You often hear that for security reasons, you should run the least level of functionality to get the job done. For example, if a computer has 15 applications running and only 10 are required, you shut down the 5 applications that aren't required. The reasoning is simple—if the service isn't running, it's not a source of vulnerability.
On Windows 2000 and Windows NT servers, one crucial area of functionality is services. However, you can run your system successfully without several services. For example, you probably rarely use either the Alerter service or the Network Dynamic Data Exchange (NetDDE) service. (For a list of unnecessary and potentially dangerous services, see "Related Reading," page 16.)
So, how do you make sure that you run a minimal set of services on your computers? In Win2K, the easiest way is to use group policy. However, if you run NT 4.0 servers or Win2K servers that don't use Active Directory (AD), you can't use group policy and must find another way. Enter script! Luckily, you can administer NT services remotely. As long as you're a member of the Local Administrators group, you can do almost anything to a service, including start, stop, pause, resume, and interrogate its service status. The Windows Net command—which lets you start, stop, pause, and continue services—doesn't let you define a remote computer name, which rules out using Windows batch commands to manipulate multiple servers.
My favorite way to programmatically administer servers is to use the Win32 additions to the Perl programming language. ActiveState Perl includes the Win32::Service module, which lets you control system services.
The code in Listing 1 shows you how to list a series of servers (the @servers variable) and the services (the @services variable) that you want to stop on those servers. If you want to work further with the Win32::Service module, pay special attention to the last argument of the Win32::Service::GetStatus function. The documentation, which is poor, states, "The third argument must be a hash reference that will be populated with entries corresponding to the SERVICE_STATUS structure of the Win32 API. See the Win32 Platform SDK documentation for details of this structure." To save you some anguish, Web-exclusive Table 1 lists the valid values for the hash with comments about their usefulness. The code in Web-exclusive Listing 1 shows you how to dump these details for any service—in this case, the Microsoft Indexing Service, cisvc.
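As an added example (not the article's Listing 1 or the Web-exclusive listings), the following Perl script uses the Win32::Service module in the way the text describes: it walks @servers and @services, checks each service's status, stops it, and, because StopService returns as soon as the control is sent, polls GetStatus until CurrentState reads STOPPED so you have a verified result to log. The server and service names are constructed placeholders; the numeric CurrentState values and the SERVICE_ACCEPT_STOP bit come from the Win32 SERVICE_STATUS structure.

```perl
#!/usr/bin/perl
# Stop a list of nonessential services on a list of servers and confirm
# that each one actually reached the STOPPED state before moving on.
use strict;
use warnings;
use Win32;
use Win32::Service;

# Constructed placeholders: plain computer names ("" means the local host)
# and the short service names, not the display names from the Services applet.
my @servers   = ('exair', 'exair2');
my @services  = ('Alerter', 'NetDDE', 'Messenger');
my $WAIT_SECS = 30;

# CurrentState values of the Win32 SERVICE_STATUS structure.
my %state_name = (
    1 => 'STOPPED', 2 => 'START_PENDING', 3 => 'STOP_PENDING', 4 => 'RUNNING',
    5 => 'CONTINUE_PENDING', 6 => 'PAUSE_PENDING', 7 => 'PAUSED',
);
my $SERVICE_ACCEPT_STOP = 0x01;   # bit in the ControlsAccepted field

sub last_error {
    my $msg = Win32::FormatMessage(Win32::GetLastError()) || 'unknown error';
    $msg =~ s/\s+$//;
    return $msg;
}

# Stop one service on one host; returns a one-line result for the audit log.
sub stop_and_verify {
    my ($host, $svc) = @_;
    my %status;
    Win32::Service::GetStatus($host, $svc, \%status)
        or return "$host/$svc: cannot query status (" . last_error() . ")";
    my $before = $state_name{ $status{CurrentState} } || $status{CurrentState};
    return "$host/$svc: already STOPPED" if $status{CurrentState} == 1;
    return "$host/$svc: $before but does not accept STOP; change its start type instead"
        unless $status{ControlsAccepted} & $SERVICE_ACCEPT_STOP;
    Win32::Service::StopService($host, $svc)
        or return "$host/$svc: stop request failed (" . last_error() . ")";
    # StopService returns once the control is sent; poll until the service
    # reports STOPPED or the wait budget runs out.
    for (1 .. $WAIT_SECS) {
        sleep 1;
        Win32::Service::GetStatus($host, $svc, \%status) or last;
        return "$host/$svc: $before -> STOPPED" if $status{CurrentState} == 1;
    }
    return "$host/$svc: $before -> still "
         . ($state_name{ $status{CurrentState} } || 'unknown') . " after ${WAIT_SECS}s";
}

for my $host (@servers) {
    print stop_and_verify($host, $_), "\n" for @services;
}
```

Stopping a service does not change its start type, and Win32::Service offers no call to do so, which is why the article's advice to rerun the script regularly matters: an automatic-start service comes back at the next reboot.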
Windows Management Instrumentation (WMI) is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. In the WMI namespace, you find the Win32_Service object, which lets you perform all the usual service-related work that I describe and more. The "Rosetta stone" scripts in Web-exclusive Listing 2 and Web-exclusive Listing 3 show you how to use Perl and VBScript, respectively, to stop the Schedule service on a server named \\exair. In both code examples, you can change the reference to exair in the wmi string to list another machine's name, and you can change the Name reference in the qry variable to the name of the service you want to stop.
I've discussed methods you can use to stop nonessential services from running on your servers—thereby reducing your services' "attack profile." Remember, the less nonessential software you run, the less chance you have that your system will be compromised. Don't just run these scripts once—run them regularly in case someone accidentally restarts a service on your system.
Related Articles in Previous Issues
You can obtain the following articles from the Windows IT Security Web site at http://www.WindowsITsecurity.com.
Randy Franklin Smith
"Dangerous Services, Part 3," January 2001, InstantDoc ID 16476
"Dangerous Services, Part 2," December 2000, InstantDoc ID 16363
"Dangerous Services, Part 1," December 2000, InstantDoc ID 16301