Disabling services for stand-alone servers in DMZ

  • Question

  • I am trying to use SCM and the included guides to harden several 2008R2 servers in the DMZ. While the security guides and baseline policies are useful, they all assume AD-integrated servers. The first step I am looking for is limiting the services that are running, especially those that listen on TCP/UDP ports. I see no mention of disabling DCOM/RPC/SMB/Netbios/etc. Where can I find that information?

    The servers will be running non-Microsoft applications on their own TCP ports, so I am not afraid that turning off these Windows services will influence the application behaviour.

    Monday, September 10, 2012 3:16 PM

Answers

  • Richie;

    Disabling the service will prevent the service from listening on any network ports. Also remember how Server Manager works in more recent versions of Windows. When you add or remove server roles and features it adds and removes firewall rules as needed. So the Windows Firewall will be locked down as much as possible so that only the things you installed will be able to accept incoming traffic. Have you looked at the Attack Surface spreadsheets we included in SCM for Windows Server? They have information about which firewall rules are created for each role, which named pipes are needed, etc. You can also use the Attack Surface Analyzer discussed in chapter 2 of the Windows Server 2008 R2 guide to gather that sort of information yourself.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Friday, September 14, 2012 6:40 PM
    Moderator
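Putting this answer into practice, the following PowerShell is an added example written for this page; it is not from the thread, from Kurt, or from SCM. It does the survey Kurt describes (which service owns which listening port, using netstat -ano and the Win32_Service WMI class, both standard on 2008 R2), then disables the SMB/NetBIOS-side services, turns off NetBIOS over TCP/IP through the Win32_NetworkAdapterConfiguration WMI class, and adds explicit inbound block rules with netsh advfirewall. The service short names used (Browser, LanmanServer, lmhosts) are real, but the choice to disable them is the example's own and must be tested against the business application, as Kurt says. Two caveats a practitioner needs: the RPC Endpoint Mapper behind TCP 135 (RpcSs) is something Windows itself depends on and is deliberately not in the disable list, so that port is closed at the firewall instead; and ports owned by PID 4 (System) are kernel-mode listeners with no user-mode service to stop, which is again a job for firewall rules. Blocking 135/445 inbound also removes remote WMI/RPC management and admin shares, so keep another management path.

```powershell
# Added example (not from the original thread or from SCM): survey which
# services own the listening TCP/UDP ports on a Windows Server 2008 R2 host,
# then disable the SMB/NetBIOS-related services and fence off the ports at
# the host firewall. Run from an elevated PowerShell 2.0 prompt; test on a
# non-production copy first.

function Get-ListeningPortOwners {
    # Build PID -> list of service names. Several services usually share one
    # svchost.exe PID, so a port maps to a set of candidates, not one service.
    # Keys are cast to [int] so the [int] PID lookups below match (a UInt32
    # key would not compare equal to an Int32 lookup).
    $svcByPid = @{}
    foreach ($s in (Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
        $key = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $s.Name
    }

    # Parse 'netstat -ano'. Columns: Proto, Local, Foreign, [State,] PID.
    # UDP rows have no State column, so the PID is always the last field.
    foreach ($m in (netstat -ano | Select-String -Pattern '^\s*(TCP|UDP)\s')) {
        $f = $m.Line.Trim() -split '\s+'
        $proto = $f[0]
        if ($proto -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $procId = [int]$f[-1]
        $local = $f[1]
        $port = [int]($local.Substring($local.LastIndexOf(':') + 1))
        if ($procId -eq 4) {
            # PID 4 = System: a kernel-mode listener (SMB srv.sys on 445,
            # HTTP.sys, ...). No user-mode service to stop; use firewall rules.
            $owner = 'System (kernel-mode listener)'
        } elseif ($svcByPid.ContainsKey($procId)) {
            $owner = $svcByPid[$procId] -join ','
        } else {
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($p) { $owner = $p.Name + '.exe (not a service)' } else { $owner = 'unknown' }
        }
        New-Object PSObject -Property @{
            Proto = $proto; LocalAddress = $local; Port = $port; ProcessId = $procId; Owner = $owner
        }
    }
}

function Disable-WindowsService {
    # Stop and disable one service by its short name. Stop-Service -Force also
    # stops dependents (e.g. Computer Browser when stopping Server).
    param([Parameter(Mandatory = $true)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    Get-Service -Name $Name | Select-Object Name, Status
}

function Invoke-DmzPortHardening {
    # Example candidates for a stand-alone DMZ host that needs no file sharing
    # or legacy name resolution: Computer Browser, Server (SMB server side)
    # and TCP/IP NetBIOS Helper. RpcSs (TCP 135) is deliberately absent:
    # Windows itself depends on it, so that port is closed by firewall instead.
    foreach ($n in 'Browser', 'LanmanServer', 'lmhosts') { Disable-WindowsService -Name $n }

    # Disable NetBIOS over TCP/IP (UDP 137/138, TCP 139) on every IP-enabled NIC.
    # Argument 2 = "Disable NetBIOS over TCP/IP"; ReturnValue 0 = done,
    # 1 = done but a reboot is required.
    foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        $r = $nic.SetTcpipNetbios(2)
        '{0}: SetTcpipNetbios returned {1}' -f $nic.Description, $r.ReturnValue
    }

    # Explicit inbound block rules. In Windows Firewall a block rule wins over
    # any allow rule, so these ports stay closed even if a later role install
    # re-enables a service. Blocking 135/445 also cuts off remote WMI/RPC
    # management and admin shares; keep console/RDP or another admin path.
    netsh advfirewall firewall add rule name=DMZ-block-RPC-NetBIOS-SMB-TCP dir=in action=block protocol=TCP localport=135,139,445
    netsh advfirewall firewall add rule name=DMZ-block-NetBIOS-UDP dir=in action=block protocol=UDP localport=137,138
}

# Step 1: look before you cut. Step 2 (commented out) applies the changes;
# re-run step 1 afterwards and compare.
Get-ListeningPortOwners | Sort-Object Proto, Port | Format-Table Proto, LocalAddress, Port, ProcessId, Owner -AutoSize
# Invoke-DmzPortHardening
```

Run the survey first and keep its output: it is the before picture for the Attack Surface Analyzer comparison Kurt mentions, and it shows immediately which listeners belong to a shared svchost process (where disabling one service may not close the port) versus PID 4 (where only a firewall rule will).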

All replies

  • Richie;

    The WS2008R2 baselines for specific server roles include recommendations for which services to enable for that role. We don't disable any services in those baselines, we rely on the default configuration that gets applied by Server Manager when you add or remove roles. You could specifically disable some services in your custom baselines, however you have to be very careful in doing so and should only disable services that you are certain will not be needed on the server. For example, you can probably disable the Computer Browser service because WS2008R2 uses DNS and AD to locate network services rather than SMB broadcasts; however you should test your business applications to ensure that none of them rely on the Computer Browser service. You can apply your custom baselines by exporting them from SCM as GPO backups, and then apply them using the LocalGPO tool that's bundled with SCM.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Monday, September 10, 2012 5:49 PM
    Moderator
  • Kurt,

    Thanks for your reply. I am going through all the Windows services now to see which ones can safely be disabled. However, my question is more regarding closing network (TCP/UDP) ports. Windows by default listens on ports 135, 137, 138, 139, 445, etc. I know these are used by DCOM/RPC/SMB/Netbios/etc. I would expect a Windows security guide/baseline to go into stopping the services that use these ports. This will limit the attack surface for Windows servers more than anything else. I'm quite surprised SCM does not touch this topic at all.

    All I have been able to find so far is official MS documentation on how to disable DCOM. This still leaves RPC/SMB/Netbios/etc. Is official documentation available on how to disable those services?

    Kind regards,

    Richie

    Tuesday, September 11, 2012 9:40 AM