.
Windows Server 2003 and Windows XP Windows Firewall/Internet Connection Sharing (ICS). Stopping or disabling this service prevents Windows Firewall or ICS from working. You should set this service to start manually.
Assign, Publish, and Remove. This service processes requests to enumerate, install, and remove applications deployed over a corporate network. This service is called when you use Add or Remove Programs in Control Panel to install or remove an application when you are deploying software by Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate applications deployed by using Group Policy. This service should be set to Disabled unless you are installing applications through Group Policy. The service is started by the first call made to it; it does not terminate until you stop it manually or restart the computer.
ASP.NET State Service Part of Microsoft .NET Framework 1.1, which is installed by default in Windows Server 2003, this service provides support for out-of-process session states for ASP.NET applications running in Microsoft Internet Information Services (IIS) 6.0. If this service is stopped, out-of-process requests will not be processed. If you are not running ASP.NET applications on your server, this service can be disabled; by default it is set to start manually.
updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site (http://windowsupdate.microsoft.com). Automatic Updates is a default service in Windows Server 2003 and Windows XP and is added to Windows 2000 computers during the application of Windows 2000 Service Pack 3. You should enable this service to start automatically unless you have your own security update management solution. You can configure Automatic Updates by using System in Control Panel or by using Group Policy.
data to avoid interfering with other network connections. This service is available only in Windows Server 2003 and Windows XP and should be set to Manual because it is used by the Automatic Updates service to download security updates.
Certificate Services Creates, manages, and revokes X.509 certificates when Certificate Services is installed in Windows Server 2003 or Windows 2000 Server. This service should be set to start automatically if Certificate Services is being run on the server.
ClipBook Enables the ClipBook Viewer to create and share pages of data to be viewed by a remote computer using Network DDE (NetDDE), which is described later in this chapter. This service is turned off by default, and it is started only when a user starts the ClipBook Viewer application. If you disable this service, the local ClipBook will not be able to send or receive ClipBook data from remote computers, but the ClipBook will still function properly on the local computer. You should disable this service.
Cluster Service Operates the server cluster solutions in the Windows platform. This service is available only in Windows Server 2003, Enterprise Edition, and Windows 2000 Advanced Server and Datacenter Server with clustering or Network Load Balancing (NLB) installed. You can remove this service by removing clustering using Add or Remove Programs in Control Panel in Windows 2000.
COM components. If the service is turned off, the System Event Notification System (SENS) stops working; COM+ login and logoff notifications will not occur. Other COM+ Inbox applications, such as the Volume Snapshot service, will not work correctly. You should set this service to Manual, unless your COM+ components are installed on the computer.
based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, a COM+ application installed on the computer will not start. This service is available only in Windows Server 2003 and Windows XP and should be set to start manually, unless you install COM+ applications on computers on your organization's network.
and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. If you disable this service, the computer will no longer participate in browser elections and will not maintain a server list. You can safely disable this service on most clients and servers on networks that use computers that run only Windows 2000 and later versions of the operating system.
Service, which confirms the signatures of Windows files and Microsoft ActiveX components; Protected Root Service, which adds and removes trusted root Certification Authority certificates from the computer; and Key Service, which helps enroll the computer for certificates. If Cryptographic Services is stopped, the three management services will not function properly. You should set this service to start automatically. This service is available only in Windows Server 2003 and Windows XP.
addresses if the computer has network adapters configured to use the Dynamic Host Configuration Protocol (DHCP) to obtain TCP/IP information. It is also responsible for updating dynamic Domain Name System (DNS) servers. You should set this service to start automatically, unless you have statically configured IP addresses and information and do not require the automatic updating of DNS.
DHCP Server Uses DHCP to allocate IP addresses to DHCP clients and to allow the advanced configuration of network settings on them automatically, such as DNS servers and Windows Internet Name Service (WINS) servers. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically. This service is available only in Windows Server 2003 and Windows 2000 Server when the DHCP service is installed. You can remove this service by using Add or Remove Programs in Control Panel.
local area network (LAN) or wide area network (WAN). DFS is a distributed service that integrates disparate file shares into a single logical namespace. This service is available only in Windows Server 2003 and Windows 2000 Server when DFS is installed. It must be running on domain controllers.
Distributed Link Tracking (DLT) Client Maintains links between the NTFS file system files within a computer or across computers in a domain. The DLT Client service ensures that shortcuts and object linking and embedding (OLE) links continue to work after the target file is renamed or moved. If the DLT Client service is disabled, you will not be able to track links. Likewise, users on other computers will not be able to track links for documents on your computer. In a workgroup, you should disable this service because it is not used frequently. In a domain environment, you should use this service only if you frequently move files and folders on NTFS volumes.
Distributed Link Tracking (DLT) Server Stores information so that files moved between volumes can be tracked for each volume in the domain. The DLT Server service runs on each domain controller in a domain. This service enables the DLT Client service to track linked documents that have been moved to a location in another NTFS v5 (the version of NTFS used in Windows 2000 and later) volume in the same domain. If the DLT Server service is disabled, links maintained by the DLT Client service might be less reliable. You should disable this service unless you are using link tracking on your network.
uted across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers. The Distributed Transaction Coordinator is necessary if transactional components will be configured through COM+. This service is also required for transactional queues in Microsoft Message Queuing (MSMQ) and Microsoft SQL Server operations that span multiple systems. Disabling this service prevents these transactions from occurring. You should set this service to Disabled on all computers where it is not being used.
DNS Client Resolves and caches DNS names. The DNS Client service must be running on every computer that will perform DNS name resolution. The capability to resolve DNS names is crucial for locating domain controllers in Active Directory domains. Running the DNS Client service is also critical for enabling location of the devices identified by using DNS names. If the DNS Client service is disabled, your computers might not be able to locate the domain controllers of the Active Directory domains and Internet connections. You should set this service to start automatically unless you are certain that the computer will not require any host name resolution services.
DNS Server Enables DNS name resolution by answering queries and update requests for DNS names. This service is available only in Windows Server 2003 and Windows 2000 Server when DNS is installed. You can remove this service by using Add or Remove Programs in Control Panel.
Error Reporting Service In Windows Server 2003 and Windows XP, by default, when an application crashes, the user is prompted to report the incident, along with the crash-dump information. This information is sent to Microsoft for analysis. You can configure this service by using System in Control Panel. For example, you can define which applications should and should not send crash-dump information. To prevent this service from running, you must set it to Disabled. You should always set this service to Disabled unless you would like to report the information to Microsoft.
Event Log Logs event messages issued by programs and the Windows operating system. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. The Event Log service writes to log files the events sent by applications, services, and the operating system. If the Event Log service is disabled, you will not be able to track events, which reduces your ability to diagnose problems with your system quickly. In addition, you will not be able to audit security events. You cannot disable this service.
a workgroup to use fast-user switching to switch quickly between multiple active logon sessions. This feature was designed for home users and does not work when the computer is a member of a domain. You should disable this service.
Fax Service Enables you to send and receive faxes. This service is not installed by default and can be added and removed by using Add or Remove Programs in Control Panel.
multiple servers. File Replication is the automatic file replication service in Windows Server 2003 and Windows 2000. It is used to copy and maintain files on multiple servers simultaneously and to replicate the Windows 2000 system volume (SYSVOL) on all domain controllers. In addition, this service can be configured to replicate files among alternate targets associated with the fault-tolerant DFS. If this service is disabled, file replication will not occur and server data will not be synchronized. Stopping the File Replication service can seriously impair a domain controller's ability to function.
access files on a Windows-based server machine. If this service is turned off, Macintosh-based clients will not be able to view any NTFS shares. This service is not installed by default and can be removed by using Add or Remove Programs in Control Panel. You should remove this service if you are not sharing files with Macintosh-based clients.
the IIS console. Features include bandwidth throttling, use of security accounts, and extensible logging. You should remove this service if you are not running an FTP site. You can do so by using Add or Remove Programs in Control Panel.
Help and Support Enables the Help and Support application in Windows Server 2003 and Windows XP to provide dynamic help to users. If disabled, the Help and Support service application will not function.
HTTP SSL Service In Windows Server 2003, IIS uses this service to facilitate the creation and management of Secure Sockets Layer (SSL) sessions. Unless you have installed IIS and are running a Web site that requires SSL, you should disable this service.
Human Interface Devices Enables generic input access to the Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, the hot buttons it controls will no longer function. You should set this service to Disabled unless you use a custom keyboard or other input device for hotkey mappings. This service exists only in Windows Server 2003 and Windows XP.
IIS Admin Service Allows administration of IIS. If this service is not running, you will not be able to run Web, FTP, Network News Transfer Protocol (NNTP), or Simple Mail Transfer Protocol (SMTP) sites, and you will not be able to configure IIS. You should remove or disable this service if you will not be using the IIS Admin Web site to manage the Web components, such as IIS or FTP, on the computer. You can remove this service by using Add or Remove Programs in Control Panel.
2003 and Windows XP that are equipped with a CD-ROM drive to create CDs. You should disable this service on computers that do not have a CD-R or CD-RW drive and set the service to start manually on computers that do and that require burning CDs using this service. This service will start when you send files to a CD-R or CD-RW drive. This service is disabled in Windows Server 2003.
Indexing Service Indexes contents and properties of files on local and remote computers and provides rapid access to files through a querying language. The Indexing Service also enables quick searching of documents on local and remote computers as well as a search index for content shared on the Web. If this service is either stopped or disabled, all search functionality will be provided by traversing the folder hierarchy and scanning each file for the requested string. When the service is turned off, search response is typically much slower. You should disable this service on servers and set it to start automatically on workstations.
authorization, auditing, and accounting of users who are connecting to a network (LAN or remote) by using virtual private network (VPN) equipment, Remote Access Service (RAS), or 802.1x wireless and Ethernet/switch access points. IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol. If IAS is disabled or stopped, authentication requests will fail over to a backup IAS server, if one is available. If none of the other backup IAS servers are available, users will not be able to connect. This service only appears in the Services list in Windows Server 2003 and Windows 2000 Server when IAS is installed. You should remove this service on computers that are not RADIUS servers, proxies, or clients by using Add or Remove Programs in Control Panel.
addressing, and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection in Windows 2000. This service is available only in Windows 2000 and should be disabled unless the computer will be used as a gateway to another network.
Windows server sites. This service is used for mail-based replication between sites. The Active Directory directory service includes support for replication between sites by using SMTP over IP transport. If you are not using the SMTP service in IIS, you should remove this service by using Add or Remove Programs in Control Panel, unless the computer is a domain controller that uses SMTP for intersite replication.
(IPSec) policy, including the Internet Key Exchange (IKE) protocol, and coordinates IPSec policy settings with the IP security driver. If you know you will not be using IPSec, you should set this service to manual startup. Otherwise, you should set this service to start automatically.
Kerberos Key Distribution Center Enables users to log on to the network using the Kerberos v5 authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the domain and access services when using that domain controller for authentication. This service exists only on Windows Server 2003 and Windows 2000 Active Directory domain controllers.
License Logging Tracks Client Access License usage for server products, such as IIS, Terminal Services, and File and Print Services, as well as products such as SQL Server and Microsoft Exchange Server. If this service is disabled, licensing for these programs will work properly, but usage will no longer be tracked. This service is available only in Windows Server 2003 and Windows 2000 Server and should be disabled unless you are tracking license usage.
Logical Disk Manager Watches Plug and Play events for new drives to be detected and passes volume and/or disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management MMC snap-in display will not change when disks are added or removed. This service should not be disabled if dynamic disks are in the system. You should set this service to start manually.
for disk management requests. This service is started only when you configure a drive or partition or when a new drive is detected. This service does not run by default, but it is activated whenever dynamic disk configuration changes occur or when the Disk Management MMC snap-in is open. The service starts, completes the configuration operation, and then exits. You should set this service to start manually.
for creating distributed messaging applications for the Windows operating system. Microsoft Message Queuing (MSMQ) provides guaranteed message delivery, efficient routing, security, support for sending messages within transactions, and priority-based messaging. Disabling MSMQ affects a number of other services, including COM+ Queued Component (QC) functionality, some parts of Windows Management Instrumentation (WMI), and the MSMQ Triggers service. If you are not using a message queue on the computer, you should remove the Message Queuing service by using Add or Remove Programs in Control Panel.
This service also sends and receives messages transmitted by administrators or the Alerter service. If disabled, Messenger notifications cannot be sent to or received from the computer or from users currently logged on, and the NET SEND and NET NAME commands will no longer function. You should disable this service unless you have applications that send administrative alerts, such as uninterruptible power supply (UPS) software or print notifications. The Messenger service is disabled by default in Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2.
shadow copies taken by the Volume Shadow Copy service in Windows Server 2003 and Windows XP. If this service is stopped, software-based volume shadow copies cannot be managed. You should disable this service unless you are using volume shadow copies to archive data, in which case the service should be set to manual.
computers in a domain. This service is started automatically when the computer is a member of a domain. It is used to maintain a secure channel to a domain controller for use by the computer in the authentication of users and services running on the computer. In the case of a domain controller, the Net Logon service handles the registration of the computer's DNS names specific to domain controller locator discoveries. On domain controllers, the service enables passthrough authentication for other domain controllers by forwarding passthrough authentication requests to the destination domain controller, where the logon credentials are validated. If this service is turned off, the computer will not operate properly in a domain. Specifically, it can deny NT LAN Manager (NTLM) authentication requests and, in the case of a domain controller, will not be discoverable by client machines. You should set this service to start automatically for all domain members and manually for nondomain members. If you set it to start manually, you will need to start this service before joining a non-domain-joined computer to the domain.
Windows desktop remotely from another PC over a corporate intranet by using Microsoft NetMeeting. The service must be explicitly enabled by NetMeeting and can be disabled in NetMeeting or shut down by using the notification area icon. Disabling the service unloads the NetMeeting display driver used for application sharing. You should disable this service unless you are using NetMeeting for business needs.
tions folder, in which you can view both network and remote connections. This service takes care of network configuration (client side) and displays the status in the notification area on the desktop (the area on the taskbar to the right of the taskbar buttons). You can also access configuration parameters through this service. Disabling this service will prevent you from configuring your LAN settings and domain members from receiving group policies. You should set this service to start manually.
Network DDE Provides network transport and security for dynamic data exchange (DDE) by applications running on the same computer or on different computers. This service is not started by default, and it is started only when invoked by an application that uses Network DDE (NetDDE), such as Clipbrd.exe or DDEshare.exe. If you disable the service, any application that depends on NetDDE will time out when it tries to start the service. You should disable this service unless you use NetDDE-enabled applications.
Network DDE DSDM Manages shared dynamic data exchange and is used only by Network DDE to manage shared DDE conversations. You should disable this service unless you use NetDDE-enabled applications.
and location information and notifies applications when this information changes. Disabling this service will prevent Windows Firewall from working. You should set this service to start manually.
server. If the service is off, client computers will not be able to connect and read or retrieve posts. You should remove this service by using Add or Remove Programs in Control Panel if you are not running an NNTP server.
authentication credentials by calling through the NTLM Security Support Provider (SSP). If this service is stopped, users will not be able to log on to applications that call the NTLM SSP. Most applications do not call this SSP directly. You should set this service to start manually.
Performance Logs and Alerts Configures performance logs and alerts. This service is used to collect performance data automatically from local or remote computers that have been configured by using the Performance Logs and Alerts snap-in. If the service is stopped by a user, all currently running data collections will terminate and no scheduled collections will occur. You should set this service to Disabled unless you are monitoring the performance of a server by using the Performance Logs and Alerts MMC snap-in.
Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. With Plug and Play, a user can add or remove devices without any intricate knowledge of computer hardware and without being forced to manually configure hardware or the operating system. Disabling this service will prevent the computer from starting. You should set this service to start automatically.
Server 2003 or Windows XP to retrieve information about portable music players attached to the computer as part of the Digital Rights Management (DRM) features. You should disable this service on computers that will not be used with portable music devices, such as MP3 players.
print spooler located on a computer running Windows Server 2003 or Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients. If the computer does not have a printer used by Macintosh-based clients, you should remove this service by using Add or Remove Programs in Control Panel.
Print Spooler Queues and manages print jobs locally and remotely. The print spooler is the heart of the Windows printing subsystem and controls all printing jobs. This service manages the print queues on the system and communicates with printer drivers and I/O components. If the Print Spooler service is disabled, you will not be able to print and other users will not be able to print to a printing device attached to your computer. You should set this service to Automatic, unless you are certain that no one will be printing to or from the computer. If users will not be printing to or from the computer, you should set this service to Disabled.
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Protected Storage (P-Store) is a set of software libraries that allows applications to fetch and retrieve security and other information from a personal storage location, hiding the implementation and details of the storage itself. The storage location provided by this service is not secure or protected from modification. P-Store uses the Hash-Based Message Authentication Code (HMAC) and the SHA1 cryptographic hash function to encrypt the user's master key. This component requires no configuration. Disabling it will make information protected with this service inaccessible to you. P-Store is an earlier service that has been supplanted by the Data Protection API (DPAPI), which is currently the preferred service for protected storage. You should set this service to start automatically. Microsoft Internet Explorer stores Autocomplete forms, user names, passwords, and URL histories in P-Store.
QoS Admission Control (RSVP) Provides network signaling and local traffic-control setup functionality for Quality of Service-aware programs and control applets. You should set this service to start manually.
QoS RSVP Invoked when an application uses the Generic Quality of Service (GQoS) API to request a specific quality of service on the end-to-end connection it uses. If disabled, QoS is not guaranteed to the application. The application must then decide whether to accept best-effort data transmission or refuse to run. You should set this service to start manually.
work whenever a program references a remote DNS or NetBIOS name or address. This service detects an attempt to resolve the name of a remote computer or share or an unsuccessful attempt to send packets to a remote computer or share. The service brings up a dialog box that offers to make a dial-up or VPN connection to the remote computer. Disabling the service has no effect on the rest of the operating system. You should disable this service unless you have a specific reason to use it.
vice manages the actual work of connecting, maintaining, and disconnecting dial-up and VPN connections from your computer to the Internet or other remote networks. Double-clicking a connection in the Network and Dial-Up Connections folder and selecting the Dial button generates a work request for this service that is queued with other requests for creating or destroying connections. This service will unload itself when no requests are pending. In practice, however, the Network and Dial-Up Connections folder calls on this service to enumerate the set of connections and to display the status of each one. So, unless the Network and Dial-Up Connections folder contains no connections, the service will always be running. The service cannot be disabled without breaking other portions of the operating system, such as the Network and Dial-Up Connections folder. You should set this service to Manual, unless you are certain that you will not be using remote access connections, in which case you should disable the service.
Remote Desktop Help Session Manager Manages and controls the Remote Assistance feature in Windows Server 2003 and Windows XP. If this service is stopped or disabled, Remote Assistance will be unavailable. You should disable this service unless your organization uses the Remote Assistance feature, in which case you should set the service to start manually.
Remote Installation (Boot Information Negotiation Layer (BINL) in Windows 2000) Enables you to install Windows Server 2003, Windows 2000, and Windows XP on computers equipped with pre-execution-compatible network interface cards. The BINL service is the primary component of Remote Installation Services (RIS). If BINL is no longer needed on the system, you can discontinue its use by using the Add/Remove Windows Components option in Control Panel to remove the RIS component. If turned off, RIS will not allow client machines to install the operating system remotely. This service is available in Windows Server 2003 and Windows 2000 Server only when RIS is installed.
Remote Procedure Call (RPC) Provides the RPC endpoint mapper and other miscellaneous RPC services. If this service is turned off, the computer will not boot. You should set this service to start automatically.
Remote Procedure Call (RPC) Locator Provides the name services for RPC clients. This service helps locate RPC servers that support a given interface (also known as an RPC named service) within an enterprise. This service is turned off by default. Note that no operating system component uses this service, although some applications might. You should set this service to start manually.
Remote Registry Allows remote registry manipulation. This service lets users connect to a remote registry and read and/or write keys to it, provided they have the required permissions. This service is usually used by remote administrators and performance monitor counters. If disabled, the service doesn't affect registry operations on the computer on which it runs; therefore, the local system will run in the same manner. Other computers or devices will no longer be able to connect to this computer's registry. You must be running this service to use some patch management tools, such as Microsoft Baseline Security Analyzer (MBSA). You should set this service to start automatically.
Remote Storage Engine Migrates infrequently used data to tape. This service leaves a marker on disk, allowing the data to be recalled automatically from tape if you attempt to access the file. If you are not using remote storage, you should remove or disable this service. Otherwise, you should set it to start manually.
Remote Storage File Manages operations on remotely stored files. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.
Remote Storage Media Controls the media used to store data remotely. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.
Remote Storage Notification Enables Remote Storage to notify you when you have accessed an offline file. Because it takes longer to access a file that has been moved to tape, Remote Storage will notify you if you are attempting to read a file that has been migrated and will allow you to cancel the request. If this service is turned off, you will not receive any additional notification when you try to open offline files. Nor will you be able to cancel an operation that involves an offline file. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.
Removable Storage Manages removable media drives and libraries. This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs, and so on. This service is used by features such as Backup and Remote Storage to handle media cataloging and automation. This service stops itself when there is no work to do. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should disable this service.
Resultant Set of Policy Provider This service enables you to connect to a Windows Server 2003 domain controller, access the WMI database for that computer, and simulate Resultant Set of Policy (RSoP) for Group Policy settings that would be applied to a user or computer located in Active Directory in a Windows 2000 or later domain. You should set this service to Disabled and enable it only when using RSoP.
Routing and Remote Access Offers routing services in LAN and WAN environments, including VPN services. If this service is turned off, incoming remote access and VPN connections, dial-on-demand connections, and routing protocols will not be available. In a routing context, Routing and Remote Access Service (RRAS) drives the TCP/IP stack-forwarding engine. The forwarding code can be enabled outside the service for various reasons, most notably Internet Connection Sharing (ICS). You should set this service to Disabled.
Secondary Logon (RunAs Service in Windows 2000) Allows you to run specific tools and programs with different permissions than your current logon provides. You should set this service to start automatically.
Security Accounts Manager Startup of this service signals to other services that the Security Accounts Manager (SAM) subsystem is ready to accept requests. This service should not be disabled. Doing so will prevent other services in the system from being notified when the SAM is ready, which can in turn cause those services to not start correctly.
Server Provides RPC support, file and print sharing, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. You should set this service to start automatically.
hardware events, such as the insertion of CD-ROM disks or USB storage devices. You should disable this service on servers and set it to start automatically on workstations. This service is not available in Windows 2000.
Simple Mail Transfer Protocol (SMTP) Transports e-mail across the network. The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. The Collaboration Data Objects (CDO) for Windows Server 2003 or Windows 2000 COM components can use the SMTP service to submit and queue outbound e-mail. If you are not using this service, you should remove it by using Add or Remove Programs in Control Panel.
tion Services (RIS). The Single Instance Storage Groveler is installed only when you add the RIS component from Add or Remove Windows Components in Control Panel or select it when initially installing the operating system. If the service is turned off, RIS installation images will expand to their full image size and you will not be able to conserve space on the hard drive. You should remove the RIS service by using Add or Remove Programs in Control Panel if the computer is not a RIS server.
Site Server ILS Service As part of IIS, this service scans TCP/IP stacks and updates directories with the most current user information. Windows 2000 is the last version of the operating system to support the Site Server Internet Locator Service (ILS). You should remove this service by using Add/Remove Programs in Control Panel if you are not using it on your Web server.
Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. The Smart Card service is based on Personal Computer/Smart Card (PC/SC) consortium standards for accessing information on smart card devices. Disabling the Smart Card service will result in a loss of smart card support in the system. You should set this service to Disabled unless the computer uses smart cards for authentication, in which case you should set the service to start manually.
Smart Card Helper Provides support for earlier smart card readers attached to the computer. This component is designed to provide enumeration services for the Smart Card service so that earlier non-Plug and Play smart card reader devices can be supported. Turning off this service will remove support for non-Plug and Play readers. You should set this service to Disabled unless the computer uses smart cards for authentication, in which case you should set the service to start manually.
(SNMP) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation. If the service is turned off, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools, the tools will not be able to collect data from the computer or control its functionality using SNMP. If you are not monitoring the computer with SNMP, you should remove this service by using Add or Remove Programs in Control Panel.
SNMP Trap Service Receives SNMP trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer. If the service is turned off, SNMP applications will not receive SNMP traps that they are registered to receive. If you are using a computer to monitor network devices or server applications through SNMP traps, you might miss significant system occurrences. If you are not monitoring the computer with SNMP, you should remove this service by using Add or Remove Programs in Control Panel.
SSDP Discovery Service Enables the discovery of Universal Plug and Play (UPnP) devices in Windows XP. You should set this service to Disabled, unless you actively use UPnP devices on your network.
Still Image Service Loads necessary drivers for imaging devices (such as scanners and digital still-image cameras), manages events for those devices and associated applications, and maintains device state. The service is needed to capture events generated by imaging devices (such as button presses and connections). If the service is not running, events from the imaging devices connected to the computer will not be captured and processed. This service should be disabled unless digital images are downloaded on the computer from digital imaging devices.
System Event Notification Tracks system events, such as Windows logon, network events, and power events, and notifies COM+ Event System subscribers of these events. System Event Notification System (SENS) is started automatically and depends on the COM+ Event System service. Disabling this service has the following effects:
- The Win32 APIs IsNetworkAlive() and IsDestinationReachable() will not work well. These APIs are mostly used by mobile applications and portable computers.
- SENS interfaces do not work properly. In particular, SENS Logon/Logoff notifications will not work.
- The Work Offline notification will not work. Internet Explorer 5.0 or later uses SENS on portable computers to trigger when the user goes offline or online (by triggering the Work Offline prompt).
- SyncMgr (Mobsync.exe) will not work properly. SyncMgr depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications from SENS.
- COM+ Event System will try to notify SENS of some events but will not be able to.
System Restore Service Performs the automated backup and restore of a core set of specified system and application file types (for example, .exe, .dll) that cannot be changed in Windows XP. System Restore Service does not back up any user data. You can configure System Restore Service by using System in Control Panel. You should set this service to start automatically, unless you are certain that you will not be using it.
allows you to perform automated tasks on a chosen computer. Task Scheduler is started each time the operating system is started. If Task Scheduler is disabled, jobs that are scheduled to run will not run at their designated time or interval. You should set this service to start manually.
TCP/IP NetBIOS Helper Enables support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. This service is an extension of the kernel-mode NetBT. It should be considered an integral part of NetBT, rather than a normal service. This service does two things for NetBT, which cannot be done in kernel mode:
- Performs DNS name resolution
- Pings a set of IP addresses and returns a list of reachable IP addresses
If this service is disabled, NetBT's clients, including the Workstation, Server, Netlogon, and Messenger services, could stop responding. As a result, you might not be able to share files and printers, you might not be able to log on, and Group Policy will no longer be applied. You should set this service to start automatically.
Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and through the LAN on servers that are running the service. If no other dependent service is running and you stop the Telephony service, it will be restarted when any application makes an initialization call to the TAPI interface. If the service is disabled, any device that depends upon it will not be able to run. You should set this service to start manually.
Telnet Allows a remote user to log on to the system and run console programs by using the command line. A computer running the Telnet service can support connections from various TCP/IP telnet clients. You should disable this service unless you use the Telnet service to manage your computer.
devices to access a virtual interactive logon to a computer running Windows Server 2003, Windows XP, or Windows 2000 Server. Terminal Services allows multiple users to be connected interactively to the computer in their own isolated session. You should set this service to start automatically unless you are certain that you will not be using Windows Terminal Services, Remote Desktop, Fast-User Switching, or Remote Assistance, in which case you can disable this service.
Terminal Services Licensing Installs a license server and provides registered client licenses when connecting to a Windows Server 2003 or Windows 2000 terminal server. If this service is turned off, the server will be unavailable to issue terminal server licenses to clients when they are requested. If another license server is discoverable on a domain controller in the forest, the requesting terminal server will attempt to use it. You should remove this service by using Add or Remove Programs in Control Panel.
Services to allow client devices to access and reconnect to virtual Windows desktop sessions in Windows Server 2003. This service is disabled by default and should be enabled only if the server is participating in a cluster to application terminal servers.
should set this service to start automatically. It is disabled by default in Windows Server 2003.
Trivial FTP Daemon Trivial File Transfer Protocol (TFTP) is an integral part of Remote Installation Services. To disable this service, uninstall RIS. Disabling the Trivial FTP Daemon service directly will cause RIS to malfunction. You should remove RIS by using Add or Remove Programs in Control Panel if the computer is not a RIS server.
ible power supply (UPS) connected to the computer by a serial port. If this service is turned off, communications with the UPS will be lost. You should disable this service unless you have a UPS device connection to the computer.
Universal Plug and Play Device Host Manages the operation of UPnP devices on the local computer. Disabling this service will prevent the use of UPnP devices; however, regular Plug and Play devices will continue to function normally. You should disable this service unless your network actively uses UPnP devices.
computers running Windows Server 2003 or Windows XP between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. Driver data is anonymously uploaded from customer computers to Microsoft and then used to help users find the drivers required for their systems. If users do not need to use Windows Update to locate updates to drivers, this service should be disabled.
Utility Manager Starts and configures accessibility tools from one window. Utility Manager allows faster access to some accessibility tools and displays the status of the tools or devices that it controls. This service saves users time because an administrator can designate that certain features start when the Windows operating system starts. Utility Manager includes three built-in accessibility tools: Magnifier, Narrator, and On-Screen Keyboard. You should disable this service if you are not going to use it.
Virtual Disk Service Provides a single interface for managing block storage virtualization whether done in operating system software, redundant array of independent disks (RAID) storage hardware subsystems, or other virtualization engines. You should disable this service unless you require its features.
Volume Shadow Copy Manages and implements Volume Shadow copies used for backup and other purposes. This service is set to start manually and you should disable it only if you would like to disable Volume Shadow Copy functionality in Windows XP and Windows Server 2003.
to modify Internet-based or intranet-based files, including Web-Based Distributed Authoring and Versioning (WebDAV) extensions for HTTP. You should set this service to start manually except on servers where it should be disabled. It is disabled by default in Windows Server 2003.
audio devices. In Windows Server 2003, it is disabled by default, and in Windows XP it starts automatically.
and Internet connection sharing in Windows Server 2003 and Windows XP. You should configure this service to start automatically on computers that will be using Windows Firewall or ICS.
Windows Image Acquisition (WIA) Manages the retrieval of images from digital cameras and scanners from devices attached to computers that run Windows Server 2003 or Windows XP. You should set this service to Disabled unless you use these devices on computers. It is disabled by default in Windows Server 2003.
tions contained in .msi files provided with the applications. If disabled, the installation, removal, repair, and modification of applications that make use of the Windows Installer will fail. You should set this service to start manually.
Presence of the WINS server(s) is crucial for locating the network resources identified by using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory, all computers on the network are running Windows 2000, and you no longer have applications that rely on NetBIOS to locate other computers or users. If you are not running a WINS server on the computer, you should remove this service by using Add or Remove Programs in Control Panel.
information. WMI is an infrastructure for building management applications and instrumentation. WMI provides access to the management data through a number of interfaces, including COM API, scripts, and command-line interfaces. If this service is turned off, WMI information will be unavailable and Group Policy might not be applied correctly. You should leave this service to start automatically.
that have registered WMI information to publish. If the service is turned off, clients cannot access the WMI information published by drivers. However, if the WMI APIs detect that the service is not running, the APIs will attempt to restart the service.
Windows Time Sets the computer clock. Windows Time (W32Time) maintains date and time synchronization on all computers running on a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests. The implementation of NTP and the integration of time providers make W32Time a reliable and scalable time service for enterprise administrators. For computers not joined to a domain, W32Time can be configured to synchronize time with an external time source. If this service is turned off, the time setting for local computers will not be synchronized with any time service in the Windows domain or with an externally configured time service. You should set this service to start automatically.
WinHTTP Web Proxy Auto-Discovery Service Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol that enables an HTTP client to discover a proxy configuration automatically. This service, available only in Windows Server 2003, should be disabled unless its functionality is specifically required.
802.11 wireless network adapters in Windows Server 2003 and Windows XP. You should set this service to start automatically unless you will not be using wireless network adapters on the computer, in which case, you should disable the service.
WMI HiPerf providers. The service, available only in Windows Server 2003, is a manual service and is not running by default. You should allow this service to start manually.
station service is a user-mode wrapper for the Microsoft Networks redirector. The service loads and performs configuration functions for the redirector, provides support for making network connections to remote servers, provides support for the Windows Network (WNet) APIs, and furnishes redirector statistics. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks.
World Wide Web Publishing Service Provides HTTP services for applications on the Windows platform. The service depends on the IIS administration service and kernel TCP/IP support. If this service is turned off, the operating system will no longer be able to act as a Web server. See also the IIS Admin Service entry in this list.
Best Practices
Disable unused services.
For computers running Windows Server 2003, Windows 2000, and Windows XP, carefully evaluate which services are required to support your organization's software applications. Disable any services you are certain you will not need, to minimize the potential attack surface of the computer. These are the recommended minimum services to run:
Service                                                 Setting
COM+ Event System                                       Manual
DHCP Client                                             Automatic (if needed)
DNS Client                                              Automatic
Event Log                                               Automatic
Logical Disk Manager                                    Automatic
Logical Disk Manager Administrative Service             Manual
Net Logon                                               Automatic
Network Connections                                     Manual
Performance Logs and Alerts                             Manual
Plug and Play                                           Automatic
Protected Storage                                       Automatic
Remote Procedure Call (RPC)                             Automatic
Remote Registry                                         Automatic (required for Microsoft Baseline Security Analyzer)
Security Accounts Manager                               Automatic
Server                                                  Automatic
System Event Notification                               Automatic
TCP/IP NetBIOS Helper                                   Automatic
Windows Management Instrumentation (WMI)                Automatic
Windows Management Instrumentation Driver Extensions    Manual
Windows Time (W32Time)                                  Automatic
Workstation                                             Automatic
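The following script is an added example, not part of the book, that audits a computer's service start modes against the recommended minimum table above and lists every deviation. It keys the baseline on the display names as the book prints them; those names, the use of Win32_Service through Get-WmiObject (so that it also runs on Windows PowerShell 2.0), and the function name are this example's assumptions.

```powershell
# Added example (not from the book): audit service start modes against the
# chapter's recommended minimum services and report what needs attention.
# Win32_Service reports StartMode as "Auto", "Manual" or "Disabled".
# Display names are assumed to match the book's table; confirm them with
# 'sc query' on your own build, since names can differ between OS versions.

$Baseline = @{
    'COM+ Event System'                                    = 'Manual'
    'DHCP Client'                                          = 'Auto'    # "if needed"
    'DNS Client'                                           = 'Auto'
    'Event Log'                                            = 'Auto'
    'Logical Disk Manager'                                 = 'Auto'
    'Logical Disk Manager Administrative Service'          = 'Manual'
    'Net Logon'                                            = 'Auto'
    'Network Connections'                                  = 'Manual'
    'Performance Logs and Alerts'                          = 'Manual'
    'Plug and Play'                                        = 'Auto'
    'Protected Storage'                                    = 'Auto'
    'Remote Procedure Call (RPC)'                          = 'Auto'
    'Remote Registry'                                      = 'Auto'    # required by MBSA
    'Security Accounts Manager'                            = 'Auto'
    'Server'                                               = 'Auto'
    'System Event Notification'                            = 'Auto'
    'TCP/IP NetBIOS Helper'                                = 'Auto'
    'Windows Management Instrumentation'                   = 'Auto'
    'Windows Management Instrumentation Driver Extensions' = 'Manual'
    'Windows Time'                                         = 'Auto'
    'Workstation'                                          = 'Auto'
}

function Get-ServiceBaselineReport {
    param(
        [string]$ComputerName = '.',          # local computer by default
        [hashtable]$Expected = $Baseline
    )
    $services = @(Get-WmiObject -Class Win32_Service -ComputerName $ComputerName)
    $report = New-Object System.Collections.ArrayList
    $seen = @{}

    foreach ($svc in $services) {
        $want = $Expected[$svc.DisplayName]   # hashtable keys are case-insensitive
        if ($want) {
            $seen[$svc.DisplayName] = $true
            $status = if ($svc.StartMode -eq $want) { 'OK' } else { 'DEVIATION' }
        } elseif ($svc.StartMode -eq 'Disabled') {
            $status = 'OK'                    # outside the minimum set and already off
            $want = 'Disabled'
        } else {
            # Enabled but not in the minimum set: confirm an application needs it
            $status = 'REVIEW'
            $want = 'Disabled unless required'
        }
        [void]$report.Add((New-Object PSObject -Property @{
            Status = $status; DisplayName = $svc.DisplayName; Name = $svc.Name
            StartMode = $svc.StartMode; Expected = $want; State = $svc.State
        }))
    }

    # Baseline services that are not installed at all (for example, a removed component)
    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [void]$report.Add((New-Object PSObject -Property @{
                Status = 'MISSING'; DisplayName = $name; Name = '-'
                StartMode = '-'; Expected = $Expected[$name]; State = '-'
            }))
        }
    }

    $report | Select-Object Status, DisplayName, Name, StartMode, Expected, State
}

# Show only rows that need a decision. Change a start mode one service at a
# time (for example, Set-Service -Name <name> -StartupType Disabled) after
# checking the dependencies described in this chapter.
Get-ServiceBaselineReport |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, DisplayName |
    Format-Table -AutoSize
```

Pass -ComputerName to audit a remote computer; that requires the Remote Registry and WMI services on the target, which is why both stay in the recommended minimum.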
Additional Information
- Microsoft Windows Internals, Fourth Edition (Microsoft Press, 2005)
- Services on MSDN (http://msdn.microsoft.com/library/en-us/dllproc/base/services.asp)
- Knowledge Base article 288129: How to Grant Users Rights to Manage Services in Windows 2000 (http://support.microsoft.com/kb/288129)
- Knowledge Base article 325349: How to Grant Users Rights to Manage Services in Windows Server 2003 (http://support.microsoft.com/kb/325349)
- Knowledge Base article 327618: Security, Services, and the Interactive Desktop (http://support.microsoft.com/kb/327618)