HSC Breves/Tips
Hervé Schauer Consultants
------------------------------------------------------------------------

Minimization of network services on Windows systems
by Jean-Baptiste Marchand (02/09/2002)

-=[ Minimizing Windows network services ]=-
[ Examples with Windows 2000 and Windows XP ]

---[ Introduction ]---

A default Windows system comes with several network services enabled by
default. It is usually wise to disable most of them, or even all of them if
the system does not offer network services to other systems. In this
document, we give a possible methodology to complete this task. Technical
details are described in a separate document, 'Services réseaux des
systèmes Windows - Etude de cas avec Windows 2000 et Windows XP' (Network
services of Windows systems - Case study with Windows 2000 and Windows XP),
available at http://www.hsc.fr/ressources/articles/srv_res_win/ .

The systems used as examples are Windows 2000 (server version) and Windows
XP, as installed by default (DHCP was disabled and the IP address
192.70.106.143 was assigned to the single network interface). Of course, the
best solution is to choose only the required services at installation time,
even if this does not exempt you from all the setup described here.

---[ Services identification ]---

A quick way to identify running network services is to list open TCP and
UDP ports with the netstat command.
On a Windows 2000 system, the netstat -an command returns:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:4983           0.0.0.0:0              LISTENING
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1028           *:*
      UDP    0.0.0.0:1029           *:*
      UDP    0.0.0.0:3456           *:*
      UDP    192.70.106.143:137     *:*
      UDP    192.70.106.143:138     *:*
      UDP    192.70.106.143:500     *:*

On a Windows XP system, the netstat -ano command returns:

    C:\WINDOWS>netstat -ano

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
      TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
      UDP    0.0.0.0:135            *:*                                    884
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:500            *:*                                    704
      UDP    0.0.0.0:1026           *:*                                    1112
      UDP    0.0.0.0:1027           *:*                                    976
      UDP    127.0.0.1:123          *:*                                    976
      UDP    127.0.0.1:1900         *:*                                    1160
      UDP    192.70.106.143:123     *:*                                    976
      UDP    192.70.106.143:137     *:*                                    4
      UDP    192.70.106.143:138     *:*                                    4
      UDP    192.70.106.143:1900    *:*                                    1160

_Warning_: the netstat command does not exactly report the state of TCP and
UDP ports. Instead, it reports the state of TDI endpoints, which is not
strictly equivalent to TCP and UDP ports. In particular, when a Windows
system establishes an outgoing TCP connection (active open), the local port
used as source is reported as being in the LISTENING state. In the following
example, the local system has established a TCP connection from source port
1367 to destination port 22 of a remote system.
The netstat command output, filtered to show only the lines containing port
number 1367, is:

    C:\WINDOWS>netstat -anp tcp | find ":1367"
      TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
      TCP    192.70.106.142:1367    192.70.106.76:22       ESTABLISHED

The second line shows the established connection, from local port 1367 to
remote port 22. However, the first line is incorrect because it reports
local port 1367 in the LISTENING state, whereas no TCP server is available
on this port. Thus, for each outgoing TCP connection, an additional line
appears in the netstat output, showing a TCP port in the LISTENING state.
It is important to distinguish a really open TCP port from one incorrectly
reported by netstat as LISTENING.

Note: this bug has been fixed in recent builds of Windows .NET Server,
starting with build 3606.

Once open ports are identified, we present recipes to get them closed, step
by step.

---[ Disabling unused services ]---

To minimize open ports, the first thing to do is to disable services. In our
examples, we stop services with the net stop command. However, to prevent a
service from starting at the next system restart, the startup mode of the
service must be set either to manual or to disabled. Some services have to
be explicitly disabled, otherwise the system can still start them on demand.

On Windows 2000, the service manager allows the startup mode of a service to
be modified. On Windows XP, the sc command (also available in the Windows
2000 Resource Kit) can disable a service with the following command:

    C:\WINDOWS> sc config service_name start= disabled

(the space between start= and disabled is mandatory). The following command:

    C:\WINDOWS> sc config service_name start= manual

configures the startup mode of a service to manual.

-[ Windows 2000 ]-

[ IIS 5 ]

On Windows 2000, IIS 5 runs by default and is composed of the SMTP, HTTP and
IIS administration services.
To close TCP ports 25, 80, 443, UDP port 3456, the port used by the IIS
administration web site (4983 in our example) and two ports higher than 1023
used by RPC services, these services must be stopped. The quickest way to
stop them is to stop the iisadmin service (the other services depend on it):

    C:\WINNT> net stop iisadmin
    The following services are dependent on the IIS Admin Service service.
    Stopping the IIS Admin Service service will also stop these services.

