I need some advice on the impact of security with respect to some of the default services that roll out with Windows XP?

I am on a team of people which is looking into possible exploits or vulnerabilities with respect to services that can be disabled without affecting end users in our environment. It has been suggested to look at some 40+ services that are enabled by default with Windows XP and try to decide if it would strengthen our environment by disabling any unnecessary ones. The problem now is to determine which ones can safely be disabled (or should be) and not impact users or troubleshooters down the road.

I have some concern with this strategy but don’t have enough information to make a good decision and was hoping that some one here may be able to help?

We are on a 2000 platform with active directory in force and the main emphasis here is security. I don’t feel that disabling services without a complete understanding of inter-dependency’s is a good idea and was hoping that some one may have a list of services that can be safely disabled (to improve security) without disrupting the end user environment or maybe a list of potential ones to look at that may be of concern.

I tend to have the "Don’t fix it if it is not broke" mentality and but do understand that some may need to be looked at and disabled. I am however concerned with the mentality of "disable every service that is not directly utilized" or what some people may consider to be "not directly utilized".

Can some one help direct me with the best overall strategy?

I am sure that are some that are more important than others but the question seems to come down to are some services potential problems when left in the default configuration (i.e. auto or manual) or have the current XP security policies already considered this? I would like to think that any service that has potential risk would already be disabled but that may be too much to hope for, right?

Some educated advice would be very much appreciated.

Thanks,

Make sure you block the Messenger Service.

Actually that's not necessarily a good idea. Believe it or not, there are
legitimate uses for it in a enterprise network like this. It depends on
whether its being used. It's not inherently insecure.



"Tim" <(E-Mail Removed)> wrote in message
newsB9D1A49-7B8D-4837-970C-(E-Mail Removed)...
> Make sure you block the Messenger Service.

Have a look here: http://www.blackviper.com/WIN2K/servicecfg.htm

There are other sites like it... search google. Careful though because most
of these sites are geared to home users who want to 'tweak' their systems.
Many of these services are more important in a domain.

That said, the default services that are installed are generally OK to leave
alone.

Here's a guide from Microsoft. It applies to 2000 Server but the
descriptions might also help with some services you'll see on 2000
Professional workstations.
http://www.microsoft.com/technet/Sec...n2k/a0601.mspx
(Keep in mind, many of the services on the Server version don't apply to
workstations.) Incidentally, it would be wise to read the whole article,
starting here
http://www.microsoft.com/technet/Sec...k/default.mspx



--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware



"Kevin Bentley" <Kevin (E-Mail Removed)> wrote in message
news:2332D39D-F35C-42E6-BB19-(E-Mail Removed)...
>I need some advice on the impact of security with respect to some of the
>default services that roll out with Windows XP?
>
> I am on a team of people which is looking into possible exploits or
> vulnerabilities with respect to services that can be disabled without
> affecting end users in our environment. It has been suggested to look at
> some 40+ services that are enabled by default with Windows XP and try to
> decide if it would strengthen our environment by disabling any unnecessary
> ones. The problem now is to determine which ones can safely be disabled
> (or should be) and not impact users or troubleshooters down the road.
>
> I have some concern with this strategy but don't have enough information
> to make a good decision and was hoping that some one here may be able to
> help?
>
> We are on a 2000 platform with active directory in force and the main
> emphasis here is security. I don't feel that disabling services without a
> complete understanding of inter-dependency's is a good idea and was hoping
> that some one may have a list of services that can be safely disabled (to
> improve security) without disrupting the end user environment or maybe a
> list of potential ones to look at that may be of concern.
>
> I tend to have the "Don't fix it if it is not broke" mentality and but do
> understand that some may need to be looked at and disabled. I am however
> concerned with the mentality of "disable every service that is not
> directly utilized" or what some people may consider to be "not directly
> utilized".
>
> Can some one help direct me with the best overall strategy?
>
> I am sure that are some that are more important than others but the
> question seems to come down to are some services potential problems when
> left in the default configuration (i.e. auto or manual) or have the
> current XP security policies already considered this? I would like to
> think that any service that has potential risk would already be disabled
> but that may be too much to hope for, right?
>
> Some educated advice would be very much appreciated.
>
> Thanks,
>

