Dangerous Services, Part 1

Basic physical security policy for a building calls for eliminating all unnecessary doors and putting locks, guards, or cameras on the rest. For computers, network services are the doorways into a Windows 2000 system, so "eliminate all unnecessary services" is a time-honored commandment for protecting computers. Win2K comes with a lot of services enabled by default, many of which you don’t need. Even if the service doesn’t offer direct access to system resources, it might expose a system to buffer overflow attacks and denial of service (DoS) attacks. Consider disabling vulnerable or unnecessary services on workstations and servers—you’d be surprised at how many times you can access confidential information or impersonate a high-level user simply by breaking into an unsecured workstation. Let’s look at a few of the services common to Win2K that you might consider disabling on your systems.

The Clipbook service. The Clipbook service is an interesting tool that lets you copy and paste the contents of your computer’s clipboard to another. If you want to try out this tool, run clipbrd and look at the Help file. Although this service lets you configure who has remote access to your clipboard, why enable an open target on your system for attackers? Don’t enable this feature unless you need it.

The Computer Browser Service. The Computer Browser service maintains a list of computers and shared resources available on the network and makes this list available to other computers when a user browses the network using tools such as My Network Places. Windows systems that use the Computer Browser service participate in an election process that selects various browser roles. To learn more about this service, look up Computer Browser in the Win2K Help text index. This service exists because Windows NT relies on NetBIOS broadcast name resolution. With Win2K’s move to DNS, the need for the Computer Browser Service is questionable as more and more systems migrate to Win2K. Before you disable the Computer Browser service on servers in your internal network, research Win2K’s Help file. However, you can safely disable this service on workstations and servers exposed to the Internet. So, why should you? First, you can save some system resources and cut down on network traffic by reducing the number of potential browsers. More important, some DoS attacks over the Internet target this service, and that usually means more of these types of attacks will appear. If this service isn’t on your systems, you won’t need to worry about loading any related hotfixes. In effect, you’ve "bricked up" yet another door.

The IIS Admin Service. The IIS Admin Service appears only on systems where you’ve installed Microsoft IIS. According to the description in the Microsoft Management Console services snap-in, this service "allows administration of Web and FTP services through the Internet Information Services snap-in." Enable this service only on Web servers and where administrators manage the system using the MMC interface rather than through a Web browser and the IIS Administration Web site.

The Internet Connection Sharing service. With the Internet Connection Sharing (ICS) service, you can use one Win2K system to connect your home network or small office network to the Internet. This service is one you don’t want to enable on systems that aren’t being used to connect a SOHO LAN to the Internet. If you need to use the ICS service, be sure to read the Microsoft article "Security Features of Internet Connection Sharing."

The Indexing service. The Indexing service provides fast full-text searching of documents by periodically building a catalog of documents on the system. On Win2K Server, this service is a component of IIS, but on Win2K Professional, the Indexing service is a standalone component. Several exploits have been publicized where attackers viewed confidential information through the Indexing service. Unless you need to use this service, disable it.

The Infrared Monitor service. The Infrared Monitor service lets computers and other devices with infrared support communicate with each other and share files. This scenario is a possible way to attack systems, especially laptops, in close proximity. Unless you use infrared regularly for legitimate purposes, such as printing or Personal Digital Assistant (PDA) synchronization, disable this service.

The NetMeeting Remote Desktop Sharing service. The NetMeeting Remote Desktop Sharing service lets users who have proper authorization access your desktop remotely. Sound dangerous? I agree! NetMeeting is compliant with applicable industry standard protocols and has security features for authentication, authorization, and encryption. However, NetMeeting still represents a significant doorway that you must lock and guard if you choose to enable this service. For information on NetMeeting’s security features, see Microsoft’s Web site.

The Remote Registry service. The Remote Registry service makes the registry available to other authorized users on the network. To try this, load regedt32 and click RegistrySelect Computer. Disabling the Remote Registry service can make it difficult to administer a system remotely, so you will want to disable this service only on hardened systems exposed to a hostile network. For other systems, you need to keep the Remote Registry service enabled, but make sure you "lock the door." To control who has remote access to the registry through this service, you need to edit the permissions for the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurePipeServerswinreg key. For more information see Microsoft’s Web site.

The Routing and Remote Access service. Depending on how you’ve configured the Routing and Remote Access Service (RRAS), you can use this service with dial-up connections on the system’s local modem or VPN connections from the Internet to provide remote access to the local system and to the rest of the network. If you are using a legitimate RRAS server, make sure you’ve properly configured this major doorway. Consult the Win2K Help text for a description of RRAS’s security options. Be aware, however, that you can also use this service on Win2K Pro workstations. I’ve seen instances where employees configured RRAS on a workstation so they could dial in from their home PCs to access the Internet through their employer’s firewall and avoid paying for an ISP account. To avoid exposing your company’s network to dial-up attacks, make sure you disable this service on all user workstations. This task can be a chore if you have a lot of users. Thankfully, Group Policy comes to the rescue for configuring services centrally.

In part 2 of this article, I’ll cover other services you need to consider disabling. I’ll also show you how to use Group Policy to manage and delegate control centrally over services.