March 17, 2007
Now that DST 2007 is over, we are going to start a series of articles on securing systems and networks. I have built a lot of systems for various companies over the years. The challenge is to create repeatable processes that work in a variety of operating environments. Having a strong scripting toolkit can make all the difference, especially when you are under deadline.
The first script in the series is a Windows Services lockdown script for Windows XP & 2003. Disabling services is generally a good idea to reduce the threat profile of your computer, and to improve its performance. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.
There are three ways to disable services: 1) Use the Services MMC GUI. This is a time consuming process and is prone to mistakes. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to implement for stand-alone servers, such as web servers. 3) Use the sc.exe command line utility.
If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start/stop/pause the services. The basic syntax of sc is:
sc <server> [command] [service name] <option1> <option2>
We are going to use two different sc commands in our service lockdown script: config & stop. These should be self-explanatory, but config will allow us to disable the service, and stop will stop the service. To make this work, we need three files: 1) The script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple:
REM *** (c) 2007 William L. Dougherty
REM *** Script created by Bill Dougherty to disable services on Windows 2003 & XP
REM *** For every host name in hosts.txt, call the :serviceconfig subroutine with that name as %1
for /f %%a in (hosts.txt) do call :serviceconfig %%a
goto :eof
:serviceconfig
REM *** On host %1, set each service in services.txt to disabled, then stop it
for /f %%b in (services.txt) do (sc \\%1 config %%b start= disabled)
for /f %%c in (services.txt) do (sc \\%1 stop %%c)
goto :eof
Pretty simple, huh? We loop through a list of servers, and then for each server, we loop through a list of services. The service list must contain the service name and not the display name of the services. Some service names are less than intuitive; for example, the service name for IPSEC Services is PolicyAgent. You can get the service name from the services MMC by clicking the service and looking at its properties, or from the command line using sc query. Either way, once you build your service list the first time, you’ll rarely need to revisit this.
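As an added example (not part of the original post), here is a companion batch file that checks whether the lockdown actually took: for every host in hosts.txt it runs sc qc and sc query against every service in services.txt and reports whether each one is now DISABLED and STOPPED, flagging names that sc cannot open (usually a display name that slipped into services.txt, or an unreachable host) and services that were set to disabled but are still running. It assumes the same hosts.txt and services.txt layout as the lockdown script, in the current directory.

```batch
@echo off
REM *** Added verification script, not the original post's code.
REM *** Assumes hosts.txt and services.txt sit next to this file, same layout as the lockdown script.
setlocal
for /f %%a in (hosts.txt) do call :checkhost %%a
endlocal
goto :eof

:checkhost
REM *** %1 is the host name; check every service listed in services.txt on it
echo === %1 ===
for /f %%b in (services.txt) do call :checkservice %1 %%b
goto :eof

:checkservice
REM *** %1 is the host, %2 is the service name; default both readings to UNKNOWN
set starttype=UNKNOWN
set state=UNKNOWN
REM *** sc qc prints a line like "START_TYPE : 4 DISABLED"; the 4th space-separated token is the word we want
for /f "tokens=4" %%s in ('sc \\%1 qc %2 ^| findstr /c:"START_TYPE"') do set starttype=%%s
REM *** sc query prints a line like "STATE : 1 STOPPED"; same token position
for /f "tokens=4" %%s in ('sc \\%1 query %2 ^| findstr /c:"STATE"') do set state=%%s
if "%starttype%"=="UNKNOWN" (
    echo %1 %2 NOT FOUND - host unreachable, or services.txt holds a display name instead of the service name
    goto :eof
)
if "%starttype%"=="DISABLED" if "%state%"=="STOPPED" (
    echo %1 %2 OK
    goto :eof
)
REM *** Anything else means the lockdown did not fully apply, e.g. disabled but still running because sc stop failed
echo %1 %2 MISMATCH start=%starttype% state=%state%
goto :eof
```

Run it from the same directory as the lockdown script after the lockdown has finished; a MISMATCH line for a service that reads DISABLED but RUNNING usually means sc stop could not stop it (a dependent service was still running), so it will only stop at the next reboot.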
This script requires you to have administrator access on the target host. This works great in a domain environment, but what if you are dealing with stand-alone servers? You can still use this script so long as the user credentials you are logged in as have admin access on the target. If not, you’ll need to log into each server and run the script locally. If this is the case, you only need the script file and the list of services. You should modify the script like this:
for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c
This script works with both Windows XP and Windows 2003, although the two platforms have different services. There are several good sources for figuring out which services are unnecessary. I highly recommend the TechRepublic guides: XP Services Guide and 2003 Services Guide. Over the years, I have developed my own lists. I highly recommend you spend the time to research these services, and test the impact of disabling them BEFORE you run this script against your production network!
Windows 2003 services that can be disabled:
Windows XP services that can be disabled:
I hope you find this script useful. Check back often for additional scripts in the series.