Should You Disable "Unnecessary" Services on a PC?

Discussion in 'polls' started by Brandonn2010, Aug 27, 2014.

Should You Disable "Unnecessary" Services on a PC?

  1. Yes

    34 vote(s)
    68.0%
  2. No

    16 vote(s)
    32.0%
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I have been, for a while, using BlackViper's Safe configuration for family member's PCs, as well as my neighbor's computer, and another person's computer, in order to improve security and speed, yet just recently on this forum a bunch of people were saying it is unnecessary and shouldn't be done, even though this forum convinced me to start doing it in the first place.

    So I want your opinion on whether it is a good practice, or should I stop doing it, and restore services on their computers to their default startups?
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    The computer is just like a car, you can leave it as it is, it will run just fine or you can tweak it to get a little more from it or to push it beyond limits. :shifty:
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    This isn't a one size fits all thing, which I just got done explaining in another thread. So there's no right option for me, which would be: "It depends". As I look at your OS in your sig my answer would probably be no. For one thing I assume you have a bunch of RAM already in your box running an x64 OS. For another, you just can't tweak/trim post-XP OS's the way you could XP. You need most of those services now for proper functionality of your system, for better or worse... I have my opinion on which is the case but won't get into that here. And a few tweaks won't make any noticeable difference, even on XP, let alone modern x64 OS's with a ton of RAM and modern CPU's (i3-i7's). Unless there's one that's a known vulnerability, like a few on XP like: "SSDP Discovery Service" (which even 3 letter agencies recommended you disable), and Remote Registry, I'd say just leave them alone in your case. Maybe Superfetching and Indexing Services as they'll reduce the write times/amounts and don't seem to do any good anyway. I've heard people say that reduces CPU load, obvious because their activity light doesn't blink as much anymore. Which also saves your hardware. After that I'm not sure much else is necessary on post-XP OS's.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This really depends on what version of Windows you're using and your reasons for disabling those services. Even on old hardware, it's hard to justify on performance grounds. The only real improvement will be in boot time. On the other hand, if you're disabling services to close open ports and reduce the attack surface, I'd say it's worthwhile, at least on XP. With Vista onwards, it may not even be possible.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,055
    Yes, I like to disable unnecessary services. The biggest problem is to find which of them are unnecessary for each system and each user.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's only half of the problem. On Win2K, the services were quite independent of each other. On XP they became more interdependent and interconnected. Disabling one often disables others that depend on it. On XP, this increased substantially from SP2 to SP3. From Vista onwards, sorting through the services and their interdependency is like untangling a potful of spaghetti. On the newer versions of Windows, the services that are responsible for the open ports have so many others dependent on them that closing those ports becomes impossible. Reducing your attack surface and eliminating points of vulnerability has been "Security 101" on anything where security is an issue. It's interesting to say the least that right after the NSA supposedly helps Microsoft with securing Windows Vista that we end up with a larger attack surface that can't be eliminated or reduced by configuration. Given all of the revelations we've seen regarding NSA weakening, backdooring, and outright sabotaging security on internet equipment, draw your own conclusions as to why we can't close the open ports on these systems.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,055
    Yes, services have become really interdependent as you say. I usually check which services are depending on any service I want to stop. If there are many dependent services I just let it run. I don't want to break my system just to "close all holes". So I usually disable just those that are considered safe to disable using my system setup. I gave up on closing all ports on newer Windows versions. I put my system behind a router so those ports are not accessible from the internet.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With the ongoing discoveries and revelations regarding router vulnerabilities, hard coded passwords, etc, those ports are one exploit away from all being accessible.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,055
    Yes, you're right - there is just no more security when using computers. Don't even wanna know what backdoors got installed on my computer hardware...
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Not to mention a router could take a crap on you at any time. And when they break they don't always break altogether, as in you try to turn it on and it just doesn't turn on. Then you would know where you stand and be able to just buy a new one, no biggie. But sometimes functions of them will fail/get glitchy instead while leaving it seemingly functional. You could have internet connectivity but be oblivious to the fact that it's no longer stealthing ports properly. And you could remain oblivious to this for a long time, until the next time you run a port scan at GRC or whatnot. And who knows what you could do in the meantime... ordering things online using CC/Paypal info., doing online banking, etc...

    This is why it's always best to harden the OS at the source first and foremost as your primary approach to securing your system/network, IMO. Make it so that those ports are closed even if your router/firewall were to fail to work/load properly.

    With modern OS's this feat is impossible to accomplish. And this is just one of many reasons I feel safer on XP all things considered.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, that's by design. The current versions require a separate device to protect them from inbound traffic from the internet in addition to its own built in firewall. By comparison, a 9X system with TCP/IP unbound could connect directly to the web, no router or software firewall, and expose nothing. With some effort, one could configure XP to the same standard. From Vista onwards, forget it. Windows has a strange definition of security. I'm pretty much convinced that the "security" they refer to isn't ours. It's corporate and government, aka "national security" they're referring to, and these design decisions improve their security at the expense of ours.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @luciddream
    Totally agree. Regarding Shields Up, it's a very limited scan at that, unless you want to scan 65 thousand ports 50 at a time. With DSL modems for example, every one I've used has some undocumented port open to the web. The port number seems to vary with the brand/model. I don't use separate routers but I've heard that they have the same problem.

    As for online purchasing, banking, etc, there's no way I'll even consider it any more. Recent hacks of stores, businesses, etc have proven one thing beyond all doubt, namely that it doesn't matter how careful you are or how well you secure your end. You can't count on them to secure their end. I'm forced to have either a debit card or a bank account with direct deposit because they no longer issue checks. I chose the card. Sick of banks and policies that border on legal theft. Since the card allows one free withdrawal per month, I pull all of the cash off on the day it's added. If there's no money on the card, no one can steal it. IMO, plastic is the equivalent of marked money. Where and how I spend it is not their concern.
     
  13. guest

    guest Guest

    If it was my PC, I'll disable services as much as I like. If it was not my PC, I'll leave them at their default configurations.
     
  14. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    271
    Location:
    USA
    Using a Chromebook is the way to go on this one.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Chromebook can't fix poor security on their end.
     
  16. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Actually this is an interesting point. What would incline 3 letter agencies to increase the security of your own computer.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It was not a secret exploit that only the 3 letter agencies were aware of. How to exploit SSDP was widely available knowledge. Many others were already doing it for a long time. Even the default ruleset for Kerio 2.1.5, which is over 10 years old, contained a rule that blocked inbound traffic to the port used by SSDP.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I did on slower computers, but not anymore on my gaming laptop. Just no point potentially breaking something for little to no gain.
     
  19. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    I like to disable, or set to manual, all unnecessary services. The biggest problem I believe is that people generally forget what they have changed. So when all of a sudden they want to access a remote PC and vice versa, it doesn't work and they wonder why. People's needs and wants change over time, same is true for one's PC configuration.

    I always keep notes of any changes I've made to these services, should I need to revert.

    There is a handy tool called Turbo services manager. It allows you to export and import your services settings.

    http://www.softpedia.com/get/System/System-Miscellaneous/Turbo-Services-Manager.shtml

    regards.
     
  20. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    271
    Location:
    USA
    Yes, I know. I did not mean for it to sound like that. I meant for just online banking. I should have read the whole post; I just read the first sentence, my bad.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,055
    I also always make notes when I do any changes to my system. I also write down date and time when change was made so I can easily restore system backup from time before problematic change was made and then re-apply non-problematic changes that were created after backup time.
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Microsoft knows more about this than you. Leave it alone. (Not directed at any particular individual.)
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I use pserv.cpl from p-nand-q, on XP, version 2.7. It's a standalone utility. The newer versions for Vista onwards are part of G-Tools. It's similar to the services interface on XP but gives more information. It also lets you export your services configuration as an XML file. Restoring is as simple as importing and applying the XML.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    From the developer's Homepage for that tool: "Warning: This tool is dangerous and you can easily prevent your PC from working if you do not know what you are doing.." :-(

    http://www.turboirc.com/tsm/

    Which really is the fundamental answer to this poll. Whether you should disable unnecessary services depends upon your degree of knowledge.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    And the foresight to create a full system backup (not just a restore point) or at the very least, a backup of your starting services configuration, and verifying that it works before you start changing anything. Configuring services should be treated like editing the registry. This is especially true when you consider that the settings for the services are stored in the registry. Document what you do and your reasons for doing it. Remembering why you changed something a week later is easy. Finding it a year or 2 later and remembering why it was changed is much harder. I still find instances like this from years ago that I kick myself for. As long as you have a reliable way to get back to where you started from, both are quite safe. A full backup is the difference between a learning experience and a wrecked system.
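
The routine several posters describe (check what depends on a service before stopping it, save the starting services configuration, and note each change with a date and reason) can be scripted with built-in cmdlets. This is an added example, not part of the thread and not code from any tool mentioned in it; it assumes Windows PowerShell 3.0 or later, and the function names and file paths are hypothetical.

```powershell
# Added example. Function names and default paths are hypothetical.
$BaselinePath = "$env:USERPROFILE\services-baseline.csv"
$ChangeLog    = "$env:USERPROFILE\services-changes.csv"

function Export-ServiceBaseline {
    # Snapshot every service's startup mode BEFORE changing anything.
    param([string]$Path = $BaselinePath)
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Get-ServiceDependents {
    # Services that list $Name as a dependency; they fail to start if it is disabled.
    param([Parameter(Mandatory)][string]$Name)
    (Get-Service -Name $Name).DependentServices |
        Select-Object Name, DisplayName, Status
}

function Add-ServiceChangeNote {
    # Record what was changed, when, and why, so it can be found a year later.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Reason,
          [string]$Path = $ChangeLog)
    [pscustomobject]@{
        When   = (Get-Date).ToString('s')
        Name   = $Name
        Reason = $Reason
    } | Export-Csv -Path $Path -NoTypeInformation -Append -Encoding UTF8
}

function Compare-ServiceBaseline {
    # Report services whose startup mode differs from the saved snapshot,
    # plus services that did not exist when the snapshot was taken.
    param([string]$Path = $BaselinePath)
    $baseline = @{}
    Import-Csv -Path $Path | ForEach-Object { $baseline[$_.Name] = $_.StartMode }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $old = $baseline[$_.Name]
        if ($null -eq $old) { $old = '(not in baseline)' }
        if ($old -ne $_.StartMode) {
            [pscustomobject]@{ Name = $_.Name; Baseline = $old; Current = $_.StartMode }
        }
    }
}

# Typical order: Export-ServiceBaseline, then Get-ServiceDependents -Name <service>,
# then make the change, Add-ServiceChangeNote, and later Compare-ServiceBaseline.
```

The CSV snapshot records settings only; it does not replace the full system backup recommended above.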
     