Couldn't agree with you more, I too have gone down that long road many, many times before; hence this is why we have been forced to derive a solid backup strategy.
Even this isn't enough to tell if it was a good tweak to make or not. In some cases your system can be left looking as if it's perfectly fine, but there's something you're oblivious to. Like for instance, if you have a 3rd party FW you can disable the Windows Firewall/ICS service with "seemingly" no ill effects. But I've heard from people much smarter than me that you shouldn't disable that no matter what. I forget exactly what they said, but something about possibly glitching out your TCP/IP stack, messing with the NAT sync/communication between your router and your box, and messing around with other things like IPsec configuration (N/A in my case) and other things. So I left that one on even though I'm anal about disabling unneeded stuff, period (not just services). You really need to know the services inside and out, and how they affect you on an individual basis. I feel that reading lists like Black Viper and taking other people's (broad) advice is very irresponsible. This also goes to show even more what you said about backing up (to multiple means), and imaging. And that the latter is by no means a substitute for the former, but a good complement to it.
I use XP SP-2 and always disable anything involving remote access, Messenger, NetMeeting, and I also disable Java and Adobe reader and Flash unless needed.
I personally turned off some services not only (and barely) for security purposes, but also (mainly) for performance. When I was still on 7 I always disabled the NGEN service because it would eat up the CPU. Such a pity it's not listed anymore in the list of services in 8. Annoyingly, WD also can't be disabled via services.msc anymore after the 8.1 upgrade (IIRC it still can be disabled in 8.0).
Operating system hardening/configuration ranks closer to the bottom of the 35 security mitigations listed here in terms of effectiveness. App hardening, however, ranks closer to the top.
On the other hand, the other paper mentioned in that link lists "use of standard, secure system configurations" as one of its "First Five Quick Wins."
Yes, the question remains whether the standard configuration is secure and whether it can't be made even more secure. Since it's made to work for most people, I would say it's not the most secure.
That article seems to be referring to the WFs from Vista on, but it holds true for XP as well. And I'm pretty sure the consequences are even more potentially dire than they mention. I only have 10 (services) running on my box, but WF/ICS is one of them. For that matter there's really no reason to turn the XP FW itself off either, even if you use a 3rd party FW. I've never seen a conflict. But then again I've been using only Comodo for over 5 years now.
I would think that a "security pro" could reap some benefits from it. It's people that don't have advanced knowledge about the services and the implications of disabling them that shouldn't be messing with them. And even the people that do... shouldn't be advocating the approach to other people. That's why I don't like Black Viper. Or telling people to stick with XP, as I'm doing, as generally staying with an unpatched OS is terrible advice. People should do what's best for them but realize it's a case by case basis, not one size fits all. And not get others to follow their example like the Pied Piper.
It started for me on my EMachines with only a 4.3 GB HD to save space originally. Then on XP with 512 MB of RAM to save resources. At that time I wasn't a security buff and that wasn't a reason. But then over time I realized it was helping achieve that end as well. Not to mention I noticed it actually made my machine quieter... the HD & fan(s) not working as hard. Which I can logically assume will extend the life of my hardware as well. It may have something to do with the fact that I've never had hardware failure in my life... ever. And have only owned 4 different generations of computers. The other 3 still work perfectly fine, they're just dated and sitting in the basement. So there are several (good) reasons to tweak, not just one or two. But these reasons are never acknowledged when people speak in condemnation of it.
@luciddream Good analysis in both posts. In many ways, the question is similar to "Can I keep using XP after support ended?" or "Can I stop using an AV?" The best answer I've found to all of those questions is "If you're asking if you can or should, you're probably not ready to do so."
Exactly. In most cases I even just say no, flat out. And I remember when using no real-time AV became vogue in here. It happened for me when I discovered Sandboxie and VT Hash Check... and how the latter could be used in combination with an add-on (Download Statusbar) for Firefox. But I didn't like how people just jumped on the bandwagon when it really wasn't in their best interest in their particular case. And yeah, I remember a lot of people saying: "If you even have to ask, the answer is probably no."... to people asking if they should drop their real-time AVs.
So it seems the consensus is that it is fairly pointless for security reasons unless you run XP, and pointless for performance reasons unless you run a really old computer. In that case I will restore all computers I have worked on to default services, except search indexing, as I have witnessed that service sucking up a lot of resources on computers.
An example of how turning off services can save you from an attack. http://forums.sandboxie.com/phpBB3/...408633f1bd27ed03f9ae4bcf2469&start=15#p102897
I can't view security as a "black or white" issue. That's like saying if I can't secure one window, there's no point in locking any of the doors. Just because you can't close a few ports doesn't mean that it's pointless to close the ones that you can. Security is a matter of degrees: secure against who/what, for how long? The most effective way to prevent an unneeded service from being targeted is to remove it completely. It can't be attacked if it doesn't exist. The next best solution is to disable it, and make sure that updates and other changes to your system don't re-enable it. When that's impossible, block access to it with routers, hardware and software firewalls, eliminating the easy bypasses like UPnP. Each is effective against a different level of adversary. Just blocking access with firewalls will stop most malware. Over the years, Microsoft has made some very stupid decisions regarding the Windows attack surface. I would have thought that Slammer and other Warhol-like worms would have taught them that having open ports exposing unneeded services is a disaster waiting to happen. One only has to look at how many open ports are created by default with Win 7 or 8 to see that the opposite has happened. Then consider that the only thing preventing those open ports from being exposed are routers and modems, most of which are vulnerable and are currently being targeted for exploitation. Regarding performance, on more current hardware, most of the performance gain will be in boot time. There is some improvement to be gained, but for most usage the improvement won't be noticed. Every service uses some processor time and consumes some RAM. Compared to most user apps, what most of these services use is a drop in the bucket. Saving a few hundred kilobytes of RAM means almost nothing when you have several gigabytes available. That said, current operating systems have dozens of these services.
Combined, they use more than a few hundred kilobytes and do consume some of your processor time. It just goes unnoticed on new hardware with multiple processors and nearly unlimited RAM. Their combined load is one of the reasons that new operating systems often run poorly on older hardware. Even on newer hardware, if you're running heavy loads such as multiple virtual systems, eliminating excess services can be the difference between the work all running in memory or being moved to the swap file. Here the performance difference will be noticed. I apologize for some of my "old school" views regarding RAM, load and performance. I've spent too many years using equipment where disk space, resources, and RAM were limited and expensive, where performance was more a question of what you could get out of that limited hardware. It's deeply ingrained in me that performance equals efficiency, making the maximum use of what you have. AFAIC, the OS should consume as little of all of these as possible so that they're available to the user's applications. By comparison, today's operating systems and software consume 10 times as much or more of everything than the older versions did just to accomplish the same tasks. It makes me wonder what new hardware could really do if the operating systems and applications were coded to be efficient like they used to be. Sorry for the rant.
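The post above argues for knowing which services actually expose an open port before deciding whether to remove, disable or firewall them. The following audit script is an added example, not code from anyone in this thread; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and the NetSecurity cmdlets) and an elevated PowerShell prompt.

```powershell
# Added audit example (not from any poster in this thread).
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
# Maps every listening TCP port to its owning process and, where that process is a
# service host, to the Windows services it hosts, then counts the enabled inbound
# firewall rules that allow each network-exposed port.

# Build a PID -> service name(s) lookup (svchost.exe processes host several services).
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
    $servicesByPid[$_.ProcessId] += $_.Name
}

$exposed = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $svc  = $servicesByPid[[uint32]$_.OwningProcess]
    [pscustomobject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
        Services      = if ($svc) { $svc -join ',' } else { '-' }
        # 0.0.0.0 / :: = bound on all interfaces, reachable from the network unless
        # a firewall rule blocks it; 127.0.0.1 / ::1 = loopback only.
        AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
    }
}

$exposed | Sort-Object LocalPort | Format-Table -AutoSize

# For each network-exposed port, count enabled inbound Allow rules that open it by port.
# Rules that match by program or service instead of port, and port ranges, are not resolved.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
foreach ($e in ($exposed | Where-Object AllInterfaces)) {
    $portRules = $allowRules | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$($e.LocalPort)") }
    "Port $($e.LocalPort) ($($e.Services)): $(@($portRules).Count) allowing inbound rule(s)"
}
```

Re-running the script after a Windows update is a quick way to confirm that a service you disabled has not been re-enabled and started listening again, which is the "make sure updates don't re-enable it" step above.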
I followed the Blackviper recommendations for XP, years ago. They seem to have been fine, on my system.
Used BlackViper's guides for XP, Vista & Win 7. Not so much with Win 8.1, as a lot of the services only run when needed, but will probably use the guides at a later date. Never had any issues disabling services as I know what is needed, and do agree that it can secure a PC even more than the default service states.