Which Windows Services to DEFINITELY disable/manual

kleox64

Games machine on a network with net access.

Can anyone provide a list? I don't wanna follow Black Viper's guide after so many people ending up with poor performance/broken Windows.

Update (Disabled)
1) Indexing Service
2) XP Firewall (assuming H/W firewall)
3) Messenger
4) License Logging Service
5) Error Reporting Service
6) Remote Registry
7) System Restore (I am ghosting and never used it)


Update (Set to Manual)
1) Automatic Updates
2) Background Intelligent Transfer Service
3) Fast User Switching
4) Wireless Zero Configuration (for desktop machines were using wired)
 
The default is fine. Just have a firewall in place so that any running services aren't publicly accessible.

I would definitely not have the Indexing service running, as I don't see any need for optimized full text searches on my system, but I think it's defaulted to Manual.
 
Services you can disable without consequence under any circumstance you're likely to ever encounter:

Messenger
License Logging Service
Error Reporting Service
Distributed Link Tracking Client

Services you may want to set to manual start:

Automatic Updates
Background Intelligent Transfer Service
Fast User Switching
Remote Registry
Wireless Zero Configuration (if you don't use a wireless adapter)


And of course folks will be dropping in at any moment to tell you what a waste of time this is, and blah blah blah blah blah....
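
A read-only way to check a machine against the two lists in the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell with `Get-WmiObject` available; the short service names are the Windows XP/2003 names as assumed here and should be confirmed on the target machine, and `Compare-ServiceBaseline` is a hypothetical helper name.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Short service names are assumed Windows XP/2003 names; confirm each with
#   sc getkeyname "<display name>"
$baseline = @{
    'Messenger'                      = 'Disabled'  # Messenger
    'LicenseService'                 = 'Disabled'  # License Logging Service
    'ERSvc'                          = 'Disabled'  # Error Reporting Service
    'TrkWks'                         = 'Disabled'  # Distributed Link Tracking Client
    'wuauserv'                       = 'Manual'    # Automatic Updates
    'BITS'                           = 'Manual'    # Background Intelligent Transfer Service
    'FastUserSwitchingCompatibility' = 'Manual'    # Fast User Switching
    'RemoteRegistry'                 = 'Manual'    # Remote Registry
    'WZCSVC'                         = 'Manual'    # Wireless Zero Configuration
}

function Compare-ServiceBaseline {
    param([hashtable]$Baseline, [object[]]$Services)

    # Index the installed services by short name for lookup.
    $installed = @{}
    foreach ($s in $Services) { $installed[$s.Name] = $s }

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $svc = $installed[$name]
        if ($null -eq $svc) {
            $status = 'NotInstalled'          # e.g. a server-only service on a client OS
        } elseif ($svc.StartMode -ne $Baseline[$name]) {
            $status = 'Drift'                 # start mode differs from the list
        } elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
            $status = 'DisabledButRunning'    # disabled, but still up until stopped or rebooted
        } else {
            $status = 'Match'
        }
        $actual = ''; $state = ''
        if ($svc) { $actual = $svc.StartMode; $state = $svc.State }
        New-Object PSObject -Property @{
            Name = $name; Expected = $Baseline[$name]
            Actual = $actual; State = $state; Status = $status
        }
    }
}

# WMI reports StartMode as 'Auto', 'Manual' or 'Disabled'.
Compare-ServiceBaseline -Baseline $baseline -Services (Get-WmiObject Win32_Service) |
    Select-Object Name, Expected, Actual, State, Status |
    Format-Table -AutoSize
```
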
 
rcolbert said:
Services you can disable without consequence under any circumstance you're likely to ever encounter:

Messenger
License Logging Service
Error Reporting Service
Distributed Link Tracking Client

Services you may want to set to manual start:

Automatic Updates
Background Intelligent Transfer Service
Fast User Switching
Remote Registry
Wireless Zero Configuration (if you don't use a wireless adapter)


And of course folks will be dropping in at any moment to tell you what a waste of time this is, and blah blah blah blah blah....

FYI License logging service is only present in the Server OS's and not Client OS's.

Be careful when saying there are "no consequences" in disabling services. For example, the "Distributed Link Tracking Client Service" allows a user to move files and have subsequent shortcuts updated automatically. Would suck to have to recreate shortcuts when moving files.

Malk-a-mite said:
I would suggest that unless you actually make use of remote registry in your environment setting it to disabled would be a good idea.

http://www.sans.org/top20/#w3

Remote Registry is a moot point to disable since the OP is behind a firewall.

Disabling services in the name of security is overkill when the context hasn't been explicitly defined in which the system will be used. To disable services simply because it will make the system "more secure" is disingenuous at best and only serves to prove how little people actually think about the proper context of applying security best practices and layers.

For example, if the OP's computer is a desktop connected via a simple NAT router, then the only way to directly connect and "exploit" a service is if the hacker is in the OP's LAN. But if the hacker has physical access to the OP's LAN the game is over since once physical access has been breached the hacker owns the machine regardless of how many services are disabled.

If the OP has wireless and has WEP set, then there isn't any hacker who is going to take the time and resources to crack into his little network, so that's a moot point as well.

Leave the services at default, use a firewall, use AV software, and use WEP if your router is wireless.
 
The statement about the function of the distributed link tracking client is noted. The advice is for a gaming PC, and I expect that if someone has a large number of shortcuts, or is likely to move files and directories around frequently then the recommendation should be taken with a grain of salt. In most cases on a gaming PC, a whole lot more than shortcuts will be broken if you move the files that you might create shortcuts to.

BTW - In a domain the Distributed Link Tracking system is intriguing and yet can be a pain in the behind due to the way GUIDs are tracked and stored in Active Directory. It sure makes the case against Ghosting a system with shortcuts on it. I recall a situation at a small company where an entire department was unknowingly launching Excel.exe from a single desktop in their little IT lab. Definitely a double-edged sword.
 
rcolbert said:
BTW - In a domain the Distributed Link Tracking system is intriguing and yet can be a pain in the behind due to the way GUIDs are tracked and stored in Active Directory. It sure makes the case against Ghosting a system with shortcuts on it. I recall a situation at a small company where an entire department was unknowingly launching Excel.exe from a single desktop in their little IT lab. Definitely a double-edged sword.

This I agree, I recently uncovered some issues with one client site where roaming profile shortcuts are pointing to machines other than the one the user is logged into. :p
 
SJConsultant said:
If the OP has wireless and has WEP set, then there isn't any hacker who is going to take the time and resources to crack into his little network, so that's a moot point as well.

I will gladly accept that you and I have different views on security, but I would like to suggest that some "hackers" are just bored people looking for something/someone to mess with. So I wouldn't be comfortable saying that "there isn't any hacker" who would attempt it.

*shrug*
 
Ranked in order of my preference, but mutually exclusive.

Suggestion #1: Toss out the whole list and go to default. You're not seeing the basic fallacies presented in the lists.

Suggestion #2: Turn ON Auto Updates and BITS. You're wanting to disable service XXX to prevent a possible security hole that's less likely than being eaten by a shark hit by lightning, but you don't want to keep new, common exploits from being patched for you? I don't understand people.

Suggestion #3: Unplug your network cable.
 
I like to run a clean system too. If it's not needed, why have it start up? If nothing else, your system will probably start a bit faster without the extra services.
kleox64 said:
7) System Restore (I am ghosting and never used it)
I love system restore even if it does eat up HDD space. Here's why:
Say you (or an inexperienced user) get some nasty spyware or virus. The scanners are unable to clean it or don't detect it because it's too new. Just restore the system - and in most cases - the critter is squished.
 
elation said:
I like to run a clean system too. If it's not needed, why have it start up? If nothing else, your system will probably start a bit faster without the extra services.

I love system restore even if it does eat up HDD space. Here's why:
Say you (or an inexperienced user) get some nasty spyware or virus. The scanners are unable to clean it or don't detect it because it's too new. Just restore the system - and in most cases - the critter is squished.

In this case I boot to my restore OS (sits on a RAID 1 array) and run anti-virus/spyware checkers which remove the buggers anyway. Worst case I restore the damaged OS in 5 minutes. I've tried and tested this method over the past couple weeks and it works perfectly.
 
KoolDrew Leave everything default
I stand next to KoolDrew. One example, and reason as to why: Indexing Service is disabled by default. You do not have to disable it. It is a fallacy that disabling this service will make your system faster. Note, the service is set to manual. If you use the Computer Management MMC, interface to service applications, Indexing Service. Note, above that the service has not been started, and needs input to begin. I do admit, for I never need to use System Restore, that it is toggled to disabled, and also XP firewall, since I have a router.
 
I turn off System Restore, Themes (because I like the default everywhere :) ) and Windows Time.

I turn off Windows Time, because in the event that I don't have an internet connection, and Windows Time goes to look for it, it will constantly keep running until it finds that internet connection... I just set my clock manually.
 
Reason why as a gamer I leave automatic updates on manual:

Because I don't want updates downloading in the background while I'm playing a game, and I surely don't want that popup balloon jumping out of the system tray when I'm moving in to get a knifekill on a sniper.

This is a gaming machine I'm talking about and automatic updates interferes with the machine's primary purpose.

Also, I'm well aware of when updates are released and will turn on automatic updates periodically and install them during non-gaming hours. Hence, the service is set to manual.

All configuration and tweaking must have proper context. We're not talking about tweaking our wives' or mothers' PCs here, nor are we talking about tweaking PCs that store valuable information like tax returns and irreplaceable family pictures.

Most generalizations are worthless.


(that's a pun for the irony impaired)
 
Malk-a-mite said:
I will gladly accept that you and I have different views on security, but I would like to suggest that some "hackers" are just bored people looking for something/someone to mess with. So I wouldn't be comfortable saying that "there isn't any hacker" who would attempt it.

*shrug*

All I am going to say is why bother an encrypted network when there are countless others that are not encrypted? My example was for the OP in a residential situation.

Now business or corporate level wireless is a whole different ballgame since there is a lot more to gain from an encrypted business network than a home user's network.
 
Phoenix86 said:
Why did you start ANOTHER THREAD?

rcolbert, I would not touch BITS. Some games won't run w/o it, not to mention windowsupdate/auto updates.

Actually BITS is manual start by default, which I left as is. I simply included it due to its close association with Automatic Updates.
 
rcolbert said:
Actually BITS is manual start by default, which I left as is. I simply included it due to its close association with Automatic Updates.
That would qualify as not touching it then, right? ;)

 
SJConsultant said:
All I am going to say is why bother an encrypted network when there are countless others that are not encrypted? My example was for the OP in a residential situation.

Why bother? Because I don't wish to base my information security on the chance that my network won't be the one someone picks to mess with.
 
kleox64 said:
Can anyone provide a list? I don't wanna follow Black Viper's guide after so many people ending up with poor performance/broken Windows.

Use the "SAFE" configuration, that's what it's there for.

I've been using a custom services.inf for a long time based on his "SAFE" list, if you're having problems with it make sure you read over the instructions very carefully as it's possible you made a small mistake somewhere. You make a small mistake when using regedit or whichever, you WILL have a bad time.
 
Even his "SAFE" configuration list had some bad advice last time I checked.
 
Phoenix86 said:
That would qualify as not touching it then, right? ;)

No, I think it's best to go to the services applet and reconfigure the service as disabled, then go to a command prompt and type "sc config bits start= demand"
:eek:
 
Malk-a-mite said:
Why bother? Because I don't wish to base my information security on the chance that my network won't be the one someone picks to mess with.

Not sure if you are understanding my last statement so let me reiterate:

Why would someone bother to attack an encrypted residential wireless network when there are a great many more unencrypted that are free for the picking?

While there are tools that can crack WEP, these tools take a great length of time (in the order of several weeks) to perform this feat.
 
SJConsultant said:
Not sure if you are understanding my last statement so let me reiterate:

No, no, I understand the idea I just believe that for some the answer is either because they can or for the challenge. That's all. Like I mentioned I'm not willing to assume that someone else wouldn't attack a network just because there are easier targets.

EDIT:
Another thought as to why to crack an encrypted wireless residential - practice in a low risk environment.

So yeah, improbable not impossible, and since the effort to lock down my systems/networks is marginal in comparison I *personally* don't see why not. Fair enough?

EDIT2:
While we're discussing this tiny aspect, I just noticed that the XP FW is suggested disabled in favor of a hardware firewall - doesn't the XP FW do outbound application blocking? Something that most SOHO/residential hardware firewalls don't do?
 