Threats and Countermeasures

Chapter 7: System Services

Published: December 27, 2005

System services are described differently than the other settings in this guide because the vulnerability, countermeasure, and potential impact statements are almost identical for all services.

When you first install Microsoft® Windows Server™ 2003 or Microsoft Windows® XP, some services are installed and configured to run by default when the computer starts. There are fewer default services than there were in Windows 2000 Server, and for Windows Server 2003 the specific services will vary in accordance with the role that is assigned to each server. You may not need all of the default services in your environment, and you should disable any unneeded services to enhance security.

This chapter will help identify the function and purpose of each service, and explain which services were left enabled in Windows Server 2003 and Windows XP to ensure application compatibility, client compatibility, or to facilitate computer system management. The Microsoft Excel® workbook "Windows Default Security and Services Configuration" (included with the downloadable version of this guide) documents the default system service settings.


Services Overview

A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account, it is likely that the service will fail. If you select an account that does not have permission to log on as a service, the Microsoft Management Console (MMC) Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows Server 2003 includes three built-in local accounts that are used as the logon accounts for various system services:

Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

Local Service account. The Local Service account is a special, built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

Network Service account. The Network Service account is also a special, built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

Important: If you change the default service settings, key services may not run correctly. It is especially important to use caution if you change the Startup type and Log on as settings of services that are configured to start automatically.

You can configure the system services settings in the following location within the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\System Services\

Vulnerability

Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows Server 2003, such as Certificate Services, that are not installed during a default installation of the operating system.

You can add these optional services to an existing computer through Add/Remove Programs in Control Panel or the Windows Server 2003 Configure Your Server Wizard. You can also create a customized automated installation of Windows Server 2003. In the Member Server Baseline Policy (MSBP) that is described in the Windows Server 2003 Security Guide (available at http://go.microsoft.com/fwlink/?LinkId=14845), these optional services and all unnecessary services are disabled.

Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.

Countermeasure

Disable all unnecessary services.

For each system service, you can assign a service state through Group Policy. The possible values for these Group Policy settings are:

Automatic

Manual

Disabled

Not Defined

Another way to manage service security is to configure an access control list (ACL) for each service with a user-defined list of accounts. This method provides a way to control launching of the service and access to the running service.  

Potential Impact

If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment.

Do Not Set Permissions on Service Objects

There are graphical user interface (GUI)–based tools that you can use to edit services. However, previous versions of these tools that were included with earlier versions of the Windows operating system (before Windows Server 2003) automatically apply permissions to each service when you configure any of the properties of a service. Tools such as the Group Policy Object Editor and the MMC Security Templates snap-in use the Security Configuration Editor DLL to apply these permissions.

For example, when you use the MMC Security Templates snap-in to configure the startup state of a service in Windows XP, the following dialog box will display:

Figure 7.1 Services Security Dialog Box

Regardless of whether you click OK or Cancel, the permissions will be applied to the service that is being configured. Unfortunately, the permissions that this dialog box proposes do not match the default permissions for most services that are included with Windows. In fact, the permissions will cause a variety of problems for many services. Microsoft recommends that you not alter the permissions on services that are included with Windows XP or Windows Server 2003 because the default permissions are already quite restrictive.

This functionality changed in Windows Server 2003, and its version of the Security Configuration Editor DLL does not force you to configure permissions when you edit the properties of a service. You have several different options to deal with this challenging situation:

Use the Security Configuration Wizard, an optional Windows component that is included with Windows Server 2003 Service Pack 1 (SP1). Microsoft recommends this approach when you need to configure services and network port filters for various Windows Server 2003 server roles.

Run the MMC Security Template snap-in and Group Policy Object Editor on a server that runs Windows Server 2003 with SP1. Microsoft recommends this approach when you need to configure services for security templates or Group Policies that will be applied to Windows XP.

Use a text editor such as Notepad to edit the security templates or Group Policies on a computer that runs Windows XP Professional. This method is the least desirable, but some customers may have no choice. Detailed instructions are provided in the following section.

Manually Editing Security Templates

Although you can use a text editor such as Notepad to manually edit them, security templates are complex files. Security templates that are created with an incorrectly defined template specification can make a computer unbootable. Although most types of mistakes will not cause such a serious problem, you must be patient and pay attention to detail if you need to manually edit security templates.

When you use one of the GUI–based tools to configure services in a security template, the configuration information is stored in the “Service General Setting” section of the file. The following sample text is from a security template in which the Alerter, ClipBook, and Computer Browser services have had their startup state configured to Disabled and the DHCP Client service has had its startup state configured to Automatic.

[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
ClipSrv,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Browser,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Dhcp,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The format for each entry includes three comma-separated fields.

The first field specifies the service name. For example, ClipSrv indicates the ClipBook service.

The second field defines the startup state:

4 specifies Disabled

3 specifies Manual

2 specifies Automatic

The third field defines the permissions for the service object in Security Descriptor Definition Language (SDDL).

You do not have to understand the details of SDDL to use the Security Configuration Wizard. You can find more information about SDDL in the article "Security Descriptor Definition Language" on MSDN® at http://msdn2.microsoft.com/en-us/library/Aa302364.

To resolve potential problems with permissions on the service objects, remove the SDDL string in the third field but leave the pair of double-quotation marks. The following example shows the correct text for the four referenced services:

[Service General Setting]
Alerter,4,""
ClipSrv,4,""
Browser,4,""
Dhcp,2,""

After you remove the SDDL information from all of the services in the security template, save the file. You can then apply the security template through any of the typical methods. Of course, it is extremely important that you test security templates thoroughly before you apply them to production computers.
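The following script performs the edit described above (and the check a careful editor would make before and after it) programmatically. It is an added example, not code from this chapter or from any Microsoft tool: the sample template text is constructed from the chapter's own listing, and the rights table is the documented meaning of the SDDL access-right letters when they are applied to service objects.

```python
"""Parse and sanitise the [Service General Setting] section of a security
template the way the chapter describes doing by hand in Notepad.

Added example; not code from the chapter or from any Microsoft tool."""
import re

STARTUP_STATES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Two-letter SDDL access rights, read as service-specific rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Constructed sample: two entries taken from the chapter's listing, with the
# line wrapping the printed page shows (a real template has one entry per line).
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Dhcp,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"""

ACE_RE = re.compile(r"\(([^)]*)\)")


def _walk(template_text):
    """Yield ("raw", line) outside the section and ("entry", text) for each
    complete entry inside it. Wrapped lines are joined until the quoted
    third field closes, so both one-line and wrapped listings parse."""
    in_section, pending = False, ""
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[service general setting]"
            yield "raw", raw
        elif not in_section or not line:
            yield "raw", raw
        else:
            pending += line
            if pending.count('"') % 2 == 0:  # quoted SDDL field is closed
                yield "entry", pending
                pending = ""


def service_entries(template_text):
    """Return [(service_name, startup_code, sddl)] for the section."""
    entries = []
    for kind, text in _walk(template_text):
        if kind == "entry":
            name, code, sddl = text.split(",", 2)
            entries.append((name, code, sddl.strip('"')))
    return entries


def decode_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the DACL of an SDDL string,
    ignoring the SACL (the part after 'S:')."""
    aces = []
    for ace in ACE_RE.findall(sddl.split("S:")[0]):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        if rights.startswith("0x"):           # raw hex mask, not letters
            decoded = [rights]
        else:
            decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)]
        aces.append((ace_type, trustee, decoded))
    return aces


def strip_service_sddl(template_text):
    """Return the template with every service entry reduced to name,code,""
    as the chapter recommends; every other section is copied unchanged."""
    out = []
    for kind, text in _walk(template_text):
        if kind == "entry":
            name, code, _sddl = text.split(",", 2)
            text = f'{name},{code},""'
        out.append(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, code, sddl in service_entries(SAMPLE_TEMPLATE):
        print(f"{name}: {STARTUP_STATES.get(code, code)}")
        for ace_type, trustee, rights in decode_dacl(sddl):
            print(f"  {ace_type} {trustee}: {', '.join(rights)}")
    print(strip_service_sddl(SAMPLE_TEMPLATE))
```

Templates saved by the MMC tools are Unicode (UTF-16) text files, so read and write them with that encoding when you apply this to a real .inf file.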

Descriptions of System Services

The following subsections describe the Windows Server 2003 and Windows XP services in alphabetical order. Services that are installed by default are included as well as additional services that can be added to the computer.

Note: If a service is not started, other services that depend on that service will also fail to start. Therefore, if you change the status of one service you may affect other seemingly unrelated services. Such dependencies exist for all of the services that are described in this section. To check the dependencies for a service, click the Dependencies tab of the service's properties dialog in the MMC Services snap-in.
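The dependency check in the note above can be applied to a whole change plan before anything is disabled. The following is an added example, not code from this chapter; its dependency map is constructed from relationships the chapter states in the service descriptions that follow (keyed by display name), where on a real computer the same data would come from each service's Dependencies tab.

```python
"""Work out what else stops working when a service is disabled.

Added example; not code from the chapter. DEPENDS_ON is constructed from
dependencies the chapter itself describes."""

# service -> the services it requires to start (constructed from the chapter)
DEPENDS_ON = {
    "ClipBook": {"Network DDE"},
    "System Event Notification": {"COM+ Event System"},
    "Volume Shadow Copy": {"COM+ Event System", "COM+ System Application"},
    "Windows Firewall": {"DCOM Server Process Launcher"},
    "Automatic Updates": {"Background Intelligent Transfer Service"},
}


def requirements_of(service, depends_on):
    """Transitive closure of the services `service` needs to start.
    The `seen` set makes this safe even if the map contains a cycle."""
    seen, stack = set(), [service]
    while stack:
        for dep in depends_on.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def dependents_of(service, depends_on):
    """Every service that directly or transitively requires `service`,
    i.e. everything that will fail to start if `service` is disabled."""
    return {svc for svc in depends_on
            if service in requirements_of(svc, depends_on)}


def check_plan(disable, keep, depends_on):
    """For each service you intend to keep, return the services in `disable`
    it cannot start without. An empty result means the plan is consistent."""
    problems = {}
    for svc in keep:
        broken = requirements_of(svc, depends_on) & set(disable)
        if svc in disable:            # kept and disabled at the same time
            broken = broken | {svc}
        if broken:
            problems[svc] = broken
    return problems


if __name__ == "__main__":
    plan = check_plan(disable={"COM+ Event System"},
                      keep={"Volume Shadow Copy", "Windows Firewall"},
                      depends_on=DEPENDS_ON)
    for svc, lost in sorted(plan.items()):
        print(f"{svc} would lose: {', '.join(sorted(lost))}")
    print("Disabling COM+ Event System also breaks:",
          sorted(dependents_of("COM+ Event System", DEPENDS_ON)))
```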

Alerter

The Alerter service notifies selected users and computers of administrative alerts. You can use this service to send alert messages to specified users that are connected on your network.

Alert messages warn users about security, access, and user session problems. Alert messages are sent from a server to a client computer, and the Messenger service must be running on the client computer for the user to receive alert messages. (The Messenger service is disabled by default in Windows XP and Windows Server 2003 so that malicious users cannot send false notifications.)

If the Alerter service is turned off, applications that use the NetAlertRaise or NetAlertRaiseEx application programming interfaces (APIs) will be unable to notify a user or computer—by means of a message box that the Messenger service displays—that the administrative alert took place. For example, many uninterruptible power supply (UPS) management tools use the Alerter service to notify administrators of significant events that are related to the UPS. If you want to use this service, you should configure its startup state to Automatic so that external components can use it when needed.

Application Experience Lookup Service

The Application Experience Lookup Service (AELookupSvc) is a part of the Application Compatibility Administrator. It processes application compatibility lookup requests for applications as they are launched, provides support for Windows Server 2003 computers on a domain, reports on compatibility issues, and automatically applies software updates to programs.

The Application Experience Lookup Service must be active for application compatibility software updates to be applied. You cannot customize this service; the operating system uses it internally. This service does not use any network, Internet, or Active Directory® directory service resources.

If you disable the Application Experience Lookup Service, the service will continue to run but no calls will be made to the service. You cannot stop the actual process.

Application Layer Gateway Service

The Application Layer Gateway Service is a subcomponent of the Windows networking subsystem. It provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet connection sharing. Application Layer Gateway (ALG) plug-ins can open ports and change data that is embedded in packets, such as ports and IP addresses. File Transfer Protocol (FTP) is the only network protocol that has a plug-in included with Windows Server 2003 Standard Edition and Windows Server 2003 Enterprise Edition.

The ALG FTP plug-in is designed to support active FTP sessions through the Network Address Translation (NAT) engine that is included with Windows. To do this, the ALG FTP plug-in redirects all traffic that passes through the NAT and that is destined for port 21 to a private listening port in the 3000-5000 range on the loopback adapter. The ALG FTP plug-in then monitors/updates traffic on the FTP control channel so that the FTP plug-in can plumb port mappings through the NAT for the FTP data channels. The FTP plug-in will also update ports in the FTP control channel stream.

If the Application Layer Gateway Service stops, network connectivity for the referenced protocols will be unavailable and adversely affect the network. For example, if you disable this service the Windows Messenger and MSN® Messenger instant messaging applications will fail.

Application Management

The Application Management service provides software installation services such as Assign, Publish, and Remove. It processes requests to enumerate, install, and remove applications that are deployed through an organization’s network. When you click Add in Add/Remove Programs in Control Panel on a domain-joined computer, the program calls this service to retrieve the list of your deployed applications. The service is also called when you use Add/Remove Programs to install or remove an application. It is also called when a component (such as the shell or COM) makes an install request for an application to handle a file extension, Component Object Model (COM) class, or ProgID that is not present on the computer. The service is started by the first call that is made to it, and it does not terminate after it is started.

Note: For more information about COM, COM classes, or ProgIDs, see the Software Development Kit (SDK) information in the MSDN Library on the Windows Resource Kits - Web Resources page at www.microsoft.com/windows/reskits/webresources.

If the Application Management service stops or if you disable it, users will be unable to install, remove, or enumerate applications that are deployed in Active Directory through Microsoft IntelliMirror® management technologies. If you disable this service, it will not retrieve deployed application information and this information will not appear in the Add New Programs section of Add/Remove Programs in Control Panel. The Add programs from your network dialog box will display the following message:

No programs are available on the network.

You cannot stop this service after it is started without restarting the computer. If you do not require this service and do not want it to start, you must disable it.

ASP .NET State Service

The ASP .NET State Service provides support for out-of-process session states for ASP.NET. ASP.NET has a concept of session state—a list of values that are associated with the client session is accessible from ASP.NET pages through the Session setting. Three options are provided to store the session data: in process, Microsoft SQL Server™ database, and out-of-process session state server.

The ASP.NET State Service stores session data out-of-process. The service communicates with ASP.NET, which runs on the Web server using sockets. If this service stops or if you disable it, no out-of-process requests will be processed. The executable code for this service is installed by default, but the service itself is disabled until you manually change its startup type to Automatic or Manual.

Automatic Updates

The Automatic Updates service enables the download and installation of security updates for Windows and Office. It automatically provides Windows computers with the latest updates, drivers and enhancements. You no longer need to manually search for security updates and information; the operating system delivers them directly to your computer. The operating system recognizes when you are online and uses your Internet connection to search for applicable updates from the Windows Update service. Depending on your configuration settings, the service will either notify you before download, before installation, or the service will automatically install updates for you.

You can turn off the Automatic Update feature through the System setting in Control Panel. Alternatively, you can right-click My Computer and then click Properties.

You can also use the MMC Group Policy Object Editor snap-in to configure an intranet server that is configured with Windows Server Update Services to host updates from the Microsoft Update sites. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

Note: For more information about Windows Server Update Services (WSUS), see the Windows Server Update Services Web site at http://technet.microsoft.com/en-us/wsus/default.aspx.

If the Automatic Updates service stops or if you disable it, updates will not be downloaded to the computer automatically. You will need to search for, download, and install applicable fixes through the Windows Update Web site at http://update.microsoft.com.

Background Intelligent Transfer Service (BITS)

The Background Intelligent Transfer Service is a background file transfer mechanism and queue manager. BITS transfers files asynchronously between a client and an HTTP server. By default, requests to BITS are submitted and the files are transferred through otherwise idle network bandwidth so that other network-related activities, such as browsing, are not affected.

BITS suspends the transfer if a connection is lost or if the user logs off. The BITS connection is persistent, and transfers information while the user is logged off, across network disconnects, and during computer restarts. When the user logs on, BITS resumes the user's transfer job.

BITS uses a queue to manage file transfers. You can prioritize transfer jobs within the queue and specify whether the files are transferred in the foreground or background. Background transfers are optimized by BITS, which increases and decreases (or throttles) the rate of transfer based on the amount of idle network bandwidth that is available. If a network application begins to consume more bandwidth, BITS decreases its transfer rate to preserve the user's interactive experience.

BITS provides one foreground and three background priority levels that you can use to prioritize transfer jobs. Higher priority jobs pre-empt lower priority jobs. Jobs at the same priority level share transfer time and round-robin scheduling prevents blockage of the transfer queue by a large job. Lower priority jobs do not receive transfer time until all higher priority jobs are complete or in an error state.

BITS is set to start manually on both Windows Server 2003 and Windows XP. It is started on demand when the first job is submitted. When all outstanding jobs are completed, BITS stops.

If BITS stops, features such as Automatic Update will be unable to automatically download programs and other information. This functionality means that the computer will also be unable to receive automatic updates from the organization’s Windows Server Update Services server if one has been configured through Group Policy. If you disable this service, any services that explicitly depend on it will fail to transfer files unless they have a fail-safe mechanism to transfer files directly through other methods, such as Internet Explorer.

Certificate Services

The Certificate Services service functions as part of the core operating system to enable a business to act as its own certificate authority (CA) and issue and manage digital certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IP Security (IPsec), and smart card logon. Windows Server 2003 supports multiple levels of a CA hierarchy and cross-certified trust network, including offline and online CAs.

Certificate Services is not installed by default. Administrators must install it through Add/Remove Programs in Control Panel. If Certificate Services stops or if you disable it after installation, certificate requests will not be accepted and certificate revocation lists (CRLs) and delta CRLs will not be published. If the service stops long enough for CRLs to expire, existing certificates will fail to validate.

Client Service for NetWare

Servers with the Client Service for NetWare service installed provide access to file and print resources on NetWare networks for interactively logged-on users. With Client Service for NetWare, you can access file and print resources on NetWare servers that run Novell Directory Services (NDS) or bindery security (NetWare versions 3.x or 4.x) from your computer.

Client Service for NetWare does not support the IP protocol and therefore cannot be used to interoperate with NetWare 5.x in an IP-only environment. To provide this capability, you must load the Internetwork Packet Exchange (IPX) protocol on the NetWare 5.x server or use a redirector that is compatible with NetWare Core Protocol (NCP) and supports native IP.

If the Client Service for NetWare service stops or if you disable it, you will lose access to file and print resources on NetWare networks unless you install the Novell Client for NetWare. This service is not installed or enabled by default.

ClipBook

The ClipBook service enables the ClipBook Viewer to create and share pages of data for review by remote users. This service depends on the Network Dynamic Data Exchange (NetDDE) service to create the actual file shares that other computers can connect to. The ClipBook application and service allow you to create the pages of data to share.

The ClipBook service is installed by default, but its startup state is configured to Disabled. When this service stops, the ClipBook Viewer will not be able to share information with remote computers. Clipbrd.exe can still be used to view the local Clipboard, which is where data is stored when a user highlights text and either clicks Copy from the Edit menu or presses CTRL+C on the keyboard.

Cluster Service

The Cluster Service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that work together to provide load balancing and failover support. Cluster-aware applications such as Microsoft Exchange Server and Microsoft SQL Server use the cluster to present a single virtual computer to users. The cluster software spreads data and computation tasks among the nodes of the cluster. When a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data and computation tasks to that node.

There are two different types of cluster solutions for the Windows platform that support different application styles: server clusters and Network Load Balancing (NLB) clusters. Server clusters provide a highly available environment for applications that must run reliably for long periods of time (such as databases or file servers), and provide failover support with tightly integrated cluster management. NLB clusters provide a highly available and highly scalable environment for other types of applications such as front-end Web servers, and load balance client requests among a set of identical servers.

The Cluster Service provides support for server clusters. It is the essential software component that controls all aspects of the cluster operation and manages the cluster database. Each node in a cluster runs one instance of the Cluster Service.

Windows Server 2003 supports up to eight-node server clusters in both the Enterprise Server and Datacenter Server editions of Windows. However, a cluster can only consist of nodes that run one Windows edition or the other; different editions cannot run within a single cluster.

Server clusters can have one of three different configurations:

Single node. These server clusters can be configured with or without external cluster storage devices. For single node clusters without an external cluster storage device, the local disk is configured as the cluster storage device. Use single node configurations to develop cluster-aware applications or use them in production to provide local health monitoring and restart capabilities to applications.

Single quorum device. These server clusters have two or more nodes and are configured so that every node is attached to one or more cluster storage devices. The cluster configuration data is stored on a single cluster storage device, which is known as the quorum disk.

Majority node set. These server clusters have two or more nodes in which the nodes may or may not be attached to one or more cluster storage devices. The cluster configuration data is stored on multiple disks across the cluster and the Cluster Service ensures that this data is kept consistent across the different disks.

The Cluster Service is not installed or enabled by default. If the Cluster Service stops after it is installed, clusters will be unavailable. For additional information about how to configure security for Windows clusters, review the relevant links in the "More Information" section at the end of this chapter.

COM+ Event System

The COM+ Event System service provides automatic event distribution to COM components that subscribe to it. COM+ events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system. The event system notifies event consumers as information becomes available, and does not repeatedly poll the server.

The COM+ Event System service handles most of the event semantics for the publisher and subscriber. Publishers offer to publish event types, and subscribers request event types from specific publishers. Subscriptions are maintained outside the publisher and subscriber and retrieved when needed, which simplifies the programming model for both. The subscriber does not need to contain the logic to build subscriptions—it is possible to build a subscriber as easily as a COM component. The life cycle of the subscription is separate from that of either the publisher or the subscriber. You can build subscriptions before either the subscriber or publisher are made active.

This service is installed by default, but is not started until an application requests its services. When COM+ Event System stops, the System Event Notification service will close and will not be able to provide logon and logoff notifications. The Volume Shadow Copy service, which is needed for Windows Backup and backup applications that rely upon the Windows Backup API, requires this service.

COM+ System Application

The COM+ System Application service manages the configuration and tracking of COM+-based components. If this service stops, most COM+-based components will not function properly. The Volume Shadow Copy service, which is needed for Windows Backup and backup applications that rely upon the Windows Backup API, requires this service. This service is installed and enabled by default.  

Computer Browser

The Computer Browser service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. Computers that are designated as browsers maintain browse lists, which contain all shared resources that are used on the network. Applications from earlier versions of Windows, such as My Network Places, the NET VIEW command, and Windows NT® Explorer, all require browsing capability. For example, if you open My Network Places on a Windows 95–based computer, a computer that is designated as a browser generates the list of domains and computers that displays.

There are several different roles a computer might perform in a browsing environment. Under some conditions, such as failure or shutdown of a computer that is designated for a specific browser role, browsers or potential browsers may change to a different operational role.

The Computer Browser service is enabled and started by default. If it stops, the browser list will not be updated or maintained.

Cryptographic Services

The Cryptographic Services service provides key-management services for your computer. Cryptographic Services is actually comprised of three different management services:

Catalog Database Service. This service adds, removes, and looks up catalog files, which are used to sign all the files in the operating system. Windows File Protection (WFP), Driver Signing, and setup use this service to verify signed files. You cannot stop this service during setup. If the service stops after setup, it will be started on demand.

Protected Root Service. This service adds and removes Trusted Root Certification Authority certificates. The service displays a message box with the certificate’s name and thumbprint. If you click OK, the certificate is added to or removed from your current list of trusted root authorities. Only the Local System account has write access to the list. If this service stops, the current user will not be able to add or remove Trusted Root Certification Authority certificates.

Key Service. This service allows administrators to enroll for certificates on behalf of the local computer account. The service provides several functions that are required for enrollment: enumeration of available certification authorities, enumeration of available computer templates, the ability to create and submit a certificate request in the local computer context, and so on. Only administrators may enroll on behalf of the local computer account. The Key Service also allows administrators to remotely install Personal Information Exchange (PFX) files on your computer. If this service stops, auto enrollment will not be able to automatically acquire the default set of computer certificates.

The Cryptographic Services service is enabled and started automatically by default. If it stops, the management services that are referenced in the preceding paragraphs will not function properly.

DCOM Server Process Launcher

In earlier versions of Windows, the Remote Procedure Call (RPC) service (RPCSS) ran as Local System. To reduce the attack surface of Windows and provide defense in depth, the RPC service functionality was split into two services in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

The RPCSS service retains all of the original functionality that did not require Local System privileges, and it now runs under the Network Service account. The DCOM Server Process Launcher (DCOMLaunch) service incorporates the functions of the old RPC service that required Local System privileges; it runs under the Local System account. This service is enabled and started by default.

If the DCOM Server Process Launcher service stops, remote procedure calls and DCOM requests on the local computer will not function properly. In particular, the Windows Firewall service will fail if this service stops.

DHCP Client

The DHCP Client service manages network configuration. It registers and updates IP addresses and DNS names for your computer. You do not have to manually change the IP settings for a client computer, such as a laptop, that connects from different locations throughout the network. The client computer is automatically given a new IP address, regardless of the subnet it reconnects to (if a DHCP server is accessible from the subnets). There is no need to manually configure settings for DNS or WINS. The DHCP server can provide these settings to the client if the DHCP server is configured to issue such information. To enable this option on the client, simply click the Obtain DNS Server Address Automatically option. No conflicts are caused by duplicate IP addresses.

If the DHCP Client service stops, your computer will not receive dynamic IP addresses and automatic dynamic DNS updates will stop being registered on the DNS server.

DHCP Server

The DHCP Server service allocates IP addresses and enables advanced configuration of network settings such as DNS servers and WINS servers to DHCP clients automatically. DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration information and provide the information to client computers. The server database includes the following:

Valid configuration parameters for all client computers on the network.

Valid IP addresses that are maintained in a pool for assignment to client computers, plus reserved addresses for manual assignment.

Duration of the lease offered by the server. The lease defines the length of time the assigned IP address is valid.

DHCP is an IP standard that is designed to reduce the complexity of address configuration administration. It uses a server computer to centrally manage IP addresses and other related configuration details for your network. The Windows Server 2003 family provides the DHCP service, which enables the server computer to perform as a DHCP server and configure DHCP-enabled client computers on your network as described in the current DHCP draft standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 2131.

DHCP includes the Multicast Address Dynamic Client Assignment Protocol (MADCAP), which is used to perform multicast address allocation. When registered client computers are dynamically assigned IP addresses through MADCAP they can participate efficiently in the data stream process, such as for real-time video or audio network transmissions.

With a DHCP server installed and configured on your network, DHCP-enabled client computers can obtain their IP addresses and related configuration parameters dynamically each time they start and join the network. DHCP servers provide this configuration in the form of an address-lease offer to the client computers.

If the DHCP Server service stops, the server will no longer issue IP addresses or other configuration parameters automatically. This service is only installed and activated if you configure a Windows Server 2003 computer as a DHCP server.

Distributed File System

The Distributed File System service manages logical volumes that are distributed across a local or wide area network (WAN) and is required for the Active Directory SYSVOL share. Distributed File System (DFS) is a distributed service that integrates disparate file shares into a single logical namespace.

This namespace is a logical representation of the network storage resources that are available to users on the network. If the Distributed File System service stops, you will be unable to access file shares or network data through the logical namespace. To access the data when the service is stopped, you will need to know the names of all the servers and all the shares in the namespace, and access each of these targets independently. This service is installed and run by default on Windows Server 2003 computers.

Distributed Link Tracking Client

The Distributed Link Tracking Client service maintains links between the NTFS file system (NTFS) files within your computer or across computers in your network domain. This service ensures that shortcuts and Object Linking and Embedding (OLE) links continue to work after the target file is renamed or moved.

When you create a shortcut to a file on an NTFS volume, distributed link tracking stamps a unique object identifier (ID) into the target file, which is known as the link source. The file that refers to the target file (known as the link client) also stores information about the object ID internally. Distributed link tracking can use this object ID to locate the link source file in the following scenarios:

When the link source file is renamed.

When the link source file is moved to another folder on the same volume or a different volume of the same computer.

When the link source file is moved to another computer in the network.

Note: Unless the computer is in a domain where the Distributed Link Tracking Server service is available, this form of link tracking is less reliable over time.

When the shared network folder that contains the link source file is renamed.

In a Windows 2000 or Windows Server 2003 domain in which the Distributed Link Tracking Server service is available, the link source file can be found in the following additional scenarios:

When the computer that contains the link source file is renamed.

When the volume that contains the link source file is moved to another computer within the same domain.

The scenarios that involve the Distributed Link Tracking Server service require that the client computer—the computer on which the Distributed Link Tracking Client service is running—have the DLT_AllowDomainMode system policy configured for clients that run Windows XP with SP1 or SP2. For all of the above scenarios, the link source file must be on an NTFS volume that runs either Windows 2000, Windows XP, or the Windows Server 2003 family. The NTFS volumes cannot be on removable media.

Note: The Distributed Link Tracking Client service monitors activity on NTFS volumes and stores maintenance information in a file called Tracking.log, which is located in a hidden folder called System Volume Information at the root of each volume. This folder is protected by permissions that allow only the computer to have access to it. The folder is also used by other Windows services, such as the Indexing Service.

If the Distributed Link Tracking Client service stops, any links to content on that computer will not be maintained or tracked.

Distributed Link Tracking Server

The Distributed Link Tracking Server service stores information so that files that are moved between volumes can be tracked for each volume in the domain. When enabled, the Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that have been moved to a location in another NTFS volume in the same domain.

The Distributed Link Tracking Server service is disabled by default. If you enable it, you must do so on all domain controllers of a domain. If the Distributed Link Tracking Server service is enabled on a domain controller that is upgraded to a newer version of Windows Server, the service must be re-enabled manually.

If the Distributed Link Tracking Server service is enabled, then the DLT_AllowDomainMode system policy must be enabled for Windows XP client computers to be able to use it. If the Distributed Link Tracking Server service is enabled and then later disabled, purge its entries in Active Directory. For more information, see the Microsoft Knowledge Base article “Distributed Link Tracking on Windows–based domain controllers” at http://support.microsoft.com/kb/312403/.

If the Distributed Link Tracking Server service stops or if you disable it, links that are maintained by the Distributed Link Tracking Client service will eventually become less reliable.

In Windows Server 2003, the Distributed Link Tracking Server service is installed but disabled by default.

Distributed Transaction Coordinator

The Distributed Transaction Coordinator service coordinates transactions that are distributed across multiple computers and/or resource managers, such as databases, message queues, file systems, and other transaction–based resource managers. This service is necessary if transactional components are to be configured through COM+. It is also required for transactional queues in Message Queuing (MSMQ) and SQL Server operations that span multiple computers.

The Distributed Transaction Coordinator service is installed and active by default. If it stops, transactions that use this service will not be executed. Clustered installations of Microsoft Exchange, SQL Server, or other applications that make use of transaction services may be affected if this service stops.

DNS Client

The DNS Client service resolves and caches DNS names for your computer. The DNS Client service must run on every computer that performs DNS name resolution. DNS name resolution is needed to locate domain controllers in Active Directory domains. The DNS Client service is also needed to enable location of the devices that are identified through DNS name resolution.

The DNS Client service that runs on Windows Server 2003 implements the following features:

System-wide caching. Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. This information is then cached for a specific Time to Live (TTL) and can be used again to answer subsequent queries.

RFC-compliant negative caching support. In addition to positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses.

A negative response results when an RR for the queried name does not exist. Negative caching prevents the repetition of additional queries for names that do not exist, which can adversely affect client computer performance. Any negative query information that is cached is kept for a shorter period of time than positive query information; by default, no more than five minutes. This configuration prevents stale negative query information from being continuously cached if the records later become available.

Avoidance of unresponsive DNS servers. The DNS Client service uses a server search list that is ordered by preference. This list includes all preferred and alternate DNS servers that are configured for each of the active network connections on the computer. Windows Server 2003 rearranges these lists based on the following criteria:

Preferred DNS servers are given first priority.

If no preferred DNS servers are available, then alternate DNS servers are used.

Unresponsive servers are removed temporarily from these lists.
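The caching and server-selection behaviour described in the list above, modelled as an added example (this is illustrative code written for this page, not Microsoft's DNS Client implementation). The class names, the explicit clock parameter, the 30-second hold-down for unresponsive servers, and the sample names and addresses are all assumptions; the five-minute cap on negative answers is the default the text states.

```python
"""Model of the DNS Client service's cache and server search list.

Added example, not Microsoft code. Times are passed in explicitly so the
behaviour is deterministic; names, addresses and the hold-down period are
constructed for illustration.
"""
from dataclasses import dataclass

# The page states negative answers are cached for no more than five minutes.
NEGATIVE_CACHE_MAX_TTL = 300


@dataclass
class CacheEntry:
    records: tuple   # empty tuple means a cached negative answer
    expires_at: float


class DnsClientCache:
    """System-wide cache: positive answers honour their TTL, negative
    answers are capped so an NXDOMAIN does not outlive a record that
    later appears."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _key(name, rtype):
        # DNS names are case-insensitive; a trailing dot is not significant.
        return (name.lower().rstrip("."), rtype.upper())

    def add_response(self, name, rtype, records, ttl, now):
        """Store a positive answer (records non-empty) or a negative one
        (records empty), applying the negative-cache cap."""
        if not records:
            ttl = min(ttl, NEGATIVE_CACHE_MAX_TTL)
        self._entries[self._key(name, rtype)] = CacheEntry(tuple(records), now + ttl)

    def lookup(self, name, rtype, now):
        """Return (hit, records). hit=True with records=() is a cached
        negative answer; hit=False means a server must be queried."""
        key = self._key(name, rtype)
        entry = self._entries.get(key)
        if entry is None or entry.expires_at <= now:
            self._entries.pop(key, None)   # drop the expired entry
            return False, ()
        return True, entry.records


class DnsServerList:
    """Preferred servers are tried first, then alternates; a server that
    failed to respond is set aside for a hold-down period (assumed 30 s)."""

    def __init__(self, preferred, alternate, holddown=30):
        self.preferred = list(preferred)
        self.alternate = list(alternate)
        self.holddown = holddown
        self._retry_after = {}   # server -> time it becomes eligible again

    def mark_unresponsive(self, server, now):
        self._retry_after[server] = now + self.holddown

    def order(self, now):
        """Search order for a query issued at time `now`."""
        usable = lambda s: self._retry_after.get(s, 0) <= now
        return [s for s in self.preferred if usable(s)] + \
               [s for s in self.alternate if usable(s)]


if __name__ == "__main__":
    now = 1000.0
    cache = DnsClientCache()
    cache.add_response("dc1.corp.example", "A", ["10.0.0.5"], ttl=3600, now=now)
    cache.add_response("nope.corp.example", "A", [], ttl=86400, now=now)
    print(cache.lookup("DC1.corp.example.", "A", now + 10))    # positive hit
    print(cache.lookup("nope.corp.example", "A", now + 301))   # negative entry expired
    servers = DnsServerList(["10.0.0.5", "10.0.0.6"], ["10.1.0.5"])
    servers.mark_unresponsive("10.0.0.5", now)
    print(servers.order(now))        # 10.0.0.5 skipped during hold-down
```

The negative-cache cap is the security-relevant detail: a long-lived cached "does not exist" for a domain controller's SRV record would keep clients from finding a newly registered controller, so the cap is deliberately short even when the server's SOA minimum TTL is long.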

If the DNS Client service stops, the computer will not be able to resolve DNS names or locate Active Directory domain controllers and users may not be able to log on to the computer.

DNS Server

The DNS Server service enables DNS name resolution. It answers queries and update requests for DNS names. DNS servers are needed to locate devices that are identified by their DNS names and to locate domain controllers in Active Directory.

If the DNS Server service stops or if you disable it, DNS updates will not occur. The DNS Server service does not need to run on every computer. However, if there is no authoritative DNS server for a particular portion of the DNS namespace, then the location of the devices that use DNS names in that portion of the namespace will fail. Absence of an authoritative DNS server for the DNS namespace that is used to name Active Directory domains will result in an inability to locate domain controllers in that domain.

The DNS Server service is only installed and activated if you configure a Windows Server 2003 computer as a DNS server.

Error Reporting Service

The Error Reporting Service collects, stores, and reports unexpected application errors or closures to Microsoft. It also authorizes error reporting for services and applications that run in non-standard environments. This service provides Microsoft product groups with efficient and effective information to debug driver and application faults.

You can configure error reporting to send Microsoft-specific error information and to generate reports for operating system errors, Windows component errors, or program errors. An operating system error causes the computer to display a stop screen with error codes. A program or component error causes the program or component to stop working.

If you have an Internet connection, you can report these errors directly to Microsoft. You can configure error reporting to respond to program errors in one of two ways: as soon as an error occurs, the Error Reporting dialog box can prompt any user to send the error to Microsoft, or the next time an administrator logs on, the Error Reporting dialog box can prompt the administrator to send the error report to Microsoft.

Windows treats operating system errors and unplanned shutdowns differently from the way it treats program errors. When operating system errors or unplanned shutdowns occur, Windows writes the error information to a log file. The next time an administrator logs on, the Error Reporting dialog box prompts them to report the error. When you send an error report to Microsoft through the Internet, you provide technical information that people at Microsoft use to enhance future versions of the product. This data is used for quality control purposes only and is not used to track individual users or installations for any marketing purpose. If information is available to help you solve the problem, Windows displays an additional Error Reporting dialog box with a link to that information.

Alternatively, if your organization has configured Group Policy, administrators in your IT department can use Corporate Error Reporting to collect and report only those errors that they think are important. To configure workstations and servers for Corporate Error Reporting, administrators can enable the Report Errors policy setting and configure the Corporate upload file path to the local file server where the Corporate Error Reporting tool is installed. When errors occur, information is automatically redirected to this file server. Administrators can then review the error information, identify the important data, and submit it to Microsoft with the Corporate Error Reporting tool. You can download the Corporate Error Reporting tool from the Office XP Resource Kit Web site at www.microsoft.com/office/ork/xp/default.htm.

If the Error Reporting Service stops, error reporting will not occur. If the Display Error Notification setting is enabled in the Error Reporting dialog box, users will still see a message that indicates a problem occurred, but they will not have the option to report this information to Microsoft or a local network share. This service is installed and run by default.

Event Log

The Event Log service enables event log messages that are issued by Windows–based programs and components to be viewed in Event Viewer. These event log messages contain information that can help diagnose problems with applications, services, and the operating system. The logs can be viewed through the Event Log APIs or through the MMC Event Viewer snap-in.

By default, a computer that runs a Windows Server 2003 family operating system records events in three different logs:

Application log. This log records application program events. For example, a database program might record a file error in the Application log. Program developers decide which events to log.

Security log. This log records events such as valid and invalid logon attempts, as well as events that are related to resources—such as when files or other objects are created, opened, or deleted. For example, if you enable logon auditing, attempts to log on to the computer are recorded in the Security log.

System log. This log records events that relate to Windows components. For example, the System log would record the failure of a driver or other component to load during startup. The event types that are logged by Windows components are predetermined by the server.

A Windows Server 2003–based computer that is configured as a domain controller records events in two additional logs:

Directory service log. This log records events that relate to Active Directory. For example, connection problems between the server and the global catalog are recorded in the Directory service log.

File Replication service log. This log records Windows File Replication service events. For example, file replication failures and events that occur while domain controllers are being updated with information about system volume changes are recorded in the File Replication log.

A computer that runs Windows and is configured as a DNS server records events in an additional log:

DNS Server log. This log contains events that are logged by the Windows DNS service.

You cannot stop the Event Log service. If you disable the service, it would be impossible to track events, which will significantly reduce the ability to successfully diagnose computer problems. Also, security events would not be audited, and you would not be able to view previous event logs with the MMC Event Viewer snap-in.

Fast User Switching Compatibility

The Fast User Switching Compatibility service provides management for applications that require assistance in a multiple user environment. The Fast User Switching feature in Windows XP allows multiple users who are logged on to the computer at the same time to easily switch between sessions. They do not need to shut down applications and log off.

Many programs were not designed to run in a multiple-user environment, and they can experience problems when multiple users log on to the computer. The Fast User Switching Compatibility service performs one of four different actions when a specific problematic program is in use and when Fast User Switching is activated:

With Type 1 programs, the service will allow the user to close down the first instance of these programs when a second instance is launched. This action is the least intrusive, but requires the user to have administrative privileges.

With Type 2 programs, the service closes them when the session is disconnected (either by a "Switch User" action or when the computer returns to the Welcome screen after the screen saver is dismissed).

With Type 3 programs, the service closes them when the session is disconnected and restarts them when the user reconnects to their session. This option is good for programs that use resources that are not easily shared across multiple sessions, such as COM ports.

With Type 4 programs, the service closes them when another user logs on. This option addresses programs that can be intrusive to the computer but do not need to be closed upon return to the Welcome screen. The program will continue to run when the user disconnects and will only be closed when another user logs on.

If you disable the Fast User Switching Compatibility service, some applications might not work properly on a computer that has the Fast User Switching feature enabled.

Fax Service

The Fax Service, a Telephony Application Programming Interface (TAPI)-compliant service, provides fax capabilities from users’ computers. The Fax Service allows users to send and receive faxes from their desktop applications through either a local fax device or a shared network fax device. The service offers the following features:

Send and receive faxes

Track and monitor fax activity

Inbound fax routing

Server and device configuration management

Archiving of sent faxes

If you disable the print spooler or telephony service, the Fax Service will not start successfully. If this service stops, users will not be able to send or receive faxes. The Fax Service stops when there is no fax activity and is restarted on an as-needed basis.

File Replication

The File Replication service allows files to be automatically copied and maintained simultaneously on multiple servers. The File Replication Service (FRS) is the automatic file replication service in Windows 2000 and the Windows Server 2003 family, and its function is to replicate the contents of the system volume (SYSVOL) between all domain controllers in a domain. It can also be configured to replicate files among alternate targets that are associated with the fault-tolerant DFS.

If the File Replication service stops, file replication will not occur and server data will not synchronize. Also, a domain controller’s ability to function could be seriously affected if this service stops. The File Replication service is installed by default on Windows Server 2003, but its startup state is configured to Manual.

File Server for Macintosh

The File Server for Macintosh service enables Macintosh computer users to store and access files on computers that run Windows Server 2003. If you turn off this service, Macintosh client computers will not be able to store and access files on Windows Server 2003–based computers. This service is not installed or started by default.

FTP Publishing Service

The FTP Publishing Service provides FTP connectivity and administration through the Microsoft Internet Information Server (IIS) snap-in. Features include the ability to throttle bandwidth, security accounts, and extensible logging. This service includes the new FTP User Isolation feature, which allows users to access only their files on an FTP site. Also, there is improved international support.

If the FTP Publishing Service stops, the server cannot function as an FTP server. This service is not installed by default.

Help and Support

The Help and Support service allows the Help and Support Center application to run on users’ computers, supports the application, and enables communication between the client application and the help data. This service provides access to stores and services such as the taxonomy database that contains metadata and information about the help topics, the support automation framework that enables data collection for registered support providers, user history and preference information, and the search engine manager. When you interact with the Help and Support Center features such as search, index, or table of contents, the service allows for data transaction support of all these features.

If the Help and Support service is configured to Manual, the service will start if a user accesses the Help and Support Center from the desktop. If you disable or stop this service, the Help and Support Center application will be essentially unusable and users will see the following message:

Windows cannot open Help and Support because a system service is not running

Users will be able to access some high-level topics that might be cached on the local computer, but most of the Help and Support Center application features (including Remote Assistance) cannot function if the Help and Support service is not enabled. However, users can still view the *.HLP and *.CHM files that are located in the Windows\Help folder. The Help and Support service is installed and started automatically by default in both Windows XP and Windows Server 2003.

HTTP SSL

The HTTP SSL service enables IIS to perform Secure Sockets Layer (SSL) functions. SSL is an open standard that establishes secure communications channels to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.

If the HTTP SSL service stops, IIS will not be able to perform SSL functions. This service is installed when IIS is installed and is not present or active otherwise.

Human Interface Device Access

The Human Interface Device Access service enables generic input access to Universal Serial Bus (USB) devices such as keyboards and mice. The service activates and maintains predefined hot buttons on keyboards, remote controls, and other multimedia devices. This service is installed and started by default on Windows XP and Windows Server 2003 computers.

If the Human Interface Device Access service stops, hot buttons that are controlled by this service will no longer function. For instance, hotkey buttons for back, forward, volume, previous track, etc. on USB keyboards and volume buttons on USB speakers will not function.

IAS Jet Database Access

The IAS Jet Database Access service uses the Remote Authentication Dial-in User Service (RADIUS) protocol to provide authentication, authorization, and accounting services. It is only available in 64-bit versions of Windows. With Internet Authentication Services (IAS), you can centrally manage user authentication, authorization, and accounting. You can also use IAS to authenticate users against domain controllers that run Windows NT® 4.0, Windows 2000, or Windows Server 2003 operating systems. IAS works equally well in homogeneous and heterogeneous networks.

IAS can be used as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, IAS is a central switch or routing point through which RADIUS access and accounting messages flow. IAS records information in an accounting log about the messages that are forwarded.

A RADIUS authentication, authorization, and accounting infrastructure consists of the following components:

There are two IAS Jet databases. Ias.mdb is used to configure IAS, and Dnary.mdb is used to validate the dictionary that IAS uses to track the vendor specific attributes of RADIUS-compatible network access servers. Do not modify the Jet databases.

If the IAS Jet Database Access service stops, remote network access that requires user authentication will be unavailable. For example, remote access dial-up, VPN, wireless LAN (802.1x), and Ethernet 802.1x LAN access will not work. If you disable this service, both the Routing and Remote Access Service (RRAS) and IAS services will not start. You will also be unable to administer RRAS or IAS either locally or remotely. This service is not installed by default on any version of Windows; it is only available on the Itanium–based versions of the Windows Server 2003 family.

IIS Admin Service

The IIS Admin Service allows administration of IIS components such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If you stop or disable this service, you will not be able to run Web, FTP, NNTP, or SMTP sites.

In Windows 2000, the IIS Admin Service and related services are installed by default. In the Windows Server 2003 family, you must install the IIS components through Add/Remove Windows Components or Configure Your Server.

IMAPI CD-Burning COM Service

The IMAPI CD-Burning COM Service manages the creation of CDs through the Image Mastering Applications Programming Interface (IMAPI) COM interface and performs CD-Recordable (CD-R) writes when requested by the user through Windows Explorer, Windows Media® Player (WMP) or third-party applications that use this API. IMAPI allows an application to stage and burn simple audio or data images to CD-R and CD Rewritable (CD-RW) devices. The API supports Redbook audio and data disc formats with both Joliet and ISO 9660. The architecture allows for future expansion of the supported format set.

If the IMAPI CD-Burning COM Service stops or if you disable it, your computer will be unable to record CDs with the built-in features of Windows XP and Windows Server 2003. If you turn off this service and use a third party CD-RW application, your ability to record CDs will not be affected (if the third-party software does not rely on the service). If this service is started after logon, you must log off of your computer and then log back on to write data to CD-R media with your CD-R device through Windows Explorer. This service is installed by default on Windows XP, but it is not started until a user requests CD-R writing through Windows Explorer. It is installed but disabled by default on Windows Server 2003.

Indexing Service

The Indexing Service indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The Indexing Service also enables quick document search capability on local and remote computers and a search index for content that is shared on the Web. The service builds indexes of all textual information in files and documents. After the initial index build is complete, the Indexing Service maintains its indexes whenever a file is created, modified, or deleted.

Initial indexing can be resource-intensive. By default, the Indexing Service is set to start manually. When the service is active it will index only when the computer is idle, although you can use the MMC Index snap-in to configure the service to work at non-idle times. MMC also allows you to optimize the service's resource allocation configuration for query or indexing usage patterns.

If the Indexing Service stops, text-based searches will be slower.

Infrared Monitor

The Infrared Monitor service enables you to share files and images through infrared connections. This service is installed by default on Windows XP if an infrared device is detected during operating system installation. This service is not available on Windows Server 2003 Web, Enterprise, or Datacenter Server editions.

If the Infrared Monitor service stops, files and images cannot be shared through infrared connections.

Internet Authentication Service

The Internet Authentication Service (IAS) performs centralized authentication, authorization, audit, and accounting of users who connect to a network—either LAN or remote—through VPN equipment, Remote Access Equipment (RAS), or 802.1x Wireless and Ethernet/Switch Access Points.

IAS implements the IETF standard RADIUS protocol, which enables heterogeneous network access equipment. If IAS stops or if you disable it, authentication requests will fail over to a backup IAS server, if it is available. If no backup IAS servers are available, users will not be able to connect to the network. This service must be installed manually and is only available on members of the Windows Server 2003 family.

Intersite Messaging

The Intersite Messaging service enables message exchanges between computers that run Windows Server sites. This service is used for mail-based replication between sites. Active Directory includes support for replication between sites through SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS.

The set of transports that are used for communication between sites must be extensible. Therefore, each transport is defined in a separate add-in dynamic link library (DLL) file. These add-in DLL files are loaded into the Intersite Messaging service, which runs on all domain controllers that can perform communication between sites. The Intersite Messaging service directs send and receive requests to the appropriate transport add-in DLL files, which then route the messages to the Intersite Messaging service on the destination computer.

If the Intersite Messaging service stops, messages will not be exchanged, intersite messaging replication will not work, and site-routing information will not be calculated for other services. This service is installed by default on Windows Server 2003 computers, but it is disabled until the server is promoted to the domain controller role.

IP Version 6 Helper Service

The IP Version 6 Helper Service offers Internet Protocol version 6 (IPv6) connectivity over an Internet Protocol version 4 (IPv4) network. IPv6 is a new suite of standard protocols for the network layer of the Internet. It is designed to solve many IPv4 problems with regard to address depletion, security, auto-configuration, and extensibility. This service, often referred to as "6to4," allows IPv6-enabled sites and hosts to communicate through IPv6 over an IPv4 infrastructure—for example, the Internet. IPv6 sites and hosts can use their 6to4 address prefix and the Internet to communicate. They do not need to obtain an IPv6 global address prefix from an Internet service provider (ISP) and connect to the 6bone—the IPv6-enabled portion of the Internet.

6to4 is a tunneling technique that is described in RFC 3056. 6to4 hosts do not require any manual configuration and use standard auto-configuration to create 6to4 addresses. 6to4 uses the global address prefix of 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of a public IPv4 address (w.x.y.z) that is assigned to a site or host, also known as the Next Level Aggregator (NLA) portion of a 6to4 address.
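As an added example (not code from the guide), the following Python derives a site's 2002:WWXX:YYZZ::/48 prefix from its public IPv4 address and recovers the embedded IPv4 address from any 6to4 address found in log lines, which is how a defender traces tunneled IPv6 traffic back to the IPv4 host that actually carries it. The addresses and log lines are constructed samples; RFC 5737 documentation addresses stand in for public ones, and all function names are my own.

```python
"""6to4 address handling per RFC 3056: derive a site prefix from a public IPv4 address,
and recover the IPv4 address embedded in a 6to4 address seen in logs.

Added example; not code from the guide. Sample addresses and log lines are constructed.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # the 6to4 global prefix from RFC 3056

# Ranges that can never be the public IPv4 address a 6to4 prefix is built from.
# (This short list deliberately lets the RFC 5737 documentation ranges used in the
# samples below stand in for public addresses; ipaddress.is_global would reject them.)
_NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def ipv4_to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix for a public IPv4 address w.x.y.z."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in _NOT_PUBLIC):
        raise ValueError(f"{ipv4} is not public; 6to4 needs a globally routable IPv4 address")
    w, x, y, z = addr.packed
    # WWXX:YYZZ is just the four octets written as two colon-hexadecimal groups.
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")


def embedded_ipv4(ipv6: str):
    """For a 6to4 address, return the embedded public IPv4 address as a string; else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    # Bytes 2..5 of the 128-bit address are the NLA portion holding w.x.y.z.
    return str(ipaddress.IPv4Address(addr.packed[2:6]))


# Constructed firewall-style log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2005-12-27 10:01:05 src=2002:c000:0201::1 dst=2001:db8::10 proto=tcp dport=445 action=allow",
    "2005-12-27 10:01:09 src=2001:db8:1::5 dst=2001:db8::10 proto=tcp dport=80 action=allow",
    "2005-12-27 10:02:13 src=2002:c633:6407:1::20 dst=2001:db8::10 proto=tcp dport=3389 action=deny",
]


def sixtofour_sources(lines):
    """Map every 6to4 address found in the log lines to the IPv4 host that tunnels it."""
    found = {}
    for line in lines:
        for token in line.replace("=", " ").split():
            try:
                addr = ipaddress.IPv6Address(token)
            except ValueError:
                continue  # timestamps, key names, ports: not IPv6 literals
            v4 = embedded_ipv4(str(addr))
            if v4 is not None:
                found[str(addr)] = v4
    return found


if __name__ == "__main__":
    print(ipv4_to_6to4_prefix("192.0.2.1"))  # 2002:c000:201::/48
    for v6, v4 in sixtofour_sources(SAMPLE_LOG).items():
        print(f"{v6} is 6to4 traffic from IPv4 host {v4}")
```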

The IPv6 Helper Service also supports 6over4, also known as IPv4 multicast tunneling, a technique that is described in RFC 2529. 6over4 allows IPv6 and IPv4 nodes to communicate through IPv6 over an IPv4 infrastructure. 6over4 uses the IPv4 infrastructure as a multicast-capable link. For 6over4 to work correctly, the IPv4 infrastructure must be IPv4 multicast-enabled.

If the IP Version 6 Helper Service stops, the computer will only have IPv6 connectivity if it is connected to a native IPv6 network. This service is not installed or activated by default.

IPSec Policy Agent (IPSec Service)

The IPSec Policy Agent (IPSec Service) service provides end-to-end security between clients and servers on TCP/IP networks, manages IPsec policy, starts the Internet Key Exchange (IKE), and coordinates IPsec policy settings with the IP security driver. The service is controlled by using the NET START or NET STOP command.

IPsec operates at the IP layer and is transparent to other operating system services and applications. The service provides packet filtering, and can negotiate security between computers on IP networks. You can configure IPsec to provide:

Packet filtering with actions to permit, block, or negotiate security.

Negotiated trust and secure IP communication. The IKE protocol mutually authenticates the sender and receiver of IP data packets based on policy settings. Authentication can use the Kerberos authentication protocol, digital certificates, or a shared secret key (password). IKE automatically generates cryptographic keys and IPsec security associations.

Protection of IP packets with IPsec secure formats that provide cryptographic integrity, authenticity, and (optionally) encryption of IP packets.

Secure end-to-end connections through IPsec transport mode.

Secure IP tunnels through IPsec tunnel mode.

IPsec also provides security for Layer Two Tunneling Protocol (L2TP) VPN connections.

If the IPSec Policy Agent (IPSec Service) service stops, it will impair TCP/IP security between clients and servers on the network. This service is installed and activated by default on Windows Server 2003 and Windows XP computers.

Kerberos Key Distribution Center

The Kerberos Key Distribution Center service enables users to log on to the network and be authenticated by the Kerberos v5 authentication protocol.

As in other implementations of the Kerberos protocol, the Kerberos Key Distribution Center (KDC) is a single process that provides two services:

Authentication Service. This service issues ticket-granting tickets (TGTs) for connection to the ticket-granting service in its own domain or in any trusted domain. Before a client computer can request a ticket to another computer, it must request a TGT from the authentication service in its account domain. The authentication service returns a TGT for the ticket-granting service in the target computer’s domain. The TGT can be reused until it expires, but first access to any domain’s ticket-granting service always requires the client computer to contact the authentication service in its account domain.

Ticket-Granting Service (TGS). This service issues tickets for connection to computers in its own domain. When a client computer wants to access another computer, it must request a TGT and ask for a ticket to the computer. The ticket can be reused until it expires, but first access to any computer always requires contact with the ticket-granting service in the target computer’s account domain.

If the Kerberos Key Distribution Center service stops, users will be unable to log on to the network and access resources. This service is installed on all Windows Server 2003 computers, but it only runs on domain controllers. If you disable this service, users will not be able to log on to the domain.

License Logging Service

The License Logging Service monitors and records client access license information. It works with portions of the operating system, such as IIS, Terminal Services, file and print sharing, and also with products that are not a part of the operating system, such as SQL Server or Microsoft Exchange server.

If the License Logging Service stops or if you disable it, licensing will be enforced but will not be monitored. This service is disabled by default on Windows Server 2003 computers.

Logical Disk Manager

The Logical Disk Manager service detects and monitors new hard disk drives and sends disk volume information to the Logical Disk Manager Administrative Service for configuration. This service monitors Plug and Play events to detect new drives and uses an administrator service and a watchdog service. Do not disable the service if dynamic disks are present in the computer.

The Logical Disk Manager service runs by default on Windows Server 2003 and Windows XP computers. If it stops, dynamic disk status and configuration information might become outdated. For example, hard disk drives will not be detected. The administrator service and the watchdog service are essentially one component. The administrative service only starts when you configure a drive, partition, or when a new drive is detected.

Logical Disk Manager Administrative Service

The Logical Disk Manager Administrative Service performs administrative services for disk management requests and configures hard disk drives and volumes. It only starts when you configure a drive or partition, or when a new drive is detected. This service does not start by default, but is activated whenever dynamic disk configuration changes occur or when the MMC Disk Management snap-in or the Diskpart.exe tool is opened. Changes that can activate this service include conversions of basic disks to dynamic, recovery of fault-tolerant volumes, volume formatting, or changes to a page file.

The Logical Disk Manager Administrative Service only runs for configuration processes and then stops. If you disable this service, attempts to use the MMC Disk Management snap-in to configure disks will display the following error message:

Unable to connect to Logical Disk Manager service

Machine Debug Manager

The Machine Debug Manager service manages local and remote debugging for a number of applications, including the Microsoft Script Editor, various versions of the Office application suite, and Microsoft Visual Studio.

If you disable the Machine Debug Manager service, attempts to debug scripts or processes will fail and display the following error message:

Unable to start debugging. The Machine Debug Manager Service is disabled.

Also, users will not be given the opportunity to debug script errors in Web pages.

Message Queuing

The Message Queuing service is a messaging infrastructure and development tool that can be used to create distributed messaging applications for Windows. Such applications can communicate across heterogeneous networks and send messages between computers that may be temporarily unable to connect to each other. This service provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It also supports the ability to send messages within transactions, and it provides both Microsoft Win32® and COM APIs for all programmatic functionality, including administration and management.

The implementation of the remote read features in the Windows XP version of the Message Queuing service allows unauthenticated users to connect to queues. A malicious user could purge a queue and create a denial of service condition. Also, Message Queuing remote read data is transmitted over the network in plaintext, which means it could be read by a malicious user who is able to capture network data.

For these reasons, Microsoft recommends that you not install the Message Queuing service on Windows XP computers that are exposed to untrusted networks such as the Internet. The service is not installed by default in Windows XP, so most organizations should be protected from this vulnerability already.

If the Message Queuing service stops, distributed messages will be unavailable. If you disable this service, any services that explicitly depend on it will not start. Also, COM+ Queued Component (QC) functionality, some functionality of Windows Management Instrumentation (WMI), and the Message Queuing Triggers service will be affected. This service is not installed by default on Windows Server 2003 computers.

Message Queuing Down Level Clients

The Message Queuing Down Level Clients service provides Active Directory access for Windows NT 4.0, Windows 9x, and Windows 2000 clients that use the Message Queuing service on domain controllers. The Message Queuing service optionally uses information that is published in Active Directory to obtain routing information for security-related objects, such as destination public keys, and to learn about public queues. If you install Message Queuing in workgroup mode, then Active Directory is never accessed. This service is only required on Windows Server 2003 domain controllers that run the Message Queuing service.

If the Message Queuing Down Level Clients service stops on a domain controller, then versions of the Microsoft Message Queuing client earlier than version 3.0 will not be able to obtain Active Directory services on the specified domain controller for public queue discoverability, message routing, and site recognition. This service is not installed by default on Windows Server 2003 computers.

Message Queuing Triggers

The Message Queuing Triggers service provides a rule-based system to monitor messages that arrive in a Message Queuing service queue and, when the conditions of a rule are satisfied, invoke a COM component or a stand-alone executable program to process the message.

The Message Queuing Triggers service is installed as an integral part of the Message Queuing service, which is an optional Windows component that is available on all versions of Windows except Windows XP Home Edition.

If the Message Queuing Triggers service stops, you will not be able to apply rule-based monitoring or invoke programs to process messages automatically. This service is not installed by default on Windows Server 2003 computers.

Messenger

The Messenger service sends messages to or receives messages from users, computers, administrators, and the Alerter service. This service is not related to Windows Messenger, a free instant-messaging service that is available through MSN.

If you disable the Messenger service, notifications cannot be sent to or received by the computer or by users who are currently logged on. Also, the NET SEND and NET NAME shell commands will no longer function. This service is installed but disabled by default on Windows Server 2003 and Windows XP computers.

Microsoft POP3 Service

The Microsoft POP3 Service provides e-mail transfer and retrieval services. Administrators can use this service to store and manage e-mail accounts on a mail server. When you install the Microsoft POP3 Service on a mail server, users can connect to that server and retrieve e-mail messages with an e-mail client program that supports the POP3 protocol, such as Microsoft Outlook®. The Microsoft POP3 Service works in combination with the SMTP Service, which allows users to send outgoing e-mail.

The Microsoft POP3 Service is the mechanism that allows users to retrieve their e-mail messages from a mail server. The sender's and recipient's computers connect to the Internet through their respective Internet service providers (ISPs). When the sender uses an e-mail client to send a message, the SMTP Service transfers the message to the sender's ISP. The message is then routed to the Internet and relayed through various intermediate servers. When the message reaches the recipient's ISP, it is placed in the recipient's mailbox. When the recipient's computer connects to their ISP, the ISP transfers the message to the recipient's e-mail client on the local computer in accordance with POP3 protocol standards.

If the Microsoft POP3 Service stops, e-mail transfer and retrieval services will no longer function. This service must be manually installed on Windows Server 2003 computers.

Microsoft Software Shadow Copy Provider

The Microsoft Software Shadow Copy Provider service manages software-based shadow copies that are taken by the Volume Shadow Copy service. A shadow copy is a snapshot copy of a disk volume that represents a consistent read-only point in time for that volume. This point-in-time snapshot then stays constant and allows an application, such as backup software, to copy data from the shadow copy to tape.

There are two general classes of shadow copies:

Hardware. A hardware shadow copy is a mirror of two or more disks that are split into separate volumes. One of the two volumes remains the working set and the other one can be mounted separately.

Software. A software shadow copy uses a copy-on-write scheme to copy all sectors of a volume that change over time into a differential area on disk. When the shadow copy is mounted, all unchanged sectors are read from the original volume and all sectors that have changed are read from the differential area.

Shadow copies can resolve three classic data backup challenges:

The need to back up files that were opened for exclusive access. Backup of an open file is a challenge, because it is likely in a state of change. Without a shadow copy or a way to suspend the application, backups often become corrupted.

The need to maintain a computer's availability during the shadow copy.

Use of the same communications channels as snapshots to facilitate information transfer between applications and backup tools.
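The copy-on-write scheme described under "Software" above, and the open-file backup problem from the first challenge, in miniature: an added Python illustration that is not code from the guide or from the Volume Shadow Copy service. A volume is modelled as a list of byte-string sectors, and all class and function names are my own.

```python
"""Copy-on-write shadow copies in miniature.

Added illustration of the mechanism described in the guide; not code from the guide or
from the Volume Shadow Copy service. A volume is a list of fixed-size sectors.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ShadowCopy:
    """A point-in-time view of a volume, backed by a differential area of displaced sectors."""
    volume: Volume
    diff_area: dict[int, bytes] = field(default_factory=dict)

    def read(self, index: int) -> bytes:
        # Changed sectors come from the differential area, unchanged ones from the live volume.
        return self.diff_area.get(index, self.volume.sectors[index])

    def read_all(self) -> list[bytes]:
        return [self.read(i) for i in range(len(self.volume.sectors))]


@dataclass
class Volume:
    sectors: list[bytes]
    snapshots: list[ShadowCopy] = field(default_factory=list)

    def take_shadow_copy(self) -> ShadowCopy:
        # Nothing is copied up front: taking the snapshot is cheap and instantaneous.
        snap = ShadowCopy(self)
        self.snapshots.append(snap)
        return snap

    def release(self, snap: ShadowCopy) -> None:
        self.snapshots.remove(snap)

    def write(self, index: int, data: bytes) -> None:
        # Copy-on-write: before a sector is overwritten for the first time since a
        # snapshot was taken, preserve its old contents in that snapshot's diff area.
        for snap in self.snapshots:
            if index not in snap.diff_area:
                snap.diff_area[index] = self.sectors[index]
        self.sectors[index] = data


def snapshot_survives_writes() -> tuple[list[bytes], list[bytes], dict[int, bytes]]:
    """Take a shadow copy, keep writing to the live volume, and show that the snapshot
    still reads as the original image. Returns (live sectors, snapshot image, diff area)."""
    vol = Volume([b"boot", b"users.db-v1", b"log-1", b"free"])
    snap = vol.take_shadow_copy()
    vol.write(1, b"users.db-v2")
    vol.write(2, b"log-2")
    vol.write(2, b"log-3")  # second write to sector 2: its diff-area entry is already set
    return list(vol.sectors), snap.read_all(), dict(snap.diff_area)


def live_versus_shadow_backup() -> tuple[list[bytes], list[bytes]]:
    """Back up a two-sector record while the application rewrites it mid-backup.
    Returns (copy taken from the live volume, copy taken from the shadow copy)."""
    vol = Volume([b"record-v1/part1", b"record-v1/part2"])
    snap = vol.take_shadow_copy()
    live_copy, shadow_copy = [vol.sectors[0]], [snap.read(0)]
    vol.write(0, b"record-v2/part1")  # the update lands between the two backup reads
    vol.write(1, b"record-v2/part2")
    live_copy.append(vol.sectors[1])
    shadow_copy.append(snap.read(1))
    # live_copy mixes v1 and v2 halves (a torn record); shadow_copy is consistently v1.
    return live_copy, shadow_copy


if __name__ == "__main__":
    print(snapshot_survives_writes())
    print(live_versus_shadow_backup())
```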

The platform for shadow copies consists of the following:

A set of shadow copy APIs, which handle application synchronization. This synchronization ensures that a shadow copy is good because application data is in a state that is known to be valid. These APIs provide the required functionality for plug-in shadow copy providers and multi-volume shadow copy coordination.

A shadow copy device driver that copies old sectors to a "difference file" when they are first replaced to provide volume shadow copies for any locally mounted volume. The "difference file" is laid over the current volume to synthesize the shadow copy volume.

Support in the software development communities for the sync and provider APIs.

If the Microsoft Software Shadow Copy Provider service stops, software-based volume shadow copies cannot be managed, which could cause Windows Backup to fail. This service is installed by default on Windows Server 2003, but it only runs when requested.

MSSQL$UDDI

The MSSQL$UDDI service is installed when the Universal Description, Discovery, and Integration (UDDI) feature of the Windows Server 2003 family is installed. (This feature provides UDDI capabilities within an organization.) When this service is installed, a SQL Server database instance is also installed. This instance manages all of the files that comprise the databases that are used by the service, and it processes all Transact-SQL statements that are sent from SQL Server client applications. The MSSQL$UDDI service allocates computer resources effectively between multiple concurrent users. It also enforces business rules that are defined in stored procedures and triggers, ensures the consistency of the data, and prevents logical problems, such as two people who try to update the same data at the same time.

UDDI is an industry specification for the description and discovery of Web services. The UDDI specification builds on the Simple Object Access Protocol (SOAP), Extensible Markup Language (XML), and HTTP/S protocol standards that were developed by the World Wide Web Consortium (W3C) and the IETF. UDDI services are standards-based XML Web services that allow developers to efficiently publish, discover, share, and re-use Web Services directly through their development tools. Built on the Microsoft .NET Framework, UDDI services use proven Microsoft SQL Server technology and tools to provide a scalable storage mechanism. IT managers can leverage UDDI services' support for standard categorization schemes and Active Directory authentication, which allows easy integration within an enterprise environment.

The MSSQL$UDDI service must be manually installed on Windows Server 2003 computers; when installed, its startup type is configured to Manual. If this service stops, the UDDI SQL Server database will no longer be available and clients will no longer be able to query or access the data in its databases.

MSSQLServerADHelper

The MSSQLServerADHelper service enables Microsoft SQL Server and Microsoft SQL Server Analysis Services to publish information in Active Directory when those services are not invoked by the Local System account. Only one instance of the MSSQLServerADHelper service is allowed to run on a computer. All instances of Microsoft SQL Server and Microsoft SQL Server Analysis Services use it on an as-needed basis.

MSSQLServerADHelper is not a server service and does not service requests from the client. The service does not use a UDP or TCP port.

You cannot stop the MSSQLServerADHelper service. This service is dynamically started by an instance of SQL Server or Analysis Manager when needed. The service stops as soon as it has completed its work. This service should always be run by the Local System account; do not start it manually from the console. If you disable this service, the ability to add, update, or delete SQL Server-related Active Directory objects may be affected. This service must be manually installed on Windows Server 2003 computers. When installed, its startup type is configured to Manual.

.NET Framework Support Service

The .NET Framework Support Service notifies a subscriber client when a specified process initializes the Client Runtime Service. The .NET Framework Support Service provides a run-time environment called the Common Language Runtime (CLR), which manages code execution and provides services that make the development process easier. Compilers and tools expose the runtime’s functionality and enable you to write code that benefits from this managed execution environment. The CLR enables you to design components and applications whose objects interact across languages. Objects that are written in different languages can communicate with each other, and their behaviors can be tightly integrated. This service is normally installed as part of the Visual Studio.NET development environment and will not be present or active unless manually installed.

If the .NET Framework Support Service stops or if you disable it, the user will not receive a notification when a .NET application starts the CLR.

Net Logon

The Net Logon service maintains a secure channel between your computer and the domain controller that it uses to authenticate users and services. It passes user credentials through the secure channel to a domain controller and returns the domain security identifiers and user rights for the user, which is commonly referred to as pass-through authentication. The service is installed on all Windows Server 2003 and Windows XP computers, and its startup type is set to Manual. After the computer joins a domain, the service starts automatically.

In the Windows 2000 Server family and the Windows Server 2003 family, the Net Logon service publishes service resource records in DNS and uses DNS to resolve names to the IP addresses of domain controllers. The service also implements the replication protocol that is based on remote procedure call (RPC) to synchronize Windows NT 4.0 primary domain controllers (PDCs) and backup domain controllers (BDCs).

If the Net Logon service stops, the computer may not authenticate users and services and the domain controller cannot register DNS records. Specifically, it might deny NTLM authentication requests, and domain controllers will not be discoverable by client computers.

NetMeeting Remote Desktop Sharing

The NetMeeting Remote Desktop Sharing service allows authorized users to remotely access your Windows desktop with the Microsoft NetMeeting® application from another personal computer over an intranet. The service is installed and disabled by default. It must be explicitly enabled by the user through NetMeeting, and can be disabled in NetMeeting or shut down by means of a Windows tray icon.

If the NetMeeting Remote Desktop Sharing service stops or if you disable it, the NetMeeting display driver is unloaded and the computer will not be able to provide remote access to its desktop.

Network Connections

The Network Connections service is installed by default on Windows Server 2003 and Windows XP computers. This service manages objects in the Network Connections folder, from which you can view both network and remote connections. This service is responsible for client network configuration and displays connection status in the notification area on the taskbar. You may also view and configure network interface settings through this service.

The Network Connections service will start automatically when the startup type is Manual and the Network Connections interface is invoked. If this service stops, client-side configuration of LAN, dial-up, and VPN connections will be unavailable. If you disable this service, the following might result:

Connections will not display in the Network Connections folder, which will prevent dial-out access and configuration of LAN settings.

Other services that use Network Connections to check for Network Location-aware Group Policies will not function properly.

Events that pertain to media connects and disconnects will not be received.

Internet connection sharing will not function correctly.

The ability to configure incoming connections, wireless settings, or your home network will be unavailable.

New connections will not be created.

Any services that explicitly depend on this service will not start.

Network DDE

The Network DDE service provides network transport and security for Dynamic Data Exchange (DDE) for programs that run on the same computer or on different computers. You can create Network DDE “shares” programmatically or with Ddeshare.exe and make them visible to other applications and computers. Traditionally, the user who creates the share will create and run a server process to handle inbound requests from client processes and/or applications, whether they run on the same computer or remotely. After they are connected, these processes can exchange any kind of data over a secure network transport.

This service is installed but disabled by default. To use network DDE functionality, you must set the service startup type to Manual, after which the service is only started when invoked by an application that uses Network DDE, such as Clipbrd.exe or Ddeshare.exe.

If the Network DDE service stops, DDE transport and security will be unavailable. If you disable this service, any applications that depend on it will time out when they try to start the service. If an application on a remote computer tries to start the Network DDE service on another computer, the remote computer will not be visible on the network.

Network DDE DSDM

The Network DDE DSDM service manages DDE network shares. This service is used only by the Network DDE service to manage shared DDE conversations. You can create and trust DDE shares with Ddeshare.exe to allow remote computers and applications to connect and share data. The Network DDE DSDM service maintains a database of DDE shares that includes information about trusted shares. For each connection request that is made from or to an application, the service queries the database and validates your security settings to determine if the request should be granted.

The Network DDE DSDM service is installed but disabled by default. To use network DDE functionality, you must set the service startup type to Manual, after which the service is only started when invoked by an application that uses Network DDE. If the Network DDE DSDM service stops, DDE network shares will be unavailable. If you disable this service, any applications that depend on it will time out when they try to start the service.

Network Location Awareness (NLA)

The Network Location Awareness (NLA) service collects and stores network configuration information, such as IP address and domain name changes, as well as location change information. The service notifies compatible applications when this information changes so that they can reconfigure themselves to use the current network connection.

The Network Location Awareness (NLA) service is a default service on Windows XP. Even if you configure this service with a startup type of Manual, it will usually be started by dependent services. If this service stops, network location awareness functionality will not be available.

Network Provisioning Service

The Network Provisioning Service provides the ability to download and manage XML configuration files from network provisioning services such as the Microsoft Wireless Provisioning Services (WPS), which enable automatic network provisioning for Internet service providers and private networks. This service works with the Wireless Zero Configuration service to provide support for the latest wireless security standards.

If the Network Provisioning Service stops or if you disable it, wireless network interface configuration and operation may not succeed, even if the network environment does not use WPS or an equivalent.

Network News Transfer Protocol (NNTP)

The Network News Transfer Protocol (NNTP) service allows computers that run Windows Server 2003 to act as news servers. Client computers can use a news client application such as the Microsoft Outlook Express messaging client to retrieve newsgroups from the server and read headers or bodies of the articles in each newsgroup. The client computers can then post back to the server.

NNTP is an Internet standard. The NNTP service that is included with Windows Server 2003 does not support feeds, in which two news servers replicate their contents between each other. However, the version that is included with Exchange 2000 does include this functionality. This service is not installed or enabled by default. It can only be installed in conjunction with IIS.

If the Network News Transfer Protocol (NNTP) service stops, client computers will not be able to connect and read or retrieve posts.

NTLM Security Support Provider

The NTLM Security Support Provider service provides security to RPC programs that use transports other than named pipes. It also enables users to log on to the network and be authenticated by the NTLM authentication protocol, which authenticates clients that do not use the Kerberos version 5 authentication protocol.

The Windows NT Challenge/Response NTLM authentication protocol is used on networks that include systems that run versions of the Windows NT operating system and on stand-alone systems. NTLM stands for Windows NT LAN Manager, a name that was chosen to distinguish this more advanced challenge/response-based protocol from its weaker predecessor LAN Manager (LM).

Windows 2000 used the Kerberos version 5 authentication protocol, which provides greater security to computer networks than NTLM. Although the Kerberos protocol is the authentication protocol of choice for Windows 2000 and Windows Server 2003 networks, NTLM is still supported and must be used for network authentication if the network includes computers that run versions of Windows NT, Windows 98, or Windows Millennium Edition. Logon authentication on stand-alone computers also requires NTLM.

NTLM credentials are based on data that is obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user, but does not send the user's password over the network. Instead, the computer that requests authentication must perform a calculation that proves it has access to the secured NTLM credentials.

Interactive NTLM authentication over a network typically involves two computers: a client computer, in which the user is requesting authentication, and a domain controller that stores information that is related to the user's password. Non-interactive authentication—which may be required to permit an already logged-on user to access a resource such as a server application—typically involves three computers: a client, a server, and a domain controller that does the authentication calculations on behalf of the server.

The NTLM Security Support Provider service is installed and runs by default on all Windows XP and Windows Server 2003 computers. If this service stops or if you disable it, clients that use the NTLM authentication protocol will not be able to log on or access network resources. Microsoft Operations Manager (MOM) relies on this service.

Performance Logs and Alerts

The Performance Logs and Alerts service collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. This service starts and stops each named performance data collection based on the information that is contained in the named log collection setting. This service only runs if at least one collection is scheduled. However, it is installed by default on Windows XP and Windows Server 2003.

If the Performance Logs and Alerts service stops or if you disable it, performance information will not be collected. Also, any data collections that are currently active will terminate and future scheduled collections will not occur.

Plug and Play

The Plug and Play service enables a computer to recognize and adapt to hardware changes with little or no user input. This service enables you to add or remove devices without any detailed knowledge of your computer hardware, and you do not need to manually configure the hardware or the operating system. For example, you can plug in a USB keyboard and the Plug and Play service will detect the new device, find a driver for it, and install it. Or you can dock a portable computer and use the docking station’s Ethernet card to connect to the network; you do not need to change any configuration settings. Then you can undock the same computer and use a modem to connect to the network—again, without any manual configuration changes.

The Plug and Play service is installed and configured to run automatically on Windows Server 2003 and Windows XP. You cannot stop or disable the service through the MMC Services snap-in because of the impact on operating system stability. If you use the MSCONFIG troubleshooting tool and this service stops, the Device Manager interface will appear blank and no hardware devices will be displayed.

Portable Media Serial Number

The Portable Media Serial Number service retrieves the serial number of any portable music player that is connected to your computer. The service allows Windows Media Device Manager (WMDM) to acquire the serial number from portable music devices so that media content can be copied securely to those devices. Without the serial number, you cannot associate content to a specific device, which might prevent protected content from being transferred to the device.

To uniquely identify portable media, many storage media manufacturers have implemented a unique serial number that is stored on a non-volatile area of the storage device. For example, the CompactFlash Association (CFA) CompactFlash specification revision 1.3 requires CompactFlash cards to have a unique serial number. Some types of removable storage media also have unique serial numbers on them.

For a portable media reader or adapter to be Windows Media-compliant, it must allow an application to retrieve media serial numbers.

The Portable Media Serial Number service is installed by default on Windows XP and Windows Server 2003. Its startup type is configured to Manual, and it is launched on request by WMDM. If the service stops or if you disable it, protected content might not be allowed to transfer to the device and the serial number might not be retrieved from portable media devices.

Print Server for Macintosh

The Print Server for Macintosh service enables Apple Macintosh clients to route print jobs to a print spooler that is located on a computer that runs Windows Server 2003. This service also allows Windows Server 2003 Enterprise Edition to communicate with a print device that uses the AppleTalk protocol. This service is not installed by default.

If the Print Server for Macintosh service stops, Macintosh AppleTalk clients will not be able to route print jobs to a Windows Server 2003–based print spooler.

Print Spooler

The Print Spooler service manages all local and network print queues and controls all print jobs. The print spooler communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite, and is the center of the Windows printing subsystem. It is installed and activated by default on Windows XP and Windows Server 2003 computers.

If the Print Spooler service stops, you will not be able to either print or send faxes from your local computer. When the Print Spooler service stops on a server that runs Terminal Services, the System hive of the registry will slowly grow until it fills the system volume and causes the server to crash. This problem is caused by the fact that when new clients log on to the server through Terminal Services, the system automatically tries to map the client’s local printer to a printer port on the server, and it records this mapping in the registry. However, the Print Spooler service is supposed to delete each record when the user ends their session, and if the service is not running the unused records will never be deleted.

Also, the Printer Pruner feature of Active Directory relies on the Print Spooler service. For the Printer Pruner to operate across the organization and allow orphaned queues to be scavenged on an unmanaged basis, every site in the organization must have at least one domain controller that runs the Print Spooler service. If you configure this service to Disabled or Manual, it will not automatically start when print jobs are submitted.

Protected Storage

The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is secure and protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user’s master key. This component requires no configuration.

The Protected Storage service was originally introduced in Windows 2000. In Windows XP and Windows Server 2003, this service was replaced by the Data Protection API (DPAPI), which is currently the preferred service for protected storage. Unlike DPAPI, the interface to the Protected Storage service is not publicly exposed.

If the Protected Storage service stops, private keys will be inaccessible, the Windows Certificate Services service will not operate, Secure Multipurpose Internet Mail Extensions (S/MIME) and SSL will not work, and smart card logon will fail.
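The paragraph above names DPAPI as the successor to the Protected Storage service. The following PowerShell script is an added example written for this page (it is not Microsoft's code and is not taken from the guide) that shows what "protected storage" means in DPAPI terms: a secret is encrypted under a key derived from the logon credentials of the current user (CurrentUser scope) or of the machine (LocalMachine scope), optionally bound to caller-supplied entropy. It assumes Windows PowerShell 5.1 on Windows, where the System.Security assembly provides the ProtectedData class; the function names, the sample password and the entropy string are the editor's constructed values.

```powershell
# Added example (editor's own, not from the guide): DPAPI protect/unprotect via .NET.
# Assumes Windows PowerShell 5.1; System.Security must be loaded for ProtectedData.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        # Optional entropy: an application-held value that the blob is bound to, so
        # another program running as the same user cannot decrypt it without it.
        [byte[]]$Entropy = $null,
        # 'CurrentUser' ties the blob to this user's credentials; 'LocalMachine'
        # lets any process on the host decrypt it, so use it only for machine secrets.
        [string]$Scope = 'CurrentUser'
    )
    $scopeEnum = [System.Security.Cryptography.DataProtectionScope]$Scope
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $scopeEnum)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy = $null,
        [string]$Scope = 'CurrentUser'
    )
    $scopeEnum = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $scopeEnum)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample values (not from the guide).
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')
$blob    = Protect-Secret -PlainText 'constructed-sample-password' -Entropy $entropy
"Protected blob (base64): $blob"
"Recovered: $(Unprotect-Secret -Base64Blob $blob -Entropy $entropy)"

# Using the wrong entropy (or running as a different user with CurrentUser scope)
# raises a CryptographicException instead of returning plaintext.
try {
    Unprotect-Secret -Base64Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong')) | Out-Null
    'Unexpected: decryption succeeded with wrong entropy'
} catch {
    "Unprotect failed as expected: $($_.Exception.InnerException.Message)"
}
```

The design point the guide only hints at: DPAPI does not store anything for you. The caller keeps the blob (in a file, the registry, or a database) and DPAPI only guarantees that it can be opened by the same user (or machine) that sealed it, so the scope you pick and whether you add entropy determine who else on the host can read the secret.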

QoS RSVP Service

Quality of Service (QoS) is an industry-wide standard that was developed to achieve more efficient use of network resources. It allows clients and servers to differentiate between different data types and to prioritize end-to-end network traffic. The IETF (Internet Engineering Task Force) has played a central role in ensuring that QoS standards enable all affected network devices to participate in the end-to-end QoS-enabled connection. Quality of Service provides applications (or network administrators) with a means by which network resources—such as available bandwidth and latency—can be predicted and managed on both local computers and devices throughout the network.

The QoS RSVP Service implements Windows' QoS support. It is installed by default on Windows XP, but is not installed on Windows Server 2003 computers. When installed, its startup type is configured to Manual. If this service is disabled or uninstalled, the computer will not be able to participate in QoS connections or make resource reservation requests for QoS-controlled bandwidth.

Remote Access Auto Connection Manager

The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer and provides alternate methods for connection. When a program fails in an attempt to reference a remote DNS or NetBIOS name or address or when network access is unavailable, the service displays a dialog box that allows you to make a dial-up or VPN connection to the remote computer.

To assist you, the Remote Access Auto Connection Manager service maintains a local database of connections that were previously used to reach named computers or shares. When the service detects an unsuccessful attempt to reach a remote computer or share, it will offer to dial the connection that was last used to reach this remote device. This service is installed by default on Windows XP and Windows Server 2003 computers, but its startup type is configured to Manual. It is started automatically on an as-needed basis. If you disable the Remote Access Auto Connection Manager service, you will need to manually establish connections to remote computers when you need to access them.

Remote Access Connection Manager

The Remote Access Connection Manager system service manages dial-up and VPN connections from your computer to the Internet or other remote networks. When you double-click a connection in the Network Connections folder and click the Connect button, the Remote Access Connection Manager service either dials the connection or sends a VPN connection request and handles subsequent negotiations with the remote access server to set up the connection.

The Remote Access Connection Manager service will unload itself when no requests are pending. The Network Connections folder calls this service to enumerate the set of connections and to display the status of each one. Although its default startup state is configured to Manual, this service will be started if there are one or more VPN or dial-up connections in the Network Connections folder.

If the Remote Access Connection Manager service stops or if you disable it, your computer will not be able to make dial-up or VPN connections to a remote network or accept inbound connection requests. Also, the Network Connections folder will not display any VPN or dial-up connections, and the Internet Options Control Panel will not allow the user to configure any options that pertain to dial-up or VPN connections.

Remote Administration Service

The Remote Administration Service performs the following remote administration tasks when a server restarts:

Increments the server boot count.

Generates a self-signed certificate.

Raises an alert if the date and time has not been set on the server.

Raises an alert if the Alert E-mail functionality has not been configured.

The Remote Administration Service starts to execute the appropriate tasks when it is requested to do so by the Remote Server Manager through a COM interface. The service uses the Local System account, and requests on the COM interface are only accepted from clients that use the Administrator or Local System accounts.

If the Remote Administration Service is configured to Manual, it will start when called by the Remote Server Manager service. It can subsequently be stopped with no effect on any server functionality. This service is installed and configured to start automatically by default on Windows Server 2003 computers.

If the Remote Administration Service stops, some Remote Administration Tools features, such as the Web interface for remote administration, may not function properly.

Remote Desktop Help Session Manager

The Remote Desktop Help Session Manager service manages and controls the Remote Assistance feature within the Help and Support Center application (Helpctr.exe). It is installed by default on Windows XP and Windows Server 2003, but it is only started when a Remote Assistance request is made or received.

If the Remote Desktop Help Session Manager service stops, Remote Assistance and the ability to request help through Remote Assistance will be unavailable.

Remote Installation

The Remote Installation service provides the ability to install Windows 2000, Windows XP, and Windows Server 2003 on Pre-Boot Execution Environment (PXE) remote boot-enabled client computers. The Boot Information Negotiation Layer (BINL) service, the primary component of Remote Installation Services (RIS), answers PXE clients, checks Active Directory for client validation, and passes client information to and from the server. The BINL service is installed when you add the RIS component from Add/Remove Windows Components or when you select it during initial operating system installation.

RIS is a Windows deployment feature that is included in the Windows Server 2003 family. With RIS, you can support on-demand image-based or script-based operating system installations over a network connection from a RIS server to a client computer. RIS is designed to simplify the deployment of operating systems and applications and to improve failure recoverability.

You can use RIS in a variety of ways, including the following:

Provide an operating system to users on demand. You can use RIS to create automated installation images of Windows Server 2003 family operating systems, Windows XP, and Windows 2000. When a user starts a client computer, even if that computer contains no operating system, the RIS server can respond by installing an operating system over the network; no CD is required. To support this capability, client computers must use PXE through the network adapter.

Provide operating system images that include specific settings and applications, such as an image that complies with an organization’s desktop standard. A particular group of users can be offered the image or images that you designate for that group.

The Remote Installation service is not installed by default. If you install the service and then stop it, PXE-enabled client computers will be unable to install Windows remotely or use other RIS-based tools from the computer.

Remote Procedure Call (RPC)

The Microsoft Remote Procedure Call (RPC) service is a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. The different process can be on the same computer, on the local area network, or across the Internet. The Remote Procedure Call (RPC) service serves as the RPC endpoint mapper and COM Service Control Manager (SCM). More than 50 services depend on the RPC service to start successfully.

You cannot stop or disable the Remote Procedure Call (RPC) service. If this service is not available, the operating system will not load.
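Each entry in this section states whether a service is installed by default, what its startup type is, and what breaks if it is stopped; the RPC entry adds that more than 50 services depend on it. The PowerShell script below is an added example written for this page (not Microsoft's code and not part of the guide) that turns those statements into a check you can run: it compares the startup type of the services described here against a baseline you supply and lists how many services directly depend on each one, which is the number that tells you what else stops when you disable it. The service short names are the editor's mapping from the guide's display names, and the baseline values are a starting point built from the defaults this section states, not a Microsoft recommendation; it assumes Windows PowerShell 5.1 or later, where Get-Service exposes StartType and DependentServices.

```powershell
# Added example (editor's own, not from the guide): audit the startup type of the
# services this section describes against a chosen baseline and show their dependents.
# Short names are the editor's mapping; confirm with Get-Service -DisplayName '<name>'.

function Get-ServiceBaselineReport {
    param(
        # Hashtable of service short name -> expected StartType
        # ('Automatic', 'Manual' or 'Disabled').
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not installed on this host (the guide notes RIS and QoS RSVP are
            # absent on Windows Server 2003 unless added).
            [PSCustomObject]@{
                Name       = $name
                Installed  = $false
                Status     = $null
                StartType  = $null
                Expected   = $Baseline[$name]
                Compliant  = $null
                Dependents = 0
            }
            continue
        }
        [PSCustomObject]@{
            Name       = $svc.Name
            Installed  = $true
            Status     = $svc.Status
            StartType  = $svc.StartType
            Expected   = $Baseline[$name]
            Compliant  = ([string]$svc.StartType -eq $Baseline[$name])
            # Direct dependents: the services that stop when this one is stopped.
            Dependents = @($svc.DependentServices).Count
        }
    }
}

# Example baseline (editor's assumption, derived from the defaults stated in this
# section). The guide's advice is to disable what a server's role does not need,
# so adjust these values per role before treating a mismatch as a finding.
$baseline = @{
    'RpcSs'      = 'Automatic'   # Remote Procedure Call (RPC): cannot be disabled
    'PlugPlay'   = 'Automatic'   # Plug and Play
    'Spooler'    = 'Automatic'   # Print Spooler: activated by default
    'RasAuto'    = 'Manual'      # Remote Access Auto Connection Manager
    'RasMan'     = 'Manual'      # Remote Access Connection Manager
    'WmdmPmSN'   = 'Manual'      # Portable Media Serial Number
    'RpcLocator' = 'Disabled'    # RPC Locator: off by default and rarely used
}

Get-ServiceBaselineReport -Baseline $baseline |
    Sort-Object Compliant, Name |
    Format-Table Name, Installed, Status, StartType, Expected, Compliant, Dependents -AutoSize

# The reason the guide says RPC cannot be disabled: count what depends on it.
$rpcDependents = @((Get-Service -Name RpcSs).DependentServices).Count
"Services directly dependent on RpcSs: $rpcDependents"
```

Run it as an administrator on a test host first: a non-compliant row is only a finding once you have decided, per server role, that the service is unneeded, and the Dependents column is the quickest way to see why disabling something like the Print Spooler or RPC has consequences beyond the service itself.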

Remote Procedure Call (RPC) Locator

The Remote Procedure Call (RPC) Locator service enables RPC clients that use the RpcNs* family of APIs to locate RPC servers. It also manages the RPC name service database. This service is turned off by default, and few applications released after Windows 95 shipped have used it.

For more information about the RpcNs family of APIs, see the SDK information in the MSDN Library link on the Web Resources page at www.microsoft.com/windows/reskits/webresources.

If the Remote Procedure Call (RPC) Locator service stops or if you disable it, RPC clients that need to locate RPC services on other computers may be unable to locate servers, or they may fail to sta