services.msc

If I buy some wireless gear, I'm smart enough to go back and turn on WZF. As this is highly doubtful, I'm happy to leave it turned off.
 
repo man said:
If I buy some wireless gear, I'm smart enough to go back and turn on WZF. As this is highly doubtful, I'm happy to leave it turned off.
Correct me if I'm wrong, but I think what others are trying to say is....why bother? If you don't have any wireless equipment installed, this service is never used anyway, so disabling it won't give you any benefits.
 
repo man said:
If I buy some wireless gear, I'm smart enough to go back and turn on WZF. As this is highly doubtful, I'm happy to leave it turned off.
Well, you might think that, but it's not always the case. Out of sight, out of mind. Again, you're missing my POV. There are multiple threads where people have had issues because of disabled services. I'm sure all those people thought "I'll turn this back on if I need it" but forgot. The problem with that line of thinking is service dependencies and memory, or lack thereof.

 
Correct me if I'm wrong, but I think what others are trying to say is....why bother? If you don't have any wireless equipment installed, this service is never used anyway, so disabling it won't give you any benefits

Correct. The service will only use CPU cycles and a bit of memory at boot, but it will not make a noticeable difference at all. The NT kernel does not give resources to something that does not request it. If the service does not request it, it will stay idle and fully paged out of physical memory. Most services will just load .dlls that wait in system memory and some don't use up any RAM and will remain on disk and be paged into memory if needed. This may sound bad, but these .dlls are only a few kilobytes in size. Also each process only uses the CPU when it is supposed to use it. Just because it says it is running in services.msc does not mean it is using up any CPU cycles or memory.

So the NT kernel does not give resources to something that does not request it. If the service does not request it, it will stay idle and fully paged out of physical memory. So a service will not use any system resources unless the service is directly in use.

Another thing is that I have fixed a few PCs where the user was following Blackviper's stupid advice by disabling services and then lost functionality of something.

The only reason I see to disable a service is if you find it annoying. Security Center is a perfect example.
 
KoolDrew said:
Security Center is a perfect example.

Especially since there is a "noob approved" method to do it (via control panel). MS and other vendors can plan for the possibility it's been disabled whenever they release something in the future, because they made it something accessible to every joe blow user. They aren't going to assume you have hacked apart your services, and they can't cover every possible angle/combination. They have to pick a road and take it. They assume you are following best practices, and if you are not then you are smart enough to flip stuff back on at the right time or fix stuff that gets hosed because of your tweaking.
 
Phoenix, I guarantee you that I will not be asking anyone for any help with anything on my computer.

If people have trouble from turning off services, they should be bright enough to learn from their mistakes. If they can't they probably shouldn't be fooling around with their OS. If they ask for help, and it annoys you, ignore them.
 
So riddle me this, wise people: How does a service know that a condition has been met that requires it to wake up all of a sudden if no CPU cycles are being used checking for said condition? I think people are mistakenly thinking of code in terms of high level languages where "nothing" happens until an event such as a click. Clearly that's not what's happening at the lower levels. Every running process must check for input periodically.

And how does the entire working set of a process page to disk when there is a minimum working set size (by default 200KB per process in a 64MB system)?

These absolute statements really need to be qualified with conditional statements in order to be true. Here are a few qualifiers that would work. "For all practical purposes" or "Almost all."

I'm not a blackviper supporter. I don't know the guy, and I've never seen his advice. I'm also not proposing that adjusting services is for the casual user, but then again, neither is editing the registry. However, a good example of an unused process gone haywire is the "msmsgs.exe" process, aka MS Messenger. That particular process is a royal pain to prevent from running (albeit not a service), and in truth it really does nothing worthwhile most of the time. All of the parent processes that might spawn it run just fine without it unless you're using some MS subscription or IM features or who knows what. But I tell you, unless you've taken steps to prevent this process from running, once launched it will constantly read and re-read files and registry keys by the hundreds every minute. Don't believe me? Launch Outlook Express or some other MS program that you suspect might also launch msmsgs.exe (not to be confused with the "Messenger" service.) Now look in your task manager and make sure that "msmsgs.exe" is running. Now close Outlook Express and notice that msmsgs.exe is still running. Now run regmon and filemon from Sysinternals.com and observe how much bullshit activity this one process is using even though you know that you're not using it for a damn thing. You also know that it's not needed because your system worked just fine without it running. Kill the process. Now go to program files\messenger and remove all permissions to the entire messenger folder and prevent inheritance. Run Outlook Express or whatever again and notice that msmsgs.exe did not launch this time.

I realize that every process is not a service. However, every service is at least one process. Here's a real good example of a useless process that runs a ridiculous number of reads every second. Combine that with any sort of antivirus or threat monitoring solution that actually has to bother to observe what the msmsgs.exe process is doing and you have a good argument in favor of preventing at least the useless processes you know about from starting.

I'll take my chances with access denied to the msmsgs.exe file that some future functionality will not rely upon it, or that I might run into a problem until I remember what I did. Same goes for about half a dozen or so of the services that I'm sure that I don't need. Although the totality of the impact might be negligible, from a gamer's perspective those little flurries of pointless activity may easily translate into a momentary reduction in framerate at exactly the wrong time. I recommend people use tools to monitor their own system behavior and make their own decisions once they feel well informed. Again, Microsoft HAS PUBLISHED an official guide to XP security that lists EVERY SINGLE service that is installed by default and whether or not that service is required to run. Why argue against apparently bad advice from Blackviper, when the source of the operating system already has an official document on the subject? (link in previous post)

And yes, every single running process can potentially be exploited. It doesn't matter if it's a service or not. Services are simply a way of defining processes that run at system startup or on demand in a security context other than the currently logged on user. Many programs can be run as a service but also as an interactive application. Forget the term services. Think processes.
 
From Blackviper's FAQ:
(Insert software package here) no longer works after I used your tweaking tips, what do I do?

Put it back the way it was! Really, though, place each service that you disabled back to the way it was (displayed under the Default configuration) and see which service "fixes" your software. Do look at the dependencies and decide if you may need it! Tweaking your system always comes with risk.
 
ok people...

I leave the place for a couple of days and all of a sudden all of yous start another services thread... and a 3 pages long one to boost !!!!!1111oneoneone :p

And another thing:

Some people which i won't name (though the ozone layer comes to mind....) have a knack for misinterpreting official articles in a way which makes them "right"...

If MS meant for the general user (or any other user...) to "tweak & disable" services, Billy Gates (my childhood friend, honestly.... :p) would be all over MSNBC with commercials and www.microsoft.com would be flooded with guides and how-to's...

you know why it's not. Cause disabling services is just plain dumb....

Reasons? Just read this thread thoroughly...
 
repo man said:
From Blackviper's FAQ:
That tiny, stupid warning is similar to changing all the frontal lights of a trailer truck for a bunch of red leds and expect it not to crash at night....
 
rcolbert said:
Forget the term services. Think processes.
i can see where you are going with this but...

Isn't it just too dug up anyway. I mean if someone actually gets to pull a hack as to insert a process (or a bunch of them) in the OS process stack without authentication, man, he deserves to hack me.
The same goes to modifying a process inside the processor's process stack....

In fact, i'd be honored to be hacked by someone with such l33t skillz :p

But yes, it could be possible. Maybe using an unprotected instruction in the processor's architecture... But i don't think any processor at this age and time would allow such a thing.... But who knows.
The next semester i'll take "Microprocessors", if i learn anything worthwhile, i'll post it.
 
repo man said:
Phoenix, I guarantee you that I will not be asking anyone for any help with anything on my computer.

If people have trouble from turning off services, they should be bright enough to learn from their mistakes. If they can't they probably shouldn't be fooling around with their OS. If they ask for help, and it annoys you, ignore them.
I help people all the time, yet I still ask for help too...

Well, people who aren't "bright" enough want to learn, sometimes they break things when they try. What annoys me is people spouting incorrect information like it's gospel.

That little advice from BV in the FAQ should be in 100 pt. blinking red font BEFORE you read the advice, not a FAQ you read after you're having issues. Then, maybe then, it would help one person. I still say the whole site is junk, people running that advice are not helping their system's performance by any worthwhile amount.

rcolbert,

First, I'm not going to argue the fine line between "little" and "no" resources. What I would ask is that you admit you're arguing a moot point. With all these services running, listening for all these requests, taking up all these CPU cycles and RAM, no matter how many you disable you don't get a measurable performance boost, correct?

Second, name a service based exploit where having the service disabled would have left the system running, and is the correct "real world" solution to that type of attack. IE don't list messenger service because everyone should have a NAT IP. Again, I think you're arguing a moot point. If there isn't a problem with services being exploited as the *vector* of the attack, then disabling them in the name of security at any risk is not beneficial.

 
Phoenix86 said:
What annoys me is people spouting incorrect information like it's gospel.
That never...and I mean NEVER happens on here. Nope...not a chance....nada. :D
 
djnes said:
That never...and I mean NEVER happens on here. Nope...not a chance....nada. :D
Heh, well, everyone gets corrected at some point. One of my favorite quotes is:
"Everybody is ignorant, only on different subjects."
~Will Rogers

It's a matter of how people handle it when presented counter information. Do they *try* to remain ignorant? That's irritating.

I'm very curious to see rcolbert's (or anyone's) response to my last post...

 
repo man said:
Phoenix, I guarantee you that I will not be asking anyone for any help with anything on my computer.

If people have trouble from turning off services, they should be bright enough to learn from their mistakes. If they can't they probably shouldn't be fooling around with their OS. If they ask for help, and it annoys you, ignore them.

What is the point? You don't benefit at all from disabling services. All you do is waste your time. You just think you are "1337" because you mess with services?
 
I was talking to some coworkers about this very subject and a topic came up which I think is pertinent to this conversation.

People have shown that the perf numbers are the same (less than 1% difference) between disabled services and XP defaults, and some people were upset with these numbers, since they must consume resources right? The NT kernel is very smart about this and pages out services not being used for a reason, which has already been described, but what hasn't been also described is why it's in XP's best interests to keep it this way, and that reason is Power. If XP kept every service in memory, etc, the worst case scenario people talk about on these forums, XP could never ever be used in a laptop. Any Process stealing cycles for no reason is a guaranteed way for a laptop to run out of juice. So it's in XP's best interests to be smart about services being paged in etc, which is obviously shown by those perf numbers.

Anyway, just another data point in the leave services alone camp, since they don't take any resources worth noting, it's better to leave it at defaults. ;)
 
I'll completely agree with the 1% or less variance. My only argument has been against the notion of absolute zero. What I'm curious to know is was the subject of security ever part of the discussion of services?

A side note from services, as Microsoft's security culture continues its slow but gradual improvement, what is the climate these days about non-service related processes that spawn with applications but do not close down? For example, in MS Money 2004 there were three separate processes that spawned (the money scheduler was one that I recall) but did not stop when the application stopped. In MS Money 2005 there are no orphaned processes left running. Similarly, the msmsgs.exe process seems hell-bent on starting whenever a communications service is started, although its usefulness seems quite debatable. msmsgs.exe is a hyperactive process IMO just based on the feedback from regmon and filemon.

As a gamer I look for processes that show significant activity in task manager, regmon, and filemon. Those tend to be candidates to further investigate to see if they can be turned off. Is there something wrong with this? I know empirically that I have removed some observable intermittent stutter during gameplay in a few situations by preventing the system from allowing msmsgs.exe from starting on a system that can easily run the most demanding games at extremely high framerates. This however was not trial and error. This was using regmon and filemon to observe system activity during gameplay, realizing the tried and true principle that you can't observe something without influencing it.

As an IT person, I look for superfluous services that serve no purpose and look to shut them off as a matter of policy to reduce the exposed surface area. This is a pretty much by-the-book MS approach, is it not?
 
rcolbert said:
As an IT person, I look for superfluous services that serve no purpose and look to shut them off as a matter of policy to reduce the exposed surface area. This is a pretty much by-the-book MS approach, is it not?
Yes and no. That depends on your definition of security. MS "high security" for example pretty much won't let you use a floppy or USB. Are you shooting for that level of security? I doubt it. If so, sure, close down what's not needed in the name of security. However, how many of us are working in high-security fields like gov't work? I seriously many are, certainly not any I have seen. I also doubt some of the effectiveness of that as in the real world how many times are we seeing service based exploits?

From my earlier post:
Second, name a service based exploit where having the service disabled would have left the system running, and is the correct "real world" solution to that type of attack. IE don't list messenger service because everyone should have a NAT IP. Again, I think you're arguing a moot point. If there isn't a problem with services being exploited as the *vector* of the attack, then disabling them in the name of security at any risk is not beneficial.

Anyways, the reason they get the tag of "reducing surface area" is to reduce potential attacks, ones not yet introduced. In the real world I don't view that as necessary or prudent, I mean if you want to be secure from potential attacks, disconnect your uplink to the internet. Then let's talk.

 
Phoenix86 said:
First, I'm not going to argue the fine line between "little" and "no" resources. What I would ask is that you admit you're arguing a moot point. With all these services running, listening for all these requests, taking up all these CPU cycles and RAM, no matter how many you disable you don't get a measurable performance boost, correct?

Second, name a service based exploit where having the service disabled would have left the system running, and is the correct "real world" solution to that type of attack. IE don't list messenger service because everyone should have a NAT IP. Again, I think you're arguing a moot point. If there isn't a problem with services being exploited as the *vector* of the attack, then disabling them in the name of security at any risk is not beneficial.

On the point between little and no, my argument as previously stated was not for or against the disabling of services, but in favor of using clear and precise language in order to prevent spreading misconceptions about the way computers function.

The most recent service based exploit I can think of is the one I posted regarding the license logging service. This is entirely a real world situation and there is more than one correct approach. You are correct that most everyone is behind a firewall or a NAT, however perimeter security is a very small component these days. Internal threats on a large network especially with thousands of mobile workers across hundreds of sites with VPN access require much more than perimeter defenses. I have (personally implemented) a domain wide policy on our North America domain that disables the License Logging service across nearly 1,000 servers. Note that I had this policy in place for many months before this exploit came into existence. The real world difference in this case is that instead of having two or three people take the time to study the potential threat and ensure that virus definitions and countermeasures were adequately in place, we were simply able to move forward knowing that the service is not running in our environment and that our normal virus definition update and patch management update process would be perfectly adequate. In other words, since our exposure is known to be zero we saved possibly 24-48 man-hours of work. That is 100% real world real time that we saved in this particular case. All of the Microsoft folks I have personally spoken with regarding our configuration agree that it is the correct approach, including the person who is responsible for the overall patch deployment strategy within Microsoft to their very own data centers.
 
rcolbert said:
I'll completely agree with the 1% or less variance. My only argument has been against the notion of absolute zero. What I'm curious to know is was the subject of security ever part of the discussion of services?

A side note from services, as Microsoft's security culture continues its slow but gradual improvement, what is the climate these days about non-service related processes that spawn with applications but do not close down? For example, in MS Money 2004 there were three separate processes that spawned (the money scheduler was one that I recall) but did not stop when the application stopped. In MS Money 2005 there are no orphaned processes left running. Similarly, the msmsgs.exe process seems hell-bent on starting whenever a communications service is started, although its usefulness seems quite debatable. msmsgs.exe is a hyperactive process IMO just based on the feedback from regmon and filemon.

As a gamer I look for processes that show significant activity in task manager, regmon, and filemon. Those tend to be candidates to further investigate to see if they can be turned off. Is there something wrong with this? I know empirically that I have removed some observable intermittent stutter during gameplay in a few situations by preventing the system from allowing msmsgs.exe from starting on a system that can easily run the most demanding games at extremely high framerates. This however was not trial and error. This was using regmon and filemon to observe system activity during gameplay, realizing the tried and true principle that you can't observe something without influencing it.

As an IT person, I look for superfluous services that serve no purpose and look to shut them off as a matter of policy to reduce the exposed surface area. This is a pretty much by-the-book MS approach, is it not?
Security, ahh the buzzwords of buzzwords these days. This is my opinion on security, which has been stated many times, is that you have to have proper remediation since no matter what you do, assume some day someone might succeed. This includes, Firewalls, Proper Permissions, etc. The problem with the RPC bug that people like to use as an example was that it had exploitable code, AND when the code was exploited, the keys to the kingdom were just handed over. (Local System being the kingdom) Now it's split into two services in XPSP2 and SrSP1 so that one cannot get the keys without moving through a couple gates first. Every system service is that way now, one cannot get the keys to the kingdom they have to cross a moat, and some armed guards first. Windows also looked at services that shouldn't have been started by default and changed the default behavior. In XPSP2 messenger was the only one I believe, there might have been others. Srv 2k3 a lot of services got their default changed. But every service disabled does have a cost, and it's up to you to decide the cost. Disabling services not in the default config guarantees some application will break (And I spent probably close to 40 hours debugging one of these breaks, so I do know the development pain trying to figure out how the hell this one API call just decided to fail).

Now non services related processes, as far as I know the policy has always been to clean up your messes, but I don't work on the Money team, or the Messenger team. I know Microsoft published several ways to disable messenger, through poledit, but people liked the option of uninstalling it better. ;) The reason messenger starts btw, is not cause messenger is secretly monitoring your Outlook, it's cause Outlook called it, to show if your contacts were online. I agree that it isn't the best feature, but some people liked it.

Mandatory legal text:
Note: This posting is provided "AS IS" with no warranties, and confers no rights.
 
I feel dirty for having read this entire thread. And a little guilty because I think I've turned off a service or twelve because of some FAQ somewhere. ;) [edit] Phew, not the same site. :p

But... The PC runs rock solid and... well, it's still a 900Mhz setup and Donkey Kong still lags. :D

Edit 2 - This thread is kind of amusing when you consider there's a "How to change your motherboard without reinstalling Windows" sticky. (Yes, I know there's a use for it. Still....)
 
Ranma_sao: So let's say we completely ignore the Black Vipers of the world and go to a reliable source:

http://www.microsoft.com/downloads/details.aspx?familyid=2d3e25bc-f434-4cc6-a5a7-09a8a229f118

If you download the guide and open the PDF entitled "Windows XP Security Guide" and then scroll to page 83, here's what you find:

"When Windows XP Professional installs, default system services are created and configured to run when the system starts. Many of these system services do not need to run in the environments defined in this guide.
There are additional optional services available with Windows XP Professional, such as IIS, that are not installed during the default installation of the operating system. You can add these optional services to an existing system by using Add/Remove Programs or creating a customized automated installation of Windows XP Professional.
Important: Keep in mind that any service or application is a potential point of attack. Therefore, any unneeded services or executable files should be disabled or removed in your environment."

The document goes on to describe the requirements for each and every default service. I think overall it's a pretty good guide. I'm not advocating that people go on a random service hunt throughout their environment. What I am saying is that it is the plain and straightforward advice directly from Microsoft that should be considered (in moderation of course.)

I realize that XPsp2 and 2K3sp1 have changed some additional things around. I pointed out to Phoenix and I'll reiterate the License Logging Service (for server) exploit is a very good example of a service that was disabled through this best practice concept and subsequently rewarded us with immunity to a specific threat.

And while realizing that security is a buzzword, you also have to recognize that security creates a lot of real, actual work. Staying ahead of the threats is difficult enough in a large environment. Working a S.W.A.T. situation when an exploit is on the loose inside your enterprise is ten times harder.

Phoenix: I realize I'm restating things here, but again, this is my empirical evidence in the form of Microsoft documentation, the quality of which I assume we all agree rises above the level of various Internet pundits (Black Viper) and forum jockeys (ourselves).
 
rcolbert, a service can only be an attack point IF the service listens on the network or does MS RPC.
 
Real quick, I'm not seeing that license logging post you're referring to, am I blind? link?

edit: and from that article you're skipping pg. 5 where they define "high security"
"High Security
The high security environment consists of elevated security settings for the client. When applying high security settings, user functionality is limited to specific functions that are only required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments."

I don't think that describes many people here...

 
rcolbert said:
Believe me I understand security takes a lot of work, maybe I should have been clearer in my last post. Being hacked when I was a network admin a long time ago, was my worst nightmare, it took weeks before I "trusted" the network again. What I meant was, is a lot of people seem to take security as the fix it word. Services shouldn't be disabled for performance, well then I disable them for Security! Yes, I understand in today's world some jackhole ras's into work from home, or walks into work with his home laptop, infects all the computers with the latest new virus is a threat, bypassing that glorious firewall and everything else. But an admin worth his salt should have mediation in effect. If you want to disable services on your corporate network, go ahead, I'm not saying you shouldn't do something, I'm saying I wouldn't. ;) I believe every admin should have a threat model for their network, and identify all threats, and figure out the mediation for those threats. Someone Ras's in, make sure the ras server has packet filtering on, and make sure virus signatures are up to date corporate wide. None of these mediation techniques are rocket science, I'm sure there are probably hundreds of documents on the web on how to properly write a threat model, and how to identify attack vectors. But believe me, I take security seriously and I don't want anyone to believe that I don't. Back before I worked at Microsoft I owned a computer consulting company, and I did red team work, which by the way is hella fun and I wish I could do it again. ;) (Red team would be try and hack their network, look at their network topology, suggest fixes to make it less easy to penetrate the next time.)
 
KoolDrew said:
rcolbert, a service can only be an attack point IF the service listens on the network or does MS RPC.

"Keep in mind that any service or application is a potential point of attack"

That's a Microsoft quote. I won't argue the point other than to say you're limiting the attack vector to network based to make that statement.
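
Added example, not part of the original thread: one way to see which running services are actually reachable over the network, the condition argued over in the two posts above. It joins Win32_Service to listening TCP and UDP endpoints by process ID; it assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection and Get-NetUDPEndpoint do not exist on XP), and the function name Get-ServiceListener is hypothetical.

```powershell
# Added example (not from the thread). Requires PowerShell 3+ on Windows 8 /
# Server 2012 or later; run elevated so every owning process is visible.

function Get-ServiceListener {
    [CmdletBinding()]
    param(
        # Also report listeners bound only to loopback (not reachable remotely).
        [switch]$IncludeLoopback
    )

    # Index running services by host process ID. Several services can share
    # one svchost.exe, so each PID maps to a list of services.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $key = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) {
                $servicesByPid[$key] = New-Object System.Collections.ArrayList
            }
            [void]$servicesByPid[$key].Add($_)
        }

    # Collect listening TCP sockets and bound UDP endpoints in one shape.
    $endpoints = @()
    $endpoints += Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Protocol'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $endpoints += Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Protocol'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in $endpoints) {
        if ($null -eq $ep) { continue }   # a cmdlet above returned nothing

        $isLoopback = $ep.LocalAddress -in @('127.0.0.1', '::1')
        if ($isLoopback -and -not $IncludeLoopback) { continue }

        $ownerPid = [int]$ep.OwningProcess
        if (-not $servicesByPid.ContainsKey($ownerPid)) { continue }  # not a service host

        $hosted = $servicesByPid[$ownerPid]
        foreach ($svc in $hosted) {
            [pscustomobject]@{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                Account     = $svc.StartName      # security context the service runs in
                ProcessId   = $ownerPid
                SharedHost  = ($hosted.Count -gt 1)
                Protocol    = $ep.Protocol
                Address     = $ep.LocalAddress
                Port        = $ep.LocalPort
            }
        }
    }
}

# One row per service / endpoint pair, ready to compare against a baseline.
Get-ServiceListener |
    Sort-Object Service, Protocol, Port, Address -Unique |
    Format-Table Service, StartMode, Account, SharedHost, Protocol, Address, Port -AutoSize
```

Rows with SharedHost set to True identify the svchost.exe process that owns the port, not the individual service, since every service in that process is listed against the same listener.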
 
Phoenix86 said:
Real quick, I'm not seeing that license logging post you're referring to, am I blind? link?

edit: and from that article you're skipping pg. 5 where they define "high security"
"High Security
The high security environment consists of elevated security settings for the client. When applying high security settings, user functionality is limited to specific functions that are only required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments."

I don't think that describes many people here...

On high security: That was one of three target environments for the document, the other two being Enterprise and Standalone.

Here's the relevant info on the License Logging Service exploit:

> Symantec Vulnerability Alert
>
> Microsoft Windows License Logging Service Buffer Overflow
> Vulnerability
> Bugtraq ID 12481
> CVE CAN-2005-0050
> Published Feb 8 2005
> Last Update 3/18/2005 5:52:15 PM GMT
> Remote Yes
> Local No
> Credibility Vendor Confirmed
> Classification Boundary Condition Error
> Ease Exploit Available
> Availability Always
> Authentication Not Required
>
> Impact 10 Severity 10 Urgency Rating 9.6
>
 
Ranma_Sao said:
Believe me I understand security takes a lot of work, maybe I should have been clearer in my last post. Being hacked when I was a network admin a long time ago, was my worst nightmare, it took weeks before I "trusted" the network again. What I meant was, is a lot of people seem to take security as the fix it word. Services shouldn't be disabled for performance, well then I disable them for Security! Yes, I understand in today's world some jackhole ras's into work from home, or walks into work with his home laptop, infects all the computers with the latest new virus is a threat, bypassing that glorious firewall and everything else. But an admin worth his salt should have mediation in effect. If you want to disable services on your corporate network, go ahead, I'm not saying you shouldn't do something, I'm saying I wouldn't. ;) I believe every admin should have a threat model for their network, and identify all threats, and figure out the mediation for those threats. Someone Ras's in, make sure the ras server has packet filtering on, and make sure virus signatures are up to date corporate wide. None of these mediation techniques are rocket science, I'm sure there are probably hundreds of documents on the web on how to properly write a threat model, and how to identify attack vectors. But believe me, I take security seriously and I don't want anyone to believe that I don't. Back before I worked at Microsoft I owned a computer consulting company, and I did red team work, which by the way is hella fun and I wish I could do it again. ;) (Red team would be try and hack their network, look at their network topology, suggest fixes to make it less easy to penetrate the next time.)

We're still waiting for Server 2003 SP1 to arrive in order for it to work with 3rd party remote access solutions (e.g. Cisco) to create a quarantine space to enforce security policies and allow limited access while remediation measures are in effect. I have to say that as an enterprise we're a bit more forgiving than MS is when it comes to remediation. I've got a pretty good idea of the delta between the way our shop works and how things go in Redmond, and let's be blunt, your guys are pretty brutal on the patching and remediation side.

Our greatest threat population happens to be a large mobile workforce, some of whom work on engagements at client site for months at a time. There is still a lot of social engineering that is required to manage that particular type of user.
 
rcolbert said:
Here's the relevant info on the License Logging Service exploit:

> Symantec Vulnerability Alert
>
> Microsoft Windows License Logging Service Buffer Overflow
> Vulnerability
> Bugtraq ID 12481
> CVE CAN-2005-0050
> Published Feb 8 2005
> Last Update 3/18/2005 5:52:15 PM GMT
> Remote Yes
> Local No
> Credibility Vendor Confirmed
> Classification Boundary Condition Error
> Ease Exploit Available
> Availability Always
> Authentication Not Required
>
> Impact 10 Severity 10 Urgency Rating 9.6
>
Which has been patched already and is not present on XP.
 
GreNME said:
Which has been patched already and is not present on XP.
Umm, yeah, let's limit our discussion to XP... That was the gist of the thread.

On high security: That was one of three target environments for the document, the other two being Enterprise and Standalone.
Yeah, but look at the services under those profiles. They don't recommend you make changes to many at all... Remote assistance is enabled under Enterprise for example, but not "high security".

This is exactly what I'm talking about when I say we are typically not in that environment. Most people don't work in the DoD.

 
Unless you can tell me how services on 2003 are fundamentally different than those on XP I think the example is perfectly valid. What I believe you are asking for in an example is simply a proof of concept, and there you have it.

If you want to limit the scope of the discussion to home users on the [H] who are running XP and don't do the proper research to make good decisions about tweaking their systems, then I would extend the advice beyond services and tell those folks to not tweak their systems at all. But if you simply want to limit the scope to exclude valid examples and anecdotal evidence then I'll keep arguing the point that simply telling people to not touch services because a) it's unnecessary, b) it provides no benefit, and c) it'll probably cause system problems, is erring on the side of caution which is exactly what people who are inquiring about tweaking their systems are not interested in doing.

God's sakes, we are in a forum where people are overclocking their CPU's and videocards to the extreme and yet we're afraid of something as simple as the services.msc? At least if your advice was cautionary against using regedit I'd understand the need for such a conservative approach.

The bottom line is that it is apparent that no one is going to move off the argument against altering service startup configuration. I recognize that. Let's just agree to disagree.
 
rcolbert said:
Unless you can tell me how services on 2003 are fundamentally different than those on XP I think the example is perfectly valid.
I think that totally not existing on one and not the other is a pretty damn fundamental difference.
 
The bottom line is that it is apparent that no one is going to move off the argument against altering service startup configuration. I recognize that. Let's just agree to disagree.
Agreeing to disagree is intellectually dishonest. ;)

I'm willing to change my position on specific services, given adequate reason. I'm against wholesale statements like "disable service for performance" like blackviper gives.

You wouldn't want everyone to "OC their procs by ~20%" because that'll smoke some procs. Same thing applies here. Each tweak (or OC) varies by use and OS. Blanket statements like these as applied to services would see the same flak in the OC forums too. At least I'd hope so...
 
GreNME said:
I think that totally not existing on one and not the other is a pretty damn fundamental difference.

I'm not arguing about a particular service. I am providing an example of a service that can be safely disabled that has had a recent vulnerability. That example was provided before I was informed that you wanted to limit the scope of the discussion to Windows XP. As an example though, it still proves the theory behind the practice. Do you want an XP specific example now? No brainer there, how about the messenger service? Yes, it's been patched. Can you tell me why 99% of the folks on this forum shouldn't disable the messenger service on their home PC's? At what point will you concede that:


1) Unnecessary services can be disabled at the user's discretion (or not, also at user's discretion which is simply your choice)
2) Any running process can be vulnerable to exploits
3) Every running process consumes some resources regardless of how infinitesimally small

Anything beyond that is simply and subjectively good or bad advice.
 
Phoenix86 said:
Agreeing to disagree is intellectually dishonest. ;)

I'm willing to change my position on specific services, given adequate reason. I'm against wholesale statements like "disable service for performance" like blackviper gives.

You wouldn't want everyone to "OC their procs by ~20%" because that'll smoke some procs. Same thing applies here. Each tweak (or OC) varies by use and OS. Blanket statements like these as applied to services would see the same flak in the OC forums too. At least I'd hope so...

I'm in agreement that blanket statements are a large part of the problem in this discussion. I'll also go out on a limb and say that the process of reducing surface area of attack by stopping unneeded services is not my own invention, but one that is espoused by Microsoft.

I agree that configuring the default Windows services provides little performance benefit unless you have a specific need. I'll also turn around and say that most people have far more than the default running and it does pay to look closely at whatever starts with your system, services, startup items, and items in the run key. Over time, the sheer volume of crap running on a system can be mind boggling.

Would you agree on Wireless Zero (if non-applicable) and Messenger? That'd be a start.
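
The review the post above describes (services, startup items, Run key entries) can be done as a read-only inventory. This is an added example, not part of any post in the thread; it assumes Windows PowerShell 3.0 or later, and the short service names `Messenger`, `WZCSVC` and `LicenseService` stand for the Messenger, Wireless Zero Configuration and License Logging services discussed here.

```powershell
# Added example: read-only inventory of what starts with the system.
# Assumes Windows PowerShell 3.0+; it changes no service or registry setting.

# Services named in this thread, by service (short) name.
$threadServices = 'Messenger', 'WZCSVC', 'LicenseService'

# 1) Every auto-start service, with the account and binary it runs.
$services  = Get-CimInstance -ClassName Win32_Service
$autoStart = $services |
    Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, State, StartName, PathName |
    Sort-Object Name

# 2) Start mode and state of the thread's services, or a note that they are absent
#    (a service that does not exist on this OS version cannot be an exposure here).
$threadReport = foreach ($name in $threadServices) {
    $svc = $services | Where-Object { $_.Name -eq $name }
    if ($svc) {
        [pscustomobject]@{ Name = $name; StartMode = $svc.StartMode; State = $svc.State }
    } else {
        [pscustomobject]@{ Name = $name; StartMode = 'not installed'; State = '-' }
    }
}

# 3) Run / RunOnce values for the machine and for the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Command = $item.GetValue($valueName) }
        }
    }
}

# 4) Startup folder items (all users, then current user).
$startupDirs  = [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')
$startupItems = $startupDirs | Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { Get-ChildItem -Path $_ -File } | Select-Object FullName

$threadReport | Format-Table -AutoSize
$autoStart    | Format-Table -AutoSize
$runEntries   | Format-Table -AutoSize
$startupItems | Format-Table -AutoSize
```

Saving the output and comparing it against a later run shows what has been added to startup over time, which is the accumulation the post is describing.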
 
rcolbert said:
Would you agree on Wireless Zero (if non-applicable) and Messenger? That'd be a start.
It's already been established that the WZC service isn't kicked off if no wireless hardware is installed.

Someone tell me honestly, if it's already been established that disabling services doesn't give any performance boost or resource-freeing, then why in god's name is anyone arguing about it? Sometimes, people on here tend to get too damn granular instead of looking at the whole picture. This is one of those cases. What's the point of doing anything in terms of tweaking if it makes no difference? Isn't that the general rule of tweaking? To squeeze out more performance? So why is everyone so concerned with doing something that doesn't give any more performance? I vote to lock this thread because it's been beaten to death, re-incarnated, and then beaten to death again, several times over. No good is going to come of this anymore, as the results have already been decided.
 
Debate for the sake of debate produces some interesting and tangible side effects. So long as we aren't name-calling there may be some value to be had yet.

Hell, look how long the "Valve Sucks" thread went on without any semblance of progress or new input.
 
So long as we aren't name-calling there may be some value to be had yet.

Yup. I learned that in a past argument when I was wrong about some points. It ended up with me being an idiot flaming other members. I was young and a bit stubborn at age 15. Now I am 16 :D
 
These threads follow a pattern, odd.

OP: Hey what services can I tweak to help performance?

pg.1 Blackviper/similar site
pg.1 OMG BV SUXORZ!
pg.1 quackviper!
pg.1 Ad hominem
pg.2 retort
pg.2 e-wang comparison
pg.2 appeal to authority
pg.3 details
pg.3 links
pg.3 witty remarks
pg.4 thread has died or...
pg.4 something relevant is discussed.
pg.4 thread dies or...
pg.4 relevant discussion sparks interest.
pg.5 ...

:p

Lots of mature people here if you get a chance to know them. Also lots of noobs, sometimes hard to tell the difference. ;)
