Recommended Service Startup Types for Windows Server 2003
From Provider Wiki
The following is a general template of recommended service startup types for Windows Server 2003 for an example server. The template is generally geared towards a web server, with exceptions where noted. Please note that these are only recommendations; the services actually needed will differ by server and environment.
Suggested alternate settings, when applicable, are given in the third column (Recommended Startup Type); guidance that depends on the particular environment, such as a dedicated web server, is given in the fourth column (Notes). Administrators wanting a fuller approach to security, extending beyond services, may want to consider using the Security Configuration Wizard for Windows Server 2003.
| Service Name | Default Startup Type | Recommended Startup Type | Notes |
|---|---|---|---|
| Alerter | Disabled | | |
| Application Layer Gateway Service | Manual | | |
| Application Management | Manual | | On a dedicated web server, this service can be disabled to prevent unauthorized installation of software. |
| Automatic Updates | Automatic | | Can and probably should be disabled when updates are applied manually. |
| Background Intelligent Transfer Service | Manual | | Can and probably should be disabled when updates are applied manually. |
| ClipBook | Disabled | | |
| COM+ Event System | Manual | | |
| COM+ System Application | Manual | | |
| Computer Browser | Automatic | | |
| Cryptographic Services | Automatic | | |
| DHCP Client | Automatic | | |
| Distributed File System | Automatic | Disabled | |
| Distributed Link Tracking Client | Automatic | Disabled | |
| Distributed Link Tracking Server | Manual | Disabled | |
| Distributed Transaction Coordinator | Automatic | | |
| DNS Client | Automatic | | |
| Error Reporting Service | Automatic | | Disable on dedicated web servers. |
| Event Log | Automatic | | |
| Fax Service | Manual | Disabled | |
| File Replication Service | Manual | | |
| Help and Support | Automatic | | |
| HTTP SSL | Manual | | |
| Human Interface Device Access | Disabled | | |
| IIS Admin | Enabled | | Only present when installed from media; disable or, preferably, uninstall if not in use. |
| IMAPI CD-Burning COM Service | Disabled | | |
| Indexing Service | Manual | | Disable on dedicated web servers unless used for searching site content. |
| Internet Connection Firewall/Internet Connection Sharing | Disabled | | |
| Intersite Messaging | Disabled | | Enable if you require DFS. |
| IPSec Services | Automatic | | |
| Kerberos Key Distribution Center | Disabled | | |
| License Logging Service | Disabled | | |
| Logical Disk Manager | Automatic | | |
| Logical Disk Manager Administrative Service | Manual | | |
| Messenger | Disabled | | |
| Microsoft Software Shadow Copy | | | Can be disabled when shadow copies are not in use. |
| Net Logon | Manual | | |
| NetMeeting Remote Desktop Sharing | Manual | Disabled | Disabling this service eliminates the potential security threats of allowing domain-controller remote administration through NetMeeting. |
| Network Connections | Manual | | |
| Network Dynamic Data Exchange (DDE) | Disabled | | |
| Network DDE Distributed Share Database Manager (DSDM) | Disabled | | |
| Network Location Awareness (NLA) | Manual | | |
| NTLM Security Support Provider | Manual | | |
| Performance Logs and Alerts | Manual | | Can be set to Automatic when performance data or alerts should be generated without an administrator logged on. |
| Plug and Play | Automatic | | |
| Portable Media Serial Number Service | Manual | | |
| Protected Storage | Automatic | | |
| Remote Access Auto Connection Manager | Manual | | Can be disabled when no VPN or dial-up connections are initiated. |
| Remote Access Connection Manager | Manual | | Can be disabled when no VPN or dial-up connections are initiated. |
| Remote Desktop Help Sessions Manager | Manual | Disabled | Terminal Services should probably be used instead. |
| Remote Procedure Call (RPC) | Automatic | | |
| Remote Procedure Call (RPC) Locator | Manual | | Disable if no applications use the RpcNs* APIs. |
| Remote Registry Service | Automatic | | |
| Removable Storage | Manual | | Can be disabled when no removable media is directly connected to the server. |
| Resultant Set of Policy Provider | Manual | | |
| Routing and Remote Access | Disabled | | |
| Secondary Logon | Automatic | | |
| Security Accounts Manager | Automatic | | |
| Server | Automatic | | |
| Shell Hardware Detection | Automatic | | |
| Smart Card | Manual | | |
| Simple Mail Transfer Protocol (SMTP) | Enabled | | Only present when installed from media; disable or, preferably, uninstall if not in use. |
| Special Administration Console Helper | Manual | | |
| System Event Notification | Automatic | | |
| Task Scheduler | Automatic | | Disable unless specifically needed. |
| TCP/IP NetBIOS Helper Service | Automatic | | Disable if NetBIOS is not needed. |
| Telephony | Manual | | Disable when the Telephony API is not needed. |
| Telnet | Manual | Disabled | |
| Terminal Services | Manual | | Disable unless used for remote administration. |
| Terminal Services Session Directory | Disabled | | |
| Themes | Disabled | | |
| Uninterruptible Power Supply (UPS) | Automatic | | |
| Upload Manager | Manual | | Uploads driver data to Microsoft; should probably be disabled on web servers. |
| Virtual Disk Service | Manual | | |
| WebClient | Disabled | | |
| Windows Audio | Disabled | | |
| Windows Image Acquisition (WIA) | Disabled | | |
| Windows Installer | Manual | | |
| Windows Management Instrumentation (WMI) | Automatic | | |
| Windows Management Instrumentation Driver Extensions | Manual | | |
| Windows Time | Automatic | | |
| WinHTTP Web Proxy Auto-Discovery Service | Manual | | Can probably be disabled on dedicated web servers. |
| Wireless Configuration | Automatic | Disabled | Disable unless the server has an active wireless adapter. |
| WMI Performance Adapter | Manual | | Can be disabled on servers that do not use WMI to provide performance library information. |
| Workstation | Automatic | | |
Most of these settings were culled from Microsoft's documentation.
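A template like the one above is only useful if a server can be checked against it, since services get re-enabled by installers, hotfixes and well-meaning administrators. The following script is an added example, not part of this wiki page or of any Microsoft tooling: it audits a subset of the recommendations in the table (the rows that give an unconditional startup type) and reports drift, optionally correcting it. It assumes Windows PowerShell 2.0 on the server, WMI access to Win32_Service, administrative rights when `-Enforce` is used, and that service display names on the server match the names in the table exactly; a name that does not match is reported as missing rather than guessed.

```powershell
# Added example: audit Windows Server 2003 service startup types against the
# unconditional recommendations in the table above. Not the wiki's own code.
# Assumes Windows PowerShell 2.0 and WMI access; -Enforce needs admin rights.
param(
    [switch]$Enforce   # without -Enforce the script only reports, it changes nothing
)

# Baseline: service display name -> expected startup type, taken from the table.
# Rows whose advice is environment-dependent (e.g. "disable on dedicated web
# servers") are deliberately left out; decide those per server.
$Baseline = @{
    'Alerter'                              = 'Disabled'
    'ClipBook'                             = 'Disabled'
    'Distributed File System'              = 'Disabled'
    'Distributed Link Tracking Client'     = 'Disabled'
    'Distributed Link Tracking Server'     = 'Disabled'
    'Fax Service'                          = 'Disabled'
    'Messenger'                            = 'Disabled'
    'NetMeeting Remote Desktop Sharing'    = 'Disabled'
    'Remote Desktop Help Sessions Manager' = 'Disabled'
    'Routing and Remote Access'            = 'Disabled'
    'Telnet'                               = 'Disabled'
    'WebClient'                            = 'Disabled'
    'Windows Audio'                        = 'Disabled'
    'Wireless Configuration'               = 'Disabled'
    # Core services the table leaves at their Automatic default; a drift here
    # (e.g. Event Log disabled) is worth an alert in its own right.
    'Event Log'                            = 'Automatic'
    'Cryptographic Services'               = 'Automatic'
    'IPSec Services'                       = 'Automatic'
    'Windows Time'                         = 'Automatic'
}

# WMI reports 'Auto' where the table (and Set-Service) say 'Automatic'.
function ConvertTo-StartupType([string]$WmiStartMode) {
    switch ($WmiStartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { $WmiStartMode }
    }
}

# One WMI query for all services; then look each baseline entry up by display name.
$services = Get-WmiObject -Class Win32_Service
$results  = @()

foreach ($displayName in $Baseline.Keys) {
    $expected = $Baseline[$displayName]
    $svc = $services | Where-Object { $_.DisplayName -eq $displayName }

    if (-not $svc) {
        # Either not installed or the display name differs from the table.
        $actual = 'Not installed'
        $status = 'MISSING'
    } else {
        $actual = ConvertTo-StartupType $svc.StartMode
        if ($actual -eq $expected) { $status = 'OK' } else { $status = 'DRIFT' }

        if ($status -eq 'DRIFT' -and $Enforce) {
            # Set-Service selects by short name, so use $svc.Name, not the display name.
            Set-Service -Name $svc.Name -StartupType $expected
            $status = 'FIXED'
        }
    }

    $results += New-Object PSObject -Property @{
        Service  = $displayName
        Expected = $expected
        Actual   = $actual
        Status   = $status
        State    = if ($svc) { $svc.State } else { '' }
    }
}

# DRIFT and MISSING rows sort ahead of OK, so problems appear at the top.
$results | Sort-Object Status, Service |
    Format-Table Service, Expected, Actual, State, Status -AutoSize
```

Run it without arguments from a scheduled task and keep the output with the server's other configuration records; run it with `-Enforce` only after reviewing the DRIFT rows, since a baseline entry that is wrong for a particular server will be applied just as readily as a right one. Changing a service's startup type to Disabled does not stop a running instance: the State column shows whether a drifted service is currently Running, and such a service keeps running until it is stopped or the server is rebooted.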
