Services: which ones to disable to increase security?

Discussion in 'other software & services' started by jo3blac1, Feb 20, 2013.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,988
    For all practical purposes, no, not really....
     
  2. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Well good to know. I am now only gonna be disabling services which are automatic started as these are the only ones which can affect my CPU. Im gonna leave all the manual ones on.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,988
    It's been a while since I looked into it, but I think Win 7 does a much better job handling services than XP did. I think 7 actually shuts down services that aren't needed on it's own to some extent. If you start setting automatic services to disabled, watch out for dependencies and I'd try it one at a time with some time off in between to make sure you're not causing problems. Keep track of what you're doing so you can reverse it if something suddenly breaks, etc.. Good luck..

    Edit: I don't think you will save much cpu by disabling them either.. you might pick up a little RAM, but that's about it.
     
    Last edited: Feb 21, 2013
  4. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Significantly? Not at the moment (if you keep your Windows updated).

    If some easily exploitable vulnerability of some default service of supported Windows versions gets discovered and exploited in the wild before a patch is available, you will certainly read in the media or in forums like this about workarounds that may involve the deactivation of the service in question until a patch is available.

    Until this hypothetical moment, it makes little sense to suffer in anticipation - if you need the services, don't disable them.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Oh my, I had a good laugh at this comment. :thumb: Reminded me of so many times gone by.

    Isn't that what us good security geeks have been doing for years now, anticipating?

    Proactive rather than reactive ;)

    If not, then why bother with any of this until you get hit?

    Sul.
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Last edited: Feb 21, 2013
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Just an observation for the thread.

    I shut down services I don't need for many reasons other than security,

    Performance reasons are the main ones. For those who think it doesn't gain anything try it first.

    1) I don't need the W32Time service sending packets out to the weather site or M$ site to get the time of day. My PC knows the time thanks very much.

    2) I don't need DNS service as my router does that this speeds up surfing

    3) I'm not a server site so all services needed to be a server can be shut off.

    4) I turn on the windows update 1 day prior to patch tuesday. I don't need to ask MS minute by miknute have you got a hot update for me now ?

    5) Indexing is another candidate.

    That is enough for now.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,155
    Location:
    Slovakia
    Well, about 50% windows updates fixes problems with windows services and one of the Microsoft workarounds it to disable them till the fix is issued, so disabling = prevention.
    I was running 7 altered with nLite without windows updates allowed for years, no AV and no firewall, and there were only 2-3 really needed, fixing TCP security problems.

    I have disabled those services in 8, note that disabling some will also disable dependable services, like Network Store Interface Service will also disable those 5, all needed for setting up network settings, but since you do not change it every day, no problem and if you need it, you will only need to start that one service, all others will start then as well. But every computer is different and especially every user needs, so you need to find out yours. Some internet connections might not work or cause problems with DHCP disabled. Also before you disable DNS Client, you need to set up DNS manually. Windows Connection Manager can be disabled as well, but it needs to be enabled for WLAN AutoConfig (wifi). One of the issues in 8 is, that 8 needs DHCP enabled in order to run Windows updates, very silly indeed, without it it assumes, that there is no internet. o_O
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for that one! Wow if users ever needed proof the M$ doesn't learn squat from one generation of workers to the next and about arrogant as*-up-tions this is it.

    They are assuming that the whole world is on a router. :thumbd:


    I think we all should be but they should know better
     
  10. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Alright. So I decided to keep all manual services without any changes. Since I got plenty of RAM and I don't care about extra .5gb being used. As for the Automatic services, I have disabled the following:

    AMD external events utility - hotkeys, not needed...
    Conexant Audio message service -?? audio works fine without this service
    Conexant SmartAudio service - ?? audio works fine without this service
    Offline files - i don't use this
    Server - I don't have a printer and I don't share files over the network
    Shell Hardware Detection - I don't use Autorun
    Windows Image Aquasition - I get images from cameras manually...
    TCP/IP NetBios - my wireless works fine without this
    Windows Presentation Foundation Font Cache - only few applications use this...
    Portable Device Enumerator Service - don't have any portable devices attached
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Right. Because if Windows had to patch it in the past because it was vulnerable, who's to say that couldn't happen again? So people saying patches have fixed these problems over time, I'd say isn't accurately portraying the situation. It could be only a matter of the next patch Tue. until they we find there's another vulnerability in it that needs patched. So if I don't need it, I'm turning it off, period.

