Windows NT default services

Service Name

Default Startup

File Name

Definition

Methods of Securing this Service

Alerter

Manual

SERVICES.EXE

Sends system announcements and alerts to users and machines in conjunction with the Messenger Service.

Can be disabled.

ClipBook Server

Manual

SERVICES.EXE

Can be disabled.

Computer Browser

Automatic

SERVICES.EXE

Works with other Windows machines on the network to maintain a current list of available resources.

Though it is not really a security issue, I recommend selecting a few machines to maintain browser lists (including your DCs) and then setting the following on all other machines and/or disabling the Computer Browser Service:
HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters
MaintainServerList [Reg_SZ] False
This will keep browser election traffic down and prevent your server logs from being spammed with election announcements.

Directory Replicator Service

Manual

Synchronizes files from domain controller %SERVER%\c$\Winnt\System32\REPL\Export\Scripts to C:\Winnt\System32\REPL\IMPORT\Scripts

Can be disabled.
Ensure that proper ACLs have been set on the Domain Controllers so that only authorized users may change these files. Set the actual names of the exporting Domain Controllers on the Workstations’ Replicator Services instead of using the Domain name.

EventLog

Automatic

SERVICES.EXE

System logging service

Should NEVER be disabled.
Use a syslog-compliant service such as Addiscon’s (http://www.addiscon.com//) EventSlog to reformat and forward all NT Event Log messages to a central logging server.

Messenger

Automatic

Allows the sending of NetBIOS messages between Windows machines and is needed for the Alerter Service to function between machines.

Can be disabled if you don’t want to be able to use NET SEND to confuse and aggravate users.

NetLogon

Manual

LSASS.EXE

Local Security Authority Service handles

These Services cannot be disabled.
Set an account lockout policy in UserManager to hinder "brute force" password attacks.

NT LM Security Support Provider

Manual

Plug and Play

Automatic

SERVICES.EXE (and PNPISA.SYS in "Devices" if you install it)

Enables "Plug and Play" capabilities for Windows NT 4.0

Probably should not be disabled.
This has actually become reasonably functional under the latest Service Packs and I know of no security holes that it opens up.

Remote Procedure Call (RPC) Locator

Manual

RPCSS.EXE

Remote Procedure Call Services.

Cannot be disabled.

Remote Procedure Calls are used by many basic functions within the Windows NT Operating System and its applications. You cannot disable them and can only really secure them by tightening general security.

Remote Procedure Call (RPC) Service

Automatic

RPCSS.EXE

Schedule

Manual

System event scheduler

Should be disabled unless needed.
Restrict who may add jobs to the Scheduler using the AT or WINAT commands:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
SubmitControl [Reg_DWORD] =0 Admins only
SubmitControl [Reg_DWORD] =1 Admins & Server Operators
Set the ACL on
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule and its subkeys to either “Administrators” or “Administrators and Server Operators”.

Spooler

Automatic

SPOOLSS.EXE

Print spooler

Disable on machines that do not print locally or act as a print server.
Print drivers run in the SYSTEM context and can be trojaned. Make the Administrators group the owner of all print drivers in C:\Winnt\System32\Spool\Drivers and set the ACL on this directory so that only Administrators can change or add files (other users will still need “Read” permissions).
Add the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
AddPrinterDrivers [Reg_DWORD] =1

TCP/IP NetBIOS Helper

Automatic

Passes normal TCP/IP connection requests to the sockets interface to allow NetBIOS resolution.

Can be disabled on systems not requiring NetBIOS functionality. Microsoft recommends this for IIS servers. However, the Computer Browser and Net Logon services depend on this service, so it is necessary for remote access to the machine.

Server

Automatic

SERVICES.EXE / SRV.SYS

Remote redirector

Required as long as Microsoft-specific network protocols (e.g. SMB) are used.

Workstation

Automatic

SERVICES.EXE / RDR.SYS

Local redirector

Required as long as Microsoft-specific network protocols (e.g. SMB) are used.

Network DDE

Manual

NDDEAGNT.EXE

Network Dynamic Data Exchange

Inherently vulnerable and can probably be disabled depending on the custom applications you use.

Network DDE DSDM

Manual
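
The recommendations in the Computer Browser, EventLog and Schedule rows above can be checked offline against a REGEDIT4 export of a machine. This is an added example, not part of the original table: the sample export is constructed, the function names are hypothetical, and the service Start values (2 = Automatic, 3 = Manual, 4 = Disabled) are an assumption the table itself does not state.

```python
import re
# Constructed sample: a REGEDIT4 export of an unhardened machine (not from the page).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"MaintainServerList"="Auto"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SubmitControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]
"Start"=dword:00000004
'''
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DISABLED = 4  # assumption: service Start 2 = Automatic, 3 = Manual, 4 = Disabled

def parse_reg(text):
    """Map (key, value name), both lower-cased, to the value; dwords become int."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and key:
            raw = m.group(2)
            is_dword = raw.lower().startswith("dword:")
            values[(key, m.group(1).lower())] = int(raw[6:], 16) if is_dword else raw.strip('"')
    return values

def audit(text):
    """Return findings; a value missing from the export counts as not set."""
    reg = parse_reg(text)
    get = lambda key, name: reg.get((key.lower(), name.lower()))
    findings = []
    if get(SVC + "EventLog", "Start") == DISABLED:
        findings.append("EventLog is disabled")
    if get(SVC + "Schedule", "Start") != DISABLED:
        findings.append("Schedule is not disabled")
    if get(LSA, "SubmitControl") == 1:
        findings.append("SubmitControl=1: Server Operators may submit AT jobs")
    if str(get(SVC + r"Browser\Parameters", "MaintainServerList")).lower() != "false":
        findings.append("MaintainServerList is not False")
    return findings
```

Calling `audit(SAMPLE_EXPORT)` returns one finding per deviation. On a machine that needs the Schedule service or is one of the designated browser-list maintainers, the matching findings are expected and can be ignored.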