Information about services that are required to run a security-enhanced IIS server on Windows 2000 (810866)
The information in this article applies to:

  • Microsoft Internet Information Services 5.0

SUMMARY

When Microsoft Windows 2000 Server is first installed, default services are created and configured to run when the system starts. Some of these services are not required in many environments. This article outlines the services that are required for a Windows 2000 member server that is running Internet Information Services (IIS) to participate in a Windows 2000 domain and to provide basic management services.

MORE INFORMATION

Any service is a potential point of attack. Because a service processes client requests, it can be used as an entry point. Microsoft recommends that you disable nonessential services to minimize risk.

Note The recommendations in this article are based on the "Member Server Baseline Services Policy" topic in chapter 4 of the Security Operations Guide for Windows 2000 Server. To see this guide, visit the following Microsoft Web site:

The services that are required vary depending on the tools and applications that you require. For example, if your environment includes Microsoft Windows NT 4.0, you may require other services for compatibility purposes. Some of these additional services may depend on other services that must also be enabled.

With the Hfnetchk utility, you can verify the patches that are installed on each of the servers in your organization. Both the Server service and the Remote Registry service are included in the recommendations so that you can run the Hfnetchk utility.

Recommended services for member servers

The following are the recommended services for member servers:
  • COM+ Event System - This service permits management of component services.
  • DHCP Client - This service is required to update records in dynamic Domain Name System (DNS).
  • Distributed Link Tracking Client - This service is used to maintain links on NTFS file system volumes.
  • DNS Client - This service permits resolution of DNS names.
  • Event Log - This service permits event log messages to be viewed in the event log.
  • Logical Disk Manager - This service is required to make sure dynamic disk information is up-to-date.
  • Logical Disk Manager Administrative Service - This service is required to perform disk administration.
  • Net Logon - This service is required for domain participation.
  • Network Connections - This service is required for network communication.
  • Performance Logs and Alerts - This service collects performance data for the computer, and then this service writes the performance data to a log or triggers alerts.
  • Plug and Play - This service is required for Windows 2000 to identify and to use system hardware.
  • Protected Storage - This service is required to protect sensitive data such as private keys.
  • Remote Procedure Call (RPC) - This service is required for internal processes in Windows 2000.
  • Remote Registry Service - This service is required for the Hfnetchk utility.
  • Security Accounts Manager - This service stores account information for local security accounts.
  • Server - This service is required for the Hfnetchk utility.
  • System Event Notification - This service is required to record entries in the event logs.
  • TCP/IP NetBIOS Helper Service - This service is required for software distribution in Group Policy. This service may be used to distribute patches.
  • Windows Management Instrumentation Driver Extensions - This service is required to implement performance alerts by using the Performance Logs and Alerts service.
  • Windows Time - This service is required for Kerberos authentication to function consistently.
  • Workstation - This service is required to participate in a domain.

Additional services for IIS

The following services may be required if you are running IIS:
  • IIS Admin Service - This service provides the administrative interface for World Wide Web Publishing, the FTP Publishing Service, and SMTP.
  • World Wide Web Publishing - This service provides Web server functionality.
  • FTP Publishing Service - This service provides FTP connectivity.
  • SMTP - This service transports electronic mail.
  • Indexing Service - This service indexes contents and properties of files.

Key services not included

The goal of the Member Server Baseline Policy group policy is to be as restrictive as possible. Several services are disabled that may be required in your environment. Some of the more common services are:
  • SNMP Service - In many cases, management applications require an agent to be installed on each server. Typically, these agents use SNMP to forward alerts back to a centralized management server. If management agents are required, determine whether these agents require the SNMP service started.
  • Windows Management Instrumentation (WMI) - The WMI service is disabled in the Member Server Baseline Policy group policy. To manage logical disks by using computer management, you must enable the WMI service. Many other applications and tools also use WMI.
  • Messenger Service and Alerter Service - Although these services are not explicitly dependent on one another, these services work together to send administrative alerts. The Messenger service sends alerts that are triggered by the Alerter service. If you are using the Performance Logs and Alerts service to trigger alerts, you must enable these services.
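The following script is an added example (an editor's illustration, not part of KB 810866 or of any Microsoft tool) that turns the two lists above into an audit: it reports services that are running but are not on the baseline or IIS lists, reports baseline services that are not running (for example, the Server and Remote Registry services that Hfnetchk needs), and lists each candidate's dependent services so that the dependency caveat in "Key services not included" is visible before anything is disabled. It assumes the service display names as written in this article; later Windows versions use different names for some of them, so the `$Baseline` and `$IisRoles` arrays may need adjusting. The function names `Get-ServiceBaselineReport` and `Disable-ReviewedService` are the example's own.

```powershell
# Added example (not from KB 810866): audit this server's services against the
# article's baseline and IIS lists, then disable only services you have reviewed.
# Display names are copied from the article; adjust them for later Windows versions.

$Baseline = @(
    'COM+ Event System', 'DHCP Client', 'Distributed Link Tracking Client',
    'DNS Client', 'Event Log', 'Logical Disk Manager',
    'Logical Disk Manager Administrative Service', 'Net Logon',
    'Network Connections', 'Performance Logs and Alerts', 'Plug and Play',
    'Protected Storage', 'Remote Procedure Call (RPC)', 'Remote Registry Service',
    'Security Accounts Manager', 'Server', 'System Event Notification',
    'TCP/IP NetBIOS Helper Service',
    'Windows Management Instrumentation Driver Extensions', 'Windows Time',
    'Workstation'
)

# Role-specific services from the IIS list; keep only the roles this server hosts.
$IisRoles = @('IIS Admin Service', 'World Wide Web Publishing',
              'FTP Publishing Service', 'SMTP', 'Indexing Service')

function Get-ServiceBaselineReport {
    param(
        [string[]]$Allowed  = ($Baseline + $IisRoles),  # may run
        [string[]]$Required = $Baseline                  # should run
    )
    # Index installed services by display name for the lookups below.
    $byName = @{}
    foreach ($s in Get-Service) { $byName[$s.DisplayName] = $s }

    # Running but not on the allow-list: review, then disable if nothing needs it.
    $unexpected = $byName.Values | Where-Object {
        $_.Status -eq 'Running' -and $Allowed -notcontains $_.DisplayName
    }
    # Required but not running: domain participation or patch auditing may be broken.
    $missing = $Required | Where-Object {
        -not $byName.ContainsKey($_) -or $byName[$_].Status -ne 'Running'
    }

    foreach ($svc in $unexpected) {
        # Disabling a service also stops everything that depends on it, so show those.
        $deps = @($svc.DependentServices | ForEach-Object { $_.DisplayName })
        [pscustomobject]@{
            Finding    = 'RunningNotInBaseline'
            Service    = $svc.DisplayName
            Name       = $svc.Name
            Dependents = if ($deps) { $deps -join ', ' } else { '(none)' }
        }
    }
    foreach ($display in $missing) {
        [pscustomobject]@{
            Finding    = 'BaselineServiceNotRunning'
            Service    = $display
            Name       = if ($byName.ContainsKey($display)) { $byName[$display].Name } else { '(not installed)' }
            Dependents = ''
        }
    }
}

function Disable-ReviewedService {
    # Stop one reviewed service and prevent it from starting again; -WhatIf previews only.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and set startup type to Disabled')) {
        Stop-Service -Name $Name -Force
        Set-Service  -Name $Name -StartupType Disabled
    }
}

# Usage: run the audit, then act on individual findings after review.
Get-ServiceBaselineReport | Format-Table -AutoSize
# Disable-ReviewedService -Name 'ServiceNameFromTheReport' -WhatIf
```

The audit deliberately does not disable anything on its own: the report's Dependents column is what you check against the SNMP, WMI and Messenger/Alerter notes above before deciding that a service really is nonessential on a given server.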
For more information about the Member Server Baseline Services Policy and about enhancing the security of Windows 2000 servers, visit the following Microsoft Web site:

For additional information about services that are required for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:

189271 List of services needed to run a secure IIS computer

Modification Type: Minor    Last Reviewed: 2/14/2004
Keywords: kbSecurity kbinfo KB810866 kbAudITPRO