UnNeeded/unwanted Services

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    112

    UnNeeded/unwanted Services

    OK, here's the question. I am in the process of configuring a public DNS server to host my own DNS SOA for my company's public website, rather than allowing our ISP to host them. The ISP is going to be secondary. The reason we want to do this is so we can make DNS changes on the fly.

    So I am in the process of hardening the server. (It is Win2K, patched, with the Baseline Security Analyzer run.) (I know we are a Windows shop and my experience with Linux is limited, what can I say.) It is up to snuff as far as patches etc. I have removed all unnecessary stuff (Accessories/Games/Wall Paper/etc). I want this to be as skinny a server as possible. I am looking for recommendations on the minimum set of services needed to run this DNS server. I have removed IIS... Here is a list of what is currently running for services... and my thoughts about what I am going to eliminate. What do you all think about what is the minimum required to get good performance outta this box... If I am thinking about disabling a service I will put that in brackets after the service name ...

    Alerter (Disable)
    Background Intelligent Transfer Service (Not sure what this is)
    COM+ Event System (Disable)(But not sure)
    Computer Browser (Disable)(again question this thought)
    DefWatch (AntiVirus stuff)
    DHCP Client (why if this is static IPed...?) (Disable)
    Distributed File System (??)
    Distributed Link Tracking Client (??)
    Distributed Link Tracking Server (??)
    Distributed Transaction Coordinator (??)
    DNS Client
    DNS Server
    Event Log
    IPSEC Policy Agent (Disable)
    Logical Disk Manager
    Messenger (??)
    Network Connections
    Norton AntiVirus Client
    NT LM Security Support Provider(??)
    Plug and Play (Disable)
    Print Spooler (Disable)
    Protected Storage (??)
    Remote Administrator Service (RAdmin)
    Remote Procedure Call (RPC) (Not sure on this one)
    Remote Registry Service (Disable)
    RunAs Service (Disable)
    Security Account Manager
    Server
    System Event Notification (??)
    Task Scheduler (Disable)
    TCP/IP NetBIOS Helper Service (Again this is a questionable one if needed. Not the same as NetBIOS so...hmmmm what you'll think)
    Telephony (Disable)
    Terminal Service (Disable) (service will be removed when this goes into production)
    Windows Management Instrumentation (??)
    WMDM PMSP Service (??)
    Workstation (Is this needed??)
    My other Computer is a 4000 node Beowulf Custer

  2. #2
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    giving you advice on this is difficult without knowing the entire environment.

    - is it a standalone server or part of a domain?
    - if it's part of a domain what adjacent hosts/services will exist?
    - is the dns zone win2k integrated or isolated?
    - if it's integrated - do other hosts in the private network fall into the same domain, exist as a subdomain, etc?
    - is this a bastion host, part of a dmz/red-lan?
    - is it proxied?
    - are there any other dependent services being run from this host? if so, what?
    - what type of host management is expected?
    - how are dns zone transfers handled between your host and the secondary isp provided host.

    some of the services you have marked as disabled or question marked might create integration issues depending on the answers above. additionally, i'd advise not running an authoritative service publicly....and i would exponentiate that advisory if it's win2k integrated. i might exponentiate that advisory if it's also enabled for zone-transfers depending on configuration.

    it sounds like a typical standalone setup - but i'd really hate to give bad advice for not asking about the details beforehand.
    -droby10

  3. #3
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    This should offer you absolutely everything you need:

    http://www.blackviper.com/WIN2K/servicecfg.htm

    It's a list of all of the services for Windows 2000, along with recommended settings for the following types of machines:

    DEFAULT Server | DEFAULT Pro | "SAFE" | Internet Gateway | Gaming System | Super Tweak
    Hope it helps.

    AJ

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    112
    This is a totally standalone system that is going to live in a DMZ... Not part of a domain cause it is living in the DMZ. Hence since it is not a W2K DC it is not AD integrated...
    My other Computer is a 4000 node Beowulf Custer

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    cool...just making sure. again with these suggestions, there may be issues with whatever type of management infrastructure is in place (which i didn't get any feedback on).

    i would suggest or reaffirm your statements on the questioned services for:

    COM+ Event System - disable (you're not running iis - and i gather there's no other dependencies)
    Computer Browser - disable (there's no need for it on a standalone box)
    DHCP Client - disable (no need - potential risk for addr poisoning)
    DNS Client - disable (others will disagree with me on this one)
    Messenger - disable
    NT LM Security Support Provider - disable (only if you aren't running COM+)
    Remote Procedure Call - enable (you could try it disabled in a staging environment - but i think it'd be a useless box)
    TCP/IP NetBIOS Helper Service - disable (nbt is the devil in windows clothing)
    Windows Management Instrumentation - disable (might be a potential risk - allows remote execution, shutdown, process control, etc.)
    -droby10
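
An added example, not part of the reply above: a Python check that compares the output of `net start` with the disable list from that reply. The sample output is constructed, and the function names and the idea of running this over saved output on an admin workstation are assumptions.

```python
# Added example: audit `net start` output against the decisions in this thread.
# The sample output below is constructed, not captured from the poster's server.

# Services reply #5 recommends disabling (display names as in the Services console).
# NT LM Security Support Provider is conditional there: only if COM+ is not in use.
DISABLE = {
    "COM+ Event System", "Computer Browser", "DHCP Client", "DNS Client",
    "Messenger", "NT LM Security Support Provider",
    "TCP/IP NetBIOS Helper Service", "Windows Management Instrumentation",
}
# Services that must stay up: the DNS role itself, plus RPC per reply #5.
REQUIRED = {"DNS Server", "Remote Procedure Call (RPC)"}

SAMPLE_NET_START = """These Windows 2000 services are started:

   DNS Client
   DNS Server
   Event Log
   Messenger
   Remote Procedure Call (RPC)
   TCP/IP NetBIOS Helper Service

The command completed successfully.
"""

def parse_net_start(text):
    """Return the started service names; `net start` indents each one."""
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(" ") and ln.strip()]

def audit(started):
    """Sort started services into findings, comparing names case-insensitively."""
    disable = {s.lower() for s in DISABLE}
    required = {s.lower() for s in REQUIRED}
    seen = {s.lower() for s in started}
    return {
        "still_running": sorted(s for s in started if s.lower() in disable),
        "missing_required": sorted(s for s in REQUIRED if s.lower() not in seen),
        "unreviewed": sorted(s for s in started
                             if s.lower() not in disable | required),
    }

if __name__ == "__main__":
    for finding, names in audit(parse_net_start(SAMPLE_NET_START)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Anything reported as unreviewed is a service nobody in the thread has ruled on yet, so it needs a keep-or-disable decision before the box goes into the DMZ.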

  6. #6
    Gray Haired Old Fart aeallison
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888
    Originally posted here by avdven
    This should offer you absolutely everything you need:

    http://www.blackviper.com/WIN2K/servicecfg.htm

    It's a list of all of the services for Windows 2000, along with recommended settings for the following types of machines:



    Hope it helps.

    AJ
    Nice site for a newbie, also great for reference, I have a better understanding of the win2k services now, although I noticed that SP3 added a couple more he is not listing in this exposé.
    I recommend checking it out, kinda gives you the idea that he has lots of money and wants to show it off a bit
    I have a question; are you the bug, or the windshield?

  7. #7
    Member
    Join Date
    Apr 2002
    Posts
    45
    Originally posted here by avdven
    This should offer you absolutely everything you need:

    http://www.blackviper.com/WIN2K/servicecfg.htm

    It's a list of all of the services for Windows 2000, along with recommended settings for the following types of machines:



    Hope it helps.

    AJ
    Man, this is a good link ! I've put it into my fav's ! Tks for the info !

    I would personally take off everything that is not DNS related and windows core services including all your antivirus stuff ! It's DNS, there's nothing not public related anyway. Just make sure to do a backup of your DNS tables and a ghost of your server. If it goes down, you'll be back up in a sec !

    Still be careful with what you take off !
