Securing IIS 5.0 Using Batch-Oriented Command Files
On This Page
What, When, and How to Secure
Configuring with Command Files
Customizing the Command File
Types of Tools and Settings
Other Security Configuration Steps
For More Information
This white paper describes the use of command files or batch programs to automate the security settings on a Web server running Windows 2000 Server or Windows 2000 Advanced Server and Internet Information Services 5.0 in an enterprise environment. This white paper is intended for system administrators and assumes familiarity with Windows 2000 Server and IIS 5.0, registry settings in the operating system, and metadata settings in IIS 5.0. This paper will not attempt a detailed explanation of registry settings or metadata settings. For that information, turn to the documentation for Windows 2000 Server and IIS 5.0.
The command files and supporting utilities discussed in this white paper can be found on the Windows 2000 Web Server Rapid Deployment Guide CD, or on the Web in this zip file: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
It is important to note that the Windows Management Interface (WMI) provides a more robust interface for managing the server operating system than provided by command files and utilities. The use of command files is discussed here because many administrators are familiar with using these in legacy operating systems.
This white paper draws on experience gained by Microsoft engineers who upgraded Web servers to Windows 2000 Advanced Server at the MSN Hotmail® Web-based e-mail service. The security and performance considerations in that upgrade are relevant for many Web hosting environments, including large e-commerce enterprises. The performance and security settings outlined in this paper are not exhaustive. There are excellent resources and related links available on http://www.microsoft.com/windows2000 .
A list of related articles can be found in the For More Information section at the end of this white paper. However, a good starting point for further reading is the Microsoft Security Web site at http://www.microsoft.com/security . For information on performance tuning, read The Art and Science of Web Server Tuning with Internet Information Services 5.0 at http://www.microsoft.com/technet/security/chklist/iis5chk.mspx .
Caution: Do not use these tools indiscriminately. These settings will create a highly secure Web server. However, applying them to a Web server will most likely break existing applications. The settings may restrict customer access to Web sites. Before configuring security, system administrators must understand the effect and proper use of each setting. This paper includes command files that contain the types of performance and security settings used in the Hotmail deployment. These are not identical to the actual command files used at Hotmail, but they are similar enough to be used as a model.
It is strongly recommended that one tests proposed modifications to security or performance settings in a lab environment prior to implementing on production systems.
What, When, and How to Secure
Understanding Security Needs
Administrators should be keenly aware of the security needs and considerations at their organization before configuring security settings. As mentioned, the settings that are included in command files in this paper are for illustration purposes only. These command files can be modified as needed before they are applied to Web servers in other organizations. For example, an organization running Web applications that require less restrictive access to public Web servers must amend the settings in the command files to allow such access. Otherwise, the Web applications will not work. Additionally, these command files were built specifically for use on Web servers, running the Windows 2000 Server operating system and IIS 5. They need to be modified if used on servers supporting different roles.
Modifying the Command File to Match Specific Needs
Administrators should study all of the parameters being modified in the command file and understand the effects of those modifications on Web applications.
The command files described in this white paper illustrate how to automate common administrative tasks, such as maintaining security, tuning performance and preventing denial of service (DOS) attacks.
For more information on aspects of a Web server that should be secured, along with why and how to secure them, read the article titled Secure Internet Information Services 5 Checklist at http://www.microsoft.com .
System administrators can use the checklist in that article to help them determine security goals and requirements for their organizations. They can customize the command file herein to automate the implementation of those requirements.
Configuring with Command Files
Two Options for Securing Servers
When thinking about deploying Windows 2000 Server in a Web hosting environment, many system administrators face the questions: How can we make this system secure? How do we keep hackers out?
Those questions are usually followed by another: How can we make this system secure in a quick, automated and consistent fashion?
System administrators can choose from two methods to answer those questions. As they migrate front-end Web servers to Windows 2000 with IIS 5.0, they can configure security on each server using the Microsoft Management Console. Alternatively, all security settings can be handled via the command line.
Some administrators prefer to use command files, also known as batch files, because they are familiar with using command files in legacy operating systems. Administrators who oversee hundreds or thousands of Web servers want as much automation as possible when configuring security as they upgrade, and command files can provide additional automation.
