Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
Correct me if I'm wrong, but I think what others are trying to say is....why bother? If you don't have any wireless equipment installed, this service is never used anyway, so disabling it won't give you any benefits.repo man said:If I buy some wireless gear, I'm smart enough to go back and turn on WZF. As this is highly doubtful, I'm happy to leave it turned off.
Well, you might think that, but it's not always the case. Out of sight, out of mind. Again, your missing my POV. There are multiple threads where people have had issues because of disabled services. I'm sure all those people thought "I'll turn this back on if I need it" but forgot. The problem with that line of thinking is service dependancies and memory, or lack thereof.repo man said:If I buy some wireless gear, I'm smart enough to go back and turn on WZF. As this is highly doubtful, I'm happy to leave it turned off.
Correct me if I'm wrong, but I think what others are trying to say is....why bother? If you don't have any wireless equipment installed, this service is never used anyway, so disabling it won't give you any benefits
KoolDrew said:Security Center is a perfect example.
Insert software package here) no longer works after I used your tweaking tips, what do I do?
Put it back the way it was! Really, though, place each service that you disabled back to the way it was (displayed under the Default configuration) and see which service "fixes" your software. Do look at the dependencies and decide if you may need it! Tweaking your system always comes with risk.
That tiny, stupid warning is similar to changing all the frontal lights of a trailer truck for a bunch of red leds and expect it not to crash at night....repo man said:From Blackviper's FAQ:
i can see where you are going with this but...rcolbert said:Forget the term services. Think processes.
I help people all the time, yet I still ask for help too...repo man said:Phoenix, I guarantee you that I will not be asking anyone for any help with anything on my computer.
If people have trouble from turning off services, they should be bright enough to learn from their mistakes. If they can't they probably shouldn't be fooling around with their OS. If they ask for help, and it annoys you, ignore them.
That never...and I mean NEVER happens on here. Nope...not a chance....nada.Phoenix86 said:What annoys me is people spouting incorrect information like it's gospel.
Heh, well, everyone gets corrected at some point. One of my favorite quotes is:djnes said:That never...and I mean NEVER happens on here. Nope...not a chance....nada.![]()
repo man said:Phoenix, I guarantee you that I will not be asking anyone for any help with anything on my computer.
If people have trouble from turning off services, they should be bright enough to learn from their mistakes. If they can't they probably shouldn't be fooling around with their OS. If they ask for help, and it annoys you, ignore them.
Yes and no. That depends on you definition of security. MS "high security" for example pretty much won't let you use a floppy or USB. Are you shooting for that level of security? I doubt it. If so, sure, close down what's not needed in the name of security. However, how many of us are working in high-security fields like gov't work? I seriously many are, certianly not any I have seen. I also doubt some of the effectivness of that as in the real world how many times are we seeing service based exploits?rcolbert said:As an IT person, I look for superfluous services that serve no purpose and look to shut them off as a matter of policy to reduce the exposed surface area. This is a pretty much by-the-book MS approach, is it not?
Phoenix86 said:First, I'm not going to argue the fine line between "little" and "no" resources. What I would ask is that you admit your arguing a moot point. With all these services running, listening for all these requests, taking up all these CPU cycles and RAM, no matter how many you disable you don't get a measurable performance boost, correct?
Second, name a service based exploit where having the service disabled would have left the system running, and is the correct "real world" solution to that type of attack. IE don't list messenger service because everyone should have a NAT IP. Again, I think your arguing a moot point. If there isn't a problem with services being exploited as the *vector* of the attack, then disabling them in the name of security at any risk is not benefitial.
Security, ahh the buzzwords of buzzwords these days. This is my opinion on security, which has been stated many times, is that you have to have proper remediation since no matter what you do, assume some day someone might succeed. This includes, Firewalls, Proper Permissions, etc. The problem with the RPC bug that people like to use as an example was that it had exploitable code, AND when the code was exploited, the keys to the kingdom were just handed over. (Local System being the kingdom) Now it's split into two services in XPSP2 and SrSP1 so that one cannot get the keys without moving through a couple gates first. Every system service is that way now, one cannot get the keys to the kingdom they have to cross a moat, and some armed guards first. Windows also looked at services that shouldn't have been started by default and changed the default behavior. In XPSP2 messenger was the only one I believe, there might have been others. Srv 2k3 a lot of services got their default changed. But every service disabled does have a cost, and it's up to you to decide the cost. Disabling services not in the default config guarantees some application will break (And I spent probably close to 40 hours debugging one of these breaks, so I do know the development pain trying to figure out how the hell this one API call just decided to fail).rcolbert said:I'll completely agree with the 1% or less variance. My only argument has been against the notion of absolute zero. What I'm curious to know is was the subject of security ever part of the discussion of services?
A side note from services, as Microsoft's security culture continues it's slow but gradual improvement, what is the climate these days about non-service related processes that spawn with applications but do not close down? For example, in MS Money 2004 there were three separate processes that spawned (the money scheduler was one that I recall) but did not stop when the application stopped. In MS Money 2005 there are no orphaned processes left running. Similarly, the msmsgs.exe process seems hell-bent on starting whenever a communications service is started, although it's usefulness seems quite debatable. msmsgs.exe is a hyperactive process IMO just based on the feedback from regmon and filemon.