    People saying you experience little to not performance gain... I have first hand experience that shows me to the contrary. If you just disable a few, probably not. If you comb through them like I do where it's to the point you only leave a few running, with a low-mid spec machine, you will notice quite a difference. Add a bunch more hardening/slimming tweaks into the equation, and you notice even more. By the time I'm done my box is 3 times more responsive than it was after a fresh Windows install. And more secure.

    Add to the reasons a quieter box. If your working parts (namely HD) aren't working as hard, they're not as noisy. It makes for a cooler box as well, which increases your hardware life. So theres 3 other good reasons to do it even if you don't think you'll have any performance gain because you have high end specs: security, noise, hardware life.

    No reason to do it? I think there is no reason NOT to do it, provided you know what you're doing.
     
  12. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Depends what kind of "box" you are running. I got an old Windows XP laptop on which I have 256mb ram. I disable almost all services and yeah I do get HUGE performance boost. On my newer computer I have 6GB of ram and since manual services don't use I/O or CPU, there is no reason for me to disable them. However the automatic services are another story, that's why I disabled those that I don't use.
    So as you see, the HUGE boost depends what you run. Most newer systems have at least 6GB or 8GB ram and so ram is no longer any kind of bottleneck as it used to be few years ago.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,155
    Location:
    Slovakia
    Well 95% people do not have a gaming computer, usually notebooks. And overall performance is not just about a few MB of RAM, is about system responsiveness. Running with AV or default services might not affect games and other software, but while working in Windows, you can literally feel the difference sometimes. But I like to work fast. :)
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Excellent! Agree 100%!

    Key phrase is
    The only adon I would make is do them one by one one a day and ensure you take regular backup images as you go in case you "scr.. up"
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Personally when I started with services I just wrote them all down in thier default states.

    Then I read up on the services using Black Vipers guides.

    Then I read up on what services were, how you control them and what to expect in a general sense when a needed one is not running.

    Then I disabled any service I thought I might not need, but made sure to leave the ones enabled that were known to be vital.

    The system broke.

    It was easy then as I turned them back on to see what I needed. They even tell you other services are required for a given service to run, so you get to know dependencies at the same time.

    Thats how I did it in XP, and in win7 I did the same thing. Didn't take long to understand what services I needed running. Maybe a couple hours total.

    While this doesn't give you an in-depth understanding of EXACTLY what a service does, it will give you a great understanding of controlling your services, knowing how to manage them. And once you get over the fear of services, they become just another application you set to auto-start or not.

    The fear of them is based on not understanding IMO. They evoke some pretty strong taboo/voodoo feelings in people, much like the registry. Personally I think the registry is a thousand more times fragile and scary than the services...

    Sul.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I simply disable any service I don't need. Anything can be exploited.

    Print spooler has been exploited multiple times, and by stuxnet. Wouldn't have run on my system - I don't print, and I disabled the service.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Any service that uses or listens for incoming connections (opens ports) can potentially be exploited. Remote registry definitely qualifies. Relying on a firewall to block access to open ports is IMO a bandaid approach. You don't leave your house door open, put a small fence in front of it, and call that safe. The simplest approach is the best. If you don't need/use it, shut it off. If you don't need or want incoming connections, don't just barricade it with a firewall. Close the door. A UPnP exploit for instance can make a firewall meaningless.

    Just because there's no known exploit in the wild for a given service doesn't mean it's secure. There's been several instances of Windows services being exploited by vulnerabilities that were previously unknown. Services that are disabled (or removed) can't be exploited via previously unknown vulnerabilities. Reducing your exposed attack surface is one of the best proactive things you can do to protect your system.
     
  18. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    svchost connections.Can they be blocked altogether.?
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Svchost is involved in a wide range of services, several of which are necessary on most systems. DHCP relies on svchost,as does the DNS service. Most of these services use specific ports. You can block specific services by blocking the specific ports each uses. Others like DHCP can't be blocked without manually assigning static IPs to each device on the network. You need to look at each service individually. Depending on your needs and your local network, it might be possible to completely block svchost, but not without making changes to your system and network configuration.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, yes and YES!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.