The command files in this paper use commands available natively in the Windows 2000 Server operating system (OS), along with native OS utilities, and utilities available in the Windows 2000 Resource Kit. Some of the security settings are implemented by making changes directly to the Windows 2000 registry and the IIS 5.0 metadata information.
Customizing the Command File
Use the File as a Template
Any Web-hosting enterprise, including most e-commerce enterprises, can follow a process similar to that used at MSN Hotmail to make servers highly secure when upgrading to Windows 2000 Server and IIS 5.0.
The command file in Appendix 1, w2kseccfg.cmd, will automatically apply security settings very similar to those used on the Hotmail servers. That is not recommended. As mentioned previously, these settings will most likely break some Web applications. The recommended best practice is for administrators to use the command file as a template for the most common security settings to modify on a Web server. For example, the command file provides a setting necessary to change password expiration policy on Web servers. This setting can be customized to fit the needs of any organization.
It should not be necessary to manually copy the files to each computer. There are several automated ways to do this. At Hotmail, administrators used the command file to apply the settings to a master build image. Interim updates can be distributed via a software distribution utility, or with the rdist.exe utility available with Windows 2000 Services for Unix.
Disable Unnecessary Security Commands
If the command file is applied without modification, a Web server may stop functioning as expected and/or some remote administration functionality may become inoperable.
For example, the command file disables remote access to the registry for some users. If an administrative function requires remote access to the registry, that function would become inoperable. To prevent this, administrators should:
Disable, or "comment out," the lines of code in the services.cmd file that prevent remote access to the registry; the remote registry command.
Or use an administrative function which invokes a function that accesses the registry in the context of the local machine.
Similar consideration and customization should be used with each of the settings in the command file. Several of the settings in the command file could disable a Web server application. Therefore, administrators should thoroughly test their custom configurations on servers in a lab before deploying them on production Web servers.
Administrators should install Windows 2000 Server Service Pack 1 on all servers before running the command file. As Microsoft releases future hot fixes, these should be added to the command file and installed on Web servers to maintain security and performance.
The default security settings in Windows 2000 Server and Windows 2000 Advanced Server with IIS 5.0 are more secure than in previous operating systems. The default security settings in the previous version of IIS were designed for greater ease of connectivity, and were more appropriate security settings for small businesses, home users, or intranets. The default settings in Windows 2000 with IIS 5.0 are designed for the greater security required in Web-hosting enterprises.
IIS 5.0, out of the box, is very, very secure.
At the same time, however, IIS 5.0 includes sample applications to help developers write programs. IIS 5.0 also includes ActiveX controls to make development easier. These aids, although useful, open potential security gaps that must be closed on Web servers before the public is granted access.
White papers on the Windows 2000 Web Server Rapid Deployment Guide CD and the Microsoft.com Web site provide security checklists for system administrators preparing to host Web applications. These address items such as sample applications and ActiveX controls. The command file, w2kseccfg.cmd, provides an automated implementation of the checklists.
Types of Tools and Settings
The files in Appendix 1 contain the commands and utilities that were used on the Hotmail Web site to apply more restrictive security settings than the defaults, and to install fixes for security vulnerabilities which were identified after the commercial release of Windows 2000.
The command file, commands, and utilities include:
The w2kseccfg.cmd file is the main command file, which implements several enforcements. For example, it can modify the services that will run on the system (services.cmd); set audit policy (auditpol.exe); and apply hot fixes such as 262694_W2K_SP2_x86_en.EXE. It uses regini.exe for modifying the Windows 2000 registry in an unattended fashion. For the latest list of security and denial of service advisories see http://www.microsoft.com/security . The w2kseccfg.cmd file assumes that W2KregSec.dat and the executables referenced by the command file are saved to the same directory as w2kseccfg.cmd. This file contains the nested utilities and commands for settings discussed in this white paper.
This is a tool for editing the registry in Windows 2000. The registry is a database for information about a computer's configuration. Registry setting modifications for security include such things as restricting hidden file system shares, and modifying TCP/IP settings to optimize the server for attachment to the public Internet.
By running regini.exe, administrators can automate any of the registry-related security settings. The w2kregsec.dat file provides the input. Administrators must edit the registry keys in the w2kregsec.dat file to make the appropriate security modifications for a particular system. For more information, see the Windows 2000 Server Resource Kit at http://www.microsoft.com/windows2000/techinfo/reskit/default.asp .
