March 17, 2007

Lockdown Windows 2003 & XP with Simple Scripts

Now that DST 2007 is over, we are going to start a series of articles on securing systems and networks. I have built a lot of systems for various companies over the years. The challenge is to create repeatable processes that work in a variety of operating environments. Having a strong scripting toolkit can make all the difference, especially when you are under deadline.

The first script in the series is a Windows services lockdown script for Windows XP and 2003. Disabling services you do not need reduces the attack surface of the machine (a service that is not running cannot be reached, let alone exploited, over the network) and frees resources. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.

There are three ways to disable services: 1) Use the Services MMC GUI. This is a time consuming process and is prone to mistakes. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to implement for stand-alone servers, such as web servers. 3) Use the sc.exe command line utility.

If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start, stop or pause the services. The basic syntax of sc is shown below, where <server> is the optional \\ServerName of a remote host; omit it to act on the local machine:

sc <server> [command] [service name] <option1> <option2>

We are going to use two different sc commands in our service lockdown script: config and stop. These should be self-explanatory: config sets the start type to disabled, so the service cannot be started again (by a user, a dependency, or the next reboot), and stop stops the running instance. Two things to know about sc stop: it returns as soon as the stop request is accepted, so the service may still be in STOP_PENDING when the command exits, and it fails with error 1051 if other running services depend on the one you are stopping, so stop (or list) dependents first, or plan a reboot after the run. To make this work, we need three files: 1) the script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple:

@echo off
REM *** (c) 2007 William L. Dougherty
REM *** Script created by Bill Dougherty to disable services on Windows 2003 & XP
REM *** hosts.txt: one target host name per line; services.txt: one service name per line
for /f %%a in (hosts.txt) do call :serviceconfig %%a
goto :eom
:serviceconfig
REM %1 is the host name passed in by the call above
for /f %%b in (services.txt) do (sc \\%1 config %%b start= disabled)
for /f %%c in (services.txt) do (sc \\%1 stop %%c)
goto :eof
:eom

Pretty simple, huh? We loop through a list of servers, and then for each server, we loop through a list of services. The service list must contain the service name and not the display name of the service. Some service names are less than intuitive; for example, the service name for IPSEC Services is PolicyAgent. You can get the service name from the Services MMC by opening the service's properties, or from the command line with sc query (use sc query state= all, since the default listing shows only running services) or sc getkeyname "Display Name". Either way, once you build your service list the first time, you'll rarely need to revisit this.

This script requires administrator access on the target host: sc talks to the remote Service Control Manager over RPC using the credentials of the account running the script, so the target must also be reachable from your workstation over RPC (in practice, TCP 445 for the named-pipe transport). This works great in a domain environment, but what if you are dealing with stand-alone servers? You can still use this script as long as the account you are logged in as has admin access on the target. If not, you'll need to log in to each server and run the script locally. In that case, you only need the script file and the list of services, and you should modify the script like this:

@echo off
REM Run this on the target itself; services.txt must be in the same directory
for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c

This script works with both Windows XP and Windows 2003, although the two platforms have different services. There are several good sources for figuring out which services are unnecessary. I highly recommend the TechRepublic guides: XP Services Guide and 2003 Services Guide. Over the years, I have developed my own lists. Spend the time to research these services, and test the impact of disabling them on a non-production machine BEFORE you run this script against your production network!

Windows 2003 services that can be disabled:

Alerter
AppMgmt
ClipSrv
TrkWks
TrkSvr
MSDTC
ERSvc
helpsvc
HidServ
ImapiService
IsmServ
LicenseService
Messenger
mnmsrvc
NetDDE
NetDDEdsdm
nla
NtLmSsp
WmdmPmSM
appmgr
RemoteAccess
SCardSvr
SENS
LmHosts
TapiSrv
TlntSvr
Tssdis
Themes
uPS
uploadmgr
WebClient
AudioSrv
stisvc
WZCSVC

Windows XP services that can be disabled:

Alerter
AppMgmt
ClipSrv
TrkWks
MSDTC
ERSvc
FastUserSwitchingCompatibility
helpsvc
HidServ
CiSvc
Messenger
mnmsrvc
NetDDE
NetDDEdsdm
nla
NtLmSsp
SysmonLog
WmdmPmSM
RSVP
RemoteAccess
SCardSvr
SSDPSRV
LmHosts
TapiSrv
TlntSvr
Themes
uPS
upnphost
WZCSVC

I hope you find this script useful. Check back often for additional scripts in the series.

-Bill


6 Comments

  1. Inyou Crash said,

    April 12, 2007 @ 6:56 am

    Thanks for the Tips. I plan on using modified versions of this script.

    Windows Media Player 11 has a particularly nasty little service that seems to devour resources. wmpnetwk.exe is the little bugger, and now with my new script, I have pushed this out to the network and hope to utilize NetWare for distribution.

  2. Stan said,

    February 8, 2010 @ 4:35 am

    Thanks! Very useful article. I'm going to add modifications to suit my needs and post it on my blog => http://blog.omotech.com

  3. Kris said,

    June 9, 2010 @ 6:08 am

    Thanks for the script Bill. I don’t have a lot of experience with this, therefore I don’t understand how this can be executed on remote servers. Don’t I need something like psexec? And to specify the remote host, you use \\%1, but where does this variable come from? I hope you have a minute to help me out here.
    Many thanks in advance!

  4. bill said,

    June 9, 2010 @ 10:54 am

    Kris,

    SC will execute against remote hosts via a secure RPC call. It will pass whatever credentials are used to run it, so if you are a domain admin, it will execute on the remote host with your creds. In the script, I am using nested loops

    for /f %%a in (hosts.txt) do call :serviceconfig %%a
    goto :eom
    :serviceconfig
    for /f %%b in (services.txt) do (sc \\%1 config %%b start= disabled)

    The first loop passes the variable %%a to the call to :serviceconfig. :serviceconfig receives that variable and shoves it into the variable %1. If you passed it 2 variables, the first would be %1 and the second would be %2. The value of %%a is read from a file hosts.txt, which is just a list of fully qualified domain names for the target machines. When the sub-routine :serviceconfig completes, it returns back to the 1st loop and we read the second value in hosts.txt and repeat the process.

    I hope this helps.

    -B

  5. Lockdown Windows 7 Services with Simple Script | edgeblog said,

    February 6, 2012 @ 5:45 pm

    […] in 2007, I published a script for locking down Windows XP and Windows 2003 services, using the sc command. Recently I had need to lockdown a fresh Windows 7 image and realized the […]

  6. Matthew said,

    November 18, 2012 @ 4:14 pm

    Good response in return to this query, with real arguments
    and describing all about that.

