In Part 1 and Part 2 of this article, I described several services in Windows 2000 that open potential doors to attackers or present Denial of Service (DoS) targets. Here, in Part 3, I'll show you how to use Group Policy to centrally control services on all the computers in your domain. I'll also share some tips about Group Policy security settings that you might want to use to keep your systems secure from network attacks.
You can use a Group Policy Object (GPO) to set the startup mode and ACL for services by defining settings in Computer Configuration, Windows Settings, Security Settings, System Services, as Figure 1 shows. You can configure a service to start automatically with each system boot, or you can set a service to manual startup mode, which waits for the administrator to start the service from the Microsoft Management Console (MMC) Services snap-in. Win2K also starts a service configured for manual startup if another service that depends on it starts. You can view the dependencies for each service in the Services snap-in by double-clicking the service and selecting the Dependencies tab. However, if you disable a service that you decide might be a security risk, Win2K lets you start the service only if you first switch to manual or automatic startup mode.
A service's ACL specifies who can start, stop, and change the service. As with everything in Win2K, you can delegate authority over services to nonadministrators. For instance, you might have a SQL Server operator who needs to start and stop the SQL service on several computers. In Windows NT, you had to make the SQL Server operator a member of the Administrators group. In Win2K, you can grant the operator Start, Stop, and Read access to the SQL Server service in a GPO that you apply to all computers. For each computer with SQL Server, Win2K adjusts the permissions on the service as you’ve configured them.
The first time you edit a newly created GPO and look in Computer Configuration, Windows Settings, Security Settings, System Services, you see a list of services. The startup and permissions columns read "Not defined" for each service. The services listed in the GPO are based on the services you’ve installed on the local workstation where you logged on, so the services listed might vary depending on which computer you log on to when you edit the GPO. This approach might cause problems. For instance, if you are at your workstation trying to create a GPO that disables the Simple TCP/IP Services service and you don't have the Simple TCP/IP Services service installed on your computer, this service won’t appear in the list. The simplest way to add this service is to log on as a domain administrator to a computer running the Simple TCP/IP Services service, edit the GPO, and disable this service . Then, you can close the GPO, log out, go back to your workstation, and edit the GPO from there. When you look under System Services, you should see the new service; however, it might not have the full name that you saw on the other computer. In the case of Simple TCP/IP Services, you will only see SimpleTcp because Group Policy stores only the comparatively short service name. However, when you edit the System Services section of a GPO, Win2K looks at the actual services installed on the local computer (specified in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and tries to translate the service name into the service’s longer display name. If the service isn’t installed, Win2K displays the service’s name as stored in Group Policy.
When you configure either the startup mode or the ACL of a service in Group Policy, you must configure the other as well. In other words, when you configure the startup mode of Simple TCP/IP Services in a GPO, that GPO also modifies the service’s ACL. This interaction is important because the default ACL on services in a GPO grants Full Control to Everyone for the service. If you disable a dangerous service but leave the ACL at its default, you are vulnerable to anyone who starts the service. Therefore, whenever you disable a potentially dangerous service in a GPO, you should also tighten control of the ACL by changing the default service ACL from granting everyone Full Control to granting Administrators and SYSTEM users with Full Control and granting Authenticated Users with Read access only.
Consider the various types of computers in your domain including workstations, file servers, domain controllers (DCs), and other types of servers. As I discussed in Parts 1 and 2 of this series, you typically need to disable different services on each type of computer. To disable these services, you need to create a different GPO for each type of computer and disable the appropriate services in each GPO. You have two options for controlling to which computers you apply each GPO. First, you can use organizational units (OUs) to control how Win2K applies Group Policy. For instance, if you have created a Workstations OU and put all your workstations into it, open Active Directory Users and Computers, select the Group Policy tab from the Workstations OU Properties dialog box, and disable the appropriate services.
You should be aware that some computers aren’t arranged into different OUs according to the type of computer; instead, they might be divided according to geographical or departmental OUs. In this case, you need to use the GPO’s ACL and a Security Group to control which computers receive changes from the GPO. Create a new Security Group in Active Directory Users and Computers called Workstations. Don’t put any users in this group; instead, add all the workstations in the domain as members in this group. Next, right-click the root of the domain and select Properties. Click the Group Policy tab and create a new GPO called "Services Disabled on Workstations," as Figure 2 shows. Edit the GPO, disable the appropriate services, and close the GPO. Back at the OU’s dialog box, select the Group Policy tab from the Workstations OU Properties dialog box you just edited, and click the Properties button to display the Properties dialog box for this GPO. Select the Security tab, and remove the entry that grants Authenticated Users with Read and Apply Group Policy access. Add a new entry to let the Workstations group Read and Apply Group Policy access, as Figure 3 shows. Click OK, and close the Properties dialog boxes for the GPO and domain. Now only computers that are members of the Workstations group will apply the changes in the "Services Disabled on Workstations" GPO, regardless of your domain’s OU structure. The only downside to this method is that you must keep the Workstations group and other groups of computers up-to-date when you install new computers.