First published on TECHNET on Nov 18, 2008
Back when I was a Systems Administrator, one of my roles was to review the system configuration for a server prior to its implementation in the production environment. We had a fairly streamlined process for server deployment – including scripts to verify the security hardening, installed software, disabled services and so on. Disabling “unnecessary” services on a system is sometimes a very subjective process. If you were in the IT field in 2003, then you most likely remember the critical hotfix (MS03-043) that was released for a vulnerability in the Messenger service. Since that patch, many (if not most) environments have made disabling that service a standard practice. Other services are also turned off based on the server’s role, whether it is in the DMZ or on the internal network, and so on. This is all part of good system configuration and maintenance – in terms of both reducing the attack surface and eliminating unnecessary overhead.
However … some caution should be exercised when deciding what services to turn off. For example, when I walked into a new job four years ago, one of the first problems I was asked to investigate was why none of the servers were dynamically registering their DNS information. Every single one of the desktop machines was registered, but not a single system in the server room was registered. After about two minutes of looking at one of the problem systems, I realized that the DHCP Client service was disabled. A quick check on a couple of other systems confirmed that all of them had that service set to disabled via GPO. The fix, of course, was relatively simple – but the requisite (finger-pointing) post-mortem revealed that none of the admins really knew what the DHCP Client service did. They had fallen into the common trap of thinking that DHCP was just for handing out IP addresses to client machines. Since the servers all had static IP addresses, they assumed that the DHCP Client service was “unnecessary” and disabled it (by the by, the Dynamic DNS failure due to the DHCP Client service not working is outlined in KB264539).
So, what was the point of that anecdote? Recently we had a customer ask us “what services can safely be disabled”. In this particular instance he was trying to create a standard configuration for his desktop systems and wanted to know if we could give him “the absolute minimum set” of services that needed to stay running so he could optimize the system performance of his client computers. The short answer was that we don’t really test various service configuration combinations outside of what is enabled by default out of the box. The reason for this is that services sometimes perform secondary functions. A classic example of this is the Spooler Service. We all know that the primary function of the spooler service is to handle print spooling and processing. However – on a domain controller, the installation of the DC role adds a thread to the spooler service that is responsible for performing print pruning – removing the stale print queue objects from the Active Directory. If the spooler service is not running on at least one DC in each site, then the AD has no means to remove old queues that no longer exist.
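As an added example that is not part of the original post, here is a PowerShell pre-deployment check that flags the two hidden dependencies described above: a disabled DHCP Client service on a server whose NIC is set to register in DNS, and a Spooler service that is not running on a domain controller. The function name Test-ServiceSideEffects and the $secondaryFunctions table are my own; the script assumes PowerShell 3 or later and WMI access to the target.

```powershell
# Added example, not code from the original post. Assumes PowerShell 3+ (Get-CimInstance)
# and WMI/WinRM access to the target host. Service names and DomainRole values are real;
# the notes in $secondaryFunctions restate the dependencies the post describes.

# Service -> secondary function you lose if it is disabled.
$secondaryFunctions = @{
    'Dhcp'    = 'DHCP Client also registers the host A/PTR records via dynamic DNS update (KB264539), even on a static IP.'
    'Spooler' = 'On a domain controller, a spooler thread prunes stale printQueue objects from Active Directory.'
}

function Test-ServiceSideEffects {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    $isDc = $cs.DomainRole -ge 4

    # Does any IP-enabled NIC expect to register itself in DNS? If so, a disabled
    # DHCP Client service means that registration silently never happens.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                -ComputerName $ComputerName -Filter 'IPEnabled=TRUE'
    $expectsDnsRegistration = @($nics | Where-Object { $_.FullDNSRegistrationEnabled }).Count -gt 0

    foreach ($name in $secondaryFunctions.Keys) {
        # The pruning thread only exists on DCs, so Spooler is only checked there.
        if ($name -eq 'Spooler' -and -not $isDc) { continue }

        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
        if (-not $svc) { continue }

        if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
            $impact = $secondaryFunctions[$name]
            if ($name -eq 'Dhcp' -and $expectsDnsRegistration) {
                $impact += ' A NIC on this host is configured to register in DNS, so records will be missing.'
            }
            [pscustomobject]@{
                Computer  = $ComputerName
                Service   = $name
                StartMode = $svc.StartMode
                State     = $svc.State
                Impact    = $impact
            }
        }
    }
}

Test-ServiceSideEffects | Format-List
```

The Spooler requirement in the post is at least one running instance per AD site, so aggregate this output across each site's DCs rather than treating a single stopped host as a failure.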
So the moral of the story is that while there are opportunities for tuning by turning off services to decrease the overhead – you have to know everything that the service does, lest your good intentions have dire consequences. And with that, we’ve reached the end of our post. Until next time …