Badger_sly
[H]ard|Gawd
- Joined
- Mar 20, 2002
- Messages
- 1,594
Nice work on the data, rcolbert. At least now there is proof that can be pointed to when someone asks in the future.
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
services.msc
- Thread starter mdlsFREAK
- Start date
- Status
GreNME: First off, the statement I was responding to was " only an authenticated user can take advantage of services on your machine." That doesn't mean "able to start a service" in my book. I interpreted "take advantage" to mean "utilize", not "start." Obviously there are numerous services that users (and other computers) can access without authentication.
Phoenix86: I am referring to "NonPgdPl" (i.e. memory that is in use by a process that has not been paged.)
Phoenix86: I am referring to "NonPgdPl" (i.e. memory that is in use by a process that has not been paged.)
Actually now the graph is making sense. Of course it's not paging that data to the PF, you probably have gobs of RAM (or plenty of free RAM).
Windows will generally only page when RAM is needed, on your system, it's not being used. As it is, more data will flow from RAM to the PF. Run the same test with a game running (or other memory hog). Then you will see the processes use less RAM
While yes, this will take *some* cycles of CPU and I/O it's only when the data is needed. The only time that would cause a performance hit once the app is open is if you suddenly needed more RAM (say a new level in a game) and some addidtional paging was needed. Reducing running programs/services *may* delay a game loading a new level a hair and would speed up application launch times a bit, but doesn't help once running.
I should correct my statement about when data is paged from "when the OS realizes it's not being used" "when the OS needs the resources". At any rate, the end result (which we all seem to agree on) is no benefit to the system...
Windows will generally only page when RAM is needed, on your system, it's not being used. As it is, more data will flow from RAM to the PF. Run the same test with a game running (or other memory hog). Then you will see the processes use less RAM
While yes, this will take *some* cycles of CPU and I/O it's only when the data is needed. The only time that would cause a performance hit once the app is open is if you suddenly needed more RAM (say a new level in a game) and some addidtional paging was needed. Reducing running programs/services *may* delay a game loading a new level a hair and would speed up application launch times a bit, but doesn't help once running.
I should correct my statement about when data is paged from "when the OS realizes it's not being used" "when the OS needs the resources". At any rate, the end result (which we all seem to agree on) is no benefit to the system...
I am in complete agreement that impact of services that are running but quiet is totally negligible. My only function here is to moderate the degree by which the virtues of virtual memory and pre-emptive multitasking are extoled. Don't even get me started on hyperthreading. 
Any clarification is appreciated, I have read quite a bit on this and I still learn something new just about every time I read another thread. It doesn't help that people try to apply Win9X thinking to XP, nor that there are a billion web sites with incorrect information.
I think the best way to articulate my point is this:
Every service has at least one process.
Every process has a working set of memory.
Every working set has a current size, minimum size, and maximum size.
So long as a process is running, it will at least consume the minimum size of it's working set in physical RAM.
Glad to hear that even with competing viewpoints that there is room for open discourse.
Every service has at least one process.
Every process has a working set of memory.
Every working set has a current size, minimum size, and maximum size.
So long as a process is running, it will at least consume the minimum size of it's working set in physical RAM.
Glad to hear that even with competing viewpoints that there is room for open discourse.
Once again playing the semantics game. The problem here is that you are demanding everyone go by your definition of terms and wording and argue it from there. I already said I wasn't interested in doing that.rcolbert said:
However, since you're being so adamant that your own personal definition of things is absolute (which you ironically warn against), then do us all a favor and give an explanation of each of the columns in the memsnap log, how they are to be broken down logistically, and how they apply to actual usage of resources. Use, say, they lsass process as an example for all the boys and girls.
When you can explain to me how anyone was supposed to understand "take advantage of" to mean "start" rather than "utilize" I will answer the rest of your question. I don't think I'm splitting hairs here. I think what you are thinking and what you are typing are two different things. Did anyone else read "take advantage of" and think that he meant "start a service?" Show of hands please..
(an lssas is a local security subsystem that must be running, and I won't BS about it because to tell you any more I'd be googling it.)