This is the primary input file used by regini.exe. This file contains the registry keys that will be modified. For more information about registry keys and their values, see the Windows 2000 Server Resource Kit.
This utility can be used for renaming the administrator account. The following command line provides an example of how the utility is used:
cryptpwd.exe -r JimBob
This command renames the local administrator account to jimbob. Cryptpwd.exe is available at http://www.jsiinc.com/SUBA/tip0300/rh0349.htm.
Normally, the Administrator account cannot be locked out if a hacker attempts to guess the password. However, this tool in the Windows 2000 Resource Kit, passprop, supports the lockout option for logons to the administrator account over the network. The command below locks out the Administrator account from network access if a hacker attempts a brute force or dictionary attack, but the administrator can still log on locally at the server using this account:
passprop /adminlockout /complex
This setting also enforces complex passwords. A complex password is one that requires at least one upper case, one lower case and numeric or special characters.
This is a resource kit utility for setting the audit policy on a server. It enables the user to modify the audit policy of the local computer or of any remote computer. To run AuditPol, the user must have administrator privileges on the target computer. AuditPol can set the computer to monitor such things as system events, logon/logoff events, use of privileges, security policy changes and more. For further explanation of this utility's function, type auditpol.exe /? at the command prompt and Windows 2000 will display help text.
262694_W2K_SP2_x86_en.EXE -z -q -m
File names in this format are Windows 2000 operating system fixes. The file name given here is one example; there are several fixes with similarly structured names. Periodically Microsoft releases service packs that contain applicable fixes. Normally administrators install individual patches only when instructed to do so by a premier support professional or a Microsoft security advisory. When Microsoft identifies a security vulnerability the most current information is posted at the Microsoft Security Web site at http://www.microsoft.com/security .
262694 _W2K_SP2_x86_en.EXE is a self-extracting executable, an example of a fix issued from Microsoft. The switches; -z, -q, -m do the following:
-z: Do not reboot after running the hot fix
-q: Quiet mode – No user interface
-m: unattended Mode
262694 is the reference number that describes what this particular fix does. For more information, search for the reference number on the Microsoft Knowledge Base Web at http://support.microsoft.com/default.aspx?scid=FH;EN-US;KBHOWTO&sd=GN&ln=EN-US .
If any of the fixes listed here are included in Service Pack 2 when it is released, it would no longer be necessary to include the patch in the command file.
Windows 2000 IIS 5.0 Hot fix Checking Tool
This is a useful tool, HFCINST.exe, for auditing a Web server. The HFCheck tool allows IIS 5.0 administrators to ensure that their servers are up to date on all security patches. The tool can be run continuously or periodically, on a local machine or a remote one, using either a database on the Microsoft Web site or a locally-hosted copy. When the tool finds a patch missing, it can display a dialogue box or write a warning to the event log.
Administrators can run this tool on their reference machine after executing w2kseccfg.cmd to validate that all of the pertinent hot fixes were applied.
Visit this Web site to download the Windows 2000 IIS 5.0 Hotfix Checking Tool at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168 .
Windows 2000 Commands
The Windows 2000 commands used by the command file in Appendix 1 include basic commands such as reg.exe, cmd.exe, and Net.exe. Other examples include:
Net accounts -- for setting password length, expiration and other properties.
Net user -- to disable the guest account.
Reg.exe -- to modify or view the registry (See services.cmd)
For more information about any command, type the command name followed by /? in a command prompt. For a complete list of Windows 2000 commands, see Windows 2000 Server Help ( http://windows.microsoft.com/windows2000/en/server/help/ )
Adsutil.vbs can be used to modify IIS 5.0 metadata settings. A detailed list of metadata settings can be found in the IIS 5.0 Help. Adsutil.vbs can be found in the \inetpub directory on an IIS 5.0-based server.
IIS 5.0 Help describes how administrators can use the adsutil.vbs command, and the following list of commands to modify various metadata settings in IIS 5.0:
ADSUTIL.VBS <cmd> [<path> [<value>]] GET, SET, ENUM, DELETE, CREATE, COPY, APPCREATEINPROC, APPCREATEOUTPROC, APPDELETE, APPUNLOAD, APPGETSTATUS
For specific examples of how adsutil.vbs commands can be used in security configuration, see the appendix.
