Services: which ones to disable to increase security?

For all practical purposes, no, not really....

 

Well good to know. I am now only gonna be disabling services which are automatic started as these are the only ones which can affect my CPU. Im gonna leave all the manual ones on.

 

It's been a while since I looked into it, but I think Win 7 does a much better job handling services than XP did. I think 7 actually shuts down services that aren't needed on it's own to some extent. If you start setting automatic services to disabled, watch out for dependencies and I'd try it one at a time with some time off in between to make sure you're not causing problems. Keep track of what you're doing so you can reverse it if something suddenly breaks, etc.. Good luck..

Edit: I don't think you will save much cpu by disabling them either.. you might pick up a little RAM, but that's about it.

 

Significantly? Not at the moment (if you keep your Windows updated).

If some easily exploitable vulnerability of some default service of supported Windows versions gets discovered and exploited in the wild before a patch is available, you will certainly read in the media or in forums like this about workarounds that may involve the deactivation of the service in question until a patch is available.

Until this hypothetical moment, it makes little sense to suffer in anticipation - if you need the services, don't disable them.

 

Oh my, I had a good laugh at this comment. Reminded me of so many times gone by.

Isn't that what us good security geeks have been doing for years now, anticipating?

Proactive rather than reactive

If not, then why bother with any of this until you get hit?

Sul.

 

I was waiting for someone to come along and cite the BV List.

Both dangerous if you don't know the consequences of messing with your Windows Services and somewhat alarmist as well.

 

Just an observation for the thread.

I shut down services I don't need for many reasons other than security,

Performance reasons are the main ones. For those who think it doesn't gain anything try it first.

1) I don't need the W32Time service sending packets out to the weather site or M$ site to get the time of day. My PC knows the time thanks very much.

2) I don't need DNS service as my router does that this speeds up surfing

3) I'm not a server site so all services needed to be a server can be shut off.

4) I turn on the windows update 1 day prior to patch tuesday. I don't need to ask MS minute by miknute have you got a hot update for me now ?

5) Indexing is another candidate.

That is enough for now.

 

Well, about 50% windows updates fixes problems with windows services and one of the Microsoft workarounds it to disable them till the fix is issued, so disabling = prevention.
I was running 7 altered with nLite without windows updates allowed for years, no AV and no firewall, and there were only 2-3 really needed, fixing TCP security problems.

I have disabled those services in 8, note that disabling some will also disable dependable services, like Network Store Interface Service will also disable those 5, all needed for setting up network settings, but since you do not change it every day, no problem and if you need it, you will only need to start that one service, all others will start then as well. But every computer is different and especially every user needs, so you need to find out yours. Some internet connections might not work or cause problems with DHCP disabled. Also before you disable DNS Client, you need to set up DNS manually. Windows Connection Manager can be disabled as well, but it needs to be enabled for WLAN AutoConfig (wifi). One of the issues in 8 is, that 8 needs DHCP enabled in order to run Windows updates, very silly indeed, without it it assumes, that there is no internet.

 

Thanks for that one! Wow if users ever needed proof the M$ doesn't learn squat from one generation of workers to the next and about arrogant as*-up-tions this is it.

They are assuming that the whole world is on a router.


I think we all should be but they should know better

 

Alright. So I decided to keep all manual services without any changes. Since I got plenty of RAM and I don't care about extra .5gb being used. As for the Automatic services, I have disabled the following:

AMD external events utility - hotkeys, not needed...
Conexant Audio message service -?? audio works fine without this service
Conexant SmartAudio service - ?? audio works fine without this service
Offline files - i don't use this
Server - I don't have a printer and I don't share files over the network
Shell Hardware Detection - I don't use Autorun
Windows Image Aquasition - I get images from cameras manually...
TCP/IP NetBios - my wireless works fine without this
Windows Presentation Foundation Font Cache - only few applications use this...
Portable Device Enumerator Service - don't have any portable devices attached

 

Right. Because if Windows had to patch it in the past because it was vulnerable, who's to say that couldn't happen again? So people saying patches have fixed these problems over time, I'd say isn't accurately portraying the situation. It could be only a matter of the next patch Tue. until they we find there's another vulnerability in it that needs patched. So if I don't need it, I'm turning it off, period.