(an lssas is a local security subsystem that must be running, and I won't BS about it because to tell you any more I'd be googling it.)
Now wait; I'm confused...you said:
as a reason against disabling services. But now you're saying:GreNME said:
You don't need to be able to start a service to "take advantage" of it. You yourself give an example:GreNME said:
If a service is disabled, there's zero chance it can get "taken advantage" of. You seem to be changing your story...GreNME said:
That's not how it works. You are the one who brought up memsnap. I already know what the data is showing, and it is not showing anything to substantiate either of our claims. However, I want you to "explain" it to the best of your ability, since you first brought it up.rcolbert said:
I'll tell you the same thing I told O[H]-Troll: I will give you $500 US if you can come before me and take advantage of ANY services on my XP install. I'll even use my XP Home lappie if you want, though you have more services to choose from with my XP Pro lappie. If you can do it without me giving explicit permission to access a service, then I will acquiesce. The problem isn't in the services here. If you have services being fooled with by an outside source without you wanting it, you've already been owned.
You misunderstand what I was asking. I was asking you to use the lsass process running as the "for example" in your explanation of the columns in memsnap. The discrepency within it (way higher paged data than the working set) takes a bit deeper understanding of how the processes are being tallied than just downloading and cutting-pasting output from a tool.
Well, the answer is yes and no: a non-auth user can put input into and call a running service remotely, but only after an authorized user has given that privilege. ActiveX scripts, for example, can call services, but the user must be allowing ActiveX scripts to run for it to happen (and by default, the user is prompted).Phoenix86 said:
Basically, it's pedantic wordplay. The problem is not on the services level, it's in allowing users to run as admin to begin witha mentality that has kept the *nix world far safer from malicious code than most general consensus likes to think.
That still requires auth., and makes their point on the difference between "use" and "start" moot. They are the ones making a deal over the difference in words, I want to see if there is a point or not.GreNME said:
I think the graph is easily explained. A MUCH better example would be a system that is using a lot more memory than available RAM forcing the unused items to page. Then you could see how much data *isn't* being paged to disk. You can't tell shit from the data we're looking at here...
This is being reduced to the absurd.
Netlogon (prior to logon you interact with it)
Telnet Server (ditto)
Computer Browser (no authentication required)
WINS Server (nada)
DNS Server (zero)
...
All of these services can be used by non-authenticated users and the list goes on and on and on. Why the fuck would anyone think that you were talking about the privilege of starting a service? In the context of what you were saying your whole line of thought was around external users interacting with services, presumably via an exploit. My whole point was that unauthenticated users access services on Windows boxes all the time and for normal reasons. I don't need an exploit to interact with a service on your box. I just need your IP address. Your backtracking puts you in an indefensible position. You say I'm arguing semantics? Try saying what you mean up front. You brought this point up well before I brought up memsnap. Bottom line is that your pedestrian knowledge of memory and CPU utilization leads you to make false generalizations in which your only out is by virtue of the fact that you don't write with even the slightest modicum of technical precision. Your statements have all the strength of a bowl of jell-o that's been sitting on the kitchen counter for four hours.
But I don't mean to start a fight....
Netlogon (prior to logon you interact with it)
Telnet Server (ditto)
Computer Browser (no authentication required)
WINS Server (nada)
DNS Server (zero)
...
All of these services can be used by non-authenticated users and the list goes on and on and on. Why the fuck would anyone think that you were talking about the privilege of starting a service? In the context of what you were saying your whole line of thought was around external users interacting with services, presumably via an exploit. My whole point was that unauthenticated users access services on Windows boxes all the time and for normal reasons. I don't need an exploit to interact with a service on your box. I just need your IP address. Your backtracking puts you in an indefensible position. You say I'm arguing semantics? Try saying what you mean up front. You brought this point up well before I brought up memsnap. Bottom line is that your pedestrian knowledge of memory and CPU utilization leads you to make false generalizations in which your only out is by virtue of the fact that you don't write with even the slightest modicum of technical precision. Your statements have all the strength of a bowl of jell-o that's been sitting on the kitchen counter for four hours.
But I don't mean to start a fight....
