Common Windows Services and Recommendations


Table 7-5 lists the default services found in Windows 2000 Pro, XP Pro, and a Windows Server 2003 domain controller, each service's default Startup Type, and whether the service runs by default. The recommendations at the end of each Description entry (bolded in the original) are only intended as general guidelines for environments with low- to mid-level security requirements. Services must remain enabled if your environment uses them. High-security environments can disable many more of these services, as shown after the table. Test thoroughly before disabling any service in a production environment.

Table 7-5

| Name | Description | W2K | XP | W2K3 | Startup Type | Active by Default |
|---|---|---|---|---|---|---|
| Alerter | Notifies selected users and computers of administrative alerts. Some programs, such as antivirus consoles, use Alerter to send console messages. The Messenger service must be enabled to send an Alerter message across the network. A few low-risk vulnerabilities known. Should be disabled unless needed. | Y | Y | Y | Disabled | N |
| Application Experience Lookup Service | Installed with Service Pack 1; allows a specially coded application to ensure it is installed only on newer OSs. Only works locally; no network connections allowed. No risk in leaving enabled. | N | N | Y | Automatic | Y |
| Application Layer Gateway Service | Used by Microsoft and other vendors to interface with and control Internet Connection Sharing (ICS) and Internet Connection Firewall (ICF). Keep enabled if you use ICS/ICF. No known vulnerabilities other than malware that sometimes turns off this service without the user's permission. | N | Y | Y | Manual | Y |
| Application Management | Only used with Active Directory software installation packages. Can be disabled if never used. No known vulnerabilities at this time. | Y | Y | Y | Manual | N |
| Automatic Updates | Needed for many Microsoft-based software patch management tools, including the Automatic Updates service, SUS, and WSUS. No known vulnerabilities; it can be left enabled if used. | Y | Y | Y | Automatic | Y |
| Background Intelligent Transfer Service | Transfers IIS web site files in the background using idle network bandwidth. If the service is stopped, any services that use it may fail to transfer files if they do not have fail-safe mechanism features. IIS web sites such as Windows Update and MSN Explorer will be unable to automatically download programs and other information. Leave set to manual. | Y | Y | Y | Manual | May be Y |
| ClipBook | Not the same as the Clipboard (Cut and Paste) most users are familiar with. Used by some programs as a universal, industrial-sized clipboard. Can be disabled or set to manual in most environments. No known vulnerabilities in years, but it is thought to be a potential future weak point. Requires the Network DDE service to be running. | Y | Y | Y | Disabled in XP and W2K3, Manual in W2K | N |
| COM+ Event System | Involved with distributing and running COM-based objects and programs. Unless you know that no COM- or DCOM-based applications are being used, it can be set to manual or automatic. | Y | Y | Y | Automatic in W2K3, Manual in XP and W2K | Y |
| COM+ System Application | Involved with distributing and running COM-based objects and programs. Unless you know that no COM- or DCOM-based applications are being used, it can be left at manual. | N | Y | Y | Manual | N |
| Computer Browser | Creates and maintains a list of computers on the local network and supplies this list to computers designated as browsers. Contrary to popular belief, NetBIOS is required on most Windows computers, and WINS is required in a multi-network Exchange environment. Should be left enabled in all but high-security environments. | Y | Y | Y | Automatic | Y |
| Cryptographic Services | Heavily involved with providing the operating system and applications access to cryptographically protected files and resources. Should be enabled or manual. | N | Y | Y | Automatic | Y |
| DCOM Server Process Launcher | Provides launch functionality for Distributed COM services. Don't disable unless you are sure you don't have DCOM services in your network. | N | Y | Y | Automatic | Y |
| DHCP Client | Allows the computer to receive dynamic IP addresses and other DHCP information. Leave enabled if needed. | Y | Y | Y | Automatic | Y |
| DHCP Server | DHCP Server services. Keep enabled unless not needed. | N | N | Y | Automatic | Y |
| Distributed File System | Creates and manages logical namespace storage volumes distributed across a network. Should be enabled on domain controllers in most environments, but can usually be disabled on member servers and clients. However, there are no known vulnerabilities, so it can be left in its default enabled state. Test this one first before disabling, even on member servers, if you have DFS enabled for client files. | N | N | Y | Automatic | Y |
| Distributed Link Tracking Client | Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. Can be left enabled. | Y | Y | Y | Manual in W2K3, Automatic in XP and W2K | Y in XP and W2K |
| Distributed Link Tracking Server | Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. Can be left disabled unless needed. | N | N | Y | Disabled | N |
| Distributed Transaction Coordinator | MSDTC is responsible for coordinating transactions that are distributed across multiple computer systems or resource managers, such as databases, message queues, file systems, or other transaction-protected resources. Should be left enabled on networked computers. | Y | Y | Y | Automatic in W2K3, Manual in XP and W2K | Y in W2K3 |
| DNS Client | Resolves computer and service names to IP addresses. Used to locate Active Directory domain controllers and other services. Keep enabled. | Y | Y | Y | Automatic | Y |
| DNS Server | Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. Keep enabled on servers providing DNS services to DNS clients. | N | N | Y | Automatic | Y |
| Error Reporting Service | Collects, stores, and sends unexpected application crash data to Microsoft. If this service is stopped, Error Reporting will occur only for kernel faults and some types of user mode faults. Keep enabled unless you don't want users to have this service. No known vulnerabilities. | N | Y | Y | Automatic | Y |
| Event Log | Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Keep enabled in all environments. | Y | Y | Y | Automatic | Y |
| Fast User Switching Compatibility | Allows multiple users to log on to a single computer without first logging the other users off. When enabled, disables many features, including security features. Should be disabled. | N | Y | N | Manual | N |
| Fax Service | Allows the PC to send and receive faxes. Disable if not needed. | Y | N | N | Manual | N |
| File Replication Service | Used by file servers and domain controllers for domain communications and DFS. Should remain enabled. | N | N | Y | Automatic | Y |
| Help and Support | Enables the Help and Support Center to run on this computer. Although it can usually be left enabled, a few vulnerabilities have been found using it, so in a high-security environment consider disabling it instead. | N | Y | Y | Automatic | Y |
| HTTP SSL | Allows IIS and other server apps to use HTTPS. Needed if HTTPS is used; otherwise, you can disable. No known vulnerabilities. | N | Y | Y | Manual | N |
| Human Interface Device Access | Allows "smart" keyboards, with predefined hot buttons, etc. Can also be used for some USB devices. Can be disabled if not needed. Could be used in an attack, but no known vulnerabilities. | N | Y | Y | Disabled | N |
| Indexing Service | Indexes contents and properties of files on local and remote computers. Has been involved in several vulnerabilities. Disable if not needed. | Y | Y | Y | Disabled in W2K3, Manual in XP and W2K | N |
| Internet Connection Sharing | Provides NAT and DNS services for computers connecting through ICS. Can be disabled if not needed. Could be used in an exploit, but so far no known vulnerabilities. | Y | N | N | Manual | N |
| Intersite Messaging | Used for intersite domain controller communications; otherwise, not needed and can be disabled. No known exploits. | N | N | Y | Disabled | N |
| IPSEC Services (called IPSEC Policy Agent in W2K) | Enables IPSec. Can be disabled if not needed, but IPSec is very helpful in many situations. Some low-risk vulnerabilities found when only using AH (and not ESP also) and with weak PSKs. Can usually be left enabled. | Y | Y | Y | Automatic | Y |
| Kerberos Key Distribution Center | Needed on Active Directory domain controllers for Kerberos authentication, which is critical for Windows 2000 and later domains. Although a few low-risk exploits have been announced, including one Kerberos sniffing/brute-force attack, it should be left enabled. | N | N | Y | Automatic | Y |
| License Logging | Being phased out by Microsoft; this is used to track legacy licensing issues. Has been subjected to at least one exploit. Can be left disabled. | N | N | Y | Disabled | N |
| Logical Disk Manager | Used to manage logical disk activities and report to different tools, such as Disk Manager. Can be set to manual, or disabled if not needed. | Y | Y | Y | Automatic | Y |
| Logical Disk Manager Administrative Service | Used to manage logical disk activities and report to different tools, such as Disk Manager. Can be set to manual, or disabled if not needed. The service only runs for configuration processes and then stops. | Y | Y | Y | Manual | Y |
| Messenger | Transmits net send and Alerter service messages between clients and servers. Has been involved in a few exploits and nuisance attacks (i.e., spam, phishing, fraudulent sales, etc.). Should be left disabled unless needed. | Y | Y | Y | Disabled | N |
| Microsoft Search | Creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data. No known vulnerabilities; it can be disabled or left enabled if needed. | N | N | Y | Automatic | Y |
| Microsoft/MS Software Shadow Copy Provider | Involved in Volume Shadow Copying used for file restoration and backups. Disable if not needed. No known vulnerabilities. | N | Y | Y | Manual | N |
| Net Logon | Maintains a secure channel between computers and domain controllers for authenticating users and services. Required for most computers: for logon, for registering SRV resource records in DNS, and for supporting NT 4.0 replication. Leave enabled. | Y | Y | Y | Automatic | Y |
| NetMeeting Remote Desktop Sharing | Allows a user to use NetMeeting to access a computer remotely. Can be disabled if not needed. | Y | Y | Y | Disabled in W2K3, Manual in XP and W2K | Y |
| Network Connections | Manages connections and objects in the Network and Dial-Up Connections folder. If disabled, users will not be able to view, browse, and modify network connections. Leave enabled at manual. | Y | Y | Y | Manual | Y |
| Network DDE | Needed for Dynamic Data Exchange (DDE)-enabled programs. Used by the ClipBook service and sometimes by Microsoft Office applications. Can be disabled if not needed. | Y | Y | Y | Disabled in W2K3 and XP, Manual in W2K | N |
| Network DDE DSDM | Manages Dynamic Data Exchange (DDE) network shares, which are used by some programs. Used by the ClipBook service and sometimes by Microsoft Office applications. Can be disabled if not needed. | Y | Y | Y | Disabled in W2K3 and XP, Manual in W2K | N |
| Network Location Awareness (NLA) | Notes when the computer's network location has changed, and notifies interested applications. For example, if the PC uses DHCP, it will request a new lease when the network changes, such as when a laptop is plugged into a new location. Leave enabled. No known exploits, although theoretically there could be some attacks. | N | Y | Y | Manual | Y |
| Network Provisioning Service | Manages XML configuration files on a domain basis for automatic network provisioning. Can be disabled if not needed (most networks don't use it). | N | Y | Y | Manual | N |
| NT LM Security Support Provider | Provides security to remote procedure call (RPC) programs that use transports other than named pipes. Often needed; leave enabled at manual. | Y | Y | Y | Manual | Y in W2K3 |
| Performance Logs and Alerts | Needed for Performance Logs and Alerts monitoring. Can be disabled if not needed. | Y | Y | Y | Manual | N |
| Plug and Play | Used for the Plug and Play feature. Supposedly, stopping this service will result in system instability. Keep enabled even though it has been involved in more than one exploit. This should be able to be disabled, but it can't be without adverse legitimate effects. | Y | Y | Y | Automatic | Y |
| Portable Media Serial Number Service | For DRM; allows remote content providers to retrieve the unique serial number of any portable media player connected to the computer. If stopped, protected content will not download. Disable if not needed. | N | Y | Y | Manual | N |
| Print Spooler | Manages local and remote printer queues. Should be enabled if printing is needed, although it has been involved in at least one exploit. | Y | Y | Y | Automatic | Y |
| Protected Storage | Older Windows cryptographic method for protecting sensitive information, such as cryptographic keys, service passwords, etc. Being phased out, but still needed. Keep enabled. It has not been exploited, but it can be used by malicious programs logged in as admin to access protected content. | Y | Y | Y | Automatic | Y |
| QoS RSVP | Provides control setup functionality for QoS-aware applications. Should be disabled unless needed. | Y | Y | N | Manual | N |
| Remote Access Auto Connection Manager | Per Microsoft, "Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. If this service is stopped, users will need to manually connect." Should be left enabled and manual unless remote connections are not needed. | Y | Y | Y | Manual | N |
| Remote Access Connection Manager | Manages dial-up and virtual private network (VPN) connections from the computer to remote locations. Should be enabled unless dial-up or VPN connections are not needed. | Y | Y | Y | Manual | Y in W2K |
| Remote Desktop Help Session Manager | Manages Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Can be disabled if not needed. | N | Y | Y | Manual | N |
| Remote Procedure Call (RPC) | The RPC Endpoint Mapper on TCP port 135 and the COM Service Control Manager. If this service is stopped, programs using Remote Procedure Call (RPC) or COM services will not function properly. Leave enabled. Although it has been involved in several exploits, disabling it creates many problems in Windows. | Y | Y | Y | Automatic | Y |
| Remote Procedure Call (RPC) Locator | Enables Remote Procedure Call (RPC) clients using RpcNs* APIs to locate RPC servers. RpcNs* APIs are not used internally in Windows, but can be used by other programs, such as Exchange. Leave enabled at manual unless you are sure you don't need them. | Y | Y | Y | Manual | N |
| Remote Registry | Enables remote users to modify registry settings and remotely administer Windows machines. If stopped, will prevent many remote management applications from working. Leave enabled unless otherwise unneeded. | Y | Y | Y | Automatic | Y |
| Removable Storage | Manages and catalogs removable media devices and software. If this service is stopped, programs using removable storage, such as Backup, will operate more slowly. Leave enabled if needed. | Y | Y | Y | Manual in W2K3 and XP, Automatic in W2K | Y in W2K |
| Resultant Set of Policy Provider | Allows a remote user to verify effective group policy settings. No known vulnerabilities. Leave enabled at manual unless you don't want RSoP capabilities. | N | N | Y | Manual | N |
| Routing and Remote Access | Enables Routing and Remote Access (RRAS) services. Can be disabled unless needed. | Y | Y | Y | Disabled | N |
| Secondary Logon (called RunAs Service in W2K) | Allows programs and processes to be started using alternate user credentials. Leave enabled unless you intentionally want to disable the function. | Y | Y | Y | Automatic | Y |
| Security Accounts Manager | Interfaces with other programs to let them know the Security Accounts Management (SAM) database is ready to process requests. Leave enabled. If disabled, it can cause many problems. | Y | Y | Y | Automatic | Y |
| Security Center | Added in XP SP2; adds a centralized Security Center console to manage Windows Firewall, antivirus software, and a multitude of security services and settings. Can be left enabled, but can be disabled if its features and interface are not needed. | N | Y | N | Automatic | Y |
| Server | All file, print, and named-pipe sharing over the network for this computer. Usually leave enabled, but can be disabled if sharing is not needed. | Y | Y | Y | Automatic | Y |
| Shell Hardware Detection | Provides notifications for AutoPlay hardware events, from CD-ROMs, USB memory devices, digital cameras, etc. Can be disabled to prevent "autoplay" attacks, but this will also prevent "auto-display" events. If you disable it, just remember the side effects. | N | Y | Y | Automatic | Y |
| Smart Card | Allows smart cards to be read by Windows without additional driver support. Disable unless used. | Y | Y | Y | Automatic in W2K3 and XP, Manual in W2K | Y in W2K3 and XP |
| Smart Card Helper | Needed for legacy smart card readers. Disable unless used. | Y | N | N | Manual | N |
| Special Administration Console Helper | Allows administrators to remotely access a command prompt using Emergency Management Services (EMS). Leave enabled unless not needed. | N | N | Y | Manual | N |
| SSDP Discovery Service | Enables discovery of UPnP devices on the local network. Disable unless needed. | N | Y | N | Manual | Y |
| System Event Notification | Monitors system events and notifies subscribers to the COM+ Event System of these events. Leave enabled unless you know you don't have COM+ Event-enabled applications. If disabled, it can cause problems with synchronizing applications and applications that pay attention to whether the computer is offline or online. | Y | Y | Y | Automatic | Y |
| System Restore Service | Performs and allows System Restore events. Leave enabled for backup purposes, but disable when cleaning up malware or to increase system performance. | N | Y | N | Automatic | Y |
| Task Scheduler | Enables the Task Scheduler application. Used by many applications for periodic jobs. Used maliciously in the past, it has been tightened by Microsoft. Leave enabled unless not needed. | Y | Y | Y | Automatic | Y |
| TCP/IP NetBIOS Helper Service | Provides NetBIOS over TCP/IP (NetBT) support, allowing users to share files, print, and log on to the network. Leave enabled (disable only if NetBIOS is not needed, and NetBIOS is still needed often). | Y | Y | Y | Automatic | Y |
| Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections. Disable if not needed. | Y | Y | Y | Manual | N |
| Telnet | Telnet server. Allows remote telnet users to telnet in to a command-line prompt. Disable unless used. | Y | Y | Y | Disabled in W2K3 and XP, Manual in W2K | N |
| Terminal Services | Allows users to connect interactively to a remote computer using many services that use the RDP protocol, including Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server. RDP is commonly used, so leave enabled (can be disabled if not needed). A few exploits have been accomplished using RDP and Terminal Services. | N | Y | Y | Manual | Y |
| Terminal Services Session Directory | Only needed for Terminal Services clustering; otherwise, leave disabled. | N | N | Y | Disabled | N |
| Themes | Allows desktop themes to be activated. Disable if not needed. | N | Y | Y | Disabled in W2K3, Automatic in XP | N |
| Uninterruptible Power Supply | Manages an Uninterruptible Power Supply (UPS) connected to the local computer. Leave enabled unless not needed. | Y | Y | Y | Manual | N |
| Universal Plug and Play Device Host | Provides support to host Universal Plug and Play devices. Has been involved with exploits before. Can be disabled unless needed. | N | Y | N | Manual | N |
| Upload Manager | Per Microsoft, "Manages file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support. If this service stops, Microsoft will not have access to the driver data." Leave enabled at manual. | N | N | Y | Manual | N |
| Utility Manager | Allows accessibility tools to be configured from one window. Can be disabled unless used. | Y | N | N | Manual | N |
| Virtual Disk Service | Provides software volume and hardware volume management service to VDS-enabled storage devices. Disable unless used. | N | N | Y | Manual | N |
| Volume Shadow Copy | Manages Volume Shadow Copies used for backup and user restoration purposes. If this service is stopped, shadow copies will be unavailable. Can be disabled unless used. | N | Y | Y | Manual | N |
| WebClient | Enables Windows-based programs to create, access, and modify WebDAV-based files. Normally not needed, as its functions are covered in Microsoft Office and Internet Explorer. Has been involved in at least one exploit. Disable unless needed. | N | Y | Y | Disabled in W2K3, Automatic in XP | Y in XP |
| Windows Audio | Manages Windows audio devices. If this service is stopped, audio devices will stop working. Enable if needed. | N | Y | Y | Disabled in W2K3, Automatic in XP | Y in XP |
| Windows Firewall/Internet Connection Sharing (ICS) | Needed for Windows Firewall or Internet Connection Sharing. Enable if either of those two features is being used. | N | Y | Y | Automatic | Y |
| Windows Installer | Adds, modifies, and removes applications installed or uninstalled by Windows Installer (*.msi) packages. Also needed for group policy software installs. Can be left enabled at manual. | Y | Y | Y | Manual | N |
| Windows Management Instrumentation | Provides a common interface to WMI objects. Starting to be used heavily in Windows (e.g., RSoP) and other management software. Should be left enabled, although it could be used in an exploit. | Y | Y | Y | Automatic | N |
| Windows Management Instrumentation Driver Extensions | Used by WMI to monitor all driver and event trace providers that are configured to publish Windows Management Instrumentation (WMI) or event trace information. Should be left enabled. | Y | Y | Y | Manual | Y in W2K |
| Windows Time | Used for date and time synchronization on all clients and servers in the network. Required for Kerberos and other time-dependent services. Should be left enabled. | Y | Y | Y | Automatic | Y |
| WinHTTP Web Proxy Auto-Discovery Service | Per Microsoft, "Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a legacy protocol to enable an HTTP client to automatically discover a proxy configuration. If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result." Can be disabled unless needed. | N | N | Y | Manual | N |
| Wireless (Zero) Configuration | Enables automatic configuration for IEEE 802.11 wireless adapters. If this service is stopped, automatic configuration will be unavailable. If enabled, Windows will often attempt to connect to any available wireless network (unless configured otherwise). Should be disabled unless needed. | Y | Y | Y | Automatic in W2K3 and XP, Manual in W2K | Y in W2K3 and XP |
| WMI Performance Adapter | Per Microsoft, "Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated." Can be left enabled on manual. | N | Y | Y | Manual | N |
| Workstation | Creates and maintains client network SMB (file and printer) connections to remote servers. Both local file system requests and remote file or print network requests are routed through the Workstation service. This service determines where the resource is located and then routes the request to the local file system or the networking components. When the Workstation service is stopped, all requests are assumed to be local requests. If disabled, effectively disables file and printer sharing. Has been involved in several exploits, but is usually a necessary part of Windows. Leave enabled in all but high-risk environments. | Y | Y | Y | Automatic | Y |

Note: Many of the services shown as not available in Windows 2000 Pro but available in Windows Server 2003 are available in Windows 2000 Server.

Nondefault Windows Services

Table 7-6 lists commonly installed Windows services that are not usually installed by default, gives recommendations for low-to-medium security environments, and lists the operating systems in which the service is available. Disable any unneeded services in Table 7-6.

Table 7-6

| Name | Description | W2K | XP | W2K3 |
|---|---|---|---|---|
| ASP.NET State Service | Provides support for out-of-process session states for IIS web sites running ASP.NET and using ASP.NET session states. There have been some ongoing concerns regarding ASP.NET. If enabled, opens port 42424. | N | Y | Y |
| Boot Information Negotiation Layer | Used in Remote Installation Services (RIS). | Y | Y | Y |
| Certificate Services | Installed with Certificate Services. Available in NT, 2000, and 2003 server products. | N | N | Y |
| Cluster Services | Installed with Cluster Services. Available in NT, 2000, and 2003 server products. | N | N | Y |
| File Service for Macintosh | Enables Macintosh computers to use NTFS shares. Available in NT, 2000, and 2003 server products. | N | N | Y |
| FTP Publishing Service | Installed as a component of IIS. Although FTP allows plaintext communications, no other known vulnerabilities have been found. Will probably invite a lot of hacker probes. | Y | Y | Y |
| Gateway Services for Netware | Allows access to file and print resources on Netware networks. Can be installed on NT, 2000, and 2003 server products. | N | N | Y |
| IIS Admin Service | Allows administration of IIS. If the service is not running, you will not be able to run Web, FTP, NNTP, or SMTP sites, or configure IIS. | Y | Y | Y |
| IMAPI CD-Burning COM Service | Manages CD recording that uses IMAPI. No known vulnerabilities. | N | Y | Y |
| Infrared Monitoring Service | Used for infrared devices (often found on laptops and PDAs). | N | Y | Y |
| Internet Authentication Service (IAS) | Microsoft's version of the RADIUS authentication server. Can be installed in Windows Server 2000 or 2003. | N | N | Y |
| IP Version 6 Help (6to4) Service | Allows IPv6 traffic to be tunneled over IPv4. | N | Y | Y |
| Machine Debug Manager Service | The Machine Debug Manager, Mdm.exe, is a program installed with the Microsoft Script Editor and other programs (i.e., Visual Studio) to provide support for program debugging. The Microsoft Script Editor is included with Microsoft Office 2000, or can be obtained from the Microsoft Windows Update website. It is needed only for programmer debugging purposes and can almost always be turned off. | N | Y | Y |
| Message Queuing Service; Message Queuing Down Level Clients Service; Message Queuing Triggers Service | Used for developing and implementing messaging applications. Commonly used with SQL applications. | N | N | Y |
| Microsoft Exchange Event; Microsoft Exchange IMAP4; Microsoft Exchange Information Store; Microsoft Exchange Management; Microsoft Exchange MTA Stacks; Microsoft Exchange POP3; Microsoft Exchange Routing Engine; Microsoft Exchange Site Replication Service; Microsoft Exchange System Attendant | Microsoft Exchange Server. Available on all Windows server products. | N | N | Y |
| MSSQL$UDDI Service | Used to find and identify new or available services in a web service application directory service. Most companies using web services aren't using the UDDI service yet, which can be likened to a white-pages directory lookup of web services. As web services mature and become plentiful, it is thought that Internet- and intranet-available UDDI services will be necessary. | N | N | Y |
| MSSQLServerAD Helper Service | Used by SQL services when SQL isn't running in the local system context. | N | N | Y |
| .NET Framework Support Service | Provides the .NET client run-time environment. Only needed when .NET programming exists in your environment. | Y | Y | Y |
| Print Server for Macintosh | Allows Macintosh computers to print to Windows printers. Installed on NT, 2000, and 2003 servers. | N | N | Y |
| Network News Transfer Protocol (NNTP) | Supports NNTP outside of Exchange on Windows 2000 and 2003 servers. | N | N | Y |
| Office Source Engine | Installed with Microsoft Office 2003. | N | Y | Y |
| Remote Storage Notification; Remote Storage Server Services | Used only with Hierarchical Storage Management (HSM) secondary storage solutions. | N | N | Y |
| SAP Agent Service | Used when connecting to Novell networks. | N | N | Y |
| Simple TCP/IP Services | Provides Echo, Discard, Character Generator, Daytime, and Quote of the Day services. | N | N | Y |
| Single Instance Storage Groveler Service | Used only by Remote Installation Services. | N | N | Y |
| Simple Mail Transfer Protocol (SMTP) | Supports SMTP outside of Exchange. | N | Y | Y |
| SNMP and SNMP Trap Services | Provides SNMP functionality. SNMP has been used in some attacks. | Y | Y | Y |
| SQLAgent$* Service | Needed for SQL server applications, such as tape backups. | Y | Y | Y |
| TCP/IP Print Server Service | Allows Unix Line Printer Daemon emulation. | N | N | Y |
| Trivial FTP Daemon Service | Unsecurable FTP server (no user name or password needed). RIS uses it, and all Windows 2000 and later clients have the TFTP client (Tftp.exe) installed by default. | N | N | Y |
| Web Element Manager | Used for web site remote administration. | Y | Y | Y |
| Windows Image Acquisition (WIA) | Optional service added when digital image devices are added. Needed for scanners and cameras. | N | Y | Y |
| Windows Internet Naming Service (WINS) | Used for NetBIOS name to IP address conversion. Installed on Windows Server products. | N | N | Y |
| Windows Media Services | Used by Windows Media Services, a server product for distributing digital content. | N | N | Y |
| Windows User Mode Driver Framework | Installed with Windows Media Player 10. If disabled, prevents synchronization between external player devices and WMP. | N | Y | Y |
| World Wide Web Publishing Service | Used for IIS. | Y | Y | Y |

Note: Many of the services shown as not available in Windows 2000 Pro but available in Windows Server 2003 are available in Windows 2000 Server.

Differences between Windows Platforms

Table 7-7 displays the service differences between a Windows 2003 stand-alone server and a Windows 2003 domain controller.

Table 7-7

| Service Name | Windows Server 2003 Stand-Alone Server | Windows Server 2003 Domain Controller |
|---|---|---|
| Kerberos Key Distribution Center | Not Started, Disabled | Started, Automatic |
| Net Logon | Not Started, Disabled | Started, Automatic |
| Distributed Link Tracking Client | Started, Automatic | Not Started, Manual |
| Distributed Link Tracking Server | Not Started, Disabled | Not Started, Disabled (some Microsoft documents state this service is Started and Automatic on domain controllers) |
| DNS Server | Not installed | Started, Automatic (if the DNS server is installed on the domain controller) |
| File Replication Service | Not Started, Manual | Started, Automatic |
| Intersite Messaging Service | Not Started, Disabled | Started, Automatic |
| Remote Procedure Call (RPC) Locator | Not Started, Manual | Not Started, Manual (some Microsoft documents state this service is Started and Automatic on domain controllers) |

Tables 7-5, 7-6, and 7-7 cover the most common Windows services. If a service is not needed, it should be disabled. Table 7-5 gave recommendations regarding the various services as they would apply in most low-to-medium security environments.
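One way to turn the Table 7-5 recommendations into a repeatable check: the script below is an added example (not the book's own code) that parses a saved listing from `sc query state= all`, compares each service's running state against a small baseline distilled from the table, and emits the `sc.exe` commands an administrator would review before applying. It assumes the DISPLAY_NAME values printed by sc.exe match the table's Name column; the sample listing and its short service names are constructed for the demo.

```python
"""Audit a saved ``sc query state= all`` listing against Table 7-5.

Added example, not from the book: reports services whose running state
contradicts the table's low-to-medium security recommendations.
"""
import re

# Subset of Table 7-5. Keys are DISPLAY_NAME values as printed by sc.exe,
# which match the table's Name column. "disabled" = disable unless needed,
# "running" = keep enabled.
BASELINE = {
    "Alerter": "disabled",
    "Messenger": "disabled",
    "ClipBook": "disabled",
    "Network DDE": "disabled",
    "Telnet": "disabled",
    "Indexing Service": "disabled",
    "Event Log": "running",
    "Windows Time": "running",
    "Net Logon": "running",
    "Cryptographic Services": "running",
}

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(.+?)\s*$")
DISPLAY_RE = re.compile(r"^DISPLAY_NAME:\s*(.+?)\s*$")
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text):
    """Return {service_name: {"display": ..., "state": ...}} from sc query output."""
    services, current = {}, None
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            current = {"display": m.group(1), "state": "UNKNOWN"}
            services[m.group(1)] = current
        elif current is not None and (m := DISPLAY_RE.match(line)):
            current["display"] = m.group(1)
        elif current is not None and (m := STATE_RE.match(line)):
            current["state"] = m.group(1)
    return services


def audit(services, baseline=BASELINE):
    """List (service_name, display_name, problem) where state contradicts the baseline."""
    by_display = {info["display"]: (name, info) for name, info in services.items()}
    findings = []
    for display, want in baseline.items():
        if display not in by_display:
            continue  # not installed on this OS version; Table 7-5 shows availability
        name, info = by_display[display]
        running = info["state"] == "RUNNING"
        if want == "disabled" and running:
            findings.append((name, display, "running; Table 7-5 recommends Disabled"))
        elif want == "running" and not running:
            findings.append((name, display, "stopped; Table 7-5 recommends enabled"))
    return findings


def remediation_commands(findings):
    """sc.exe commands for an administrator to review before running."""
    cmds = []
    for name, _display, problem in findings:
        if problem.startswith("running"):
            cmds += [f"sc stop {name}", f"sc config {name} start= disabled"]
        else:  # sc.exe requires the space after 'start='
            cmds += [f"sc config {name} start= auto", f"sc start {name}"]
    return cmds


# Constructed sample of `sc query state= all` output, not a real capture.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: ClipSrv
DISPLAY_NAME: ClipBook
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""
```

Note that `sc query` reports only the running state; confirm the configured Startup Type with `sc qc <name>` before changing it.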



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