People saying you experience little to not performance gain... I have first hand experience that shows me to the contrary. If you just disable a few, probably not. If you comb through them like I do where it's to the point you only leave a few running, with a low-mid spec machine, you will notice quite a difference. Add a bunch more hardening/slimming tweaks into the equation, and you notice even more. By the time I'm done my box is 3 times more responsive than it was after a fresh Windows install. And more secure.

Add to the reasons a quieter box. If your working parts (namely HD) aren't working as hard, they're not as noisy. It makes for a cooler box as well, which increases your hardware life. So theres 3 other good reasons to do it even if you don't think you'll have any performance gain because you have high end specs: security, noise, hardware life.

No reason to do it? I think there is no reason NOT to do it, provided you know what you're doing.

 

Depends what kind of "box" you are running. I got an old Windows XP laptop on which I have 256mb ram. I disable almost all services and yeah I do get HUGE performance boost. On my newer computer I have 6GB of ram and since manual services don't use I/O or CPU, there is no reason for me to disable them. However the automatic services are another story, that's why I disabled those that I don't use.
So as you see, the HUGE boost depends what you run. Most newer systems have at least 6GB or 8GB ram and so ram is no longer any kind of bottleneck as it used to be few years ago.

 

Well 95% people do not have a gaming computer, usually notebooks. And overall performance is not just about a few MB of RAM, is about system responsiveness. Running with AV or default services might not affect games and other software, but while working in Windows, you can literally feel the difference sometimes. But I like to work fast.

 

Excellent! Agree 100%!

Key phrase is

The only adon I would make is do them one by one one a day and ensure you take regular backup images as you go in case you "scr.. up"

 

Personally when I started with services I just wrote them all down in thier default states.

Then I read up on the services using Black Vipers guides.

Then I read up on what services were, how you control them and what to expect in a general sense when a needed one is not running.

Then I disabled any service I thought I might not need, but made sure to leave the ones enabled that were known to be vital.

The system broke.

It was easy then as I turned them back on to see what I needed. They even tell you other services are required for a given service to run, so you get to know dependencies at the same time.

Thats how I did it in XP, and in win7 I did the same thing. Didn't take long to understand what services I needed running. Maybe a couple hours total.

While this doesn't give you an in-depth understanding of EXACTLY what a service does, it will give you a great understanding of controlling your services, knowing how to manage them. And once you get over the fear of services, they become just another application you set to auto-start or not.

The fear of them is based on not understanding IMO. They evoke some pretty strong taboo/voodoo feelings in people, much like the registry. Personally I think the registry is a thousand more times fragile and scary than the services...

Sul.

 

I simply disable any service I don't need. Anything can be exploited.

Print spooler has been exploited multiple times, and by stuxnet. Wouldn't have run on my system - I don't print, and I disabled the service.

 

Any service that uses or listens for incoming connections (opens ports) can potentially be exploited. Remote registry definitely qualifies. Relying on a firewall to block access to open ports is IMO a bandaid approach. You don't leave your house door open, put a small fence in front of it, and call that safe. The simplest approach is the best. If you don't need/use it, shut it off. If you don't need or want incoming connections, don't just barricade it with a firewall. Close the door. A UPnP exploit for instance can make a firewall meaningless.

Just because there's no known exploit in the wild for a given service doesn't mean it's secure. There's been several instances of Windows services being exploited by vulnerabilities that were previously unknown. Services that are disabled (or removed) can't be exploited via previously unknown vulnerabilities. Reducing your exposed attack surface is one of the best proactive things you can do to protect your system.

 

svchost connections.Can they be blocked altogether.?

 

Svchost is involved in a wide range of services, several of which are necessary on most systems. DHCP relies on svchost,as does the DNS service. Most of these services use specific ports. You can block specific services by blocking the specific ports each uses. Others like DHCP can't be blocked without manually assigning static IPs to each device on the network. You need to look at each service individually. Depending on your needs and your local network, it might be possible to completely block svchost, but not without making changes to your system and network configuration.

 

Yes, yes and YES!