Indeed. I find your misinformation alarmingly absurd.rcolbert said:
You can interact only to authenticate. Nothing else. Without authenticating, you are denied any access to it. You may as well say that a person without a key to a locked door has access to the door, which is incorrect.
And ditto on the explanation. No privs == no access.
Wrong. Try to utilize the Computer Browser service on my machine remotely without authentication. It makes anonymous requests out, but no access from the outside in.
How in the hell are you accessing that service with no privs? You can get the information it broadcasts if you are allowed access set by the admin of the server, but other than that your "nada" is the level of access you have to the service.
Same as the WINS. I can give you access to my 2k3 SBS environment at home, and I'd love to see you even get an IP, let alone get info from WINS or DNS from the network.
Care to rethink that list some?
Netlogon (prior to logon you interact with it)
Of course you know the purpose of the Netlogon service. However, you are interacting with it whether or not you logon successfully.
Telnet Server (ditto)
Same as above.
Computer Browser (no authentication required)
You can harden this service now to prevent anonymous access, but the point isn't about hardened services. Typically computer browse lists are exchanged without authentication. Again, this is simply an example of a service you can talk to without authentication.
WINS Server (nada)
Absolutely no authentication is required to register in WINS or to query the WINS database.
DNS Server (zero)
Also, no authentication is required to perform lookups against DNS. The only possible security is if you are running AD integrated DNS zones on a DC. You show me a functioning DNS server that I can't run nslookup against.
More:
NetBackup Service. The NetBackup client service talks to NetBackup master and media servers without any form of authentication other than DNS lookups. Oh yeah, and it inherited this behavior due to it's Unix roots.
IIS: You can require authentication or not as an admin. The point again is not how your PC is confiugred. The point is that Windows services, many out of the box, will talk to other systems freely and easily.
Does this mean you can configure or control services without authentication? No, of course not. Does this mean you can authenticate against services that require it without proper credentials? No. However, you are simply wrong when you assert that services can't be utilized by unauthenticated users.
Of course you know the purpose of the Netlogon service. However, you are interacting with it whether or not you logon successfully.
Telnet Server (ditto)
Same as above.
Computer Browser (no authentication required)
You can harden this service now to prevent anonymous access, but the point isn't about hardened services. Typically computer browse lists are exchanged without authentication. Again, this is simply an example of a service you can talk to without authentication.
WINS Server (nada)
Absolutely no authentication is required to register in WINS or to query the WINS database.
DNS Server (zero)
Also, no authentication is required to perform lookups against DNS. The only possible security is if you are running AD integrated DNS zones on a DC. You show me a functioning DNS server that I can't run nslookup against.
More:
NetBackup Service. The NetBackup client service talks to NetBackup master and media servers without any form of authentication other than DNS lookups. Oh yeah, and it inherited this behavior due to it's Unix roots.
IIS: You can require authentication or not as an admin. The point again is not how your PC is confiugred. The point is that Windows services, many out of the box, will talk to other systems freely and easily.
Does this mean you can configure or control services without authentication? No, of course not. Does this mean you can authenticate against services that require it without proper credentials? No. However, you are simply wrong when you assert that services can't be utilized by unauthenticated users.
Now we're getting somewhere. You see, getting information from something is not the same as accessing the service itself. None of those are entry points for unauthenticated users in any way, and cannot be used as such. Hence, the malicious attacker has only one option: DoS. There are other countermeasures for that, but the fact remains that services are in no way able to be used as a point of entry for the unauthenticated user.Shall I use the term "take advantage of for unauthenticated entry" for your sake? Information gathering is all well and good, but with no point of entry that info is ultimately useless.
I'm not really attempting to turn a resources argument into a security argument either. I'm more interested in the services, processes, and resources element of the discussion. More to the point, if a service is listening on a port, you can talk to it. You might not like what it has to say to you, but you can certainly talk to it. Therfore, the process needs to be aware that you're talking to it. Either the OS/IP Stack is doing extra work to be the listener for the process, or the process is not 100% dormant. In any case, there are CPU cycles consumed.