This tool allows administrators to set file-system security options for NTFS partitions, from the command line. XcAcls does this by displaying and modifying the access control lists (ACLs) of files. With this tool, administrators can set the initial access rights for folders in which the operating system resides. The ACLs determine which users have permission to read, write, execute or modify a particular file. When administrators distribute software to servers or workstations, XcAcls also offers one-step protection against deletion of directories or files by users.
Although this procedure is somewhat application-dependent, some rules of thumb apply. Guides for setting the appropriate ACLs can be found in the IIS 5.0 Resource Guide and in the Windows NT Security Guidelines study for NSA Research by Trusted Systems Services Inc. at http://www.trustedsystems.com/tss_nsa_guide.htm .
In the command file w2kseccfg.cmd, the following command line is an example of modifying the ACLs on all of the .asp files.
cmd /c "xcacls.exe *.asp /t /e /c /p everyone:x administrators:f system:f"
Administrators should extensively test any modified ACLs in a lab before moving the configuration into a production environment. For more information on setting up a test lab, see Chapter 4 of the Windows 2000 Deployment Planning Guide at http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp
Table 1 on the following page lists the most common types of files for which Web administrators modify ACLs, and the recommended ACL settings for those file types. On the left are the file types. On the right are the recommended ACL settings.
Access Control Lists
CGI (.exe, .dll, .cmd, .pl)
Script files (.asp)
Include files (.inc, .shtm, .shtml)
Static content (.txt, .gif, .jpg, .html)
Other Security Configuration Steps
The command files discussed in this paper also provide the means for accomplishing other modifications recommended for security on a Web server. These recommendations can be found in the IIS 5 Security Checklist white paper. The command files automate such things as the deleting of sample applications, disabling of unneeded COM components, and removal of unnecessary directories.
Disabling or Removing All Sample Applications
Samples are just that, samples. They should never be installed on a production server. Note that some samples install so that they can be accessed only from http://localhost, or 127.0.0.1; however, these should also be removed.
Table 2 below lists the default locations for some of the samples. The command file in Appendix 1 automatically deletes these directories.
Table 2 Sample files included with IIS 5.
c:\program files\common files\system\msadc
Disabling or Removing Unneeded COM Components
Some COM components are not required for most applications and should be removed. Most notably, consider disabling the File System Object component, but note that this will also remove the Dictionary object. Be aware that some programs might require components you're disabling. For example, Site Server 3.0 uses the File System Object. The following command will disable File System Object:
regsvr32 scrrun.dll /u
Removing the IISADMPWD Virtual Directory
This directory allows administrators to reset Windows NT and Windows 2000 passwords. It's designed primarily for intranet scenarios and is not installed as part of IIS 5, but it is not removed when an IIS 4.0 server is upgraded to IIS 5.0. It should be removed if it is not used for an intranet or if the server is connected to the Web. Refer to Microsoft Knowledge Base article 184619 for more information about this functionality.
Post Implementation Auditing
Although not specifically used in the command files illustrated in this paper, there are several Windows 2000 tools that can help administrators identify vulnerabilities. Some examples include:
This tool displays protocol statistics, current TCP/IP network connections, all connections and listening ports, and so forth.
Similar to Netstat except this tool displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
This displays directories being shared on a server.
System administrators must carefully plan security requirements for their enterprise and study the security settings and configurations available in IIS 5.0 and Windows 2000 Server. Then administrators can use the command files in Appendix 1, as a sample template, to automate the configuration of security settings on Web servers. While the Microsoft Management Console provides a more intuitive method of configuring security, some administrators may prefer to use this method system for convenience because they are familiar with using command files on legacy Web server operating systems or changes must be implemented concurrently, on dozens or thousands of Web servers.
