Which Windows Services Do We Need?
When you look at Microsoft Windows services, it can be confusing to sort through them and understand which ones you need. In this blog entry I'm going to take a more detailed look at Windows services and see if we can identify any services that might not be needed, or determine whether any are suspicious.
I think that services can be categorized into two different types: server services and client services. Server services are a bit easier to deal with because they typically do not directly interface with local users and should not be installed on a client computer.
Services that probably should not run on a client computer (laptop or desktop):
Description |
Executable |
FTP |
Msftpsvr |
Telnet |
Tintsvr |
World Wide Web (www) |
w3svc |
SMTP |
Smtpsvc |
SQL Express |
mssql$sqlexpress |
SQL Server |
Mssqlserver |
Web service |
Iisadmin |
Services that run on server computers as client services can be a bit harder to identify, because several services might be called by a server service that would be viable on a server. The list in the following table does not list services that could be determined to be viable on a typical server.
Services that you would not expect on a server:
Description |
Executable |
Peer Networking Grouping |
P2psvc |
Computer Browser services |
Browser |
Routing and Remote Access |
RemoteAccess |
Windows Audio |
Audiosrv |
Bluetooth |
Bthserv |
MultiMedia Class scheduler |
Mmcss |
Peer Networking Identity Manager |
Pnrpsvc |
Windows Themes |
Themes |
Now that we have a list of services that can be considered for evaluation, it would be nice to somehow automate the process of obtaining service information.
I started to dabble in PowerShell a while ago, and the following example is a perfect illustration of a simple but quick way to obtain service information without having to manually look at services on a device.
Looking for services using PowerShell
If you're not familiar with PowerShell, I recommend you take a look at it. In my book it's the best thing for an administrator since the advent of the automobile! https://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx
Step 1. Create a check file of service that you want to flag
Create a text file that identifies the services you want to flag. For instance I have a file called c:\temp\base.txt, and its contents are as follows:
Ftp service
telnet service
www service
SMTP service
sql express
sql server
web service
You can use your favorite editing tool such as Notepad.exe to create the file.
Step 2. Use Compare-Object to find the service
From a PowerShell command prompt, run the following command:
Compare-Object $(get-service | foreach { $_.Name } ) $(get-content c:\temp\base.txt) -includeequal -excludeDifferent
Simple, right?
Other Services
When you run the script it provides you with all kinds of great information. But maybe it's not enough information.
If you run this script I'd be interested in your results. Did you see something you did not expect? What was it? Have you identified any services that did not make my list? Are you aware of services (third-party, maybe malware) that should be watched for?
And what about services like BITS (Background Intelligent Transfer Service) and RPC? Because there's a need to allow Windows Update to run as expected, these services would need to run most of the time.
Finally, do scripts like this one provide value to you? What would you recommend to improve on it?
Comments
Anonymous
January 01, 2003
This is a quiet blog full of posts that invite feedback - but if you find them "too late", you can't post comments because comments are closed. I can understand closing comments on a busy blog that has a set audience who have been following it regularly for a while, but a new blog is likely to be found and read from newest to oldest, and folks may want to comment on "old" stuff - as I will do here, off-topic or not! :-)Anonymous
January 01, 2003
-Whoa, there, it's 2008, right? Someone pinch me. -Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security? Actually I the idea is to get exposure to Powershell, as a shell tool. Asking public to comment.... The blog is a discussion, and comments are always welcome. -And you think that using shell is a good way to admin a system? You have an opinion on this, could you elaborate your concern? -It's like I'm reading a UNIX BBS from the late 1980s. -Too weird.Anonymous
January 01, 2003
When working with ill or ?infected stand-alone PCs, the safest approach is via a CDR-based maintenance OS such as Bart or WinPE. In these cases, a challenge is how to apply tools that require registry access, e.g. HiJackThis, registry-aware scanners, etc. Bart has a solution in the form of Paraglider's RunScanner plugin (I have not tested this on Vista via WinPE, but I don't expect it to work). However, enumeration of services and drivers are not effectively redirected by RunScanner, presumably because the APIs involved look to "live" behavior rather than registry settings. So managing these items "from orbit" (i.e. without running the stricken or infected HD installation) is a problem.Anonymous
January 01, 2003
The comment has been removedAnonymous
September 14, 2007
The phrase "probably would/wouldn't expect" sadly puts a lot of conjecture into an otherwise very informative post. If You're looking for solid advice on the services required for specific server roles on Windows Server 2003, and how to get to a secured system using the built-in tools, then the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14845) is a must-read. System services are covered in Chapter 7. Cheers, OliverAnonymous
May 07, 2008
Whoa, there, it's 2008, right? Someone pinch me. Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security? And you think that using shell is a good way to admin a system? It's like I'm reading a UNIX BBS from the late 1980s. Too weird.