The thing is, you're switching goalposts in order to sustain an argument. For example, you bring up server services that XP does not have in trying to point out examples of chatty services, when XP with the default firewall on would not respond to requests from net logon, telnet (which isn't on by default), or computer browser (unless file and printer sharing is enabled).
Server configs are totally different, but if you wish I can go into what are on by default and what are not, and the proper methods for securing a machine that requires the use of the services you listed anyway (which doesn't include disabling them).
Basically, what I'm getting at is that the disabling of any of those services is counter-intuitive to securing the machine. I could post the picture of "The Ultimate Firewall," which is basically a pair of wire cutters. That's basically what the approach disabling services is, and why I am arguing that it is not a reasonable method of security. No matter how it's spun, services are not the point-of-entry for malicious attacks (pre-SP1 RPC being the only exception), and that is why disabling services as a security method is nonsensical (which I know you haven't been arguing).
The thing is, we're talking past each other at this point, because we're working from totally different starting points. You're more interested in having exactly the precise wording to satisfy your sense of "right," while I'm pointing out that the concept itself and the methodology behind it is what matters.
Server configs are totally different, but if you wish I can go into what are on by default and what are not, and the proper methods for securing a machine that requires the use of the services you listed anyway (which doesn't include disabling them).
Basically, what I'm getting at is that the disabling of any of those services is counter-intuitive to securing the machine. I could post the picture of "The Ultimate Firewall," which is basically a pair of wire cutters. That's basically what the approach disabling services is, and why I am arguing that it is not a reasonable method of security. No matter how it's spun, services are not the point-of-entry for malicious attacks (pre-SP1 RPC being the only exception), and that is why disabling services as a security method is nonsensical (which I know you haven't been arguing).
The thing is, we're talking past each other at this point, because we're working from totally different starting points. You're more interested in having exactly the precise wording to satisfy your sense of "right," while I'm pointing out that the concept itself and the methodology behind it is what matters.
It's been a long day and I'm sitting here bored. What can I say?
I and Microsoft disagree with the totality of the point you are making.
In fact, eliminating unneeded services is strongly recommended by Microsoft as a means to "reduce the potential surface area" vulnerable to attacks.
I have been involved directly with Microsoft for many years, and recently to great extent on Windows security. In fact, last week I had a LiveMeeting with a number of folks from Microsoft including the very person who is responsible for the security and patch management policy and implementation for their own worldwide internal IT operations. I am by no means an authority on the subject, although I oversee the same policies and procedures for our company's North American operations, spanning more than 300 sites in the US and Canada. If you look at the number of services that are installed and turned on by default in Windows XP and Server 2003 versus any previous Windows version, it's fairly obvious that Microsoft is agressively working on reducing the surface area for potential attack. Advising someone that turning off services is pointless from a security standpoint is plain old bad advice.
Any process listening on any port regardless of the firewalls and patches in place, *may* be suceptible to some as yet unknown exploit such as a malformed request or a buffer overflow. If you thought the same as you do six months ago, I had tools whereby I could talk to any Windows server and run any code I chose on it, regardless of what you had done from a Microsoft or Virus Scanning level. The only two things that would have prevented your system from being compromised would be an active agent like the Cisco Security Agent, or if you were simply hidden behind hardware such as a NAT.
All of the tools I mention are pretty much useless today against a patched system. However, there's no way of knowing which process will turn up next as having some sort of vulnerability. Exploits such as buffer overflows or malformed requests almost never require authentication to work. Their sole job is to let you anonymously run arbitrary code of your choosing on remote systems.
From a corporate perspective if you run a tool like Foundstone against your enterprise, you'll see exactly what all the extra running services do in terms of softening up your defenses. And also for the record, the Windows firewall in XP is extremely basic and should not be considered an adequate substitue for a good thrid party product. It's better than nothing, but that's about it.
Tell you what, give me your IP address if you're not behind a NAT and we'll see... (j/k)
In fact, eliminating unneeded services is strongly recommended by Microsoft as a means to "reduce the potential surface area" vulnerable to attacks.