For More Information
Other Related Links include:
Microsoft Security Web site (http://www.microsoft.com/security) and for Security Bulletin Search page (http://www.microsoft.com/technet/security/default.mspx)
Windows Web Services Deployment page (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/default.mspx)
The Art and Science of Web Server Tuning with Internet Information Services 5.0 white paper (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/optimize/iis5tune.mspx)
All of the command files and supporting utilities can be found on the Windows 2000 Web Server Rapid Deployment Guide CD, or in this zip file: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
REM Windows 2000 Security configuration utility. Developed for Windows 2000 by firstname.lastname@example.org REM includes input from w2k.com REM This .cmd file assumes that W2KregSec.dat and the executables are in the same REM directory as w2kseccfg.cmd last updated 5/12/00 REM REM The following line makes the applicable registry changes. These changes are REM applicable to all systems. However, use with caution, it may cause some applications REM to quit working. This was developed for a specific customer scenario REM and is only intended to be used as a template for other scenarios. REM Updated 9/1/00 to reflect Windows 2000 SP1 availability. Run the Windows 2000 SP1 update before running this tool. REM REM cmd /c "regini w2kregsec.dat" REM Set Password expirations net accounts /minpwlen:9 /maxpwage:60 /uniquepw:6 REM Rename the administrator account REM cryptpwd.exe -r JimBob REM -Lockout net access to Admin acct on failed attempts passprop /complex /adminlockout Rem -Disable Guest net user guest /active:no REM enable auditing - log size characteristics set it W2Kregsec.dat REM auditpol /logon:all REM The following are security vulnerabilities which will be fixed in W2K SP1 REM 251170_W2K_SP1_X86_en.EXE -Z -Q -M REM 260838_W2K_SP1_x86_en.EXE -Z -Q -M REM 259622_W2K_SP1_x86_en.EXE -z -q -m REM 259401_W2K_SP1_x86_en.EXE -z -q -m REM 257870_W2K_SP1_x86_en.EXE -z -q -m REM 254142_w2k_sp1_x86_en.exe -z -q -m REM 249599_W2K_SP1_X86_en.EXE -z -q -m REM 260205_W2K_SP1_x86_en.EXE -z -q -m REM 259728_W2K_SP1_x86_en.EXE -z -q -m 262694_W2K_SP2_x86_en.EXE -z -q -m REM - Com Objects - (This may break your applications) regsvr32 scrrun.dll /u for /f "tokens=2 delims= " %%i in ('tlist') do if [%%i]==[inetinfo.EXE] goto ThisIsAWebServer GOTO Exit :ThisIsAWebServer REM Insert the xcacl.exe commands here to modify the NTFS permissions for selected applications. REM See the 'Securing IIS 5.0 Using Batch-Oriented Command Files' for details REM type xcacls.exe /? at a command prompt for syntax REM Note: You will need to add additional xcaclc commands to set ntfs permissions outlined in the REM 'Secure Internet Information Services 5 Checklist' cmd /c "xcacls.exe *.asp /t /e /c /p everyone:x administrators:f system:f" REM When running Xcacls.exe you should change the working directory to the root of your web site. REM preceding the xcacls command with the following works great cmd /c "cd D:\inetpub&& xcacls.exe *.asp......" REM Prevents NT pwds from being changed in intranet scenarios i.e. this deletes the web based admin.tools rd %systemroot%\system32\inetsrv\iisadmpwd /s /q REM This deletes the sample apps directories rd <drive>:\inetpub\iissamples /s /q rd <drive>:\inetpub\adminscripts /s /q rd "<drive>:\program files\common files\system\msadc\samples" /s /q cd\del htimage.exe /s del imagemap.exe /s REM sites with ASP - A complete explanation of what these settings do can be found REM in the help on IIS5 servers. csript adsutil set w3svc/UseHostName "True" csript adsutil.vbs set w3svc/ASPEnableParentPaths "False" csript adsutil.vbs set w3svc/AspAllowSessionState "False" REM csript adsutil.vbs set w3svc/CGITimeOut "900" REM csript adsutil.vbs set w3svc/NTAuthenticationProviders " Negotiate,NTLM" REM csript adsutil.vbs set w3svc/AuthBasic "False" csript adsutil.vbs set w3svc/AspScriptFileCacheSize "-1" csript adsutil.vbs set w3svc/AspScriptEngineCacheMax "30" REM csript adsutil.vbs set w3svc/ASPQueueTimeout "30" csript adsutil.vbs set w3svc/AspEnableTypelibCache "True" csript