You want to disable or remove anything that you don't explicitly need or use on a frequent basis on your system. The fewer things you have installed or active, the fewer potential vulnerabilities you have.
There is no one-size-fits-all rule for the accounts and services you should disable. It really depends on how you use your systems and what you use on them. As far as local accounts go, you should really only have a few on your system. The administrator and guest accounts are standard, and you may also have built-in accounts for IIS or other applications. In the case of administrator and guest, you can't actually delete those accounts, but you can disable them. If nothing else, you should consider renaming them so that they aren't easy targets for attack (see Recipe 17.3 for more on this).
For services, you should review the services that are actively running and determine which ones you can safely disable. Again, there are no hard-and-fast rules here. Review the purpose of each service and determine whether it needs to be running. For example, if you aren't running any scheduled jobs and don't plan to do so, you don't really need the Task Scheduler service to run. Configure its startup type to Disabled. For some of the other services about which you aren't sure, don't just start disabling them on production systems. Test changes on a test system first.
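The review described above can be scripted. The following is an added example, not part of the original recipe: it lists the enabled local accounts and the automatically starting services for review, then shows a dry run of disabling Task Scheduler. It assumes PowerShell 5.1 or later with the LocalAccounts module and an elevated session; the function name Disable-ReviewedService and the file name services-baseline.csv are hypothetical.

```powershell
# Added example: inventory for review, then a dry-run disable.
# Run elevated, and on a test system before any production server.

# 1. Local accounts that are still enabled. Oldest logon first, so
#    accounts that nobody uses float to the top of the list.
Get-LocalUser |
    Where-Object Enabled |
    Sort-Object LastLogon |
    Format-Table Name, LastLogon, PasswordLastSet, Description -AutoSize

# 2. Services configured to start automatically, with the account each
#    one runs as and its current state.
$autoServices = Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" |
    Select-Object Name, DisplayName, State, StartName, PathName |
    Sort-Object StartName, Name
$autoServices | Format-Table Name, DisplayName, State, StartName -AutoSize

# Keep a baseline so the next review can be diffed against this one.
# (services-baseline.csv is a constructed file name.)
$autoServices | Export-Csv -Path .\services-baseline.csv -NoTypeInformation

# 3. Disable a service only after it has been reviewed.
#    Disable-ReviewedService is a hypothetical helper, not a built-in cmdlet.
function Disable-ReviewedService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($svcName in $Name) {
        # Refuse to touch a service that other running services depend on.
        $dependents = Get-Service -Name $svcName -DependentServices |
            Where-Object Status -eq 'Running'
        if ($dependents) {
            Write-Warning "$svcName has running dependents: $($dependents.Name -join ', '); skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($svcName, 'Stop and set startup type to Disabled')) {
            Stop-Service -Name $svcName -ErrorAction Stop
            Set-Service -Name $svcName -StartupType Disabled
        }
    }
}

# 'Schedule' is the service name of Task Scheduler, the example used above.
# -WhatIf reports what would change without changing anything.
Disable-ReviewedService -Name 'Schedule' -WhatIf
```

Remove -WhatIf only after the change has been verified on a test system.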
Lastly, you'll want to make sure that all of the software that is installed on your systems is truly needed. Fortunately, Microsoft takes care of providing security updates for the default services that are installed on a system, but it is up to each application vendor to provide you with updates to their software when vulnerabilities are found. Don't forget about those.
Recipe 17.3 for more on renaming accounts