As a gamer I look for processes that show significant activity in task manager, regmon, and filemon. Those tend to be candidates to further investigate to see if they can be turned off. Is there something wrong with this? I know imperically that I have removed some observable intermittent stutter during gameplay in a few situations by preventing the system from allowing msmsgs.exe from starting on a system that can easily run the most demanding games at extremely high framerates. This however was not trial and error. This was using regmon and filemon to observe system activity during gameplay, realizing the tried and true principle that you can't observe something without influencing it.
As an IT person, I look for superfluous services that serve no purpose and look to shut them off as a matter of policy to reduce the exposed surface area. This is a pretty much by-the-book MS approach, is it not?
Believe me I understand security takes a lot of work, maybe I should have been clearer in my last post. Being hacked when I was a network admin a long time ago, was my worst nightmare, it took weeks before I "trusted" the network again. What I meant was, is a lot of people seem to take security as the fix it word. Services shouldn't be disabled for performance, well then I disable them for Security! Yes, I understand in todays world some jackhole ras's into work from home, or walks into work with his home laptop, infects all the computers with the latest new virus is a threat, bypassing that glorious firewall and everything else. But an admin worth his salt should have mediation in effect. If you want to disable services on your corporate network, go ahead, I'm not saying you shouldn't do something, I'm saying I wouldn't.rcolbert said:Snip
KoolDrew said:rcolbert, a service can only be an attack point IF the service listens on the network or does MS RPC.
Phoenix86 said:Real quick, I'm not seeing that license logging post your reffering to, am I blind? link?
edit: and from that article your skipping pg. 5 where they define "high security"
"High Security
The high security environment consists of elevated security settings for the client. When
applying high security settings, user functionality is limited to specific functions that are
only required for the necessary tasks. Access is limited to approved applications,
services, and infrastructure environments."
I don't think that describes many people here...
Ranma_Sao said:Believe me I understand security takes a lot of work, maybe I should have been clearer in my last post. Being hacked when I was a network admin a long time ago, was my worst nightmare, it took weeks before I "trusted" the network again. What I meant was, is a lot of people seem to take security as the fix it word. Services shouldn't be disabled for performance, well then I disable them for Security! Yes, I understand in todays world some jackhole ras's into work from home, or walks into work with his home laptop, infects all the computers with the latest new virus is a threat, bypassing that glorious firewall and everything else. But an admin worth his salt should have mediation in effect. If you want to disable services on your corporate network, go ahead, I'm not saying you shouldn't do something, I'm saying I wouldn't.I believe every admin should have a threat model for their network, and identify all threats, and figure out the mediation for those threats. Someone Ras's in, make sure the ras server has packet filtering on, and make sure virus signatures are up to date corporate wide. None of these mediation techniques are rocket science, I'm sure there are probably hundreds of documents on the web on how properly write a threat model, and how to identify attack vectors. But believe me, I take security seriously and I don't want anyone to believe that I don't. Back before I worked at Microsoft I owned a computer consulting company, and I did red team work, which by the way is hella fun and I wish I could do it again.
(Red team would be try and hack their network, look at their network topology, suggest fixes to make it less easy to penetrate the next time.)
Which has been patched already and is not present on XP.rcolbert said:Here's the relevant info on the License Logging Service exploit:
> Symantec Vulnerability Alert
>
> Microsoft Windows License Logging Service Buffer Overflow
> Vulnerability
> Bugtraq ID 12481
> CVE CAN-2005-0050
> Published Feb 8 2005
> Last Update 3/18/2005 5:52:15 PM GMT
> Remote Yes
> Local No
> Credibility Vendor Confirmed
> Classification Boundary Condition Error
> Ease Exploit Available
> Availability Always
> Authentication Not Required
>
> Impact 10 Severity 10 Urgency Rating 9.6
>
Umm, yeah, lets limit our discussion to XP... That was the jist of the thread.GreNME said:Which has been patched already and is not present on XP.
Yeah, but look at the services under those profiles. They don't recommend you make changes to many at all... Remote assistance is enabled under Enterprise for example, but not "high security".On high security: That was one of three target environments for the document, the other two being Enterprise and Standalone.
I think that totally not existing on one and not the other is a pretty damn fundemental difference.rcolbert said:Unless you can tell me how services on 2003 are fundamentally different than those on XP I think the example is perfectly valid.
Agreeing to disagree is intellectually dishonest.The bottom line is that it is apparent that no one is going to move off the argument against altering service startup configuration. I recognize that. Let's just agree to disagree.
GreNME said:I think that totally not existing on one and not the other is a pretty damn fundemental difference.
Phoenix86 said:Agreeing to disagree is intellectually dishonest.
I'm willing to change my position on specific services, given adequate reason. I'm against wholesale statemens like "disable service for performance" like blackviper gives.
You wouldn't want everyone to "OC their procs by ~20%" because that'll smoke some procs. Same thing applies here. Each tweak (or OC) varies by use and OS. Blanket statements like these as applied to services would see the same flak in the OC forums too. At least I'd hope so...
It's already been established that the WZC service isn't kicked off if no wireless hardware is installed.rcolbert said:Would you agree on Wireless Zero (if non-applicable) and Messenger? That'd be a start.
So long as we aren't name-calling there may be some value to be had yet.