Disabling Windows Services to Improve Security

A stopped service is almost certainly an un-hackable service. A server may never be truly hack proof, but we can get much closer to that goal by eliminating avenues of attack. The case for disabling networked services that are not in use is a simple one. If we are not using a service, disable it. We no longer have to worry about a new, recently discovered vulnerability, or worry about known types of attacks. The service is not running; it's not listening on its TCP/IP port, so connections can't be made to it.

Most services are going to be network-capable or enabled on modern systems, but there are still some services present that are only local, or only listen on the internal, localhost IP address (127.0.0.1).

Some Windows services running are application servers, and some of them act as clients. If we disable one acting as a server, for example a service providing file sharing, that function won't be available to any hosts or clients trying to connect. If we disable a client service, then our system won't be able to access that application on our local system or on any servers providing it.

If we want to see what sort of services are present, and what TCP and UDP ports our network services are using and listening on, we can use the netstat command. Netstat can show us what executables and what process ids are involved in particular connections or listening ports. The command:

netstat -abnp tcp

will show us that information for all active TCP traffic and listening services. We can run netstat, save the output, stop a service, run netstat again, and compare the results. A single process can be listening on multiple ports, so using these command line options with netstat can help sort out which service is involved. Since this command also provides the executable file names, it is simple to determine which service is associated with which connections and ports.

If you don't use file shares or remote desktop, and don't plan to, disabling the Server service and Terminal Services (the Remote Desktop Service) is a good idea. Disabling the Remote Registry service is highly recommended. There are numerous others that you should examine on a case-by-case basis, but that's a start. Businesses and home users will have different criteria for determining if a service is needed.

I've been able to shut down enough non-essential services, (and replace others) so that even some of the best scanning and penetration testing software could not identify the operating system as Windows, along with finding no vulnerabilities.

When services are stopped, they don't take up CPU cycles or use memory. While any given individual service may not place much load on your CPU, several idle services consume enough cycles that it can be a noticeable improvement. A bigger impact is found in available RAM. Applications running as services allocate memory for their use, and can have a significant memory footprint even while idle. In my experience, over long periods of time, memory leaks can cause services to consume more and more RAM. This is often the case for servers that are not rebooted frequently. System startup will be faster as well, with fewer services to initialize and start up.

When disabling services, it's important to stop & disable one at a time, and then verify that the system still works as needed. Test your changes and make sure that everything that you need running still works properly! This can take a significant amount of time. Some services have dependencies, and stopping one that you think you don't need will require one, two, or more other services to stop. Be sure to disable not just the one service, but the dependent services as well. Check your Event Viewer System and Application logs during and after making changes, to be sure that you don't have an unforeseen problem with another service or application.