Questions for the PROS concerning securing SVCHOST.EXE

Hello,

I am posting this thread in hopes of asking some questions that I hope are well thought out and understandable about SVCHOST.EXE and what it is used for and what can be done about securing certain ports within Windows XP. I have done alot of searching and found many threads about how to secure ports within your firewall rules as well as what SVCHOST.EXE does and why it should be secured in certain instances. I hope my questions are intelligent and understandable. If I am incorrect in any of my questions/ideas/or understanding please feel free to let me know.... NICELY as I am trying to learn how to make informed decisions about my machines and thier security.

#1) DNS Client Service. This service in Windows XP does the lookups for your particular DNS servers to access the net.
Question: If your are behind a router/firewall on a Dynamic IP (Cable/DSL) does DNS Client Service need to be enabled?
I would also ask this question concerning DHCP.

#2) SSDP.( Simple Service Discovery protocall) This service is used to to discover UPnP devices on the network such as (printers).
Question: Does this service use port 1900 strictly? Could I create a rule for SSDP and limit it to my IP's only to secure it from the net?

Sample Rule: Allow( SSDP Local Lan) UDP (both directions) local single port (1900) remote port (1900) my IP's/networkmask
Sample Rule: Deny All Other SSDP (both Directions) Any/Any

Would this above sample rule insure security for my SSDP Service?

#3) UPnP (Universial Plug and Play) This service if I am correct is a TCP connect only and uses port 5000 and can a rule be defined as it is above for SSDP?

Sample Rule: (Allow UPnP Local Lan) TCP (both directions) local single port (5000) remote port (5000) limit to my IP's/Network mask
Sample Rule: (Deny All Other UPnP) both directions Any/Any

#4) RPC/DCOM: This service I am not sure of yet I have to do more investigation on it as of now I have a rule, WINDOWS SERVICES BLOCK for ports 135, 445, 500 Deny All both directions.

These are my questions/theories concerning these services and keeping them from broadcasting out over the internet. I know there are a few others such as Time Sync and Allow Help Web Access. I will need to do a bit more research on these two services and how to approach them. I hope I have been somewhat knowledgable and understanable. Thanks in advance for your time and patience.

Regards,
~FIREDANCER~

 

Behind a router, or not, most can probably disable this service with no ill effect. It can also be used safely, so from a security point of view, there is no need to disable it.

Unless you have configured your LAN systems with static IP's, you will need this service. This service will be used to obtain IP's from the router.

Will leave these two together as they go hand in hand. Before you get too carried away with rules, do you use/require UPnP? If not, you could disable the SSDP service and not worry about it. If you do have applications using it, you will likely require rules allowing more that just LAN access.

Providing your rules accommodate any required LAN traffic, these rules are OK. Your router will also be protecting the LAN systems from unsolicited inbound traffic.

Regards,

CrazyM

 

FireDancer, those are good questions. You should probably read through parts of the following Microsoft Knowledge Base Article: 832017 - Port Requirements for the Microsoft Windows Server System. It should answer most of your questions.

As you likely have already discovered, svchost.exe is just a small "wrapper" for system services. It is a convenient way for Microsoft to place the various services in either the same or differing process space as they see fit. Placing services in the same process can be convenient and efficient, but separating services can lead to higher security and reliability. Thus, your typical WinXP system will likely have four different svchost.exe processes running. DNS Client will be in one, RPC will be in another, the WebDAV Client & TCP/IP NetBIOS Helper in a third, and basically everything else in a fourth. They break them out so that they can assign them differing process "ownership" for security reasons, among several other reasons. On an XP system, the easiest way to see what services are running in a given "svchost.exe" process is to use the following command line command: "tasklist /svc". You can also use the excellent Process Explorer utility from Sysinternals.