I have been involved directly with Microsoft for many years, and recently to great extent on Windows security. In fact, last week I had a LiveMeeting with a number of folks from Microsoft including the very person who is responsible for the security and patch management policy and implementation for their own worldwide internal IT operations. I am by no means an authority on the subject, although I oversee the same policies and procedures for our company's North American operations, spanning more than 300 sites in the US and Canada. If you look at the number of services that are installed and turned on by default in Windows XP and Server 2003 versus any previous Windows version, it's fairly obvious that Microsoft is agressively working on reducing the surface area for potential attack. Advising someone that turning off services is pointless from a security standpoint is plain old bad advice.
Any process listening on any port regardless of the firewalls and patches in place, *may* be suceptible to some as yet unknown exploit such as a malformed request or a buffer overflow. If you thought the same as you do six months ago, I had tools whereby I could talk to any Windows server and run any code I chose on it, regardless of what you had done from a Microsoft or Virus Scanning level. The only two things that would have prevented your system from being compromised would be an active agent like the Cisco Security Agent, or if you were simply hidden behind hardware such as a NAT.
All of the tools I mention are pretty much useless today against a patched system. However, there's no way of knowing which process will turn up next as having some sort of vulnerability. Exploits such as buffer overflows or malformed requests almost never require authentication to work. Their sole job is to let you anonymously run arbitrary code of your choosing on remote systems.
From a corporate perspective if you run a tool like Foundstone against your enterprise, you'll see exactly what all the extra running services do in terms of softening up your defenses. And also for the record, the Windows firewall in XP is extremely basic and should not be considered an adequate substitue for a good thrid party product. It's better than nothing, but that's about it.
Tell you what, give me your IP address if you're not behind a NAT and we'll see... (j/k)
For the record as well, check out the Windows XP Security Guide.pdf by downloading the zip file here:
http://www.microsoft.com/downloads/details.aspx?familyid=2d3e25bc-f434-4cc6-a5a7-09a8a229f118
Starting on page 84 Microsoft goes to great lengths to detail recommendations for default and built-in services. I don't think they'd make such a lengthy recommendation for no reason.
http://www.microsoft.com/downloads/details.aspx?familyid=2d3e25bc-f434-4cc6-a5a7-09a8a229f118
Starting on page 84 Microsoft goes to great lengths to detail recommendations for default and built-in services. I don't think they'd make such a lengthy recommendation for no reason.
Um, no. Unnecessary services are already not on by default since 2003 Server. You turn on what you need by setting it up.
So, apparently, Microsoft learned the right way to do it.
Ahh, the old "appeal to authority" routine. How's this: I've been involved in designing and maintaining the network security for medical facilities and federal banking institutions for a few years now, which include far more than one operating system or network infrastructure. I have a acquiantance who develops for Checkpoint, among other security and intrusion prevention professionals.
Really, it's a pretty senseless pissing match to get into. We can drop names all we want and get nothing but a bunch of names dropped.
Name some. Theoretically, and computer connected to a network is, with all the caveats and "what-ifs" you can come up with, is susceptible. Hence my bringing up the old parody page of the wire-cutters as the only sure firewall.
Gonna be in the DFW area any time soon? I'll gladly take you up on that bet.
And none of them use a service as a point-of-entry. RPC was the only service so far that has had such a problem.
It's good enough that it will deny the basic TCP requests that can be used to find possible susceptibility. No, there isn't a way in hell I would suggest it for a corporate network, but that's why the server OS doesn't come with it to begin with. Use the right tool for the right job.
Please, please, please don't tell me you're that NTCanuck dude.Tell you what, give me your IP address if you're not behind a NAT and we'll see... (j/k)
GreNME said:
First off, congratulations on remembering your freshman critical thinking list of logical fallacies. How's this one:
I played Pebble Beach and stayed the night in a suite at Spanish Bay all on Microsoft's dime.
- or -
I sat with Drew Major and debugged Netware 2.0a using a hex editor in the 1980's.
(both true)
Better yet: I flew with the San Jose Sharks on their charter plane and had all access for games in St. Louis and Dallas as a guest of Compaq. Only 3 non-team affiliated people (including the Compaq host) were present.
(just had to slip that one in there.)