    World Wide Web Publishing Service
    Simple Mail Transport Protocol (SMTP)

    Do you want to continue this operation? (Y/N) [N]: y
    The World Wide Web Publishing Service service is stopping.
    The World Wide Web Publishing Service service was stopped successfully.

    The Simple Mail Transport Protocol (SMTP) service is stopping.
    The Simple Mail Transport Protocol (SMTP) service was stopped successfully.

    ...
    The IIS Admin Service service was stopped successfully.

The output of the netstat -an command shows that the number of open ports has
been reduced:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1029           *:*
      UDP    192.70.106.143:137     *:*
      UDP    192.70.106.143:138     *:*
      UDP    192.70.106.143:500     *:*

Finally, the easiest way to prevent the IIS services from starting next time
is to remove the IIS components, via Add/Remove Programs in the Control
Panel.

[ IPsec ]

UDP port 500, used by the IKE protocol (Internet Key Exchange), can be closed
by stopping the IPSEC Services service:

    C:\WINNT> net stop policyagent
    The IPSEC Services service is stopping.
    The IPSEC Services service was stopped successfully.
UDP port 500 then disappears from the netstat -an output:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1029           *:*
      UDP    192.70.106.143:137     *:*
      UDP    192.70.106.143:138     *:*

[ Distributed Transaction Coordinator ]

The Distributed Transaction Coordinator service is enabled by default on a
Windows 2000 server and opens TCP port 3372 and one TCP port higher than 1023
(1025 in our example). Stopping this service closes two TCP ports:

    C:\WINNT> net stop msdtc
    The Distributed Transaction Coordinator service is stopping.
    The Distributed Transaction Coordinator service was stopped successfully.

The list of open ports is now:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1029           *:*
      UDP    192.70.106.143:137     *:*
      UDP    192.70.106.143:138     *:*

-[ Windows XP ]-

Services that can easily be disabled are:

- IPSEC Services (PolicyAgent)
- SSDP Discovery Service (SSDPSRV)
- Windows Time (W32Time)

The following commands stop these services:

    C:\WINDOWS> net stop policyagent
    The IPSEC Services service is stopping.
    The IPSEC Services service was stopped successfully.

    C:\WINDOWS> net stop ssdpsrv
    The SSDP Discovery Service service is stopping.
    The SSDP Discovery Service service was stopped successfully.

    C:\WINDOWS> net stop w32time
    The Windows Time service is stopping.
    The Windows Time service was stopped successfully.
The netstat -ano command shows that the number of open ports has been reduced
(TCP port 5000 and UDP ports 123, 500 and 1900 have been closed):

    C:\WINDOWS>netstat -ano

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
      UDP    0.0.0.0:135            *:*                                    884
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:1026           *:*                                    1112
      UDP    0.0.0.0:1027           *:*                                    976
      UDP    192.70.106.143:137     *:*                                    4
      UDP    192.70.106.143:138     *:*                                    4

--[ NetBIOS over TCP/IP (NetBT) ]--

NetBIOS over TCP/IP is typically used on Windows systems to transport the
CIFS protocol (also known as SMB). CIFS is the protocol behind resource
sharing (typically, file and printer sharing). NetBIOS over TCP/IP uses UDP
ports 137 and 138 and TCP port 139.

To close these ports, NetBIOS over TCP/IP must be disabled on each network
adapter. In the Advanced TCP/IP Settings of each network adapter, WINS tab,
'Disable NetBIOS over TCP/IP' must be checked. This closes UDP ports 137 and
138 and TCP port 139 on the configured adapter.

The lmhosts service, used for NetBIOS name resolution, can also be stopped
and disabled:

    C:\WINDOWS>net stop lmhosts
    The TCP/IP NetBIOS Helper service was stopped successfully.
On Windows 2000, the list of open ports becomes:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:1029           *:*

On Windows XP:

    C:\WINDOWS>netstat -ano

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
      UDP    0.0.0.0:135            *:*                                    884
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:1026           *:*                                    1112
      UDP    0.0.0.0:1027           *:*                                    976

--[ CIFS over TCP ]--

Before Windows 2000, the CIFS protocol was typically transported in NetBIOS
over TCP/IP, via TCP port 139. Starting with Windows 2000, CIFS can be
transported directly in TCP/IP, without an intermediary NetBT layer, via TCP
port 445.

