Disabling Nonessential Windows Services
 Mark Ciampa, © 2004

A logical first step in establishing a defense against computer attacks is to turn off all nonessential Windows services. Disabling services that are not necessary restricts the entry points an attacker can use, for the same reason that a bank vault has one door instead of a back door, windows, and a side entrance: if there is only one way in, access is easier to restrict. A second advantage is that disabling nonessential services frees RAM and improves the performance of the system.

   This Web tutorial provides important background information regarding what a Windows service is, which services are not necessary, and how to view and turn off unnecessary services.



What are Windows services?
   Since the advent of personal computers, programs have been written that run in the background of the operating system. A background program is not prominently displayed on the screen and does not require user input as a regular foreground program does. Instead, the background program waits in the computer’s random access memory (RAM) until the user presses a specific combination of keys known as a hot key, such as Ctrl+Shift+P. Then the idling program springs to life. These early programs, which performed functions such as displaying an instant calculator, small notepad, or address book, were called terminate-and-stay-resident (TSR) programs. Because users only had to press a hot key instead of starting the program each time they wanted to use it, TSR programs proved very popular.

   Operating systems also use programs that run in the background. However, instead of letting the user access them directly, these background programs typically perform tasks for the operating system, such as managing network connections. In Microsoft Windows, a running background program such as Svchost.exe is a process. A process provides one or more services to the operating system. Each service has a short service name, such as Appmgmt, which is what the registry and command-line tools use, and a display name that describes it, such as Application Management. A single process can provide multiple services. In Figure 1, the display name “Application Management” appears in the Services (Local) window, while the process Svchost.exe appears in the Task Manager, as shown in Figure 2.

Figure 1 - Display Name

 

Figure 2 - Process Name

Note in the above figure that the process Svchost.exe is providing multiple services to the local computer, network, and complete system.

   A service can be set to one of the following three startup modes:

Windows Service Mode   Description
Automatic              The service starts every time the computer is turned on. A few services stop themselves when they are no longer needed, but this is rare.
Manual                 The service stays stopped until Windows, another service, or a program asks for it. Not every service works properly when set to Manual; some must be Automatic.
Disabled               The service cannot be started at all, even if it is needed. Some programs display error messages when a service they expect is disabled, even when that service does nothing useful on your computer.



Nonessential Windows Services
   Not all Windows services that Microsoft turns on by default are essential. Of the 89 services in Windows XP, 36 are set by default to Automatic. However, some users claim that as few as eight services are essential. The following table lists some Windows XP services and recommends settings for home and office computers.

Service Name  Process Name  Description                                                                                  Default Mode  Recommended Mode
Alerter       Services.exe  Notifies selected users and computers of administrative alerts                               Manual        Manual (Office); Disabled (Home)
Wuauserv      Svchost.exe   Enables download and installation of critical Windows updates                                Automatic     Automatic
BITS          Svchost.exe   Uses idle network bandwidth to transfer data                                                 Automatic     Manual
ClipSrv       Clipsrv.exe   Enables ClipBook Viewer to store information and share it with remote computers              Manual        Disabled
MSDTC         Msdtc.exe     Coordinates transactions that span multiple resource managers, such as databases,            Manual        Manual (Office); Disabled (Home)
                            message queues, and file systems
DNSCache      Svchost.exe   Caches Domain Name System (DNS) names for this computer                                      Automatic     Disabled
ERSvc         Svchost.exe   Displays a dialog box that lets you report an application error or system crash to Microsoft Automatic     Disabled
Netman        Svchost.exe   Controls the network connections folder and your ability to connect to the Internet via dial-up  Manual    Automatic
Spooler       Spoolsv.exe   Loads files into memory for later printing                                                   Manual        Automatic
SCardDRV      Scardsvr.exe  Enables support for smart-card readers that do not support Plug and Play                     Manual        Disabled

You might have to adjust these settings to match your system configuration. For example, if you are using a Plug and Play smart-card reader, you can disable the SCardDRV service; if your computer uses a legacy reader that does not support Plug and Play, set SCardDRV to Automatic or Manual. Disabling DNSCache does not stop name resolution, but nothing is cached, so every lookup goes to the DNS server, and a computer joined to a Windows domain should leave it at Automatic. Before you change any service, open its Dependencies tab in the Services window: a Disabled service cannot be started by the services that depend on it. Write down the original startup type so you can revert, and change one service at a time, confirming that the computer still does what you need before you move to the next.
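To check a computer against the table above without opening each service by hand, the following script, an added example rather than part of the original tutorial, reads every service's startup type through WMI and flags the ones that differ from the recommended setting for a home or office computer. It assumes Windows PowerShell (not part of Windows XP as shipped; it was released later as a separate download for XP SP2) with access to the Win32_Service class; the $Role parameter and the $recommended table are this example's own, and the service names are the ones the table gives.

```powershell
# Added example, not from the original tutorial: compare the current startup
# type of each service in the table above with the recommended setting and
# flag every mismatch. Assumes Windows PowerShell with WMI access
# (Win32_Service.StartMode reports Auto, Manual or Disabled); the $Role
# parameter and the $recommended table are this example's own.

param(
    [ValidateSet('Home', 'Office')]
    [string]$Role = 'Home'
)

# Recommended startup types from the table above, keyed by service name.
# Where the tutorial gives different answers for office and home computers,
# both are listed. WMI reports Automatic as 'Auto'.
$recommended = @{
    'Alerter'  = @{ Home = 'Disabled'; Office = 'Manual'   }
    'wuauserv' = @{ Home = 'Auto';     Office = 'Auto'     }
    'BITS'     = @{ Home = 'Manual';   Office = 'Manual'   }
    'ClipSrv'  = @{ Home = 'Disabled'; Office = 'Disabled' }
    'MSDTC'    = @{ Home = 'Disabled'; Office = 'Manual'   }
    'Dnscache' = @{ Home = 'Disabled'; Office = 'Disabled' }
    'ERSvc'    = @{ Home = 'Disabled'; Office = 'Disabled' }
    'Netman'   = @{ Home = 'Auto';     Office = 'Auto'     }
    'Spooler'  = @{ Home = 'Auto';     Office = 'Auto'     }
    'SCardDrv' = @{ Home = 'Disabled'; Office = 'Disabled' }
}

$services = Get-WmiObject -Class Win32_Service

foreach ($name in ($recommended.Keys | Sort-Object)) {
    $want = $recommended[$name][$Role]
    $svc  = $services | Where-Object { $_.Name -eq $name }
    if ($null -eq $svc) {
        # Service names change between Windows versions; report it, do not guess.
        '----  {0,-10} is not installed on this computer' -f $name
        continue
    }
    $flag = if ($svc.StartMode -eq $want) { 'ok  ' } else { 'FIX ' }
    '{0}  {1,-10} {2,-35} startup={3,-8} running={4,-5} recommended={5}' -f `
        $flag, $svc.Name, $svc.DisplayName, $svc.StartMode, ($svc.State -eq 'Running'), $want
}
```

Run it as `.\audit-services.ps1 -Role Office` (any file name will do) and work through the FIX lines one at a time, checking the Dependencies tab of each service before changing it. The script only reports; it changes nothing.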

For more information on services see the Microsoft Technet Web site.



Viewing Windows Services
Before stopping any services, you should know how to determine what services are running on a system.

1. On a Windows XP computer, click Start and then click Run. The Run dialog box opens.
2. Type msconfig and then press Enter to display the System Configuration Utility dialog box.
3. Click the Services tab, shown in Figure 3. Scroll down to see which services are running or stopped.

Figure 3  System Configuration Utility dialog box

4. Click Cancel to close the dialog box.
5. Click Start and then click Run. In the Run dialog box, type Services.msc and then press Enter to display the Services (Local) window, shown in Figure 4.

Figure 4 Services (Local) window

6. If necessary, expand the columns to read the description of the service. Then locate and click the Secondary Logon service. Notice that three options are displayed for this service: stop the service, pause the service, and restart the service.
7. Double-click the Secondary Logon service to open the Secondary Logon Properties (Local Computer) dialog box, shown in Figure 5. Notice that it is here that a service can be stopped and started.

Figure 5 Secondary Logon Properties (Local Computer) dialog box

8. Click Cancel to close the dialog box. Then close the Services (Local) window.
9. Right-click a blank area of the taskbar, and then click Task Manager to open the Windows Task Manager dialog box.
10. Click the Processes tab. Scroll down to see the process names of the services. Then close the Task Manager dialog box.
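The ten steps above can be done in one pass from the command line. The following script, an added example and not part of the original tutorial, joins what the Services window shows (service name, display name, startup type) with what Task Manager shows (image name and PID), so that each Svchost.exe process is listed together with every service it hosts, which is the point made under Figure 2. It assumes Windows PowerShell with access to the Win32_Service and Win32_Process WMI classes.

```powershell
# Added example, not from the original tutorial: list every running service
# together with the process that hosts it, joining the two views of the
# Services window (service name, display name, startup type) and Task
# Manager (image name, PID). Assumes Windows PowerShell with access to the
# Win32_Service and Win32_Process WMI classes.

$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq 'Running' }

# Group by process ID: several services usually share one Svchost.exe process,
# which is why Task Manager shows far fewer processes than there are services.
$services | Group-Object -Property ProcessId | Sort-Object { [int]$_.Name } | ForEach-Object {
    $processId = [int]$_.Name
    $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $processId"
    $image = if ($proc) { $proc.Name } else { '(process has exited)' }

    ''
    'PID {0,-6} {1}  ({2} service(s))' -f $processId, $image, $_.Count
    foreach ($svc in ($_.Group | Sort-Object Name)) {
        # Service name is what sc.exe and the registry use; display name is
        # what the Services window shows. They are often quite different.
        '    {0,-20} {1,-45} startup={2}' -f $svc.Name, $svc.DisplayName, $svc.StartMode
    }
}
```

On a Windows XP computer without PowerShell, `tasklist /svc` prints the same process-to-service mapping, and `sc queryex <service name>` shows the PID of a single service.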



Disabling Windows Services
   Services are a valuable tool for an attacker to use against the system. Because they run in the background without any user intervention, and usually with high privileges, a flaw in a running service gives an attacker a foothold that the user never sees, and a service that listens on the network is an entry point that can be probed remotely. A service that is disabled cannot be attacked at all, whether by a remote attacker probing its port or by malicious code that hides inside it. If you disable the services you do not need, you eliminate a vulnerability in your computer system and close an entry into it. Disabling a service can also free RAM: disabling all of the nonessential services can free anywhere from 12 MB to 70 MB, depending on the system.

   Determining which services are not essential can be difficult for the following reasons:
• The service name and the display name are not always the same
• A single process can provide multiple services
• Services depend on one another, so disabling one can prevent others from starting
• Some programs generate error messages if a service they expect is not loaded

To illustrate how to disable Windows services, we will turn the ClipSrv service on and off. ClipSrv enables the ClipBook Viewer to store information and share it with remote computers, a network-reachable feature that few computers need. Although you can use the System Configuration Utility to enable or disable services, it is preferable to manage them through the Services (Local) window, which also lets you start and stop a service, choose among Automatic, Manual, and Disabled, and see which services it depends on.
1. On a Windows XP or 2003 computer, right-click a blank area of the taskbar, and then click Task Manager to open the Windows Task Manager dialog box .
2. Click the Processes tab. Scroll down to see that the ClipBook process (Clipsrv.exe) is not running. Then minimize the Windows Task Manager dialog box.
3. Click Start and then click Run. The Run dialog box opens.
4. Type Services.msc and then press Enter to display the Services (Local) window. If necessary, expand the columns to read the descriptions of the services.
5. Locate and then click the ClipBook service. Notice that only one option is displayed for this service: start the service. This indicates that the service is currently not running.
6. Double-click the ClipBook service to open the ClipBook Properties (Local Computer) dialog box, shown in Figure 6.

Figure 6  ClipBook Properties (Local Computer) dialog box

 Notice that the startup type is Manual, meaning that the service runs only when something requests it. The service status is Stopped unless you have already used this service. Also notice the buttons that manage this service: Start, Stop, Pause, and Resume. Depending on the current status of the service, some of the buttons are unavailable.
7. Click the Recovery tab to display the recovery options, shown in Figure 7.

Figure 7  Recovery options for the ClipBook service

8. Click the First failure list arrow, and then click Restart the Service. Recovery actions apply only when a service stops unexpectedly (a failure), not when you stop it yourself, so this setting tells Windows to restart ClipBook automatically if it crashes. It has no effect once the service is Disabled, because a disabled service cannot be started at all.
9. Click the General tab. Click the Start button to start this service.
10. Maximize the Windows Task Manager dialog box, and then click the Image Name column heading to sort the column. Locate Clipsrv.exe, shown in Figure 8.

Figure 8  Clipsrv.exe running

11. Return to the ClipBook Properties (Local Computer) dialog box. (You may need to double-click ClipBook again in the Services (Local) window.) Click the Stop button.
12. Maximize the Windows Task Manager dialog box and note that Clipsrv.exe is no longer running.
13. Return to the ClipBook Properties (Local Computer) dialog box. (You may need to double-click ClipBook again in the Services (Local) window.) Click the Startup type list arrow, and then click Disabled.
14. Click Apply. The ClipBook service will now not be loaded even if a program requests it. Stopping it in step 11 alone would not have been enough, because a Manual service is started again the next time something asks for it.
15. Close all windows.
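The same ClipBook change from the command line, as an added example that is not part of the original tutorial. It records the current startup type for rollback, refuses to disable a service that other running services depend on (the same information the Dependencies tab shows), stops the service, sets it to Disabled, and verifies both halves of the change. It assumes Windows PowerShell 2.0 or later in an elevated prompt; ClipSrv is the service name used above.

```powershell
# Added example, not from the original tutorial: the ClipBook procedure above
# from the command line. Records the current startup type for rollback,
# refuses to disable a service that other running services depend on (the
# same information the Dependencies tab shows), stops the service, sets it
# to Disabled, and verifies the change. Assumes Windows PowerShell 2.0 or
# later in an elevated prompt; ClipSrv is the service name used above.

$name = 'ClipSrv'

$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw "Service '$name' is not installed on this computer." }

# Get-Service shows status only; Win32_Service adds the startup type and PID.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name = '$name'"
'Before: {0} ({1}) status={2} startup={3} pid={4}' -f `
    $svc.Name, $svc.DisplayName, $svc.Status, $wmi.StartMode, $wmi.ProcessId

# A Disabled service cannot be started by anything, so first make sure no
# running service needs it.
$dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
if ($dependents.Count -gt 0) {
    $names = ($dependents | ForEach-Object { $_.Name }) -join ', '
    throw "Not disabling $name because running services depend on it: $names"
}

# Keep the original startup type. To revert, run
#   Set-Service -Name ClipSrv -StartupType <saved value>
# (WMI reports Automatic as 'Auto'; Set-Service expects 'Automatic').
$saved = $wmi.StartMode
"Original startup type (save this for rollback): $saved"

# Stopping alone is not enough: a Manual service restarts on the next request.
if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name }
Set-Service -Name $name -StartupType Disabled

# Verify both halves of the change: the process is gone and the startup
# type is Disabled.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name = '$name'"
'After:  status={0} startup={1} pid={2}' -f (Get-Service -Name $name).Status, $wmi.StartMode, $wmi.ProcessId
if ($wmi.StartMode -ne 'Disabled') { throw "Startup type of $name was not changed." }
```

On a Windows XP computer without PowerShell, the equivalent built-in commands are `sc enumdepend ClipSrv` to list dependents, `sc stop ClipSrv`, `sc config ClipSrv start= disabled` (the space after `start=` is required), and `sc qc ClipSrv` to confirm that START_TYPE now reads DISABLED.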
 


Please feel free to contact me at mark.ciampa@wku.edu if you have any comments