Securing the Core Operating System: Chapter 8, Controlling Access to Data

The document discusses securing access to files, folders, and the registry in Windows operating systems. It describes how discretionary access control lists (DACLs) determine a principal's access to files and folders based on permissions set by the owner. It provides details on default permissions, controlling permissions through tools like Subinacl.exe, and how basic permissions map to specific access rights. The document also touches on encrypting files using EFS and best practices for access control.

Contents

Part III  Securing the Core Operating System

Chapter 8  Controlling Access to Data  139
    Securing File and Folder Permissions  139
    How DACLs Work  144
    Assigning DACLs at Creation  144
    How DACLs Are Handled When Files and Folders Are Copied or Moved  145
    Command-Line Tools  147
    Securing File and Folder Access by Using Share Permissions  151
    Using the Encrypting File System  152
    How EFS Works  153
    EFS Command-Line Tools  154
    Additional EFS Features in Windows Server 2003 and Windows XP  158
    Introduction to Designing a Data Recovery Agent Policy  160
    Securing Registry Permissions  162
    Configuring Registry Permissions  163
    Best Practices  164
    Additional Information  165

Managing Security for System Services  167
    Managing Service Permissions  167
    Configuring the Startup Value for a Service  169
    Stopping, Starting, Pausing, and Resuming Services  170
    Configuring the Security Context of Services  171
    Configuring the DACL for the Service  173
    Default Services in Windows Server 2003, Windows 2000, and Windows XP  175
    Best Practices  194
    Additional Information  195

Chapter 8

Controlling Access to Data


In this chapter:
    Securing File and Folder Permissions  139
    Using the Encrypting File System  152
    Securing Registry Permissions  162
    Best Practices  164
    Additional Information  165

In Microsoft Windows Server 2003, Windows 2000, and Windows XP, a security principal's level of access to files and folders is determined by NTFS file system permissions and, for network access, by share permissions. These permissions are discretionary: the owner of a file or folder, or anyone who holds the Change Permissions or Full Control permission on it, can assign access control at his or her discretion. A fresh installation of Windows Server 2003, Windows 2000, or Windows XP applies a default permission structure to the file system; you will usually need to alter these defaults to ensure that only the appropriate users have access to the files stored on the computer.

Securing File and Folder Permissions


All file and folder objects stored on an NTFS volume have security descriptors that control access to the object. A security descriptor includes a discretionary access control list (DACL) and a system access control list (SACL), in addition to information that identifies the object's owner. Figure 8-1 shows the contents of a security descriptor.

[Figure 8-1: Header, Owner SID, Group SID, DACL (list of ACEs), SACL (list of ACEs).]

Figure 8-1  Contents of a security descriptor

140

Part III: Securing the Core Operating System

DACLs owe their name to the fact that they can be configured at the discretion of the object's owner, or of any account that holds the Take Ownership, Change Permissions, or Full Control permission on the file system object. A DACL is stored inside the object's security descriptor, which consists of the elements described in Table 8-1.

Table 8-1  Elements of a Security Descriptor

    Element              Description
    Header               Revision and control flags, including metadata about the access control entries (ACEs) in the DACL, such as whether a DACL is present and whether it was built by automatic inheritance.
    SID (user)           The security identifier (SID) of the owner of the object.
    SID (group)          The SID of the primary group of the object's owner.
    Generic deny ACEs    ACEs that deny access to an account or security group, matched by that principal's SID. These ACEs can be inherited from the object's parent or assigned directly to the object.
    Generic allow ACEs   ACEs that allow access to an account or security group, matched by that principal's SID. These ACEs can be inherited from the object's parent or assigned directly to the object.

What Does Owning a Resource Mean?

The owner of a resource, such as a file or folder, is the account that ultimately determines the access control over that resource. The owner always retains the right to read and change the permissions on the resource: even if the owner is explicitly denied access, the owner can still modify the DACL to restore her access. File ownership is also used by the disk quota system in Windows Server 2003, Windows 2000, and Windows XP to calculate the amount of disk space charged to each tracked account, if disk quotas are enabled.

The default owner of the files and folders created during installation of Windows Server 2003, Windows 2000, and Windows XP is the built-in Administrators group; a user who creates a file or folder afterwards is the owner of anything she creates. Members of the Administrators group can always take ownership of files and folders on the local computer, even if NTFS permissions prohibit administrators from accessing the resource, because they hold the Take Ownership Of Files Or Other Objects user right. This ensures that files can be recovered by an administrator if a user leaves the company or if permissions are incorrectly configured and must be corrected.

When a member of the Administrators group takes ownership of a resource, the new owner is by default the Administrators group rather than the individual administrator. The security descriptor records only the resulting owner SID, not which administrator made the change; if you need that accountability, audit successful use of the Take Ownership permission on the resource through its SACL. When a user who is not a member of the Administrators group takes ownership of a resource, ownership is associated with her own account's SID.


Windows Server 2003 lets an administrator replace the owner of a file or folder with an arbitrary account in the graphical user interface. In Windows 2000 and Windows XP the user interface only lets you take ownership for yourself or for the Administrators group; to assign ownership to any other account you must use the command-line tool Subinacl.exe, and you must be a member of the Administrators group or hold the Restore Files And Directories user right on the computer. The syntax for replacing the owner of a file with Subinacl.exe follows:

    subinacl /file filename.ext /setowner=domain\newowner

You can use Subinacl.exe to configure permissions on the following items:

    Files
    Folders
    Registry keys
    Services
    Printers
    Kernel objects
    Shares
    IIS metabase entries

Subinacl.exe is a low-level utility and should be used with caution. For routine permission changes on files and folders, other tools such as Xcacls.exe and Cacls.exe are easier to use, although they do not offer nearly as many options as Subinacl.exe does.

You can define NTFS permissions at either the folder or the file level. For folders, you can assign the following standard permissions on the Security tab of the folder's properties page:

    Full Control
    Modify
    Read & Execute
    List Folder Contents
    Read
    Write


For individual files, these are the standard permissions:

    Full Control
    Modify
    Read & Execute
    Read
    Write

Standard NTFS permissions are compilations of several special permissions, including these:

Traverse Folder/Execute File  Traverse Folder allows or denies navigating through a folder to reach files or folders beneath it, even when the user has no permissions on the folder being traversed; it applies to folders only. Execute File allows or denies running program files and applies to files only. Setting the Traverse Folder permission does not automatically set the Execute File permission on the files in the folder. Additionally, by default the Everyone group is assigned the Bypass Traverse Checking user right, which prevents the Traverse Folder permission from being evaluated at all when a resource is accessed.

List Folder/Read Data  List Folder allows or denies viewing file names and subfolder names within the folder and applies to folders only. Read Data allows or denies viewing data in files and applies to files only.

Read Attributes  Allows or denies viewing the attributes of a file or folder, such as the Read-Only and Hidden attributes.

Read Extended Attributes  Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by specific programs.

Create Files/Write Data  Create Files allows or denies creating files within a folder. Write Data allows or denies making changes to a file and overwriting existing content.

Create Folders/Append Data  Create Folders allows or denies creating folders within a folder. Append Data allows or denies adding data to the end of a file without changing, deleting, or overwriting any existing data in the file.

Write Attributes  Allows or denies changing the attributes of a file or folder, such as the Read-Only and Hidden attributes.

Write Extended Attributes  Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by specific programs.

Delete Subfolders and Files  Allows or denies deleting subfolders and files when applied at a parent folder, even if the Delete permission has not been granted on the specific subfolder or file.

Delete  Allows or denies the deletion of a file or folder.

Read Permissions  Allows or denies reading the permissions assigned to a file or folder.

Change Permissions  Allows or denies modification of the permissions assigned to a file or folder.

Take Ownership  Allows or denies taking ownership of the file or folder.

Table 8-2 shows how, in Windows Server 2003, Windows 2000, and Windows XP, the special permissions map to the basic permissions.

Table 8-2  File and Folder Permissions Mapping in Windows Server 2003, Windows 2000, and Windows XP

    Special permission              Full Control  Modify  Read & Execute  List Folder Contents*  Read  Write
    Traverse Folder/Execute File         X           X          X                 X
    List Folder/Read Data                X           X          X                 X              X
    Read Attributes                      X           X          X                 X              X
    Read Extended Attributes             X           X          X                 X              X
    Create Files/Write Data              X           X                                                  X
    Create Folders/Append Data           X           X                                                  X
    Write Attributes                     X           X                                                  X
    Write Extended Attributes            X           X                                                  X
    Delete Subfolders and Files          X
    Delete                               X           X
    Read Permissions                     X           X          X                 X              X      X
    Change Permissions                   X
    Take Ownership                       X

* Permissions apply to folder objects only.


How DACLs Work


When a user attempts to access a file or folder on an NTFS partition, the user's access token is compared with the DACL of the file or folder. If no ACE corresponds to a SID in the user's access token, the user is implicitly denied access to the resource. If ACEs do correspond, they are evaluated in the following (canonical) order:

Explicit deny  An ACE applied directly to the resource that denies access. An explicit deny always overrides all other permissions.

Explicit allow  An ACE applied directly to the resource that grants access. An explicit allow always overrides an inherited deny but is always overridden by an explicit deny.

Inherited deny  An ACE inherited from the resource's parent object that denies access. An inherited deny overrides an inherited allow but is overridden by an explicit allow.

Inherited allow  An ACE inherited from the resource's parent object that grants access.

Evaluation stops as soon as every requested access right has been granted by allow ACEs, or as soon as a deny ACE is reached that covers a requested right that has not yet been granted. ACEs that apply to the user are cumulative, meaning that the user receives the sum of the ACEs that apply to his user account and to the groups of which he is a member. For example, if an access control list (ACL) contains two allow ACEs that apply to the user, one for Read access and the other for Write access, the user receives Read and Write access.

Caution  Because explicit allow ACEs override inherited deny ACEs, assign explicit permissions with care. For example, if the Sales_Managers group has been denied the Write permission on all files and folders in the d:\finance_audit folder but a user named Tom is granted Write permission on the d:\finance_audit\review\TPS.xls file, Tom will be able to modify TPS.xls even though he is a member of Sales_Managers, which is denied Write by inheritance.
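As an added example (not code from the book), the following Python models the evaluation order and the cumulative-allow rule described above, using the real ACCESS_MASK bit values from winnt.h so that the basic permissions of Table 8-2 can be expanded into their special permissions. The DACL for TPS.xls, the group names (which stand in for SIDs) and the users Tom and Ann are constructed from the Caution scenario; the model omits the owner's implicit rights and SYNCHRONIZE handling.

```python
from collections import namedtuple

# Special permissions: ACCESS_MASK bits from winnt.h
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0040, 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000

SPECIAL = {  # the rows of Table 8-2 (SYNCHRONIZE is implied and not listed there)
    FILE_EXECUTE: "Traverse Folder/Execute File", FILE_READ_DATA: "List Folder/Read Data",
    FILE_READ_ATTRIBUTES: "Read Attributes", FILE_READ_EA: "Read Extended Attributes",
    FILE_WRITE_DATA: "Create Files/Write Data", FILE_APPEND_DATA: "Create Folders/Append Data",
    FILE_WRITE_ATTRIBUTES: "Write Attributes", FILE_WRITE_EA: "Write Extended Attributes",
    FILE_DELETE_CHILD: "Delete Subfolders and Files", DELETE: "Delete",
    READ_CONTROL: "Read Permissions", WRITE_DAC: "Change Permissions", WRITE_OWNER: "Take Ownership",
}

# Basic permissions as the masks Windows writes into an ACE for them
READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
WRITE = READ_CONTROL | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | SYNCHRONIZE
READ_EXECUTE = READ | FILE_EXECUTE
FULL_CONTROL = 0x1F01FF
MODIFY = FULL_CONTROL & ~(WRITE_DAC | WRITE_OWNER | FILE_DELETE_CHILD)   # 0x1301BF

def special_permissions(mask):
    """Expand a basic permission into the Table 8-2 special permissions it contains."""
    return [name for bit, name in SPECIAL.items() if mask & bit]

Ace = namedtuple("Ace", "kind sid mask inherited")   # kind is "allow" or "deny"

def canonical(dacl):
    """Order ACEs as the text describes: explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda ace: rank[(ace.inherited, ace.kind)])

def access_check(dacl, token_sids, desired):
    """Walk the canonical DACL, skipping ACEs whose SID is not in the token.
    Allow ACEs accumulate the rights they grant; a deny ACE covering any
    still-ungranted right fails the whole request. No matching ACE (or an
    empty DACL) grants nothing, so the request fails."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

def tps_scenario():
    """Constructed DACL for d:\\finance_audit\\review\\TPS.xls from the Caution above."""
    write_special = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
    dacl = [
        Ace("allow", "Users", READ_EXECUTE, inherited=True),            # from the parent folders
        Ace("deny", "Sales_Managers", write_special, inherited=True),    # from d:\finance_audit
        Ace("allow", "Tom", WRITE, inherited=False),                     # explicit, on TPS.xls only
    ]
    # Same DACL, but with Tom's allow inherited (e.g. set on the review folder) rather than explicit
    dacl_inherited_tom = dacl[:2] + [Ace("allow", "Tom", WRITE, inherited=True)]
    tom = {"Tom", "Users", "Sales_Managers"}
    ann = {"Ann", "Users", "Sales_Managers"}
    return {
        "tom_write": access_check(dacl, tom, FILE_WRITE_DATA),
        "tom_write_if_inherited": access_check(dacl_inherited_tom, tom, FILE_WRITE_DATA),
        "ann_write": access_check(dacl, ann, FILE_WRITE_DATA),
        "ann_read": access_check(dacl, ann, FILE_READ_DATA | FILE_READ_ATTRIBUTES),
        "stranger_read": access_check(dacl, {"Guest"}, FILE_READ_DATA),
    }

if __name__ == "__main__":
    print(hex(MODIFY), special_permissions(MODIFY))
    print(tps_scenario())
```

The `tom_write_if_inherited` case is the practical point of the Caution: the same allow ACE that lets Tom write when it is explicit loses to the inherited deny when it is itself inherited, because both are then sorted behind the deny.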

Assigning DACLs at Creation


When a file or folder is created, it inherits from its parent object the permissions that are applicable to its type of object. This includes both permissions that the parent object itself inherited and permissions that were explicitly assigned to the parent object. Once the object exists, you can augment the inherited permissions by adding ACEs directly to it.

In Windows Server 2003, Windows 2000, and Windows XP, each file and folder has the Allow Inheritable Permissions From The Parent Object To Propagate To This Object property enabled by default. If you alter the permissions on the parent object, the change automatically flows to the child object. If you want to modify this behavior, you need to decide whether to remove the inherited permissions or to copy them to the object. If you remove the inherited permissions, the only permissions that remain are those explicitly granted to the object. If you copy the permissions, the object keeps the same effective permissions it had before, but the formerly inherited permissions become explicit permissions on the object.

Note  In the user interface of Windows Server 2003, Windows 2000, and Windows XP, explicit permissions are displayed with a check in a white check box and inherited permissions with a check in a gray check box. Gray check boxes cannot be modified directly; the permissions must first be made explicit, which changes the check boxes to white.

How DACLs Are Handled When Files and Folders Are Copied or Moved

The way DACLs are handled when files and folders are moved or copied to other locations can be confusing. If you are responsible for securing files and folders, you must understand several intricacies of copying and moving, or you might unwittingly create a security risk.

First, creating a copy of a file on the same partition actually creates a new file in the destination container, so all of the copy's permissions are inherited from the new parent object; explicit permissions on the original are not carried over. The original object's permissions are unchanged. This creates a potential security risk because two copies of the same file with different security settings can now exist.

Second, when a file is moved on the same partition, it is not physically relocated to a different address on the disk; instead, the reference to the object in the file system hierarchy is updated. Permission structures are rewritten when the ACL on a parent object or on the object itself is changed, but moving an object on the same partition does not by itself trigger a refresh of its ACL. Therefore, all previously inherited and explicit permissions on the moved object initially remain unchanged. The Security tab for the object will still show the old inherited permissions as inherited from its parent, although they actually came from the object's previous parent, along with any permissions assigned directly to the object. The next time the ACL of the object itself or of any parent in its new inheritance chain is changed, the object's inherited permissions are replaced by those from its new location in the file system hierarchy; the moved object retains any explicitly assigned permissions.

This behavior is a departure from the way that permissions on moved file system objects worked in Microsoft Windows NT, where objects moved within the same partition retained all of their permissions. If you want Windows NT-style retention of all permissions on an object you move within the same partition, before moving the object you must clear the inheritance attribute on the object and copy the existing inherited permissions so that they become explicit permissions (or remove the inherited permissions altogether and assign the explicit permissions you want). You can then move the object and re-enable permissions inheritance, which refreshes the ACL on the object: the moved object keeps its explicit permissions and receives new inherited permissions from its new parent.

Finally, when you move a file or folder to a different partition or computer, the operation is actually a copy-and-delete process. The file is copied to the new location, creating a new file system object, and upon successful creation of the new object the original is deleted. Creating a copy of a file system object, regardless of whether the copy is made on the same partition or on a different partition or computer, always creates a new instance of the object in the destination location, so all permissions on the new object are inherited from its new parent. The original object is either deleted (in a move across partitions or computers) or left unaffected (in a copy). Exercise caution when moving or copying files and folders to different partitions or computers, because the permissions on the newly created object might not be consistent with the permissions on the original; when the DACL must travel with the data, copy with Xcopy.exe /O or Robocopy.exe /SEC (see "Command-Line Tools" later in this chapter).

In Windows Server 2003, Windows 2000, and Windows XP, file and folder permissions are automatically inherited from parent objects. Therefore, understanding the default permissions on files and folders is important when planning directory structures, and you might need to change the defaults to meet your organization's security policy. Table 8-3 explains the inheritance abbreviations used in the default-permission white papers listed below and, with slightly different letters, in the output of Cacls.exe.
Table 8-3  Permissions Inheritance Legend

    Abbreviation              Description
    CI (Container Inherit)    The ACE applies to the current folder and is inherited by subfolders.
    OI (Object Inherit)       The ACE applies to files in the folder and is inherited by files in subfolders.
    IO (Inherit Only)         The ACE does not apply to the folder or file it is set on; it exists only to be inherited by child objects.
    NI (Not Inherited)        The ACE is not propagated to any child objects.
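The following Python, added here rather than taken from the book, implements the inheritance rules behind Table 8-3 (using the winnt.h flag names, where NO_PROPAGATE_INHERIT, NP, is the bit behind what the table calls NI) and replays the copy, same-volume move, refresh, and Windows NT-style move cases described in the preceding section. The folder DACLs, the group names standing in for SIDs, and the access masks are constructed assumptions.

```python
from dataclasses import dataclass, replace

# ACE_HEADER flag bits from winnt.h
CI, OI, NP, IO, INHERITED = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # principal name stands in for the SID
    mask: int
    flags: int = 0

def inherit_from(parent_dacl, child_is_folder):
    """Compute the inherited ACEs a new child receives from its parent's DACL."""
    out = []
    for ace in parent_dacl:
        f = ace.flags
        if child_is_folder:
            if f & CI:
                new = 0 if f & NP else f & ~IO   # effective here; keeps CI/OI unless NP stops propagation
            elif f & OI:
                if f & NP:
                    continue                     # files one level down only, so the subfolder gets nothing
                new = f | IO                     # carried inherit-only, for the files below
            else:
                continue
        else:
            if not f & OI:
                continue
            new = 0                              # files are leaves: inheritance flags are cleared
        out.append(replace(ace, flags=new | INHERITED))
    return out

def explicit(dacl):
    return [a for a in dacl if not a.flags & INHERITED]

def refresh(dacl, parent_dacl, is_folder):
    """What happens when the ACL is next rewritten: explicit ACEs stay, inherited ones are rederived."""
    return explicit(dacl) + inherit_from(parent_dacl, is_folder)

def copy_object(src_dacl, dest_parent_dacl, is_folder):
    """A copy is a new object: it gets only what the destination parent hands down."""
    return inherit_from(dest_parent_dacl, is_folder)

def move_same_volume(src_dacl):
    """A same-volume move relinks the directory entry; the DACL is untouched until refreshed."""
    return list(src_dacl)

def nt_style_move(src_dacl, dest_parent_dacl, is_folder):
    """Pin the inherited ACEs as explicit ones first, then move and re-enable inheritance."""
    pinned = [replace(a, flags=a.flags & ~INHERITED) for a in src_dacl]
    return refresh(pinned, dest_parent_dacl, is_folder)

def scenario():
    finance_audit = [Ace("allow", "Finance", 0x1301BF, CI | OI),          # Modify
                     Ace("deny", "Sales_Managers", 0x116, CI | OI),       # the Write special rights
                     Ace("allow", "Auditors", 0x120089, OI | IO),         # Read, files only
                     Ace("allow", "Backup Operators", 0x120089, CI | NP)] # Read, this folder and its direct subfolders
    public = [Ace("allow", "Everyone", 0x120089, CI | OI)]                # Read
    tps = inherit_from(finance_audit, child_is_folder=False)              # TPS.xls created in d:\finance_audit
    tps.append(Ace("allow", "Tom", 0x120116))                             # explicit Write for Tom
    return {
        "created": [(a.sid, a.flags) for a in tps],
        "copied_to_public": [a.sid for a in copy_object(tps, public, False)],
        "moved_stale": [a.sid for a in move_same_volume(tps)],
        "moved_refreshed": [a.sid for a in refresh(move_same_volume(tps), public, False)],
        "nt_style_move": [a.sid for a in nt_style_move(tps, public, False)],
        "subfolder_of_finance_audit": [(a.sid, a.flags) for a in inherit_from(finance_audit, True)],
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `moved_stale` versus `moved_refreshed` entries are the case the text warns about: immediately after the move the file still carries the Finance and Sales_Managers ACEs from its old parent, and only a later ACL rewrite replaces them with the Everyone ACE from the new parent, while Tom's explicit ACE survives both.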

More Info  The default file and registry permissions can be found in the following white papers:

    Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/secdef.mspx
    Windows XP: http://www.microsoft.com/downloads/details.aspx?FamilyID=60ce1ef5-8d6d-49a0-8eb5-4e362cde75e7&displaylang=en
    Windows 2000: http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp

Command-Line Tools

In Windows Server 2003, Windows 2000, and Windows XP, the Xcopy.exe utility can preserve the permissions and ownership of files and folders when they are copied: the /O switch copies the owner and DACL, and /X additionally copies the audit settings (the SACL). Robocopy.exe does the same with its /SEC switch (equivalent to /COPY:DATS). Additionally, you can use several command-line tools to control file and folder permissions directly:

    Cacls.exe
    Xcacls.exe
    Subinacl.exe
    Robocopy.exe

On the CD  Robocopy.exe, Xcacls.exe, and Subinacl.exe are located on the CD included with this book. Cacls.exe is included in the default installation of Windows Server 2003, Windows 2000, and Windows XP.

Cacls.exe

Cacls.exe is a command-line utility that enables basic management of file and folder permissions. The usage for Cacls.exe follows:

    CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

Table 8-4 shows the command-line options for Cacls.exe. You can also use wildcard characters to specify more than one file in a command. Note that without /E, Cacls.exe replaces the entire DACL with the ACEs you specify, which silently removes every other principal's access.

Table 8-4  Command-Line Options for Cacls.exe

    Option          Description
    filename        Placeholder for the name of the file or folder. Running Cacls.exe with just the file name displays its DACL.
    /T              Changes the DACLs of the specified files in the current directory and all subdirectories.
    /E              Edits the existing DACL instead of replacing it.
    /C              Continues processing even if an access denied error occurs.
    /G user:perm    Grants the specified user the specified access rights as explicit permissions.
    user            The domain and user name whose permissions you are modifying. You can specify more than one user in a command.
    perm            The permission: R for Read, W for Write, C for Change (Write), F for Full Control; N for None is valid only with /P.
    /R user         Revokes all of the specified user's access rights (valid only with /E).
    /P user:perm    Replaces the specified user's access rights.
    /D user         Denies the specified user access to the file or folder.

Tip  You can redirect console output from the command line by using a standard redirection character. For example, to redirect the output of Cacls.exe to a file, type cacls filename.ext > output.txt. The results of the command are written to Output.txt rather than to the console.

Xcacls.exe

Xcacls.exe is a more robust version of Cacls.exe. Not only does Xcacls.exe give you greater control over the special permissions, it is scriptable: unlike Cacls.exe, Xcacls.exe allows you to suppress confirmation prompts. The usage for Xcacls.exe follows:

    xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

Table 8-5 shows the command-line options for Xcacls.exe.

Table 8-5  Command-Line Options for Xcacls.exe

    Option             Description
    filename           Placeholder for the name of the file or folder. Running Xcacls.exe with just the file name displays its DACL.
    /T                 Recursively walks the current directory and all of its subdirectories, applying the chosen access rights to the matching files or directories.
    /E                 Edits the existing DACL instead of replacing it.
    /C                 Causes Xcacls.exe to continue if an access denied error occurs.
    /G user:perm;spec  Grants the user access to the matching file or directory. The perm letters set the access right applied to files; the optional spec letters use the same values and apply to the folder itself.
    perm               R for Read, C for Change (Write), F for Full Control, and the special-access letters P for Change Permissions, O for Take Ownership, X for Execute, E for Read, W for Write, D for Delete.
    /R user            Revokes all access rights for the specified user.
    /P user:perm;spec  Replaces the access rights for the user.
    /D user            Denies the user access to the file or directory.
    /Y                 Disables confirmation when replacing user access rights. By default, Xcacls.exe prompts for confirmation and, when used in a batch routine, stops the routine until the confirmation is entered. The /Y option avoids this prompt so that Xcacls.exe can be used in batch mode.

On the CD  Xcacls.exe is located on the CD that is included with this book.

Xcacls.vbs, a Microsoft Visual Basic script, is also included on the CD. You can use Xcacls.vbs to assign permissions in much the same way as with Xcacls.exe, but from a script. Xcacls.exe is designed to be used at the command line or in batch files; Xcacls.vbs is designed for a scripting environment, where better automation and error handling are required. In addition, you can edit Xcacls.vbs with any text editor to add custom functionality, such as logging permission changes to a file.

Subinacl.exe

Subinacl.exe is a low-level utility for managing DACLs on many types of objects, including files and folders. The syntax for using Subinacl.exe follows:

    subinacl [view_mode] [/test_mode] object_type object_name [action[=parameter]] [action[=parameter]] ... [/playfile file_name] [/help [/full] [keyword]]

The options you can use with Subinacl.exe are explained in Table 8-6.

Table 8-6  Command-Line Options for Subinacl.exe

    Option               Description
    view_mode            Defines the level of detail in the output of Subinacl.exe: /noverbose or /verbose.
    /test_mode           When this option is specified, changes are not actually made to the object's security descriptor. It lets you see what the command would do without making the changes; use it before any bulk /grant, /deny, or /replace run.
    object_type          Specifies the type of object whose permissions you are modifying. You can use these object types: /file, /subdirectories, /onlyfile, /share, /clustershare, /keyreg, /subkeyreg, /service, /printer, /kernelobject.
    object_name          Defines the name of the object whose permissions you are viewing or modifying.
    action               Sets the action to carry out on the object. The action switches include the following:
                             /display (default)
                             /setowner=owner
                             /replace=[DomainName\]OldAccount=[DomainName\]NewAccount
                             /changedomain=OldDomainName=NewDomainName
                             /migratetodomain=SourceDomain=DestDomain
                             /findsid=[DomainName\]Account[=stop]
                             /suppresssid=[DomainName\]Account
                             /confirm
                             /perm
                             /audit
                             /ifchangecontinue
                             /cleandeletedsidsfrom=DomainName
                             /accesscheck=[DomainName\]UserName
                             /setprimarygroup=[DomainName\]Group
                             /grant=[DomainName\]UserName[=Access]
                             /deny=[DomainName\]UserName[=Access]
                             /revoke=[DomainName\]UserName
    /playfile filename   Runs the Subinacl.exe commands listed in filename.

Robocopy.exe

Robocopy.exe is a 32-bit Windows command-line application that simplifies the task of maintaining an identical copy of a folder tree in multiple locations, either on the same computer or in separate network locations. Robocopy is robust: it retries operations after network errors and efficiently copies only changed files. Robocopy is flexible: you can copy a single folder or walk a directory tree, specifying multiple file names and wildcard characters for source files. Its /SEC switch copies the owner and DACL along with the data, which is what you need when the permissions of a mirrored tree must match the source.

On the CD  For detailed information on using Robocopy, see the Robocopy.doc file on the CD included with this book.

Securing File and Folder Access by Using Share Permissions

NTFS permissions always apply to files and folders, regardless of whether they are accessed locally or over the network through a file share. When you share a folder, the share and its contents are served by the Server service running on the computer on which the share is created. Share permissions differ from NTFS permissions in that they apply only when the share is accessed over the network, and they do not offer the granularity of NTFS permissions. Table 8-7 explains the permissions that you can assign to a share.

Table 8-7  Share Permissions

    Permission     Description
    Full Control   Full control over all folders and files in the share, including changing their permissions
    Change         Read and Write permissions on files and folders, including creating and deleting them
    Read           Read permission for files and folders

By default in Windows 2000 and Windows XP, when a share is created, the share permissions are set to Everyone Full Control. In Windows Server 2003, share permissions are set to Everyone Read. Like NTFS permissions, share permissions are cumulative, and deny permissions override allow permissions. When a user attempts to access a file or folder through a share, the cumulative share permissions and the cumulative NTFS permissions are calculated separately, and the user receives the more restrictive of the two. For example, if the share permissions are left at the default of Everyone Full Control and the user has only Read & Execute permissions on the files and folders in the share, the user has only Read & Execute access.

Although share permissions are not nearly as granular as NTFS permissions, they are still useful if implemented correctly. For example, you can achieve a higher degree of security on a share's contents by removing the default share permissions and granting members of the Everyone group Change permission. Because Change does not include the Change Permissions right, this prevents the permissions on the files and folders in the share from being changed remotely through the network redirector. Once the Everyone Full Control share permission is removed, the owner of a file can modify its permissions only through an interactive logon session, either at the server console or through Terminal Services.

Using the Encrypting File System

Although properly configured DACLs will protect data, sometimes you need a greater degree of protection. Your organization might have some data that must be kept confidential from administrators, even those who have Full Control permissions on the files. Also, your organization might have data that is stored temporarily on laptops issued to employees and that must remain confidential even if the physical security of the laptop is compromised. The Encrypting File System (EFS) enables users and administrators to encrypt files and folders to extend file and folder security beyond NTFS permissions. Keep in mind that confidentiality from administrators depends on the recovery agent policy: on Windows 2000 stand-alone computers the local Administrator account is the default data recovery agent, and in a Windows 2000 domain the domain Administrator account is, so whoever holds that agent's private key can read every encrypted file. See "Introduction to Designing a Data Recovery Agent Policy" later in this chapter.

EFS combines symmetric and asymmetric encryption: a symmetric cipher encrypts the file data, and asymmetric (public key) encryption protects the symmetric key. Windows 2000 and the original release of Windows XP encrypt file data with DES-X; Windows XP Service Pack 1 and later and Windows Server 2003 use 256-bit AES by default, and Windows XP and Windows Server 2003 can be configured to use 3DES instead by enabling the System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing security option. The default configuration of EFS allows users to encrypt files without any configuration by an administrator. When a user first encrypts a file, EFS generates a public key pair for the user and either obtains a certificate from a Certification Authority (CA) that issues EFS certificates or, if no such CA is available, creates a self-signed certificate.

File encryption can be applied per file or per directory. Directory encryption is transparently enforced: all files (and subdirectories) created in a directory marked for encryption are automatically encrypted. If you move a file from an encrypted directory to an unencrypted directory on the same volume, the file remains encrypted, and it also stays encrypted when moved or copied to another NTFS volume. Moving or copying the file to a volume that does not support EFS, such as a FAT or FAT32 volume or a floppy disk, decrypts it transparently as long as you are a user who can decrypt the file; Windows XP and Windows Server 2003 warn before the encryption is lost. Encryption and decryption can be set using the properties of the file or folder in Windows Explorer.

Additionally, command-line tools and administrative interfaces are provided for advanced users and recovery agents to ease management of encrypted files. A file need not be decrypted before use; encryption and decryption happen transparently as bytes travel to and from the disk. EFS automatically detects an encrypted file and locates the user's certificate and associated private key to decrypt it.

Chapter 8: Controlling Access to Data


How EFS Works


EFS works differently depending on whether a computer is a member of a domain or it is a stand-alone computer. The following description explains how EFS works in a domain environment. When a user chooses to encrypt a file, the file is loaded into protected memory and the user's computer generates a random encryption key known as a file encryption key (FEK). The computer uses a symmetric encryption algorithm (either DES-X or, if configured, 3DES in Windows Server 2003 and Windows XP) to encrypt the file using the FEK as the key, as Figure 8-2 shows.
Figure 8-2

Encrypting the contents of a file using EFS (the figure shows the file data and the FEK passing through DES-X, or 3DES in Windows XP, to produce the encrypted file)

Next, the computer retrieves the user's EFS certificate from the user's profile and extracts the user's public key. If the user does not have an EFS certificate, the computer generates an EFS certificate based on the user's account information, including the user's password. The FEK is encrypted using the RSA algorithm with the public key from the user's EFS certificate and is added to the header of the file in the data decryption field (DDF). This process is shown in Figure 8-3.
Figure 8-3

Encrypting the FEK of a file using the EFS public key of the user account (the figure shows the FEK encrypted with RSA under the user's EFS public key and stored in the DDF of the encrypted file's header, next to the DRF)

The final step in encrypting the file is accomplished by the computer retrieving the certificate for each EFS recovery agent. For each EFS recovery agent certificate, the computer extracts the public key, encrypts the FEK by using the RSA encryption algorithm, and stores the encrypted FEK in the data recovery field (DRF) located in the file's header. This process is shown in Figure 8-4.


Part III: Securing the Core Operating System

Figure 8-4

Encrypting the FEK of a file using the EFS recovery agent's public key

The only users who can view the information in the file are those who encrypted the file and anyone who possesses a recovery agent's private key, unless additional users are added after the file is encrypted. Even another user with Full Control permissions on the file will not be able to read it. When a user attempts to open the file, the user's private key is retrieved and used to decrypt the FEK. The decrypted FEK is then used to decrypt the file. Files secured with EFS are not paged out of volatile memory when decrypted, preventing data from the file from being stored in the page file. When the user saves the file, a new FEK is generated and the process of creating the EFS header is repeated. If the user opens the file and moves it to a non-NTFS partition or to a remote server, the file will be transparently decrypted. Users with the Back Up Files And Folders user right on a computer containing encrypted files will be able to back up the files. However, if the backup is restored to a non-NTFS partition, the contents of the files will be unintelligible.

EFS Command-Line Tools


In addition to configuring EFS in Windows Explorer, you can use two command-line tools to get information about EFS encrypted files or manipulate EFS encryption: Efsinfo.exe and Cipher.exe.


On the CD: Efsinfo.exe is located on the CD included with this book. Cipher.exe is available in Windows Server 2003, Windows XP Professional, and Windows 2000 Service Pack 3 or later.

Efsinfo.exe
Efsinfo.exe is a command-line tool that enables you to retrieve information from the EFS header of a file encrypted with EFS. You must have the permission to read the attributes of the file to retrieve the information from the file you specify. The syntax for using Efsinfo.exe follows:
EFSINFO [/U] [/R] [/C] [/I] [/Y] [/S:dir] [pathname [...]]

The options for using Efsinfo.exe are described in Table 8-8.


Table 8-8 Efsinfo.exe Options

Option   Description
/U       Displays user information from the DDF.
/R       Displays recovery agent information from the DRF.
/C       Displays certificate thumbprint information for the user account that encrypted the file. You access the properties of a certificate by double-clicking an issued certificate in the Certificates Microsoft Management Console (MMC) snap-in.
/I       Forces the utility to continue the specified operation even after errors have occurred. By default, Efsinfo.exe stops when an error is encountered.
/Y       Displays your current EFS certificate thumbprint on the local PC.
/S:dir   Performs the specified operation on directories in the given directory and all subdirectories.

Cipher.exe
Cipher.exe enables you to manipulate EFS-encrypted files from the command prompt. The version of Cipher.exe in Windows 2000 is different from that in Windows Server 2003 and Windows XP and the two cannot be interchanged. In Windows 2000, the syntax of the Cipher.exe command is this:
CIPHER [/E | /D] [/S:dir] [/P:keyfile] [/K:keyfile] [/L:keyfile] [/I] [/F] [/Q] [filename [...]]

Table 8-9 describes the options available when using Cipher.exe in Windows 2000.


Table 8-9 Cipher.exe Options in Windows 2000

Option   Description
/E       Encrypts the specified files. Directories are marked so that files added afterward will be encrypted.
/D       Decrypts the specified files. Directories are marked so that files added afterward will no longer be encrypted.
/S       Performs the specified operation on files in the given directory and all subdirectories.
/A       Encrypts files and the folders in which they are stored.
/I       Forces the computer to continue performing the specified operation even after errors have occurred. By default, Cipher.exe stops when an error is encountered.
/F       Forces the encryption operation on all specified files, even those already encrypted. For files that have already been encrypted, a new FEK is generated and the EFS header re-created. Without /F, files that are already encrypted are skipped.
/K       Forces the computer to generate and use a new FEK for all files. When this option is specified, the computer attempts to update the user's EFS certificate. This option is useful after deploying EFS certificates from your Public Key Infrastructure (PKI).
/Q       Reports only the most essential information.

Used without parameters, Cipher.exe displays the encryption state of the current directory and any files it contains. You can use multiple file names and wildcards. You must put spaces between multiple parameters.

Important: The Cipher.exe tool was replaced in Windows 2000 Service Pack 3 with a version that adds the /W option. The /W option permanently deletes, or wipes, all deleted data from a directory. This removes all artifacts of files that have been deleted but not necessarily removed from the hard disk. If the directory specified is a mount point to another volume, the data on that volume will be removed.

The Windows Server 2003 and Windows XP version of Cipher.exe includes all the options that the Windows 2000 version does as well as the options described in Table 8-10.


Table 8-10 Additional Cipher.exe Options in Windows Server 2003 and Windows XP

Option   Description
/R       Generates a .pfx file and a .cer file. You can use the certificate in the .cer file as the recovery agent and export the .pfx file (which contains the private key and the certificate) for archival. You can store these files in a secure offline location until they are needed to recover encrypted files. By removing the EFS recovery agent (RA) from the local computer, you prevent an attacker from using the RA account to gain access to encrypted files and folders.
/U       Updates the FEK and recovery agent on all encrypted files. The only other option that works with /U is /N.
/N       Works only in combination with /U. When used with /U, /N suppresses the updating of the FEK and recovery agent. This option is used to locate encrypted files on a hard disk.

Differences in Using EFS with Local Accounts


When EFS is used with local accounts, the EFS certificate used by default is self-generated based on the user's logon credentials on the local computer. In Windows 2000, if the physical security of the computer is compromised, encrypted files are left vulnerable because a number of tools enable an attacker to reset the password on local accounts. After the password is reset, the attacker can log on to the computer as the user and decrypt the files because the attacker has access to the EFS private key stored in the user profile. If you are using Windows 2000 and EFS with local accounts, you can increase the protection of the local account database by enabling the System Key (Syskey.exe) in either mode 2 or mode 3. By default, if the Administrator account is used to encrypt files and folders, the encryption FEK and RA FEK are the same.

In Windows Server 2003 and Windows XP, the EFS private key is stored by using the Data Protection API (DPAPI), which encrypts secrets by using an encryption key based on the user's password. If the password is reset administratively, the DPAPI encryption key is no longer valid, so resetting the password makes the derived EFS private key inaccessible and the encrypted files remain confidential. Windows Server 2003 and Windows XP issue a warning when an administrator attempts to reset the password of a local user. To prevent losing data in encrypted files, always ensure that you have an exported data recovery agent stored in a secure location.


Additional EFS Features in Windows Server 2003 and Windows XP


Several enhancements to EFS were made in Windows Server 2003 and Windows XP. These features are built on the features of EFS in Windows 2000 but add support for additional functionality and security. The main improvements include these:

- Encryption of offline files
- Remote encryption of files using WebDAV
- Sharing of encrypted files

Encryption of Offline Files


Windows Server 2003 and Windows XP enable offline files and folders to be encrypted using EFS. Offline folders use a common database on the local computer to store all offline files, and they limit access to those files through explicit DACLs. The database displays the files to the user in a manner that hides the database structure and format so that it appears to the user as a normal folder. Other users' files and folders are not displayed and are not available. Because the offline folders directory is stored in a folder common to all users of a system (%systemroot%\CSC), no individual user can encrypt its contents. Thus, the entire database is encrypted by the System account. One limitation of encrypting the offline files database is that files and folders are not displayed in an alternate color when the user is working offline. The remote server can contain copies of the files that have been individually encrypted on the server, and when the user is online and working with server-based copies of those files, the files can be displayed in an alternate color. Although the files are encrypted, this might seem to be an inconsistency to the user.

Important: The offline folders feature, also known as the client-side caching (CSC) feature, runs as a System process and therefore can be accessed by any user or process that can run as System, including administrators on the local machine. Therefore, when sensitive data is stored in offline folders, administrative access should be restricted to users and the System Key should be used in mode 2 or mode 3.

Remote Encryption of Files Using WebDAV


Windows Server 2003 and Windows XP support a new method for encrypting files on remote servers using a protocol known as Web-Based Distributed Authoring and Versioning (WebDAV). When the client running Windows Server 2003 or Windows XP maps a drive to a WebDAV access point on a remote server, files can be encrypted locally on the client and then transmitted as raw encrypted files to the WebDAV server by using an HTTP PUT command. Similarly, encrypted files downloaded to a client running Windows Server 2003 or Windows XP by using an HTTP GET command are transmitted as raw encrypted files and are decrypted locally on the client. The Temporary Internet Files directory is used for the intermediate transfer of the files over HTTP, where the WebDAV redirector detects and sets the encrypted file attribute for Windows Server 2003 and Windows XP. Therefore, only the public-key and private-key pairs on the client are used to encrypt files, even though the files are stored on a remote server.

The WebDAV redirector is a new mini-redirector that supports the WebDAV protocol for remote document sharing by using HTTP. The WebDAV redirector supports the use of existing applications, and it allows file sharing across the Internet (through firewalls, routers, and so on) to HTTP servers. Microsoft Internet Information Services 6.0 (Windows Server 2003), 5.0 (Windows 2000), and 5.1 (Windows XP) support WebDAV folders, known as Web folders.

The WebDAV redirector does have some limitations on the files that can be transmitted using the WebDAV protocol. The actual limitation varies depending on the amount of virtual memory available, but in general, only files of less than 400 megabytes can be transferred in Windows Server 2003 and Windows XP with EFS over WebDAV. Files and folders, when encrypted using a WebDAV share, appear as unencrypted if a user or administrator logs on to the server locally. Once a file has been encrypted using WebDAV, that file should be accessed and decrypted only by using WebDAV. This unique behavior does not affect the ability to back up and restore the server by using Ntbackup.exe or the Windows NT backup API set. Administrators and users should not encrypt files locally on a volume that hosts a WebDAV share. All administration should be done through the WebDAV share only. You can create a WebDAV folder in Windows Server 2003, Windows 2000, and Windows XP by enabling Web Sharing on the properties of any folder.
Note that if a user does not have a key to decrypt the file on a WebDAV share, she will receive an access denied error if she attempts to modify the advanced EFS attributes of the file.

Sharing of Encrypted Files


In Windows Server 2003 and Windows XP, EFS supports the sharing of files between multiple users on a per-file basis. However, users must be specified individually instead of by security group, and multiple encryption accounts are not supported on folders. Once a file has been encrypted, you can add users to the list of those who can decrypt the encrypted file by selecting the Advanced Properties dialog box of an encrypted file and clicking the Details button. Individual users can add other users (but not groups) from the local machine or from the Active Directory directory service, provided the user has a valid EFS certificate and keys. Figure 8-5 shows this process.
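The header structure described in How EFS Works (one FEK per file, wrapped into a DDF entry per user and a DRF entry per recovery agent) and the per-user sharing described just above are modelled together in the following Python example. It is an added illustration, not Windows code and not from this book. Two stand-ins are assumed so that it runs offline: textbook RSA on fixed Mersenne primes replaces the certificate-backed keys, and a SHA-256 keystream replaces DES-X; the principal names and sample text are constructed. What the model shows is the access rule the text states: a principal can decrypt only if the header carries an entry for it, whatever the NTFS permissions say, and a recovery agent or existing key holder can add another user by re-wrapping the FEK.

```python
"""Model of the EFS file header: a random FEK encrypts the data, and the FEK
is wrapped once per authorized user (DDF) and once per recovery agent (DRF).
Added example, not Windows code.  Stand-ins (assumptions): textbook RSA on
fixed Mersenne primes instead of certificate keys, SHA-256 keystream instead
of DES-X."""
import hashlib
import secrets
from dataclasses import dataclass, field

FEK_LEN = 16  # bytes of random file encryption key (constructed size)


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes; returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_wrap(fek, pub):
    """Encrypt the FEK under a public key (the DDF/DRF entry contents)."""
    n, e = pub
    m = int.from_bytes(fek, "big")
    if m >= n:
        raise ValueError("FEK does not fit under the modulus")
    return pow(m, e, n)


def rsa_unwrap(wrapped, priv):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(FEK_LEN, "big")


def keystream_xor(fek, data):
    """Stand-in for DES-X: XOR data with SHA-256(FEK || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class EfsHeader:
    ddf: dict = field(default_factory=dict)  # user name -> wrapped FEK
    drf: dict = field(default_factory=dict)  # recovery agent -> wrapped FEK


def encrypt_file(plaintext, user, user_pub, agents):
    """Figures 8-2 to 8-4: fresh FEK, data encrypted with it, FEK wrapped
    for the encrypting user (DDF) and for every recovery agent (DRF)."""
    fek = secrets.token_bytes(FEK_LEN)
    header = EfsHeader()
    header.ddf[user] = rsa_wrap(fek, user_pub)
    for agent, pub in agents.items():
        header.drf[agent] = rsa_wrap(fek, pub)
    return header, keystream_xor(fek, plaintext)


def recover_fek(header, name, priv):
    """Only a principal with a DDF or DRF entry can recover the FEK,
    regardless of NTFS permissions on the file."""
    entries = header.ddf if name in header.ddf else header.drf
    if name not in entries:
        raise PermissionError(f"{name} has no DDF or DRF entry")
    return rsa_unwrap(entries[name], priv)


def decrypt_file(header, ciphertext, name, priv):
    return keystream_xor(recover_fek(header, name, priv), ciphertext)


def add_user(header, holder, holder_priv, new_user, new_pub):
    """Sharing (Figure 8-5): an existing key holder re-wraps the FEK for one
    more user, adding a DDF entry.  Individual users only, never groups."""
    fek = recover_fek(header, holder, holder_priv)
    header.ddf[new_user] = rsa_wrap(fek, new_pub)


# Constructed demo keys; Mersenne primes keep the toy deterministic.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**31 - 1, 2**127 - 1)
DRA_PUB, DRA_PRIV = make_keypair(2**107 - 1, 2**521 - 1)


def demo():
    """Walk through owner, recovery agent, and shared-user access."""
    data = b"quarterly numbers: constructed sample text"
    hdr, ct = encrypt_file(data, "alice", ALICE_PUB, {"dra": DRA_PUB})
    results = {
        "alice": decrypt_file(hdr, ct, "alice", ALICE_PRIV) == data,
        "dra": decrypt_file(hdr, ct, "dra", DRA_PRIV) == data,
    }
    try:
        decrypt_file(hdr, ct, "bob", BOB_PRIV)
        results["bob_before"] = True
    except PermissionError:
        results["bob_before"] = False
    add_user(hdr, "alice", ALICE_PRIV, "bob", BOB_PUB)
    results["bob_after"] = decrypt_file(hdr, ct, "bob", BOB_PRIV) == data
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the recovery agent never needs the user's private key: the DRF entry gives it an independent path to the same FEK, which is why archiving the DRA key offline (Cipher.exe /R, Table 8-10) matters more than any single user's certificate.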


Figure 8-5

Sharing files encrypted with EFS in Windows Server 2003 and Windows XP

Introduction to Designing a Data Recovery Agent Policy


When utilizing EFS, you must ensure that files can be recovered if a user's EFS private key is lost or the files need to be retrieved for legal reasons. The data recovery agent (DRA) private key can decrypt files and remove the encryption attribute on them.

More Info: Establishing a data recovery policy requires in-depth knowledge of PKI and thus is outside the scope of this book. For more information on designing a data recovery policy, see the Data Protection and Recovery in Windows XP white paper at http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.asp.

EFS automatically enforces a recovery policy that requires a recovery agent to be available for files to be encrypted. The recovery policy is a type of public-key policy that allows user accounts to be designated as DRAs. A default recovery policy is automatically established when the Administrator account logs on to the system for the first time, making the administrator the recovery agent. The default recovery policy is configured locally for workgroup computers. For computers that are part of an Active Directory-based domain, the recovery policy is configured in a domain OU Group Policy object (GPO). If no recovery agent policy is created, the computer's local recovery agent policy is used. Recovery certificates are issued by a CA and are managed by using the Certificates MMC snap-in or by using the Cipher.exe /r command in Windows Server 2003 and Windows XP.


In a network environment, the domain administrator controls how EFS is implemented in the recovery policy for all users and computers in the scope of influence. In a default Windows Server 2003, Windows 2000, or Windows XP installation, when the first domain controller is set up, the domain administrator is the specified recovery agent for the domain. The way the domain administrator configures the recovery policy determines how EFS is implemented for users on their local machines. You can choose to have recovery agents configured or an empty recovery policy:

Recovery agent scenario: When an administrator adds one or more recovery agents, a recovery agent policy is in effect. These agents are responsible for recovering any encrypted data within their scope of administration. This is the most common type of recovery policy. You can ensure all recovery agents are available to all computers running Windows Server 2003, Windows 2000, or Windows XP by using Group Policy.

Empty recovery scenario: When an administrator deletes all recovery agents and their public-key certificates, an empty recovery policy is in effect. An empty recovery policy means that no recovery agent exists, and if the client operating system is Windows 2000, EFS is disabled altogether. Windows Server 2003 and Windows XP support EFS with an empty DRA policy.

In a Windows 2000 environment, if an administrator attempts to configure an EFS recovery policy with no recovery agent certificates, EFS is automatically disabled. In a Windows Server 2003 or Windows XP Professional environment, the same action enables users to encrypt files without a DRA. Windows Server 2003 enables you to disable EFS for computers in the domain by completing the following steps:

1. Open Active Directory Users and Computers, right-click the domain that has the recovery policy you want to change, and then click Properties.
2. Click the Group Policy tab, right-click the recovery policy you want to change, and then click Edit. The path is Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System.
3. Clear the Allow Users To Encrypt Files Using Encrypting File System (EFS) check box.

You can also disable EFS on individual computers running Windows Server 2003 or Windows XP by adding the EfsConfiguration (DWORD) registry value to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS. When this value is set to 1, it disables EFS; when it is set to 0, it enables EFS.

When a domain user logs on at a domain computer that is within the scope of the EFS recovery policy, all DRA certificates are cached in the computer's certificate store. This means that EFS on every domain computer can easily access and use the DRA's public key (or multiple public keys, if multiple DRAs are designated). On computers where an EFS recovery policy is in effect, every encrypted file contains at least one data recovery field in which the file's FEK is encrypted by using the DRA's public key and stored. By using the associated private key, any designated DRA can decrypt any encrypted file within the scope of the EFS recovery policy.

Securing Registry Permissions


The registry is a dynamic, hierarchical database that contains values of variables for the operating system and applications. The operating system and other programs also store data about users and the current configuration of the system and its components in the registry. Because the registry is available whenever the system is running, programs that start and stop can keep persistent data in the registry and the settings are saved when the system shuts down. The registry is constructed of six hives that are used for different purposes, as described in Table 8-11.
Table 8-11 Default Registry Hives

Hive                    Abbreviation   Description
HKEY_CURRENT_USER       HKCU           Stores information about the profile of the currently logged-on user that is persistently stored in HKU
HKEY_USERS              HKU            Contains subkeys for all local user profiles
HKEY_CLASSES_ROOT       HKCR           Contains file association and COM registration information
HKEY_LOCAL_MACHINE      HKLM           Contains entries for the configuration of the operating system and applications
HKEY_CURRENT_CONFIG     HKCC           Contains the current hardware profile that is persistently stored in HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
HKEY_PERFORMANCE_DATA   HKPD           Contains information about performance counters

When the computer is running, the registry is loaded in memory and active. When the computer is powered down, the persistent information stored in the registry is written to the hard disk. Table 8-12 lists the storage location for some common registry hives.


Table 8-12 Default Storage Locations of Common Hives

Hive                          Storage Location
HKEY_LOCAL_MACHINE\SYSTEM     %systemroot%\system32\Config\System
HKEY_LOCAL_MACHINE\SAM        %systemroot%\system32\Config\Sam
HKEY_LOCAL_MACHINE\SECURITY   %systemroot%\system32\Config\Security
HKEY_LOCAL_MACHINE\SOFTWARE   %systemroot%\system32\Config\Software
HKEY_CURRENT_USER             %systemdrive%\Documents and Settings\<username>\Ntuser.dat
HKEY_USERS                    %systemdrive%\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat
HKEY_USERS\DEFAULT            %systemroot%\system32\Config\Default

When you use an administrative tool to change the configuration of a system feature or service, the change usually takes effect immediately or soon thereafter. However, if you make the same change by editing the registry, you might need to log off and log on again, restart the service, or restart. In general, if you change the value of any entry in HKLM\Services\System\CurrentControlSet001, you must restart the computer for the changes to take effect. Also, if you use a registry editor to change values for most entries in HKEY_CURRENT_USER, you must log off and log on again for the changes to take effect.

More Info: For detailed information on the structure of the registry and the specifics of the data stored in the registry, see the Technical Reference to the Registry eBook (Regentry.chm) in the Microsoft Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, 2000).

Configuring Registry Permissions


As with files and folders stored on NTFS partitions, the registry is secured by using DACLs. Unlike NTFS permissions, registry permissions are assigned to container objects only. An individual registry value inherits its security from its parent object. A registry key has two basic permissions: Full Control and Read. The Full Control permission includes all of the special permissions in Table 8-13. The Read permission is composed of the following special permissions: Read Control, Query Value, Notify, and Enumerate Subkeys. Table 8-13 lists the special permissions on registry keys.


Table 8-13 Special Registry Permissions

Permission          Description
Query Value         Allows the value of the registry key to be read
Set Value           Allows the value of an existing key to be written
Create Subkey       Allows the creation of subkeys
Enumerate Subkeys   Allows the enumeration of subkeys
Notify              Required to request change notifications for a registry key or for subkeys of a registry key
Create Link         Reserved for use by the operating system
Delete              Allows the key to be deleted
Write DACL          Allows the modification of the DACL
Write Owner         Allows the modification of the owner
Read Control        Allows the SACL to be read

In Windows Server 2003, Windows 2000, and Windows XP, you can use Regedt32.exe to alter registry permissions from the user interface or you can use the Subinacl.exe command-line tool. Changing permissions on registry values requires the same techniques as modifying NTFS permissions does.
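As an added example (Python, not code from this book or from Windows), the following shows how the special permissions of Table 8-13 correspond to bits in a registry access mask, how the basic Read and Full Control permissions are composed from them, and a small least-privilege check that reports which entries in a key's DACL grant more than Read. The bit values are the Win32 KEY_* and standard-rights constants from winnt.h, which are not on this page; the registry's generic-rights mapping is applied so that an ACE written with GENERIC_READ is judged the same as one written with KEY_READ. The trustees and ACEs are constructed sample data, and the audit logic is this example's own, not a Windows API.

```python
"""Decode a registry access mask into the special permissions of Table 8-13
and flag Allow ACEs that grant more than Read.  Added example, not from the
book; bit values are the Win32 KEY_* / standard-rights constants (winnt.h).
The DACL below is constructed sample data."""

# Special permission name (Table 8-13) -> access-mask bit
SPECIAL_RIGHTS = {
    "Query Value": 0x00000001,
    "Set Value": 0x00000002,
    "Create Subkey": 0x00000004,
    "Enumerate Subkeys": 0x00000008,
    "Notify": 0x00000010,
    "Create Link": 0x00000020,
    "Delete": 0x00010000,
    "Read Control": 0x00020000,
    "Write DACL": 0x00040000,
    "Write Owner": 0x00080000,
}

KEY_READ = 0x00020019        # Read Control, Query Value, Enumerate Subkeys, Notify
KEY_WRITE = 0x00020006       # Read Control, Set Value, Create Subkey
KEY_ALL_ACCESS = 0x000F003F  # every special right above: the basic Full Control

# Generic bits in an ACE are translated by the kernel using the registry's
# generic mapping; the same table lets the audit treat both spellings alike.
GENERIC_MAPPING = {
    0x80000000: KEY_READ,        # GENERIC_READ
    0x40000000: KEY_WRITE,       # GENERIC_WRITE
    0x20000000: KEY_READ,        # GENERIC_EXECUTE (KEY_EXECUTE == KEY_READ)
    0x10000000: KEY_ALL_ACCESS,  # GENERIC_ALL
}


def map_generic(mask):
    """Replace any generic bits with the registry-specific rights."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def decode(mask):
    """Names (Table 8-13 order) of the special permissions in a mask."""
    mask = map_generic(mask)
    return [name for name, bit in SPECIAL_RIGHTS.items() if mask & bit]


def is_read_only(mask):
    """True when the mask grants nothing beyond the basic Read permission."""
    return map_generic(mask) & ~KEY_READ == 0


def beyond_read(mask):
    """Special permissions in the mask that Read does not include."""
    return [n for n in decode(mask) if not (SPECIAL_RIGHTS[n] & KEY_READ)]


def audit(aces):
    """For (trustee, type, mask) ACEs, list Allow entries that grant more
    than Read, the way a least-privilege review of a key would."""
    findings = []
    for trustee, ace_type, mask in aces:
        if ace_type != "Allow":
            continue  # Deny ACEs only remove access
        extra = beyond_read(mask)
        if extra:
            findings.append((trustee, extra))
    return findings


# Constructed DACL for a hypothetical application key (sample data only).
SAMPLE_DACL = [
    ("BUILTIN\\Administrators", "Allow", KEY_ALL_ACCESS),
    ("NT AUTHORITY\\SYSTEM", "Allow", 0x10000000),        # GENERIC_ALL
    ("BUILTIN\\Users", "Allow", KEY_READ),
    ("Everyone", "Allow", 0x80000000),                    # GENERIC_READ
    ("CONTOSO\\appsvc", "Allow", KEY_READ | 0x00000002),  # Read + Set Value
    ("CONTOSO\\contractors", "Deny", KEY_ALL_ACCESS),
]

if __name__ == "__main__":
    for trustee, extra in audit(SAMPLE_DACL):
        print(f"{trustee}: {', '.join(extra)}")
```

In the sample, Administrators and SYSTEM are expected to hold Full Control; the entry worth a second look is the service account that holds Read plus Set Value, since a principal that can write values under a key other applications trust can change their behaviour.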

Best Practices

Use least privilege. Whenever assigning permissions, assign the least privilege the user needs to complete her job function.

Assign permissions at the highest possible point in a hierarchy. Always assign permissions at the highest point in the container hierarchy and allow them to be inherited by child objects to simplify their application.

Assign permissions to security groups, not users. Assigning permission to security groups by using a structured model makes assigning permissions scalable and flexible. This is helpful when users and files change.

Use caution when encrypting files. Always archive the DRA when encrypting files with EFS to prevent files from being irreversibly encrypted.


Additional Information

- Data Protection and Recovery in Windows XP (http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx)
- New Security Tool for Encrypting File System (http://www.microsoft.com/technet/security/tools/cipher.mspx)
- Access Control Lists (http://msdn.microsoft.com/library/en-us/secauthz/security/access_control_lists.asp)
- The following Knowledge Base articles:
  - 243756: How to Use Encrypting File System (EFS) with Internet Information Services (http://support.microsoft.com/kb/243756)
  - 223338: Using a Certificate Authority for the Encrypting File Service (http://support.microsoft.com/kb/223338)
  - 241201: How to Back Up Your Encrypting File System Private Key (http://support.microsoft.com/kb/241201)
  - 242296: How to Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000 (http://support.microsoft.com/kb/242296)
  - 243026: Using Efsinfo.exe to Determine Information About Encrypted Files (http://support.microsoft.com/kb/243026)
  - 255742: Methods for Recovering Encrypted Data Files (http://support.microsoft.com/kb/255742)
  - 273856: Third-Party Certificate Authority Support for Encrypting File System (http://support.microsoft.com/kb/273856)
  - 230520: How to Encrypt Data Using EFS in Windows 2000 (http://support.microsoft.com/kb/230520)
  - 329741: EFS Files Appear Corrupted When You Open Them (http://support.microsoft.com/kb/329741)
  - 221997: Cannot Gain Access to Previously Encrypted Files on Windows 2000 (http://support.microsoft.com/kb/221997)
  - 227825: Backup Tool Backs Up Files to Which You Do Not Have Read Access (http://support.microsoft.com/kb/227825)
  - 230490: The Encrypted Data Recovery Policy for Encrypting File System (http://support.microsoft.com/kb/230490)
  - 223178: Transferring Encrypted Files That Need to Be Recovered (http://support.microsoft.com/kb/223178)
  - 223316: Best Practices for Encrypting File System (http://support.microsoft.com/kb/223316)
  - 223448: Cannot Use Shared Encrypted Files in Windows 2000 (http://support.microsoft.com/kb/223448)
  - 254156: Encrypted Files Made Available Offline Not Encrypted on the Client (http://support.microsoft.com/kb/254156)
  - 272279: How to Troubleshoot the File Replication Service and the Distributed File System (http://support.microsoft.com/kb/272279)
  - 283223: Recovery of Encrypted Files on a Server (http://support.microsoft.com/kb/283223)
  - 290260: EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset (http://support.microsoft.com/kb/290260)
  - 248723: Info: Understanding Encrypted Directories (http://support.microsoft.com/kb/248723)

Chapter 9

Managing Security for System Services


In this chapter:
Managing Service Permissions 167
Default Services in Windows Server 2003, Windows 2000, and Windows XP 175
Best Practices 194
Additional Information 195

In Microsoft Windows Server 2003, Windows 2000, and Windows XP, many applications run independent of any user account and regardless of whether a user is logged on to the computer. These applications are registered as services, or more specifically, Service Control Programs (SCPs). Services are controlled by the Service Control Manager (SCM), which runs as Services.exe. The configuration of services is stored in the registry, under the key HKLM\SYSTEM\CurrentControlSet\Services. You can use the Srvany.exe utility to cause an executable to run as a service.

On the CD: Srvany.exe is located on the CD included with this book.

Managing Service Permissions


To view or manipulate services, you must have appropriate access to the SCM. Permissions to the SCM cannot be altered, although permissions over specific services can be modified. Tables 9-1 and 9-2 list the default permissions for the SCM in Windows 2000, Windows Server 2003, and Windows XP, respectively. These services are not exposed in a human-readable format in the registry.


Table 9-1 SCM Permissions in Windows 2000

Group                          Permissions Granted
Everyone                       Connect to the SCM; Enumerate services; Query the status of services; Read the permissions on services
Administrators, Local System   Full Control

Table 9-2 SCM Permissions in Windows Server 2003 and Windows XP

Group                                                                                Permissions Granted
Authenticated Users remotely logged on to the computer                               Connect to the SCM; Enumerate services; Query the status of services; Read the permissions on services
Authenticated Users locally logged on, including Local Service and Network Service   Connect to the SCM; Enumerate services; Query the status of services; Read the permissions on services
Administrators and LocalSystem                                                       Full Control

To view or manage the permissions on services, you must use either the Subinacl.exe tool or the Security Templates Microsoft Management Console (MMC) snap-in. You can control services by using the Services MMC snap-in under Administrative Tools, by typing services.msc at the command prompt or Run command, or by editing the registry directly. Security configuration of services includes the ability to do the following:

- Configure the startup value for each service
- Stop, start, pause, and resume services
- Configure the security context under which the service runs
- Configure the discretionary access control list (DACL) for the service


Configuring the Startup Value for a Service


When the computer starts, the SCM retrieves service startup and dependency information from the registry and starts SCPs accordingly. Table 9-3 lists the startup values that can be assigned to services.
Table 9-3 Startup Values for Services

Startup Value   Registry Value   Description
Boot Start      0x0              Ntldr or Osloader preloads the driver so that it is in memory during system boot. This value is used only for kernel-mode drivers, which are generally not manageable by administrators. This value can be set only in the registry.
System Start    0x1              The driver loads and initializes after Boot Start drivers have initialized. The Boot Start drivers are loaded before the Starting Windows screen appears. This value can be set only in the registry.
Automatic       0x2              The SCM starts services with an Automatic startup value during the boot process when the Starting Windows screen appears. The progress bar indicates the loading and starting of services. Some services are not loaded until after the network devices have been initialized.
Manual          0x3              The SCM starts the service when prompted by another application or a user with the necessary permissions. Often services will start dependent services only when they are needed.
Disabled        0x4              The SCM will not permit the service to be started.

When a service is started, it runs in the Services.exe process, the Lsass.exe process, its own instance, or an instance of Svchost.exe. To view the process in which a service is running, you can use the Tlist.exe command from Windows 2000 Support Tools. Type tlist-s at the command prompt. Figure 9-1 shows the output of running Tlist /s on Windows 2000. Both Windows Server 2003 and Windows XP include the Tasklist tool in the default installation. Type tasklist /svc at the command prompt. You should configure services to start up automatically or manually only if they are necessary for the operation of the computer or applications that run on the computer. By setting unused services to Disabled, you can decrease the potential attack surface of the computer. You can set a service startup value to Disabled in the Services MMC snap-in, through Security Templates, or by manually setting the registry startup value to 4.


Figure 9-1 Using the Tlist command to map services to processes

Stopping, Starting, Pausing, and Resuming Services


You can control the operating status of services by using the Services MMC snap-in. You can also do so from the command line by using the Net command, if you have permissions to do so. In Windows Server 2003, Windows 2000, and Windows XP, you generally must have local administrative privileges to stop or pause services, unless you have been granted the appropriate permissions on those services. You can use the following commands from the command line or in a batch file to control services:

Net start servicename starts a stopped service.
Net stop servicename stops a started service.
Net pause servicename pauses a started service.
Net continue servicename continues a paused service.

Note: You can use either a service's name or its display name with the Net command. If the display name of the service contains a space, enclose the display name in quotes. You can also suppress the confirmation prompt by appending /Y to the Net command, which is useful in batch files.

When a service is stopped, it no longer responds to or initiates requests. Each service responds differently to being paused; research how a service will behave when paused before pausing it. As mentioned, you must have the appropriate permissions to stop and start a service.


Obtaining Information on Services


Although you can use the Services MMC snap-in to retrieve information on services, such as startup mode, security context, and application path, you cannot view that information for many services quickly. In Windows Server 2003 and Windows XP, you can also use Windows Management Instrumentation (WMI) to obtain the critical security information for the services on a computer, either programmatically or from the command line. To view or configure services from the command line, launch the WMI command-line tool by typing wmic at the command prompt. The first time it is run, the computer takes a minute or two to install the WMI Command-line (WMIC) shell. At the wmic:root\cli> prompt, type service. WMI retrieves information from all services configured on the computer and displays it on the console. WMI displays the following security-related information for each service:

Start Mode: Whether the service is set to start automatically or manually or is disabled
Desktop Interaction: Whether the service can interact with the desktop (Window Station 0)
Path Name: The full path of the service's executable file
Process ID: The process ID (PID) the service is using
Service Type: Whether the service runs in a shared process (Svchost.exe) or in its own process
Started: Whether the service is currently running (true) or not (false)
Start Name: The security context the service runs in
State: Whether the service is running, stopped, or paused

You can also write programs, either Windows Script Host (WSH) scripts or console applications, that retrieve information on services through WMI.
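As an added example that is not code from the chapter, the following PowerShell collects the same inventory the chapter gathers with Tlist /s, Tasklist /svc and the wmic service listing (startup mode, hosting process, security context, desktop interaction), and then sets a list of unneeded services to Disabled, which is the same change as writing 4 to the service's Start value in the registry. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host, run from an elevated prompt; the Win32_Service class it reads is the class behind wmic service. The service names passed to Disable-UnneededService at the end are placeholders for your own list, not a recommendation.

```powershell
# Added example, not code from the chapter. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run elevated. Reads Win32_Service, the class that
# "wmic service" displays.

function Get-ServiceInventory {
    # Map PIDs to image names so services sharing one Svchost.exe instance can be told apart
    $procs = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procs[[uint32]$p.ProcessId] = $p.Name }

    foreach ($s in Get-CimInstance Win32_Service) {
        $hostProc = if ($s.ProcessId) {
            '{0} ({1})' -f $procs[[uint32]$s.ProcessId], $s.ProcessId
        } else { '-' }                                # stopped services have no process
        [pscustomobject]@{
            Name        = $s.Name
            StartMode   = $s.StartMode               # Boot, System, Auto, Manual, Disabled (Start value 0-4)
            State       = $s.State                   # Running, Stopped, Paused ...
            StartName   = $s.StartName               # security context the service runs in
            Interactive = $s.DesktopInteract         # true if it may open windows on Window Station 0
            Shared      = ($s.ServiceType -eq 'Share Process')
            HostProcess = $hostProc
            PathName    = $s.PathName
        }
    }
}

function Disable-UnneededService {
    # Reports services on the list that are not yet Disabled; changes them only with -Apply
    param([Parameter(Mandatory)][string[]]$Name, [switch]$Apply)
    foreach ($n in $Name) {
        $svc = Get-CimInstance Win32_Service -Filter ("Name='{0}'" -f $n)
        if (-not $svc) { Write-Warning "$n is not installed on this computer"; continue }
        if ($svc.StartMode -eq 'Disabled') { continue }
        '{0,-30} {1,-8} -> Disabled' -f $n, $svc.StartMode
        if ($Apply) {
            if ($svc.State -eq 'Running') { Stop-Service -Name $n -Force }
            # Same effect as setting HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start to 4
            Set-Service -Name $n -StartupType Disabled
        }
    }
}

# Usage: review everything that can still start, grouped by account, then dry-run a disable list.
Get-ServiceInventory | Where-Object StartMode -ne 'Disabled' |
    Sort-Object StartName, Name | Format-Table -AutoSize
# Placeholder names; add -Apply to make the change after you have reviewed the report.
Disable-UnneededService -Name 'Alerter', 'ClipSrv', 'Messenger'
```

The inventory is deliberately a report first and a change second: compare the StartName and Interactive columns against what you expect before disabling anything, because a service that is disabled while another service depends on it fails at the next boot rather than at the moment you change it.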

Configuring the Security Context of Services


Each service runs under a security context, and that context determines the rights and permissions the service has. In Windows 2000, most services run under the LocalSystem account. This account has full control over all resources on the computer. Services that run in the LocalSystem security context not only have membership in the local Administrators group, they also have rights not normally assigned to any user account, such as process manipulation rights. More directly, LocalSystem is the trusted computing base of the operating system. Thus, you do not want to run a service under the LocalSystem account unless it is absolutely required. In Windows Server 2003 and Windows XP, services can run under the LocalSystem account or under either the Local Service account or the Network Service account, both of which have limited rights and permissions on the local computer, roughly equivalent to those of Authenticated Users. Additionally, Local Service cannot authenticate to other computers (it presents anonymous credentials on the network), so it can be used only with services that do not need to authenticate across the network. When a service running under Network Service needs to interact with another computer, it authenticates using the computer's account. In Windows Server 2003, 21 services were moved from LocalSystem to Local Service or Network Service to be more secure by default.

In Windows Server 2003, Windows 2000, and Windows XP, you can also run a service in the security context of a user account. If you do, the password for the account is stored as a Local Security Authority (LSA) secret. If the computer is compromised and the attacker gains Administrator or System access, the attacker can retrieve the LSA secrets, including the user names and passwords of service accounts. Therefore, if you run services under the security context of a user account, always use a local user account: if the computer is compromised and the LSA secrets exposed, the attacker does not gain domain credentials, which significantly limits the impact of the incident. This is especially true of service accounts that require elevated privileges. In addition, do not use the same password for all service accounts, because the compromise of one account could then lead to a broader network compromise.

Warning: Microsoft strongly recommends that services that run in an elevated security context, such as LocalSystem, not be allowed to interact with the desktop. Window Station 0 (WinSta0), which holds the interactive desktop, is the security boundary on any computer running Windows. Any application running on the interactive desktop can send messages to any window on that desktop, even a window that is not displayed, regardless of the security context of the process that created the window and of the process sending the message. The Windows message system does not allow an application to determine the source of a window message. Because of this, any service that opens a window on the interactive desktop exposes itself to applications executed by the logged-on user. If the service uses window messages to control its functionality, the logged-on user can subvert that functionality with malicious messages. This class of attack is commonly known as a shatter attack. An example of a vulnerability in an application that interacts with the desktop is given in Microsoft Security Bulletin MS04-019, which resolved a vulnerability in the Utility Manager in Windows 2000. Before the patch was installed, an attacker could escalate privilege on the computer to LocalSystem by exploiting the vulnerability discussed in the bulletin.
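The following PowerShell is an added example, not code from the chapter, that audits the two security-context problems just described: services running as LocalSystem that can interact with the desktop (the window-message attack surface) and services running under a domain account whose password therefore sits in the LSA secrets of this host. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the account-name forms it matches (LocalSystem, NT AUTHORITY\LocalService, DOMAIN\user, user@domain) are the forms Win32_Service reports, and the wording of each finding is the author's own.

```powershell
# Added example, not code from the chapter. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows. Flags services by the security context they run in.

function Test-ServiceContext {
    $systemAccts  = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalSystem')
    $limitedAccts = @('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    # Authorities that are local to this host, so a password stored for them is not a domain credential
    $localDomains = @('.', $env:COMPUTERNAME, 'NT AUTHORITY', 'NT SERVICE')

    foreach ($svc in Get-CimInstance Win32_Service) {
        $acct = $svc.StartName
        if (-not $acct) { continue }             # drivers and a few services report no account
        $finding = $null

        if ($acct -in $systemAccts) {
            # LocalSystem is acceptable only without desktop interaction (SERVICE_INTERACTIVE_PROCESS)
            if ($svc.DesktopInteract) {
                $finding = 'Runs as LocalSystem and interacts with the desktop (shatter attack surface)'
            }
        } elseif ($acct -in $limitedAccts) {
            # Local Service / Network Service: limited rights, nothing to report
        } elseif ($acct -match '^([^\\@]+)\\(.+)$' -and $Matches[1] -notin $localDomains) {
            $finding = "Runs as domain account $acct; its password is an LSA secret on this host"
        } elseif ($acct -match '@') {
            $finding = "Runs as domain account (UPN) $acct; its password is an LSA secret on this host"
        } else {
            $finding = "Runs as local account $acct; verify it has a password unique to this service"
        }

        if ($finding) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $acct
                State     = $svc.State
                Finding   = $finding
            }
        }
    }
}

# Usage: list the findings, worst first
Test-ServiceContext | Sort-Object Finding | Format-Table -AutoSize -Wrap
```

A domain-account finding is worth acting on even when the account is unprivileged: the LSA secret gives an attacker who already owns the host a foothold on the domain, which is exactly the escalation the chapter's local-account recommendation prevents.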


Configuring the DACL for the Service


Each service has a DACL that determines the permissions users have over the service. The DACL for services is not exposed in the Services MMC console. You can view the DACL on a service by using Subinacl.exe, or by reading the security configuration of a computer into a security template and viewing the service's DACL with the Security Templates MMC snap-in. The basic permissions for services are listed in Table 9-4.

Table 9-4 Service Permissions

Full Control (SERVICE_ALL_ACCESS): Grants full control over the service
Query Template (SERVICE_QUERY_CONFIG): Allows the service configuration to be viewed
Change Template (SERVICE_CHANGE_CONFIG): Allows the service configuration to be modified
Query Status (SERVICE_QUERY_STATUS): Allows the SCM to be queried for the status of the service
Enumerate Dependents (SERVICE_ENUMERATE_DEPENDENTS): Allows the dependent services to be displayed
Start (SERVICE_START): Allows the service to be started
Stop (SERVICE_STOP): Allows the service to be stopped
Pause And Continue (SERVICE_PAUSE_CONTINUE): Allows the service to be paused and resumed
Interrogate (SERVICE_INTERROGATE): Allows the service to be asked to report its status
User Defined Control (SERVICE_USER_DEFINED_CONTROL): Allows special instructions to be given to the service
Delete (DELETE): Allows the service to be deleted
Read Permissions (READ_CONTROL): Allows the DACL of the service to be viewed
Change Permissions (WRITE_DAC): Allows the DACL of the service to be modified
Take Ownership (WRITE_OWNER): Allows the owner of the service to be changed

When using Subinacl.exe you must refer to the service by its service name (for example, netlogon), not its display name. The following listing shows the output of Subinacl.exe reading the permissions on the Net Logon service in Windows XP:

  +Service netlogon
  /owner             =system
  /primary group     =system
  /audit ace count   =1
  /apace =everyone   SYSTEM_AUDIT_ACE_TYPE-0x2 FAILED_ACCESS_ACE_FLAG-0x80 SERVICE_ALL_ACCESS
  /perm. ace count   =4
  /pace =authenticated users   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
  /pace =builtin\power users   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
  /pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
  /pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_STOP-0x20 SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100

Figure 9-2 shows the default permissions for the Net Logon service in Windows XP using the Security Templates MMC snap-in.

Figure 9-2 Managing service permissions with the Security Templates MMC snap-in
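As an added example that is not code from the chapter, the following PowerShell decodes a service DACL into the Table 9-4 permission names (using the access-mask bit values that appear in the Subinacl listing above) and flags any principal other than SYSTEM and Administrators that holds a right an attacker could use to hijack the service: SERVICE_CHANGE_CONFIG (repoint the binary or the account), SERVICE_START/SERVICE_STOP, DELETE, WRITE_DAC or WRITE_OWNER. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and reads the live descriptor with sc.exe sdshow, a tool the chapter does not cover, rather than Subinacl; the SDDL string embedded in the block is constructed to match the Net Logon defaults listed above so the decoder can also run on a host without that service.

```powershell
# Added example, not code from the chapter. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows. Service access-mask bits are the values shown in the
# Subinacl listing in this section.

$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010
    SERVICE_STOP                 = 0x0020
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
    DELETE                       = 0x10000
    READ_CONTROL                 = 0x20000
    WRITE_DAC                    = 0x40000
    WRITE_OWNER                  = 0x80000
}
$ServiceAllAccess = 0xF01FF
# Rights that let a principal take over the service or its DACL
$Dangerous   = 'SERVICE_CHANGE_CONFIG', 'SERVICE_START', 'SERVICE_STOP', 'DELETE', 'WRITE_DAC', 'WRITE_OWNER'
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'          # SYSTEM, BUILTIN\Administrators

function ConvertFrom-ServiceMask([int]$Mask) {
    if (($Mask -band $ServiceAllAccess) -eq $ServiceAllAccess) { return 'SERVICE_ALL_ACCESS' }
    $ServiceRights.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

function Get-ServiceDacl([string]$Name) {
    # sc.exe (not the "sc" alias for Set-Content) prints the SDDL, preceded by a blank line
    $sddl = ((& sc.exe sdshow $Name) -join '').Trim()
    if ($LASTEXITCODE -ne 0 -or $sddl -notmatch '^D:') { throw "sc sdshow $Name failed: $sddl" }
    $sddl
}

function Get-ServiceDaclReport([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = @(ConvertFrom-ServiceMask $ace.AccessMask)
        # Only allow ACEs for untrusted principals can grant something risky
        $risky = if ($ace.AceType -eq 'AccessAllowed' -and $sid.Value -notin $TrustedSids) {
            ($rights | Where-Object { $_ -eq 'SERVICE_ALL_ACCESS' -or $_ -in $Dangerous }) -join ','
        } else { '' }
        [pscustomobject]@{
            Type      = $ace.AceType
            Principal = $name
            Mask      = '0x{0:X}' -f $ace.AccessMask
            Rights    = $rights -join ' '
            Risky     = $risky
        }
    }
}

# Constructed sample matching the Net Logon defaults above: Authenticated Users (AU),
# Power Users (PU), Administrators (BA), SYSTEM (SY), and the failed-access audit ACE for Everyone (WD)
$SampleSddl = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceDaclReport $SampleSddl | Format-Table -AutoSize
# Live check of any installed service, for example: Get-ServiceDaclReport (Get-ServiceDacl netlogon)
```

On the sample the only non-trusted principal with a flagged right is Power Users, which holds SERVICE_START; that is the kind of grant to look for when a third-party installer has added Everyone or Authenticated Users with SERVICE_CHANGE_CONFIG, since changing the binary path of a service that runs as LocalSystem is a direct path to LocalSystem.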


Default Services in Windows Server 2003, Windows 2000, and Windows XP


In Windows Server 2003, Windows 2000, and Windows XP, many services are installed by default with the operating system. Each service is configured according to different security needs. You should evaluate each service to determine whether it is required by computers on your network and whether you need to change the permissions on the startup value, change the startup value itself, or change the permissions on the service. The following list describes each of these default services.

Note: Unless otherwise noted, all services are installed by default in Windows Server 2003, Windows 2000, and Windows XP.

Alerter: Notifies selected users and computers of administrative alerts. If this service is turned off, the computer will not be able to receive administrative alerts, such as those from the Messenger service or Performance Monitor. This service should be disabled unless you use administrative alerts. It is disabled by default in Windows Server 2003 and Windows XP.

Application Layer Gateway Service: Provides support for third-party plug-ins to Windows Firewall/Internet Connection Sharing (ICS) in Windows Server 2003 and Windows XP. Stopping or disabling this service prevents Windows Firewall or ICS from working. You should set this service to start manually.

Application Management: Provides software installation services, such as Assign, Publish, and Remove. This service processes requests to enumerate, install, and remove applications deployed over a corporate network. It is called when you use Add or Remove Programs in Control Panel to install or remove an application that is deployed by Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate applications deployed by using Group Policy. This service should be set to Disabled unless you install applications through Group Policy. The service is started by the first call made to it; it does not terminate until you stop it manually or restart the computer.

ASP.NET State Service: Part of Microsoft .NET Framework 1.1, which is installed by default in Windows Server 2003, this service provides support for out-of-process session state for ASP.NET applications running in Microsoft Internet Information Services (IIS) 6.0. If this service is stopped, out-of-process session state requests will not be processed. If you are not running ASP.NET applications on your server, this service can be disabled; by default it is set to start manually.


Automatic Updates: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can still be updated manually at the Windows Update Web site (http://windowsupdate.microsoft.com). Automatic Updates is a default service in Windows Server 2003 and Windows XP and is added to Windows 2000 computers when Windows 2000 Service Pack 3 is applied. You should set this service to start automatically unless you have your own security update management solution. You can configure Automatic Updates by using System in Control Panel or by using Group Policy.

Background Intelligent Transfer Service: Uses idle network bandwidth to transfer data without interfering with other network connections. This service is available only in Windows Server 2003 and Windows XP and should be set to Manual, because the Automatic Updates service uses it to download security updates.

Certificate Services: Creates, manages, and revokes X.509 certificates when Certificate Services is installed in Windows Server 2003 or Windows 2000 Server. This service should be set to start automatically if Certificate Services is being run on the server.

ClipBook: Enables the ClipBook Viewer to create and share pages of data to be viewed by a remote computer using Network DDE (NetDDE), which is described later in this chapter. This service is turned off by default and is started only when a user starts the ClipBook Viewer application. If you disable this service, the local ClipBook will not be able to send or receive ClipBook data from remote computers, but the ClipBook will still function on the local computer. You should disable this service.

Cluster Service: Operates the server cluster solutions in the Windows platform. This service is available only in Windows Server 2003, Enterprise Edition, and in Windows 2000 Advanced Server and Datacenter Server with clustering or Network Load Balancing (NLB) installed. In Windows 2000 you can remove this service by removing clustering using Add or Remove Programs in Control Panel.

COM+ Event System: Provides automatic distribution of events to subscribing COM components. If the service is turned off, the System Event Notification Service (SENS) stops working; COM+ logon and logoff notifications will not occur. Other COM+ Inbox applications, such as the Volume Snapshot service, will not work correctly. You should set this service to Manual unless COM+ components are installed on the computer.

COM+ System Application: Manages the configuration and tracking of COM+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, COM+ applications installed on the computer will not start. This service is available only in Windows Server 2003 and Windows XP and should be set to start manually unless you install COM+ applications on computers on your organization's network.


Computer Browser: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. If you disable this service, the computer will no longer participate in browser elections and will not maintain a server list. You can safely disable this service on most clients and servers on networks where all computers run Windows 2000 or later.

Cryptographic Services: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files and Microsoft ActiveX components; Protected Root Service, which adds and removes trusted root certification authority certificates on the computer; and Key Service, which helps enroll the computer for certificates. If Cryptographic Services is stopped, these three management services will not function. You should set this service to start automatically. This service is available only in Windows Server 2003 and Windows XP.

DHCP Client: Manages network configuration by registering and updating IP addresses if the computer has network adapters configured to use the Dynamic Host Configuration Protocol (DHCP) to obtain TCP/IP information. It is also responsible for updating dynamic Domain Name System (DNS) servers. You should set this service to start automatically unless you have statically configured IP addresses and information and do not require automatic updating of DNS.

DHCP Server: Uses DHCP to allocate IP addresses to DHCP clients and to configure their advanced network settings, such as DNS servers and Windows Internet Name Service (WINS) servers, automatically. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically. This service is available only in Windows Server 2003 and Windows 2000 Server when the DHCP service is installed. You can remove this service by using Add or Remove Programs in Control Panel.

Distributed File System (DFS): Manages logical volumes distributed across a local area network (LAN) or wide area network (WAN). DFS is a distributed service that integrates disparate file shares into a single logical namespace. This service is available only in Windows Server 2003 and Windows 2000 Server when DFS is installed. It must be running on domain controllers.

Distributed Link Tracking (DLT) Client: Maintains links between NTFS file system files within a computer or across computers in a domain. The DLT Client service ensures that shortcuts and object linking and embedding (OLE) links continue to work after the target file is renamed or moved. If the DLT Client service is disabled, you will not be able to track links, and users on other computers will not be able to track links to documents on your computer. In a workgroup, you should disable this service because it is rarely used. In a domain environment, use this service only if you frequently move files and folders on NTFS volumes.


Distributed Link Tracking (DLT) Server: Stores information so that files moved between volumes can be tracked for each volume in the domain. The DLT Server service runs on each domain controller in a domain. It enables the DLT Client service to track linked documents that have been moved to another NTFS v5 volume (the version of NTFS used in Windows 2000 and later) in the same domain. If the DLT Server service is disabled, links maintained by the DLT Client service might be less reliable. You should disable this service unless you are using link tracking on your network.

Distributed Transaction Coordinator: Coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers. The Distributed Transaction Coordinator is necessary if transactional components will be configured through COM+. This service is also required for transactional queues in Microsoft Message Queuing (MSMQ) and for Microsoft SQL Server operations that span multiple systems. Disabling this service prevents these transactions from occurring. You should set this service to Disabled on all computers where it is not being used.

DNS Client: Resolves and caches DNS names. The DNS Client service must be running on every computer that performs DNS name resolution. The capability to resolve DNS names is crucial for locating domain controllers in Active Directory domains, and running the DNS Client service is also critical for locating devices identified by DNS names. If the DNS Client service is disabled, your computers might not be able to locate the domain controllers of Active Directory domains or Internet hosts. You should set this service to start automatically unless you are certain that the computer will not require any host name resolution.

DNS Server: Enables DNS name resolution by answering queries and update requests for DNS names. This service is available only in Windows Server 2003 and Windows 2000 Server when DNS is installed. You can remove this service by using Add or Remove Programs in Control Panel.

Error Reporting Service: In Windows Server 2003 and Windows XP, by default, when an application crashes the user is prompted to report the incident, along with the crash-dump information, to Microsoft for analysis. You can configure this service by using System in Control Panel; for example, you can define which applications should and should not send crash-dump information. To prevent this service from running, you must set it to Disabled. You should set this service to Disabled unless you want to report the information to Microsoft.


Event Log: Logs event messages issued by programs and the Windows operating system. Event Log reports contain information that can be useful in diagnosing problems and are viewed in Event Viewer. The Event Log service writes to log files the events sent by applications, services, and the operating system. If the Event Log service is disabled, you will not be able to track events, which reduces your ability to diagnose problems with your system quickly, and you will not be able to audit security events. You cannot disable this service.

Fast User Switching Compatibility: Enables computers running Windows XP in a workgroup to use fast user switching to switch quickly between multiple active logon sessions. This feature was designed for home users and does not work when the computer is a member of a domain. You should disable this service.

Fax Service: Enables you to send and receive faxes. This service is not installed by default and can be added and removed by using Add or Remove Programs in Control Panel.

File Replication: Maintains synchronization of directory contents among multiple servers. File Replication is the automatic file replication service in Windows Server 2003 and Windows 2000. It is used to copy and maintain files on multiple servers simultaneously and to replicate the system volume (SYSVOL) to all domain controllers. In addition, this service can be configured to replicate files among alternate targets associated with fault-tolerant DFS. If this service is disabled, file replication will not occur and server data will not be synchronized. Stopping the File Replication service can seriously impair a domain controller's ability to function.

File Server for Macintosh: Enables Macintosh-based computers to store and access files on a Windows-based server. If this service is turned off, Macintosh-based clients will not be able to view any NTFS shares. This service is not installed by default and can be removed by using Add or Remove Programs in Control Panel. You should remove this service if you are not sharing files with Macintosh-based clients.

FTP Publishing Service: Provides FTP connectivity and administration through the IIS console. Features include bandwidth throttling, use of security accounts, and extensible logging. You should remove this service if you are not running an FTP site. You can do so by using Add or Remove Programs in Control Panel.

Help and Support: Enables the Help and Support application in Windows Server 2003 and Windows XP to provide dynamic help to users. If disabled, the Help and Support application will not function.

HTTP SSL Service: In Windows Server 2003, IIS uses this service to create and manage Secure Sockets Layer (SSL) sessions. Unless you have installed IIS and are running a Web site that requires SSL, you should disable this service.


Human Interface Devices: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, the hot buttons it controls will no longer function. You should set this service to Disabled unless you use a custom keyboard or other input device for hotkey mappings. This service exists only in Windows Server 2003 and Windows XP.

IIS Admin Service: Allows administration of IIS. If this service is not running, you will not be able to run Web, FTP, Network News Transfer Protocol (NNTP), or Simple Mail Transfer Protocol (SMTP) sites, and you will not be able to configure IIS. You should remove or disable this service if you will not be using IIS components, such as the Web or FTP services, on the computer. You can remove this service by using Add or Remove Programs in Control Panel.

IMAPI CD-Burning COM Service: Enables computers running Windows Server 2003 and Windows XP that are equipped with a CD-ROM drive to create CDs. You should disable this service on computers that do not have a CD-R or CD-RW drive, and set it to start manually on computers that do have one and need to burn CDs using this service. The service starts when you send files to a CD-R or CD-RW drive. It is disabled by default in Windows Server 2003.

Indexing Service: Indexes the contents and properties of files on local and remote computers and provides rapid access to files through a query language. The Indexing Service also enables quick searching of documents on local and remote computers and provides a search index for content shared on the Web. If this service is stopped or disabled, all search functionality is provided by traversing the folder hierarchy and scanning each file for the requested string, so search response is typically much slower. You should disable this service on servers and set it to start automatically on workstations.

Internet Authentication Service (IAS): Performs centralized authentication, authorization, auditing, and accounting of users who connect to a network (LAN or remote) by using virtual private network (VPN) equipment, Remote Access Service (RAS), or 802.1x wireless and Ethernet switch access points. IAS implements the Internet Engineering Task Force (IETF) standard Remote Authentication Dial-In User Service (RADIUS) protocol. If IAS is disabled or stopped, authentication requests fail over to a backup IAS server, if one is available; if no backup IAS server is available, users will not be able to connect. This service appears in the Services list only in Windows Server 2003 and Windows 2000 Server when IAS is installed. You should remove this service, by using Add or Remove Programs in Control Panel, on computers that are not RADIUS servers, proxies, or clients.


Internet Connection Sharing: Provides network address translation (NAT), addressing, and name resolution services for all computers on a home or small-office network through a dial-up or broadband connection in Windows 2000. This service is available only in Windows 2000 and should be disabled unless the computer is used as a gateway to another network.

Intersite Messaging: Allows the sending and receiving of messages between Windows server sites. This service is used for mail-based replication between sites; the Active Directory directory service supports replication between sites by using SMTP over IP transport. If you are not using the SMTP service in IIS, you should remove this service by using Add or Remove Programs in Control Panel, unless the computer is a domain controller that uses SMTP for intersite replication.

IPSec Services (IPSec Policy Agent in Windows 2000): Manages IP Security (IPSec) policy, including the Internet Key Exchange (IKE) protocol, and coordinates IPSec policy settings with the IP security driver. If you know you will not be using IPSec, set this service to manual startup; otherwise, set it to start automatically.

Kerberos Key Distribution Center: Enables users to log on to the network using the Kerberos v5 authentication protocol. If this service is stopped on a domain controller, users who use that domain controller for authentication will be unable to log on to the domain and access services. This service exists only on Windows Server 2003 and Windows 2000 Active Directory domain controllers.

License Logging: Tracks Client Access License usage for server products, such as IIS, Terminal Services, and File and Print Services, and for products such as SQL Server and Microsoft Exchange Server. If this service is disabled, licensing for these programs continues to work, but usage is no longer tracked. This service is available only in Windows Server 2003 and Windows 2000 Server and should be disabled unless you are tracking license usage.

Logical Disk Manager: Watches Plug and Play events for newly detected drives and passes volume and disk information to the Logical Disk Manager Administrative Service to be configured. If disabled, the Disk Management MMC snap-in display will not change when disks are added or removed. This service should not be disabled if the system has dynamic disks. You should set this service to start manually.

Logical Disk Manager Administrative Service: Performs administrative services for disk management requests. This service is started only when you configure a drive or partition or when a new drive is detected. It does not run by default, but it is activated whenever dynamic disk configuration changes occur or when the Disk Management MMC snap-in is open. The service starts, completes the configuration operation, and then exits. You should set this service to start manually.


Message Queuing Provides a messaging infrastructure and development tool for creating distributed messaging applications for the Windows operating system. Microsoft Message Queuing (MSMQ) provides guaranteed message delivery, efficient routing, security, support for sending messages within transactions, and priority-based messaging. Disabling MSMQ affects a number of other services, including COM+ Queued Component (QC) functionality, some parts of Windows Management Instrumentation (WMI), and the MSMQ Triggers service. If you are not using a message queue on the computer, you should remove the Message Queuing service by using Add or Remove Programs in Control Panel.

Messenger Sends messages to or receives them from users and computers. This service also sends and receives messages transmitted by administrators or the Alerter service. If disabled, Messenger notifications cannot be sent to or received from the computer or from users currently logged on, and the NET SEND and NET NAME commands will no longer function. You should disable this service unless you have applications that send administrative alerts, such as uninterruptible power supply (UPS) software or print notifications. The Messenger service is disabled by default in Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2.

Microsoft Software Shadow Copy Provider Manages software-based volume shadow copies taken by the Volume Shadow Copy service in Windows Server 2003 and Windows XP. If this service is stopped, software-based volume shadow copies cannot be managed. You should disable this service unless you are using volume shadow copies to archive data, in which case the service should be set to manual.

Net Logon Supports pass-through authentication of account logon events for computers in a domain. This service is started automatically when the computer is a member of a domain. It is used to maintain a secure channel to a domain controller for use by the computer in the authentication of users and services running on the computer. In the case of a domain controller, the Net Logon service handles the registration of the computer's DNS names specific to domain controller locator discoveries. On domain controllers, the service enables pass-through authentication for other domain controllers by forwarding pass-through authentication requests to the destination domain controller, where the logon credentials are validated. If this service is turned off, the computer will not operate properly in a domain. Specifically, it can deny NT LAN Manager (NTLM) authentication requests and, in the case of a domain controller, will not be discoverable by client machines. You should set this service to start automatically for all domain members and manually for nondomain members. If you set it to start manually, you will need to start this service before joining a non-domain-joined computer to the domain.

Chapter 9: Managing Security for System Services


NetMeeting Remote Desktop Sharing Allows authorized users to access your Windows desktop remotely from another PC over a corporate intranet by using Microsoft NetMeeting. The service must be explicitly enabled by NetMeeting and can be disabled in NetMeeting or shut down by using the notification area icon. Disabling the service unloads the NetMeeting display driver used for application sharing. You should disable this service unless you are using NetMeeting for business needs.

Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both network and remote connections. This service takes care of network configuration (client side) and displays the status in the notification area on the desktop (the area on the taskbar to the right of the taskbar buttons). You can also access configuration parameters through this service. Disabling this service will prevent you from configuring your LAN settings and will prevent domain members from receiving Group Policy. You should set this service to start manually.

Network DDE Provides network transport and security for dynamic data exchange (DDE) by applications running on the same computer or on different computers. This service is not started by default, and it is started only when invoked by an application that uses Network DDE (NetDDE), such as Clipbrd.exe or DDEshare.exe. If you disable the service, any application that depends on NetDDE will time out when it tries to start the service. You should disable this service unless you use NetDDE-enabled applications.

Network DDE DSDM Manages shared dynamic data exchange and is used only by Network DDE to manage shared DDE conversations. You should disable this service unless you use NetDDE-enabled applications.

Network Location Awareness (NLA) Collects and stores network configuration and location information and notifies applications when this information changes. Disabling this service will prevent Windows Firewall from working. You should set this service to start manually.

Network News Transfer Protocol (NNTP) Creates an NNTP-enabled news server. If the service is off, client computers will not be able to connect and read or retrieve posts. You should remove this service by using Add or Remove Programs in Control Panel if you are not running an NNTP server.

NT LM Security Support Provider Enables applications to validate authentication credentials by calling through the NTLM Security Support Provider (SSP). If this service is stopped, users will not be able to log on to applications that call the NTLM SSP. Most applications do not call this SSP directly. You should set this service to start manually.


Performance Logs and Alerts Configures performance logs and alerts. This service is used to collect performance data automatically from local or remote computers that have been configured by using the Performance Logs and Alerts snap-in. If the service is stopped by a user, all currently running data collections will terminate and no scheduled collections will occur. You should set this service to Disabled unless you are monitoring the performance of a server by using the Performance Logs and Alerts MMC snap-in.

Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. With Plug and Play, a user can add or remove devices without any intricate knowledge of computer hardware and without being forced to manually configure hardware or the operating system. Disabling this service will prevent the computer from starting. You should set this service to start automatically.

Portable Music Serial Number Service Enables a computer running Windows Server 2003 or Windows XP to retrieve information about portable music players attached to the computer as part of the Digital Rights Management (DRM) features. You should disable this service on computers that will not be used with portable music devices, such as MP3 players.

Print Server for Macintosh Enables Macintosh clients to route printing to a print spooler located on a computer running Windows Server 2003 or Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients. If the computer does not have a printer used by Macintosh-based clients, you should remove this service by using Add or Remove Programs in Control Panel.

Print Spooler Queues and manages print jobs locally and remotely. The print spooler is the heart of the Windows printing subsystem and controls all printing jobs. This service manages the print queues on the system and communicates with printer drivers and I/O components. If the Print Spooler service is disabled, you will not be able to print and other users will not be able to print to a printing device attached to your computer. You should set this service to Automatic, unless you are certain that no one will be printing to or from the computer, in which case you should set this service to Disabled.

Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Protected Storage (P-Store) is a set of software libraries that allows applications to store and retrieve security and other information in a per-user storage location, hiding the implementation and details of the storage itself. The storage location itself is not protected from modification; the protection comes from encrypting the stored data, not from access control on the store. P-Store uses the Hash-Based Message Authentication Code (HMAC) construction with the SHA1 cryptographic hash function to protect the user's master key. This component requires no configuration. Disabling it will make information protected with this service inaccessible to you. P-Store is an earlier service that has been supplanted by the Data Protection API (DPAPI), which is now the preferred mechanism for protected storage. You should set this service to start automatically. Microsoft Internet Explorer stores AutoComplete form entries, user names, passwords, and URL histories in P-Store.

QoS Admission Control (RSVP) Provides network signaling and local traffic-control setup functionality for Quality of Service-aware programs and control applets. You should set this service to start manually.

QoS RSVP Invoked when an application uses the Generic Quality of Service (GQoS) API to request a specific quality of service on the end-to-end connection it uses. If disabled, QoS is not guaranteed to the application. The application must then decide whether to accept best-effort data transmission or refuse to run. You should set this service to start manually.

Remote Access Auto Connection Manager Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. This service detects an attempt to resolve the name of a remote computer or share or an unsuccessful attempt to send packets to a remote computer or share. The service brings up a dialog box that offers to make a dial-up or VPN connection to the remote computer. Disabling the service has no effect on the rest of the operating system. You should disable this service unless you have a specific reason to use it.

Remote Access Connection Manager Creates a network connection. This service manages the actual work of connecting, maintaining, and disconnecting dial-up and VPN connections from your computer to the Internet or other remote networks. Double-clicking a connection in the Network and Dial-Up Connections folder and selecting the Dial button generates a work request for this service that is queued with other requests for creating or destroying connections. This service will unload itself when no requests are pending. In practice, however, the Network and Dial-Up Connections folder calls on this service to enumerate the set of connections and to display the status of each one, so unless the Network and Dial-Up Connections folder contains no connections, the service will always be running. The service cannot be disabled without breaking other portions of the operating system, such as the Network and Dial-Up Connections folder. You should set this service to Manual, unless you are certain that you will not be using remote access connections, in which case you should disable the service.

Remote Desktop Help Session Manager Manages and controls the Remote Assistance feature in Windows Server 2003 and Windows XP. If this service is stopped or disabled, Remote Assistance will be unavailable. You should disable this service unless your organization uses the Remote Assistance feature, in which case you should set the service to start manually.


Remote Installation (Boot Information Negotiation Layer (BINL) in Windows 2000) Enables you to install Windows Server 2003, Windows 2000, and Windows XP on computers equipped with Preboot Execution Environment (PXE)-compatible network interface cards. The BINL service is the primary component of Remote Installation Services (RIS). If BINL is no longer needed on the system, you can discontinue its use by using the Add/Remove Windows Components option in Control Panel to remove the RIS component. If turned off, RIS will not allow client machines to install the operating system remotely. This service is available in Windows Server 2003 and Windows 2000 Server only when RIS is installed.

Remote Procedure Call (RPC) Provides the RPC endpoint mapper and other miscellaneous RPC services. If this service is turned off, the computer will not boot. You should set this service to start automatically.

Remote Procedure Call (RPC) Locator Provides the name services for RPC clients. This service helps locate RPC servers that support a given interface (also known as an RPC named service) within an enterprise. This service is turned off by default. Note that no operating system component uses this service, although some applications might. You should set this service to start manually.

Remote Registry Allows remote registry manipulation. This service lets users connect to a remote registry and read and/or write keys to it, provided they have the required permissions. This service is usually used by remote administrators and performance monitor counters. If disabled, the service doesn't affect registry operations on the computer on which it runs; therefore, the local system will run in the same manner. Other computers or devices will no longer be able to connect to this computer's registry. You must be running this service to use some patch management tools, such as Microsoft Baseline Security Analyzer (MBSA). You should set this service to start automatically.

Remote Storage Engine Migrates infrequently used data to tape. This service leaves a marker on disk, allowing the data to be recalled automatically from tape if you attempt to access the file. If you are not using remote storage, you should remove or disable this service. Otherwise, you should set it to start manually.

Remote Storage File Manages operations on remotely stored files. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.

Remote Storage Media Controls the media used to store data remotely. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.

Remote Storage Notification Enables Remote Storage to notify you when you have accessed an offline file. Because it takes longer to access a file that has been moved to tape, Remote Storage will notify you if you are attempting to read a file that has been migrated and will allow you to cancel the request. If this service is turned off, you will not receive any additional notification when you try to open offline files, nor will you be able to cancel an operation that involves an offline file. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should remove or disable this service.

Removable Storage Manages removable media drives and libraries. This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs, and so on. This service is used by features such as Backup and Remote Storage to handle media cataloging and automation. This service stops itself when there is no work to do. If you are not using the remote storage feature of Windows Server 2003 or Windows 2000, you should disable this service.

Resultant Set of Policy Provider Enables you to connect to a Windows Server 2003 domain controller, access the WMI database for that computer, and simulate Resultant Set of Policy (RSoP) for Group Policy settings that would be applied to a user or computer located in Active Directory in a Windows 2000 or later domain. You should set this service to Disabled and enable it only when using RSoP.

Routing and Remote Access Offers routing services in LAN and WAN environments, including VPN services. If this service is turned off, incoming remote access and VPN connections, dial-on-demand connections, and routing protocols will not be available. In a routing context, Routing and Remote Access Service (RRAS) drives the TCP/IP stack-forwarding engine. The forwarding code can be enabled outside the service for various reasons, most notably Internet Connection Sharing (ICS). You should set this service to Disabled.

Secondary Logon (RunAs Service in Windows 2000) Allows you to run specific tools and programs with different permissions than your current logon provides. You should set this service to start automatically.

Security Accounts Manager Startup of this service signals to other services that the Security Accounts Manager (SAM) subsystem is ready to accept requests. This service should not be disabled. Doing so will prevent other services in the system from being notified when the SAM is ready, which can in turn cause those services to not start correctly.

Server Provides RPC support, file and print sharing, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. You should set this service to start automatically.


Shell Hardware Detection Monitors and provides notification for AutoPlay hardware events, such as the insertion of CD-ROM disks or USB storage devices. You should disable this service on servers and set it to start automatically on workstations. This service is not available in Windows 2000.

Simple Mail Transfer Protocol (SMTP) Transports e-mail across the network. The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. The Collaboration Data Objects (CDO) for Windows Server 2003 or Windows 2000 COM components can use the SMTP service to submit and queue outbound e-mail. If you are not using this service, you should remove it by using Add or Remove Programs in Control Panel.

Single Instance Storage Groveler Is an integral component of Remote Installation Services (RIS). The Single Instance Storage Groveler is installed only when you add the RIS component from Add or Remove Windows Components in Control Panel or select it when initially installing the operating system. If the service is turned off, RIS installation images will expand to their full image size and you will not be able to conserve space on the hard drive. You should remove the RIS service by using Add or Remove Programs in Control Panel if the computer is not a RIS server.

Site Server ILS Service As part of IIS, this service scans TCP/IP stacks and updates directories with the most current user information. Windows 2000 is the last version of the operating system to support the Site Server Internet Locator Service (ILS). You should remove this service by using Add/Remove Programs in Control Panel if you are not using it on your Web server.

Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. The Smart Card service is based on Personal Computer/Smart Card (PC/SC) consortium standards for accessing information on smart card devices. Disabling the Smart Card service will result in a loss of smart card support in the system. You should set this service to Disabled unless the computer uses smart cards for authentication, in which case you should set the service to start manually.

Smart Card Helper Provides support for earlier smart card readers attached to the computer. This component is designed to provide enumeration services for the Smart Card service so that earlier non-Plug and Play smart card reader devices can be supported. Turning off this service will remove support for non-Plug and Play readers. You should set this service to Disabled unless the computer uses smart cards for authentication, in which case you should set the service to start manually.


SNMP Service Allows incoming Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. SNMP includes agents that monitor activity in network devices and report to the network console workstation. If the service is turned off, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools, the tools will not be able to collect data from the computer or control its functionality using SNMP. If you are not monitoring the computer with SNMP, you should remove this service by using Add or Remove Programs in Control Panel.

SNMP Trap Service Receives SNMP trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on the computer. If the service is turned off, SNMP applications will not receive SNMP traps that they are registered to receive. If you are using a computer to monitor network devices or server applications through SNMP traps, you might miss significant system occurrences. If you are not monitoring the computer with SNMP, you should remove this service by using Add or Remove Programs in Control Panel.

SSDP Discovery Service Enables the discovery of Universal Plug and Play (UPnP) devices in Windows XP. You should set this service to Disabled unless you actively use UPnP devices on your network.

Still Image Service Loads necessary drivers for imaging devices (such as scanners and digital still-image cameras), manages events for those devices and associated applications, and maintains device state. The service is needed to capture events generated by imaging devices (such as button presses and connections). If the service is not running, events from the imaging devices connected to the computer will not be captured and processed. This service should be disabled unless digital images are downloaded to the computer from digital imaging devices.

System Event Notification Tracks system events, such as Windows logon, network, and power events, and notifies COM+ Event System subscribers of these events. System Event Notification System (SENS) is started automatically and depends on the COM+ Event System service. Disabling this service has the following effects:

- The Win32 APIs IsNetworkAlive() and IsDestinationReachable() will not work well. These APIs are mostly used by mobile applications and portable computers.
- SENS interfaces do not work properly. In particular, SENS Logon/Logoff notifications will not work.
- The Work Offline notification will not work. Internet Explorer 5.0 or later uses SENS on portable computers to trigger the Work Offline prompt when the user goes offline or online.
- SyncMgr (Mobsync.exe) will not work properly. SyncMgr depends on connectivity information and on Network Connect/Disconnect and Logon/Logoff notifications from SENS.
- COM+ Event System will try to notify SENS of some events but will not be able to.

System Restore Service Performs the automated backup and restore of a core set of system and application file types (for example, .exe and .dll); the set of monitored file types is fixed and cannot be changed in Windows XP. System Restore Service does not back up any user data. You can configure System Restore Service by using System in Control Panel. You should set this service to start automatically, unless you are certain that you will not be using it.

Task Scheduler Enables a program to run at a designated time. This service allows you to perform automated tasks on a chosen computer. Task Scheduler is started each time the operating system is started. If Task Scheduler is disabled, jobs that are scheduled to run will not run at their designated time or interval. You should set this service to start manually.

TCP/IP NetBIOS Helper Enables support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. This service is an extension of the kernel-mode NetBT driver and should be considered an integral part of NetBT rather than a normal service. It does two things for NetBT that cannot be done in kernel mode:

- Performs DNS name resolution
- Pings a set of IP addresses and returns a list of reachable IP addresses

If this service is disabled, NetBT's clients, including the Workstation, Server, Net Logon, and Messenger services, could stop responding. As a result, you might not be able to share files and printers, you might not be able to log on, and Group Policy will no longer be applied. You should set this service to start automatically.

Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are running the service. If no other dependent service is running and you stop the Telephony service, it will be restarted when any application makes an initialization call to the TAPI interface. If the service is disabled, any device that depends upon it will not be able to run. You should set this service to start manually.


Telnet Allows a remote user to log on to the system and run console programs by using the command line. A computer running the Telnet service can support connections from various TCP/IP telnet clients. Telnet session traffic, including everything typed after logon, is not encrypted on the network. You should disable this service unless you use the Telnet service to manage your computer and accept that exposure.

Terminal Services Provides a multisession environment that allows client devices to access a virtual interactive logon to a computer running Windows Server 2003, Windows XP, or Windows 2000 Server. Terminal Services allows multiple users to be connected interactively to the computer in their own isolated sessions. You should set this service to start automatically unless you are certain that you will not be using Windows Terminal Services, Remote Desktop, Fast User Switching, or Remote Assistance, in which case you can disable this service.

Terminal Services Licensing Installs a license server and provides registered client licenses when connecting to a Windows Server 2003 or Windows 2000 terminal server. If this service is turned off, the server will be unavailable to issue terminal server licenses to clients when they are requested. If another license server is discoverable on a domain controller in the forest, the requesting terminal server will attempt to use it. You should remove this service by using Add or Remove Programs in Control Panel unless the computer is a Terminal Services license server.

Terminal Services Session Directory Provides services for clustered Terminal Services, allowing client devices to locate and reconnect to their existing virtual Windows desktop sessions in a Windows Server 2003 terminal server farm. This service is disabled by default and should be enabled only if the server participates in a cluster (farm) of application terminal servers.

Themes Provides theme management for the Windows XP user interface. You should set this service to start automatically. It is disabled by default in Windows Server 2003.

Trivial FTP Daemon Trivial File Transfer Protocol (TFTP) is an integral part of Remote Installation Services. To disable this service, uninstall RIS. Disabling the Trivial FTP Daemon service directly will cause RIS to malfunction. You should remove RIS by using Add or Remove Programs in Control Panel if the computer is not a RIS server.

Uninterruptible Power Supply Manages communications with an uninterruptible power supply (UPS) connected to the computer by a serial port. If this service is turned off, communications with the UPS will be lost. You should disable this service unless you have a UPS device connected to the computer.

Universal Plug and Play Device Host Manages the operation of UPnP devices on the local computer. Disabling this service will prevent the use of UPnP devices; however, regular Plug and Play devices will continue to function normally. You should disable this service unless your network actively uses UPnP devices.


Upload Manager Manages synchronous and asynchronous file transfers on computers running Windows Server 2003 or Windows XP between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. Driver data is anonymously uploaded from customer computers to Microsoft and then used to help users find the drivers required for their systems. If users do not need to use Windows Update to locate updates to drivers, this service should be disabled.

Utility Manager Starts and configures accessibility tools from one window. Utility Manager allows faster access to some accessibility tools and displays the status of the tools or devices that it controls. This service saves users time because an administrator can designate that certain features start when the Windows operating system starts. Utility Manager includes three built-in accessibility tools: Magnifier, Narrator, and On-Screen Keyboard. You should disable this service if you are not going to use it.

Virtual Disk Service Provides a single interface for managing block storage virtualization, whether done in operating system software, redundant array of independent disks (RAID) storage hardware subsystems, or other virtualization engines. You should disable this service unless you require its features.

Volume Shadow Copy Manages and implements volume shadow copies used for backup and other purposes. This service is set to start manually, and you should disable it only if you want to disable Volume Shadow Copy functionality in Windows XP and Windows Server 2003.

WebClient Enables computers running Windows Server 2003 or Windows XP to modify Internet-based or intranet-based files, including through the Web-Based Distributed Authoring and Versioning (WebDAV) extensions for HTTP. You should set this service to start manually, except on servers, where it should be disabled. It is disabled by default in Windows Server 2003.

Windows Audio Enables Windows Server 2003 or Windows XP to manage audio devices. In Windows Server 2003, it is disabled by default, and in Windows XP it starts automatically.

Windows Firewall/Internet Connection Sharing (ICS) Provides personal firewall and Internet connection sharing in Windows Server 2003 and Windows XP. You should configure this service to start automatically on computers that will be using Windows Firewall or ICS.

Windows Image Acquisition (WIA) Manages the retrieval of images from digital cameras and scanners attached to computers that run Windows Server 2003 or Windows XP. You should set this service to Disabled unless you use such devices on the computer. It is disabled by default in Windows Server 2003.


Windows Installer Installs, repairs, or removes software according to instructions contained in .msi files provided with the applications. If disabled, the installation, removal, repair, and modification of applications that make use of the Windows Installer will fail. You should set this service to start manually.

Windows Internet Name Service (WINS) Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified by using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory, all computers on the network are running Windows 2000 or later, and you no longer have applications that rely on NetBIOS to locate other computers or users. If you are not running a WINS server on the computer, you should remove this service by using Add or Remove Programs in Control Panel.

Windows Management Instrumentation (WMI) Provides system management

information. WMI is an infrastructure for building management applications and instrumentation. WMI provides access to the management data through a number of interfaces, including COM API, scripts, and command-line interfaces. If this service is turned off, WMI information will be unavailable and Group Policy might not be applied correctly. You should leave this service to start automatically.

Windows Management Instrumentation Driver Extensions Tracks all the drivers

that have registered WMI information to publish. If the service is turned off, clients cannot access the WMI information published by drivers. However, if the WMI APIs detect that the service is not running, the APIs will attempt to restart the service.

Windows Time Sets the computer clock. Windows Time (W32Time) maintains

date and time synchronization on all computers running on a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests. The implementation of NTP and the integration of time providers make W32Time a reliable and scalable time service for enterprise administrators. For computers not joined to a domain, W32Time can be configured to synchronize time with an external time source. If this service is turned off, the time setting for local computers will not be synchronized with any time service in the Windows domain or with an externally configured time service. You should set this service to start automatically.

WinHTTP Web Proxy Auto-Discovery Service Implements the Web Proxy Auto-

Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol that enables an HTTP client to discover a proxy configuration automatically. This service, available only in Windows Server 2003, should be disabled unless its functionality is specifically required.


Wireless Configuration: Provides automatic configuration of supported 802.11 wireless network adapters in Windows Server 2003 and Windows XP. Set this service to start automatically unless the computer will not use wireless network adapters, in which case disable it.

WMI Performance Adapter: Provides performance library information from WMI HiPerf providers. The service, available only in Windows Server 2003, is a manual service and is not running by default. Leave this service set to start manually.

Workstation: Provides network connections and communications. The Workstation service is a user-mode wrapper for the Microsoft Networks redirector. It loads and configures the redirector, supports network connections to remote servers, supports the Windows Network (WNet) APIs, and furnishes redirector statistics. If this service is turned off, no network connections can be made to remote computers by using Microsoft Networks.

World Wide Web Publishing Service: Provides HTTP services for applications on the Windows platform. The service depends on the IIS Admin Service and on kernel TCP/IP support. If this service is turned off, the operating system can no longer act as a Web server. See also the IIS Admin Service entry in this list.

Best Practices

Disable unused services.

For computers running Windows Server 2003, Windows 2000, and Windows XP, carefully evaluate which services are required to support your organization's software applications, and disable any service you are certain you do not need in order to minimize the computer's attack surface. The following are the recommended minimum services to run:

Service                                                Setting
COM+ Event System                                      Manual
DHCP Client                                            Automatic (if needed)
DNS Client                                             Automatic
Event Log                                              Automatic
Logical Disk Manager                                   Automatic
Logical Disk Manager Administrative Service            Manual
Net Logon                                              Automatic
Network Connections                                    Manual
Performance Logs and Alerts                            Manual
Plug and Play                                          Automatic
Protected Storage                                      Automatic
Remote Procedure Call (RPC)                            Automatic
Remote Registry                                        Automatic (required for Microsoft Baseline Security Analyzer)
Security Accounts Manager                              Automatic
Server                                                 Automatic
System Event Notification                              Automatic
TCP/IP NetBIOS Helper                                  Automatic
Windows Management Instrumentation (WMI)               Automatic
Windows Management Instrumentation Driver Extensions   Manual
Windows Time (W32Time)                                 Automatic
Workstation                                            Automatic

Domain controllers require these additional services:

Service                                                Setting
Distributed File System (DFS)                          Automatic
DNS Server                                             Automatic
File Replication                                       Automatic
Intersite Messaging                                    Automatic
Kerberos Key Distribution Center                       Automatic
NT LM Security Support Provider                        Automatic
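As an added example (this is not code from the book), the following Windows PowerShell script (version 2.0 or later) compares a computer's service start modes with the two tables above and with the per-service recommendations in the list earlier in this chapter. Baseline services whose start mode differs from the table are reported and, only when -Remediate is given, corrected with Set-Service; services that are not in the baseline and not already disabled are listed together with the services that depend on them, so you can evaluate each one as the Best Practices text directs before disabling anything. The script keys on the Windows Server 2003 and Windows XP display names used in the tables; the -DomainController and -Remediate switches are this script's own parameters, not Windows settings, and the script assumes it runs in an administrative session.

```powershell
# Added example, not from the book: audit service startup types against the chapter's
# recommended minimum list and show what depends on any service that is a candidate
# for disabling. Assumes Windows Server 2003 / Windows XP display names and an
# administrative session. -DomainController and -Remediate are this script's switches.
param(
    [switch]$DomainController,
    [switch]$Remediate
)

# Desired start modes keyed by display name, spelled as Win32_Service.StartMode reports
# them ("Auto", "Manual", "Disabled") so they compare directly with the WMI data.
$Baseline = @{
    'COM+ Event System'                                    = 'Manual'
    'DHCP Client'                                          = 'Auto'     # Automatic (if needed)
    'DNS Client'                                           = 'Auto'
    'Event Log'                                            = 'Auto'
    'Logical Disk Manager'                                 = 'Auto'
    'Logical Disk Manager Administrative Service'          = 'Manual'
    'Net Logon'                                            = 'Auto'
    'Network Connections'                                  = 'Manual'
    'Performance Logs and Alerts'                          = 'Manual'
    'Plug and Play'                                        = 'Auto'
    'Protected Storage'                                    = 'Auto'
    'Remote Procedure Call (RPC)'                          = 'Auto'
    'Remote Registry'                                      = 'Auto'     # required for MBSA
    'Security Accounts Manager'                            = 'Auto'
    'Server'                                               = 'Auto'
    'System Event Notification'                            = 'Auto'
    'TCP/IP NetBIOS Helper'                                = 'Auto'
    'Windows Management Instrumentation'                   = 'Auto'
    'Windows Management Instrumentation Driver Extensions' = 'Manual'
    'Windows Time'                                         = 'Auto'
    'Workstation'                                          = 'Auto'
}
if ($DomainController) {
    foreach ($name in 'Distributed File System', 'DNS Server', 'File Replication',
                      'Intersite Messaging', 'Kerberos Key Distribution Center',
                      'NT LM Security Support Provider') {
        $Baseline[$name] = 'Auto'
    }
}

# Set-Service takes the ServiceStartMode spelling, which differs for automatic services.
$StartupType = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

$findings = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.DisplayName -and $Baseline.ContainsKey($svc.DisplayName)) {
        $desired = $Baseline[$svc.DisplayName]
        if ($svc.StartMode -ne $desired) {
            New-Object PSObject -Property @{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                State       = $svc.State
                Desired     = $StartupType[$desired]
                Dependents  = ''
                Finding     = 'Baseline service with unexpected start mode'
            }
        }
    }
    elseif ($svc.StartMode -ne 'Disabled') {
        # Not on the minimum list: report it with its dependents so the administrator can
        # judge what disabling it would break. Nothing outside the baseline is changed here.
        $dependents = (Get-Service -Name $svc.Name).DependentServices | ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            Desired     = 'Review'
            Dependents  = ($dependents -join ', ')
            Finding     = 'Not in baseline; disable if no application requires it'
        }
    }
}

$findings | Sort-Object Finding, DisplayName |
    Format-Table Finding, DisplayName, Service, StartMode, State, Desired, Dependents -AutoSize

# Optional remediation: only baseline services are touched, and only their start mode changes.
if ($Remediate) {
    foreach ($f in $findings | Where-Object { $_.Finding -like 'Baseline*' }) {
        Set-Service -Name $f.Service -StartupType $f.Desired
        Write-Host ('Set {0} to {1}' -f $f.DisplayName, $f.Desired)
    }
}
```

Run it without switches on a member server or workstation, with -DomainController on a domain controller, and add -Remediate only after reviewing the report. Services outside the baseline are deliberately never disabled by the script: the Dependents column tells you what would stop working, and that decision belongs to the administrator who knows which applications the computer supports.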

Additional Information

Microsoft Windows Internals, Fourth Edition (Microsoft Press, 2005)

Services on MSDN (http://msdn.microsoft.com/library/en-us/dllproc/base/services.asp)

Knowledge Base article 288129: How to Grant Users Rights to Manage Services in Windows 2000 (http://support.microsoft.com/kb/288129)

Knowledge Base article 325349: How to Grant Users Rights to Manage Services in Windows Server 2003 (http://support.microsoft.com/kb/325349)

Knowledge Base article 327618: Security, Services, and the Interactive Desktop (http://support.microsoft.com/kb/327618)