But seriously, we both have posted statements to the effect that MS has changed the number and behavior of services in 2003 in order to be more secure. You overlook the fact that MS has also published security templates that can be applied to make servers even more secure. Part of what those templates do is disable unneeded services. That and my above reference to the XP security guide surely hints that MS agrees to some extent with the notion of shutting down unneeded services for security purposes. No?
And WINS, SQL, IIS and many other services have been suceptible to malformed requests and buffer overflows to the point of allowing arbitrary code execution, to name a few. Not just RPC. I'm too damn tired to look up KB articles now. Maybe in the morning if either of us still care about this by then.
And I'm definitely no Canuck.
Oh, sorry... I was just trying to get back to that goalpost we were discussing before you shifted from it.
Nice name-dropping again. I see you paid attention when auto and insurance salesmen made pitches to you. I prefer to actually stick to the merits of the issue rather than rely on name-dropping. Compensating much?
I think the point about security is entirely accurate. I am currently reading the Windows 2003 Server Security guide and there are numerous services that are turned on automatic or manual by default that Microsoft recommends turning to disabled as part of the member server security baseline policy. While servers are going to require different things than a workstation the point is that MS recommends disabling them for security reasons. So whether they are doing anything or not MS seems to believe your machine will be more secure with them disabled.
They do in this technet article. Let me quote:
Wow. Sounds like it's Ok with M$ if you shut them off...but wait! There's more!Microsoft said:
Man, they even thought it was important enough to put "Important" in front of it. Well, looks like shutting off unneeded services is a pretty good idea.Microsoft said:
O[H]-Zone said:
Go back and read the other hundred threads. Once again recommending joe blow user mess with his services is not what M->S<- is recommending, and its irresponsible for someone that knows better to recommend it to noobs. You never necessarily really lacked the knowledge, just the perspective. O[L]Zone.
"As described in Chapter 1, "Introduction to the Windows XP Security Guide," the guidance presented in this chapter is specific to the Enterprise Client environment and the High Security environment defined in this guide." (paragraph #2 FYI)
So's winlogon, let's kill it. Oh, wait, that one is kinda important. But it listen's on ports, but it arbitrates user permissions, it is obviously a security risk! Yet you still run it, and if you kill it, windows bluescreens.O[H]-Zone said:
I've read that guide, and the guide is making concessions, that things might not work right. Disabling remote registry breaks SuS and other remote patch stuff for example. Yes, every application that is listening on a port is a potential attack vector. Every Application you run with admin privs, is a potential permission hole, yet for some reason people like running applications.
Computers were meant to be used, so disabling features to make your home computer unable to function seems like a problem. Now, you can do whatever you want to your home computer, but be aware, that I wouldn't touch the services config, and since we got in the name dropping contest, I'm pretty sure I got ya all beat on the who knows windows internals and who have talked to them more. *IF*rcolbert said:
If something is talking to that service, yes it will use resources. However, IF it's not, and the memory is needed the data should get paged to disk freeing up the RAM needed for whatever applicationsis requesting it. Yes, that will cause a little I/O but as you said in your first post this doesn't measurable effect performance, and that's the goal of this OP in this thread.
Also, if something is talking to that service, I'd argue it's needed and you should keep it running. If it's not needed, turn of what's broadcasting the requests... That's like plugging your ears so your don't have to listed to the radio, just turn off the radio.
Well, talk about a shift in gears... I guess it was needed, we all pretty much agree disabling services doesn't help with performance.
OK, anyways, on to security (moving target)... Here's the thing with almost all recommendations I have read about "reducing surface area", they almost *always* use communication protocals/services as their example like telnet (not enabled by default in XP or 2K3), FTP, IIS. However, these are NOT the services most people are tweaking. Nor are they they ones people in the "don't disable services" camp preach against. It's things like BITS, or Secondary Login, or Remote Registry.
Anyways, I might agree on axing a service or two in the name of security, but not wholesale slaughter like the "how few services do I need to run" camp preaches.
Isn't that what we're talking about...a higher-security environment?OldPueblo said:
Then it doesn't qualify as a service that you're not using, does it? As in:Ranma_Sao said:
Do research, find out which services you're sure you're not using, and turn them off.
- Status