1) DNS Client. Pretty much all systems will want to leave this enabled, and - yes - you will need to leave it enabled even behind a router on a Dynamic IP. DNS converts human-readable URL's into the actual IP addresses (ie, www.microsoft.com --> 207.46.144.188, for example). The "real" service name for the DNS Client is "Dnscache", and as that name implies it caches these name-to-IP lookups for future reference. It also performs what is called "negative caching". Negative caching basically is a representation of the fact that a prior name lookup resulted in no valid IP mapping, so don't bother trying again. Pretty much all web clients will need this functionality and dynamic IP's / DHCP have no bearing on this (those protocols affect YOUR IP mapping NOT the mapping of valid, widely-known, public IP names like yahoo.com, google.com, microsoft.com, etc.) The Dnscache service uses TCP 53.

2 & 3) SSDP/UPnP. I recommend that most people disable these services. I have found that UPnP isn't really all that important right now. Of course the goal is to have network-pluggable hardware devices that announce and configure themselves on an automated basis. Almost all such hardware has, of course, a manual detection and setup process as well... and I'm just far more comfortable with manual hardware configuration. There have been a few UPNP exploits already, and I just really don't like the idea (at this point) of network hardware automatically setting itself up and talking to my PCs "behind my back". My prior link states that SSDP uses UDP 1900 and TCP 2869, with TCP 5000 being a legacy useage; UPnP uses TCP 2869 according to that link (but I also have seen referrences to UPnP using TCP 5000, so I'm not sure if that is confusion between the actual SSDP & UPnP protocols or if it is some legacy useage on UPnP as well).

4) RPC. Whew! That's a biggie. RPC, as you probably know, stands for Remote Procedure Call. There is an international, vendor-neutral consortium called the "Open Group" (I believe used to be called the Open Software Foundation, or OSF). Quite a few years back, these guys came up with something called the Distributed Computing Environment in which they first outlined RPC. RPC is meant to be a way for one computer to invoke (or "call") executable routines (or "procedures") on a remote computer. So, there is this "standard", but apparently vendors have sort of tweaked and interpreted RPC in their own ways. So often you will hear of Microsoft RPC, or MSRPC, and Sun RPC, etc. Unix/Linux systems do make use of RPC as the underpinning of protocols like NFS. Microsoft uses RPC in tons of places, everything from DCOM (as you noted) to the print spooler, Kerberos key distribution, terminal services, windows management instrumention (WMI), etc., etc.

You cannot disable RPC on a current Windows OS. The Services MMC applet won't let you, and even if you could figure out the registry settings to disable it... it is my understanding that the OS wouldn't complete the loading process. You basically have to have RPC on an current LAN. But, as you noted, you should definitely block RPC ports from access from the internet.

Hope this helps...

 

Svchost is a real problem in Windows XP. Some network access is critical, others are optional and some (RPC/DCOM in particular) should be blocked due to their widespread abuse by worms and other malware.

In addition to the items listed previously, svchost also handles DHCP (Dynamic Host Configuration Protocol - used to obtain a lease of an IP address and critical if you use a LAN connection without a static address), time synchronisation and Windows Help web access on an XP system.

Rather than go into details on suggested rules here, I'd just like to point you at the Outpost forum FAQ A Guide to Producing a Secure Configuration for Outpost - section E2 has extensive recommendations for svchost and while this is written for Outpost, it should be applicable to any other rules-based firewall. Hope that helps.

 

Thank you all for your replys, please excuse me replying so late as I have been very Ill for the past 4-5 days. All of your info and links have been very helpfull and informitive. I belive with the information/advise you have givin me I will be able to make some very informed decisions as to how better control SVCHOST.EXE within my network. Thanks again all for your replys I will post back if i have more question, as always the PROS at Wilders have done another great job!!!! Keep it up.

Very best regards,
~FIREDANCER~

 

Thanks so much for the info.
I tried to disable this service but I dont see any entry of it in "MMC". I temporarily blocked it blocking it from running by PG "exe protection"
Any help, thanks.

 

That's right. One time, because as a tester I couldn't not to test, I just disabled it. After a reboot, I had the login screen, but after to have enter my login/password, explorer took a while to load, and when loaded, the system was completly unstable and sometimes unresponsive, the color scheme wasn't applied, and Windows was definitly acting strangely

Do not do the test unless you know how to revert back your modification

regards,

gkweb.