adsutil.vbs set w3svc/ASPErrorsToNTlog "False" csript adsutil.vbs set w3svc/ASPRequestQueueMax "1000" csript adsutil.vbs set w3svc/LogExtFileDate "False" csript adsutil.vbs set w3svc/LogExtFileServerIp "False" csript adsutil.vbs set w3svc/LogExtFileBytesSent "False" csript adsutil.vbs set w3svc/LogExtFileProtocolVersion "False" REM csript adsutil.vbs set w3svc/ServerListenBacklog "1000" REM csript adsutil.vbs set w3svc/MaxEndPointConnections "1000" csript adsutil.vbs set w3svc/AspScriptFileCacheSize "1200" csript adsutil.vbs set w3svc/AppAllowDebugging "False" REM csript adsutil.vbs set w3svc/ServerSize "2" csript adsutil.vbs set w3svc/ASPLOGERRORREQUESTS "1" REM csript adsutil.vbs set w3svc/ASPSCRIPTTIMEOUT "30" REM csript adsutil.vbs set w3svc/MAXENDPOINTCONNECTIONS "1000" REM csript adsutil.vbs set w3svc/MAXCONNECTIONS "6000" REM - SP1 should be applied once certified services.cmd :Exit
reg add "hklm\System\CurrentControlSet\Control\FileSystem\LastAccessUpdateDisabled"="1" REG_DWORD reg update "hklm\System\CurrentControlSet\Control\FileSystem\NtfsDisable8Dot3NameCreation"="1" reg update "hklm\System\CurrentControlSet\Services\Alerter\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Browser\Start"="3" reg update "hklm\System\CurrentControlSet\Services\LicenseInfo\Start"="3" reg update "hklm\System\CurrentControlSet\Services\LicenseService\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Messenger\Start"="3" reg update "hklm\System\CurrentControlSet\Services\CertSvc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\CiSvc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Dfs\Start"="3" reg update "hklm\System\CurrentControlSet\Services\DhcpServer\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Dns\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Fax\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Ias\Start"="3" REM reg update "hklm\System\CurrentControlSet\Services\IisAdmin\Start"="3" reg update "hklm\System\CurrentControlSet\Services\ImdbServer\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Irmon\Start"="3" reg update "hklm\System\CurrentControlSet\Services\IsmServ\Start"="3" reg update "hklm\System\CurrentControlSet\Services\MsDtc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\MsFtpSvc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\MqAc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\MsMq\Start"="3" reg update "hklm\System\CurrentControlSet\Services\NntpSvc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Ntfrs\Start"="3" reg update "hklm\System\CurrentControlSet\Services\NtMsSvc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\RasAcd\Start"="3" reg update "hklm\System\CurrentControlSet\Services\RasAuto\Start"="3" reg update "hklm\System\CurrentControlSet\Services\RasMan\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Remote_Storage_Engine\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Remote_Storage_File_System_Agent\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Remote_Storage_Subsystem\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Remote_Storage_User_Link\Start"="3" reg update "hklm\System\CurrentControlSet\Services\RemoteAccess\Start"="3" reg update "hklm\System\CurrentControlSet\Services\RemoteRegistry\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Rsvp\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Schedule\Start"="3" reg update "hklm\System\CurrentControlSet\Services\SecLogon\Start"="3" reg update "hklm\System\CurrentControlSet\Services\Spooler\Start"="3" REM reg update "hklm\System\CurrentControlSet\Services\SmtpSvc\Start"="3" REM reg update "hklm\System\CurrentControlSet\Services\Snmp\Start"="3" REM reg update "hklm\System\CurrentControlSet\Services\SnmpTrap\Start"="3" reg update "hklm\System\CurrentControlSet\Services\TermServLicensing\Start"="3" reg update "hklm\System\CurrentControlSet\Services\TrkWks\Start"="3" reg update "hklm\System\CurrentControlSet\Services\TrkSrv\Start"="3" REM reg update "hklm\System\CurrentControlSet\Services\W3Svc\Start"="3" reg update "hklm\System\CurrentControlSet\Services\NetBT\Parameters\EnableLMHOSTS"="0" reg add "hklm\System\CurrentControlSet\Services\NetBT\Parameters\NodeType"="8" REG_DWORD