Search for and read the W2k3/XP hardening guides that
you can find on the MS website.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Kevin Bentley" <Kevin (E-Mail Removed)> wrote in message
news:2332D39D-F35C-42E6-BB19-(E-Mail Removed)...
> I need some advice on the impact of security with respect to some of the
default services that roll out with Windows XP?
>
> I am on a team of people which is looking into possible exploits or
vulnerabilities with respect to services that can be disabled without
affecting end users in our environment. It has been suggested to look at
some 40+ services that are enabled by default with Windows XP and try to
decide if it would strengthen our environment by disabling any unnecessary
ones. The problem now is to determine which ones can safely be disabled (or
should be) and not impact users or troubleshooters down the road.
>
> I have some concern with this strategy but don't have enough information
to make a good decision and was hoping that some one here may be able to
help?
>
> We are on a 2000 platform with active directory in force and the main
emphasis here is security. I don't feel that disabling services without a
complete understanding of inter-dependency's is a good idea and was hoping
that some one may have a list of services that can be safely disabled (to
improve security) without disrupting the end user environment or maybe a
list of potential ones to look at that may be of concern.
>
> I tend to have the "Don't fix it if it is not broke" mentality and but do
understand that some may need to be looked at and disabled. I am however
concerned with the mentality of "disable every service that is not directly
utilized" or what some people may consider to be "not directly utilized".
>
> Can some one help direct me with the best overall strategy?
>
> I am sure that are some that are more important than others but the
question seems to come down to are some services potential problems when
left in the default configuration (i.e. auto or manual) or have the current
XP security policies already considered this? I would like to think that
any service that has potential risk would already be disabled but that may
be too much to hope for, right?
>
> Some educated advice would be very much appreciated.
>
> Thanks,
>

Our focus is going to be new XP workstations that are brought into the envrionment. How much of a variation are we talking about with this regard?


"Colin Nash [MVP]" wrote:

> Have a look here: http://www.blackviper.com/WIN2K/servicecfg.htm
>
> There are other sites like it... search google. Careful though because most
> of these sites are geared to home users who want to 'tweak' their systems.
> Many of these services are more important in a domain.
>
> That said, the default services that are installed are generally OK to leave
> alone.
>
> Here's a guide from Microsoft. It applies to 2000 Server but the
> descriptions might also help with some services you'll see on 2000
> Professional workstations.
> http://www.microsoft.com/technet/Sec...n2k/a0601.mspx
> (Keep in mind, many of the services on the Server version don't apply to
> workstations.) Incidentally, it would be wise to read the whole article,
> starting here
> http://www.microsoft.com/technet/Sec...k/default.mspx
>
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Printing/Imaging/Hardware
>
>
>
> "Kevin Bentley" <Kevin (E-Mail Removed)> wrote in message
> news:2332D39D-F35C-42E6-BB19-(E-Mail Removed)...
> >I need some advice on the impact of security with respect to some of the
> >default services that roll out with Windows XP?
> >
> > I am on a team of people which is looking into possible exploits or
> > vulnerabilities with respect to services that can be disabled without
> > affecting end users in our environment. It has been suggested to look at
> > some 40+ services that are enabled by default with Windows XP and try to
> > decide if it would strengthen our environment by disabling any unnecessary
> > ones. The problem now is to determine which ones can safely be disabled
> > (or should be) and not impact users or troubleshooters down the road.
> >
> > I have some concern with this strategy but don't have enough information
> > to make a good decision and was hoping that some one here may be able to
> > help?
> >
> > We are on a 2000 platform with active directory in force and the main
> > emphasis here is security. I don't feel that disabling services without a
> > complete understanding of inter-dependency's is a good idea and was hoping
> > that some one may have a list of services that can be safely disabled (to
> > improve security) without disrupting the end user environment or maybe a
> > list of potential ones to look at that may be of concern.
> >
> > I tend to have the "Don't fix it if it is not broke" mentality and but do
> > understand that some may need to be looked at and disabled. I am however
> > concerned with the mentality of "disable every service that is not
> > directly utilized" or what some people may consider to be "not directly
> > utilized".
> >
> > Can some one help direct me with the best overall strategy?
> >
> > I am sure that are some that are more important than others but the
> > question seems to come down to are some services potential problems when
> > left in the default configuration (i.e. auto or manual) or have the
> > current XP security policies already considered this? I would like to
> > think that any service that has potential risk would already be disabled
> > but that may be too much to hope for, right?
> >
> > Some educated advice would be very much appreciated.
> >
> > Thanks,
> >
>
>
>