Windows 2000 Server Services, Part 2
By Jordan Ayala
Tools and tips for managing fundamental components of the Windows architecture
This article is from the November 2001 issue of Windows & .NET Magazine.
By default, Windows 2000 Server, Standard Edition (without service packs applied) installs 65 services. (The other Windows 2000 Server products and Windows 2000 Professional install different services. For descriptions of the 65 default services that Windows 2000 Server, Standard Edition installs, see Web Table 1 at https://www.win2000mag.com, InstantDoc ID 22762.) In "Win2K Server Services, Part 1," November 2001, I provide a definition of those services and what they do as well as tools and tips for how to manage them. With that foundation, you can begin to evaluate the services running on your system and tune them to your ideal configuration.
On This Page
What Installs Which Services?
What Can You Afford to Lose?
Security Tune-Up
Tune Up or Tune Out
What Installs Which Services?
To see which services Windows 2000 Server installs by default, I started with a clean Windows 2000 Server installation and accepted all the default settings (except that I opted to install the management and monitoring tools, which Windows 2000 Server doesn't install by default). Next, I ran the Active Directory Installation Wizard (dcpromo.exe) and accepted all the default settings. Using the wizard, I made the server the first domain controller (DC) in the new domain homedomain.com, and I installed DNS locally. The Active Directory (AD) installation process installed only one new service, the DNS Server service, which answers DNS name queries and update requests.
Although the AD installation added only one new service, it changed the Startup Type of several Windows 2000 Server default services from Manual or Disabled to Automatic. Table 1 lists the services AD depends on, with their startup type before and after dcpromo; most move to Automatic, and the few that stay at Manual are started on demand by the components that need them. None of these run in a default standalone server configuration unless you turn them on manually.
Table 1 Services that Change Status After AD Installation

| Service | Startup Type Before | Startup Type After |
|---|---|---|
| Distributed Link Tracking Server | Manual | Automatic |
| File Replication | Manual | Automatic |
| Intersite Messaging | Disabled | Automatic |
| Kerberos Key Distribution Center | Disabled | Automatic |
| Net Logon | Manual | Automatic |
| NTLM Security Support Provider | Manual | Manual |
| RPC Locator | Manual | Automatic |
| Telephony | Manual | Manual |
| Windows Installer | Manual | Manual |
| Windows Management Instrumentation (WMI) | Manual | Automatic |
| Windows Time | Manual | Automatic |
Finally, using the Control Panel Add/Remove Programs applet, I installed every possible native Windows service and accepted all the default configuration parameters. (Under most circumstances, I would never take this step on a production server. I did so in this case simply to research the services and their options.) This installation added 24 services to my system and changed the Startup Type parameter of the already installed Windows 2000 Server Terminal Services from Disabled to Automatic. Table 2 lists and describes the 24 services that this step added.
Table 2 Optional Windows 2000 Services

| Service | Description | Status | Startup Type | Logon Account |
|---|---|---|---|---|
| Boot Information Negotiation Layer | Lets you install Windows 2000 Pro on Preboot Execution Environment (PXE) remote boot-enabled client computers. | Not started | Manual | Local System |
| Certificate Services | Issues and revokes X.509 certificates for public key-based cryptography technologies. | Started | Automatic | Local System |
| DHCP Server | Provides dynamic IP address assignment and network configuration for DHCP clients. | Started | Automatic | Local System |
| File Server for Macintosh | Lets Macintosh users store and access files on the local server. | Started | Automatic | Local System |
| Internet Authentication Service (IAS) | Enables authentication, authorization, and accounting of dial-up and VPN users. IAS supports the Remote Authentication Dial-In User Service (RADIUS) protocol. | Started | Automatic | Local System |
| Message Queuing | Provides a communications infrastructure for distributed asynchronous messaging applications. | Started | Automatic | Local System |
| Network News Transfer Protocol (NNTP) | Transports network news across the network. | Started | Automatic | Local System |
| Online Presentation Broadcast | No description available. | Not started | Manual | Local System |
| Print Server for Macintosh | Lets Macintosh users send print jobs to a spooler on a Windows 2000 server. | Started | Automatic | Local System |
| Remote Storage Engine | Coordinates the services and administrative tools used for storing infrequently used data. | Started | Automatic | Local System |
| Remote Storage File | Manages operations on remotely stored files. | Started | Automatic | Local System |
| Remote Storage Media | Controls the media that stores remote data. | Started | Automatic | Local System |
| Remote Storage Notification | Notifies the client about recalled data. | Not started | Manual | Local System |
| Simple TCP/IP Services | Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. | Started | Automatic | Local System |
| Single Instance Storage Groveler | Scans Single Instance Storage volumes for duplicate files, and points duplicate files to one data storage point, conserving disk space. | Not started | Manual | Local System |
| Site Server Internet Locator Service (ILS) | Enables IP multicast for network conferencing. | Started | Automatic | Local System |
| TCP/IP Print Server | Provides a TCP/IP-based printing service that uses the Line Printer protocol. | Started | Automatic | Local System |
| Terminal Services Licensing | Installs a license server and provides registered client licenses when connecting to a terminal server. | Started | Automatic | Local System |
| Trivial FTP Daemon | Implements the Trivial FTP Internet standard, which doesn't require a username or password. Part of Remote Installation Services (RIS). | Not started | Manual | Local System |
| Windows Media Monitor | Monitors client and server connections to the Windows Media services. | Started | Automatic | .\NetShowServices |
| Windows Media Program | Groups Windows Media streams into a sequential program for the Windows Media Station service. | Started | Automatic | .\NetShowServices |
| Windows Media Station | Provides multicasting and distribution services for streaming Windows Media content. | Started | Automatic | .\NetShowServices |
| Windows Media Unicast | Provides Windows Media streaming content on demand to networked clients. | Started | Automatic | .\NetShowServices |
| WINS | Provides a NetBIOS name service for TCP/IP clients that must register and resolve NetBIOS-type names. | Started | Automatic | Local System |
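The procedure above (clean install, dcpromo, then Add/Remove Windows Components) produced Tables 1 and 2 by comparing the service list before and after each step. The following script does that comparison for you. It is an added example, not code from the original article: it assumes Windows PowerShell 5.1 or later on a current Windows version (the Win32_Service class also exists on Windows 2000, but PowerShell does not), and the file path is an assumption.

```powershell
# Added example (not from the original article): record the service
# configuration before a change (dcpromo, Add/Remove Windows Components,
# an application install) and diff it afterwards, so additions and
# startup-type changes like those in Tables 1 and 2 are recorded rather
# than guessed. Assumes Windows PowerShell 5.1+ on a current Windows
# version; the snapshot path is an assumption.

function Get-ServiceBaseline {
    # One record per installed service: name, startup type, logon account,
    # current state, and whether it may interact with the desktop.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, StartName, State, DesktopInteract |
        Sort-Object Name
}

function Format-ServiceState {
    param($Service)
    $text = "$($Service.StartMode) as $($Service.StartName)"
    if ($Service.DesktopInteract) { $text += ' (interacts with desktop)' }
    $text
}

function Save-ServiceBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ServiceBaseline | Export-Clixml -Path $Path
}

function Compare-ServiceBaseline {
    # Emits one object per service that was added, removed, or changed its
    # startup type, logon account, or desktop interaction since the baseline.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $before = @{}
    foreach ($s in (Import-Clixml -Path $BaselinePath)) { $before[$s.Name] = $s }
    $after = @{}
    foreach ($s in (Get-ServiceBaseline)) { $after[$s.Name] = $s }

    foreach ($name in ($after.Keys | Sort-Object)) {
        $new = $after[$name]
        if (-not $before.ContainsKey($name)) {
            [pscustomobject]@{ Service = $new.DisplayName; Change = 'Added'
                               Before = ''; After = (Format-ServiceState $new) }
            continue
        }
        $oldText = Format-ServiceState $before[$name]
        $newText = Format-ServiceState $new
        if ($oldText -ne $newText) {
            [pscustomobject]@{ Service = $new.DisplayName; Change = 'Changed'
                               Before = $oldText; After = $newText }
        }
    }
    foreach ($name in ($before.Keys | Sort-Object)) {
        if (-not $after.ContainsKey($name)) {
            [pscustomobject]@{ Service = $before[$name].DisplayName; Change = 'Removed'
                               Before = (Format-ServiceState $before[$name]); After = '' }
        }
    }
}

# Usage: take the snapshot, make the change, then compare.
#   Save-ServiceBaseline -Path C:\Admin\services-before.xml
#   ...run dcpromo, or add a Windows component...
#   Compare-ServiceBaseline -BaselinePath C:\Admin\services-before.xml | Format-Table -AutoSize
```

Keep the "before" snapshot with your change log; it is the quickest way to answer "what did that install turn on?" later, and the logon-account column shows at once whether an installer quietly added a service running as Local System.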
What Can You Afford to Lose?
With 90 services running on your Windows 2000 Server system, won't all that code bring your server to its knees? The answer depends on the server's horsepower. Most of these services don't drain system resources unless they're active. For example, if you don't maintain an active Web site on your server, having Microsoft IIS installed and running won't significantly slow your system's performance. Performance isn't the only consideration, though: an idle service that listens on the network still accepts connections and still exposes its code to anyone who can reach the port, so a service you don't use is safer removed or disabled than left running.
By default, many services are disabled or set to manual start, but the more services your server loads automatically, the more memory and CPU resources it uses during typical operation. Fewer running services leave more resources for the work the server is actually there to do. Therefore, set to automatic start only the services the server needs at boot, and disable, remove, or set to manual start the rest.
Table 3 Services You Might Disable or Remove

| Service | Considerations |
|---|---|
| Alerter | Disable only if you don't need the ability to send messages, such as "Shut down now," to users. |
| DHCP Client | Disable only if you're statically assigning IP addresses. |
| Distributed File System | Disable only if you aren't using DFS volumes. |
| DNS Client | Disable only in a development or test environment; domain members and DCs rely on it to resolve and dynamically register records in AD-integrated DNS. |
| IISAdmin | Disable only if you aren't running a Web server. However, be aware that many Windows 2000 components are Web based, and disabling this service might affect those components. |
| Messenger | Disabling this service might affect applications that need to send messages between systems or other applications. |
| Print Spooler | Disable only if the system isn't a print server. |
| Remote Registry | Lets remote users with the right permissions read and modify this server's registry. Disabling it closes that remote path; keep it only if your remote management or monitoring tools need it. |
| RunAs | Disable only if you don't need the Run As command to start an application under a different user security context. |
| SMTP | Disable only if you don't need SMTP. |
| SNMP | Disable only if you aren't running any SNMP-based management applications. However, most management applications use SNMP. |
However, be very careful about which services you disable or remove. A good rule of thumb is that if you don't know what it does, don't disable or remove it. Turning off a necessary or dependent service can crash an application, corrupt files, or cause your system to fail. Before you disable a service, check the Dependencies tab of its Properties window for other services that depend on it. Whether you can safely disable or remove a service depends on your server's configuration, but Table 3 shows services you might be able to turn off to boost performance (provided you've verified that the system or other applications aren't using the services).
To properly remove a service, use the Add/Remove Programs applet. Click Add/Remove Windows Components to launch the Windows Components Wizard, which presents a list of available Windows 2000 services. Currently installed services appear with selected check boxes. To remove a service, clear the service's check box; to modify a service, select its check box, then click Next to step through configuration for the services you selected (some services include multiple components). Be sure to clear a check box only if you want to remove that service.
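The two checks the paragraph asks for, "do I know what it does?" and "does anything depend on it?", can be scripted so that a disable never happens without them, and so that each change is logged for the troubleshooting the text describes. The following function is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and the log path is an assumption.

```powershell
# Added example (not from the original article): disable a service only after
# checking that it has a description you can evaluate and that no enabled or
# running service depends on it, then log the change so it can be reversed.
# Assumes Windows PowerShell 5.1+ in an elevated prompt; the log path is an
# assumption.

function Disable-ServiceSafely {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$LogPath = 'C:\Admin\service-changes.log',
        [switch]$WhatIf
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"

    # Rule of thumb from the text: if you don't know what it does, leave it alone.
    if ([string]::IsNullOrWhiteSpace($wmi.Description)) {
        Write-Warning "$($svc.DisplayName) has no description; leaving it alone."
        return $false
    }

    # Anything that depends on this service and is either running now or would
    # try to start later makes it a poor candidate for disabling.
    $blockers = @($svc.DependentServices | Where-Object {
        $_.Status -eq 'Running' -or $_.StartType -ne 'Disabled' })
    if ($blockers.Count -gt 0) {
        Write-Warning ("{0} is required by: {1}" -f $svc.DisplayName,
            (($blockers | ForEach-Object DisplayName) -join ', '))
        return $false
    }

    $entry = "{0:u} {1} ({2}) StartMode {3} -> Disabled, was {4}" -f
        (Get-Date), $svc.DisplayName, $svc.Name, $wmi.StartMode, $svc.Status
    if ($WhatIf) { Write-Host "WhatIf: $entry"; return $true }

    if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -ErrorAction Stop }
    Set-Service -Name $svc.Name -StartupType Disabled
    Add-Content -Path $LogPath -Value $entry   # the log is what you read when something breaks
    return $true
}

# Usage, for the Table 3 candidates:
#   Disable-ServiceSafely -Name RemoteRegistry -WhatIf
#   Disable-ServiceSafely -Name Spooler
```

Run it with -WhatIf first to see the log line it would write; the dependency check is the scripted equivalent of reading the Dependencies tab, and refusing to touch a service with no description enforces the rule of thumb above.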
Should you turn on any services that don't run by default? The answer depends on your situation. For example, you might want to enable the Indexing service, but this service slows server performance every time it indexes the server's content. If you need fax capability or RRAS functionality, you should turn on those services. Table 4 lists useful system services that you might want to enable.
Table 4 Useful System Services to Enable

| Service | Reason to Enable |
|---|---|
| Net Logon | Enable only if this server will support user logons. (AD installation turns it on automatically; see Table 1.) |
| NetMeeting Remote Desktop Sharing | Useful for supporting remote Help desk activities. |
| RRAS | Lets you support dial-in and Internet logons directly. |
| SNMP Trap | Necessary when running management applications that use SNMP. |
| Telnet | Useful for server access in a mixed Windows and UNIX environment. Telnet sessions are unencrypted, and with password (rather than NTLM) authentication the password itself crosses the network in cleartext, so limit it to trusted networks. |
| Windows Time | Lets other computers on the network sync their clocks to this server. Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), so keep it running in a domain. |
When tuning your system's services, perform a full backup before you significantly alter your server's configuration, and log every configuration change. Backups and logs are your primary vehicles for troubleshooting problems if a configuration change results in a broken application or performance degradation.
Security Tune-Up
Disabling security-related services on any server—but especially on a DC—sacrifices the system's protection and endangers your network environment. However, you can tune service settings to ease systems management.
In Part 1, I discussed how to create service accounts for applications and services. These accounts control the security context under which the applications and services run, help you control the access rights and interactivity of multiple related services, and secure the system's core management and application functions.
Using Windows 2000's native security object model, you can control access to individual server properties and actions. So, for example, you can control which services your Help desk technicians can access, what actions they can take, and even what management information they can view. By setting ACLs on individual services, you can delegate control and access rights to those services. Alternatively, you can use Microsoft BackOffice Server 2000 to determine, through logon credentials and locked-down Microsoft Management Console (MMC) files, what a technician has permission to do. For example, you can customize a context menu to display only Start Service (and not Stop). The Microsoft Windows 2000 Resource Kit Service ACL Editor tool also lets you administer services at a granular level. (For a complete list of related resource kit tools, see Part 1.)
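The "Start but not Stop" delegation described above is a service DACL edit: add an access-allowed ACE for the Help desk group that carries the start right but not the stop, pause, or change-config rights. The following function is an added example, not code from the original article or the resource kit tool; it uses sc.exe sdshow/sdset as shipped in current Windows versions (the Windows 2000 Resource Kit's Service ACL Editor covers the same ground), and the service name and group SID are assumptions.

```powershell
# Added example (not from the original article): delegate "start, but not
# stop or reconfigure" on one service to a Help desk group by adding an ACE
# to the service's DACL. Uses sc.exe sdshow/sdset from current Windows
# versions. The group SID and service name are assumptions.

function Grant-ServiceStartOnly {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$GroupSid   # e.g. SID of HOMEDOMAIN\HelpDesk
    )
    # sc sdshow prints the descriptor as SDDL, e.g.
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)...S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    $sddl = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "could not read the security descriptor of $ServiceName" }
    $sddl = $sddl.Trim()

    # Service rights in SDDL: CC query config, DC change config, LC query status,
    # SW enumerate dependents, RP start, WP stop, DT pause/continue, LO interrogate,
    # CR user-defined control, RC read control. Start-only = read rights + RP, no WP/DT/DC.
    $ace = "(A;;CCLCSWRPLORC;;;$GroupSid)"
    if ($sddl.Contains($ace)) { return $sddl }   # already delegated

    # Keep every existing ACE and the SACL; add the new ACE at the front of the DACL.
    $parts = $sddl -split '(?=S:)', 2
    $dacl = $parts[0]
    $sacl = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $newSddl = $dacl.Insert($dacl.IndexOf('('), $ace) + $sacl

    sc.exe sdset $ServiceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    return $newSddl
}

# Usage:
#   Grant-ServiceStartOnly -ServiceName Spooler -GroupSid 'S-1-5-21-1004336348-1177238915-682003330-1105'
#   sc.exe sdshow Spooler     # the new ACE appears first in the D: section
# A member of the group can now run "net start spooler"; "net stop spooler" is denied.
```

Because sdset replaces the whole descriptor, the function reads the existing SDDL and inserts one ACE rather than writing a descriptor from scratch; dropping the Local System or Administrators ACEs by accident would lock the SCM's own callers out of the service.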
You can set logon credentials for services, enter passwords, and set interaction with the desktop through the Log On tab of a service's Properties window. The logon account determines which rights a service or application has on your server, so for services that are potential security risks you can limit their access to server resources. Create a unique user account and manually assign it to the groups that carry the permissions the service needs, and nothing more. Create the account in Local Users and Groups. (If your system is a DC, it has no local accounts; create a unique domain account for the service rather than running it as a built-in system account.) Limit the account's functional scope as much as possible (e.g., grant it the Log on as a service right but no interactive logon, and no general server access unless the service requires it). Giving each service its own account with a strong password, rather than sharing one account among services, limits what an attacker who compromises one service can reach with its credentials and makes cracking your network more difficult.
However, creating a multitude of service accounts can result in a hassle when you must change accounts' passwords (according to your company's password policies). One option is to set these accounts' passwords to never expire. This setting protects you from finding yourself with a dead server if a password times out and prevents the associated service from logging on and running. But this setting is also a security risk: a service's logon password is stored on the server as an LSA secret, readable by anyone with administrative control of the host, and a password that never changes stays usable for as long as whoever recovers it cares to use it. Rather than create many accounts with passwords that don't expire, you can create a few, nonprivileged service accounts and develop a process for changing their passwords as needed: change the password on the account, update it on the Log On tab of every service that uses the account, then restart those services.
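The rotation process the paragraph calls for (change the account password, update every service that uses it, restart) is easy to get half done, which is exactly the dead-service scenario above. The following functions do all three steps in order and stop loudly if the middle one fails. They are an added example, not code from the original article; they assume Windows PowerShell 5.1 or later in an elevated prompt and a local service account (for a domain account, replace Set-LocalUser with Set-ADAccountPassword and keep the rest), and the account and service names are assumptions.

```powershell
# Added example (not from the original article): rotate a service account's
# password and push the new value into every service that logs on with it,
# which is the process the text recommends instead of "password never
# expires". Assumes Windows PowerShell 5.1+ in an elevated prompt and a
# local service account; the account name is an assumption.

function Get-ServicesUsingAccount {
    # StartName as stored by the SCM, e.g. '.\svc_backup' or 'HOMEDOMAIN\svc_backup'
    param([Parameter(Mandatory)][string]$Account)
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -eq $Account }
}

function Update-ServiceAccountPassword {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $services = @(Get-ServicesUsingAccount -Account $Account)
    if ($services.Count -eq 0) { throw "no service logs on as $Account" }

    # 1. Change the password on the account itself.
    $user = ($Account -split '\\')[-1]
    Set-LocalUser -Name $user -Password $NewPassword -ErrorAction Stop

    # 2. Update the logon password stored for each service. Win32_Service.Change
    #    returns 0 on success, 15 for "service logon failed", 22 for "invalid account".
    #    The plaintext is needed only for this call and is not written anywhere.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $results = foreach ($svc in $services) {
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName = $Account; StartPassword = $plain }
        [pscustomobject]@{ Service = $svc.Name; State = $svc.State; ReturnValue = $r.ReturnValue }
    }
    $failed = @($results | Where-Object { $_.ReturnValue -ne 0 })
    if ($failed.Count -gt 0) {
        # The account password has already changed; these services will fail to start
        # until fixed on their Log On tab, so name them explicitly.
        throw "password update failed (account already rotated) for: $(($failed | ForEach-Object Service) -join ', ')"
    }

    # 3. Restart the running ones now, so a bad credential shows up immediately
    #    rather than at the next reboot (the scenario described in the text).
    foreach ($svc in ($services | Where-Object { $_.State -eq 'Running' })) {
        Restart-Service -Name $svc.Name -ErrorAction Stop
    }
    $results
}

# Usage:
#   $pw = Read-Host -AsSecureString 'New password for svc_backup'
#   Update-ServiceAccountPassword -Account '.\svc_backup' -NewPassword $pw
```

Restarting immediately is the point: a service whose stored password no longer matches the account will keep running on its existing logon session until the next reboot, and the failure then surfaces at the worst possible time.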
Desktop interaction for a service means that the service can put its own windows on the interactive desktop, where anyone logged on at the console can use them. Selecting the Allow service to interact with desktop check box in the service's Properties window exposes the service's UI so that users can change the service's settings; because the option is available only for services running under the Local System account, that UI belongs to a process with full control of the machine. Leaving this check box clear prevents logged-on users from interfering with the service. Usually, you wouldn't change the interaction settings of common Windows components and services because doing so could have detrimental effects on your server's operation. However, in a development environment or if you're running an application as a service, permitting desktop interaction might be necessary to control a service or to provide user-input settings.
What if you mess up? You mistakenly set the Server service to log on under a user account with an expired password. Now, you find that you can't log on to your system. Don't panic. Reboot the server into Safe Mode, which is a minimal service and driver configuration. Through one of the various Safe Mode startup options, you can get back into Windows and fix your error.
Tune Up or Tune Out
You've learned your way around services' administration tools and interfaces, and now you know how to apply that knowledge through enabling and disabling services and tweaking services' security-related settings. You can use these articles as a Windows 2000 services primer to ease service management, and you can consult Windows Help and the resource kit documentation for more information about tuning your system's services.
© 2002 Windows & .NET Magazine. All rights reserved.