To disable listening on TCP port 445, two methods are possible:

- disable the NetBT driver
- add a value in the registry to disable the transport of CIFS in TCP

In both cases, a reboot of the system is necessary because port 445 is
opened by the NetBT driver at system startup. We prefer the second method.
With the regedit tool, the following value can be added in the registry:

    Key:     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Value:   SmbDeviceEnabled
    Type:    DWORD value (REG_DWORD)
    Content: 0 (to disable)

After a reboot, TCP port 445 is no longer opened by the NetBT driver.
The following ports remain open on Windows 2000:

    C:\WINNT>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
      UDP    0.0.0.0:135            *:*
      UDP    0.0.0.0:1029           *:*

Under Windows XP:

    C:\WINDOWS>netstat -ano

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
      UDP    0.0.0.0:135            *:*                                    884
      UDP    0.0.0.0:1026           *:*                                    1112
      UDP    0.0.0.0:1027           *:*                                    976

--[ RPC services ]--

The remaining ports are used by RPC services (Remote Procedure Call). The RPC
portmapper and the COM service control manager (COM SCM) both use port 135.
Ports immediately higher than 1023 are used by RPC services and are reachable
via RPC or DCOM (ORPC). As these ports are dynamically allocated, a port
mapping service, the portmapper, is needed to give the port on which a given
RPC service can be reached. The list of RPC services registered in the
portmapper database can be obtained with the rpcdump tool
(http://razor.bindview.com/tools/desc/rpctools1.0-readme.html ).

-[ Windows 2000 ]-

With rpcdump, we can determine that UDP port 1029 is used by RPC services
started by the Messenger service. After disabling this service and rebooting
the system, this port is closed. UDP port 135 is also no longer opened,
because:

- the last RPC service reachable via UDP has been disabled
- DCOM is not reachable via UDP by default, so the COM SCM does not listen
  on UDP port 135

TCP port 1026 is used by RPC services started by the Task Scheduler service
(Schedule). It is thus possible to close this port after disabling this
service and rebooting. The Remote Access Connection Manager (RasMan) must
also be disabled.

-[ Windows XP ]-

On our Windows XP system, UDP port 1027 is used by RPC services started by
the Messenger service. As in Windows 2000, this port and UDP port 135 are no
longer opened after disabling this service and rebooting.
TCP port 1025 is used by RPC services of the Task Scheduler service. Again,
as in Windows 2000, this service must be disabled.

-[ Interfaces restriction ]-

Until now, we have disabled services that start RPC services, in order to
close the dynamic ports they use. However, some services such as the Task
Scheduler are sometimes needed. One solution is to create two keys and one
value in the registry, to tell RPC services to listen on a restricted list
of interfaces. In our case, we restrict listening to the loopback address,
127.0.0.1, which is only reachable locally.

The parameter described here controls the network interface(s) on which RPC
services are reachable. Network interfaces are identified by numbers,
starting at 1. The value 0 means IP address 127.0.0.1.

The two keys Rpc and Linkage (Rpc\Linkage\) must be created under:

    Key:     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

The value to add is:

    Key:     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage
    Value:   Bind
    Type:    REG_MULTI_SZ
    Content: "0"

Before Windows XP, only regedt32 allows the creation of a value of type
REG_MULTI_SZ. After a reboot, listening on TCP ports immediately higher than
1023 is restricted to IP address 127.0.0.1.

Note: this technique applies only to RPC services that do not pass the
RPC_C_BIND_TO_ALL_NICS value to the RpcServerUseProtseqEx() function. Such
services cannot be restricted and always listen on all interfaces.

--[ DCOM ]--

The only remaining open port is TCP port 135. It is opened by the Remote
Procedure Call (RpcSS) service and it is not possible to disable it, because
this service contains the COM service control manager, used by local
processes. TCP port 135 remains open because it is used to receive remote
activation requests for COM objects. A global setting allows DCOM to be
disabled ('Enable Distributed COM on this computer', in the dcomcnfg tool),
but this setting does not close port 135.
One solution is to remove the RPC protocol sequences usable by DCOM. In our
case, the sequence ncacn_ip_tcp (transport on TCP/IP) can be removed. The
simplest way to do this is to launch the dcomcnfg tool and to remove
'Connection-oriented TCP/IP' in the 'Default Protocols' tab. Under Windows
XP, dcomcnfg launches an MMC console which contains the Component Services
component; the 'Default Protocols' tab can be found in the properties of the
local system.

After a reboot, all ports should be reported as closed, except one UDP port
on Windows XP, which we study in the next section.

--[ Caching DNS service (Windows XP) ]--

Starting with Windows 2000, Windows systems include a caching DNS service
(dnscache), which keeps the results of DNS requests in memory. On Windows
2000, this service sends DNS requests over UDP, using a different UDP source
port for each request. On Windows XP, the same port is always used: it is
allocated at the first DNS request and remains the same as long as the
dnscache service is running.

On our Windows XP system, the port used by the dnscache service is UDP port
1026. If we stop the dnscache service, this port is closed. Thus, a UDP port
is always open on a Windows XP system if the dnscache service is running.

--[ RPC services started when using the system ]--

Some RPC services can be started when starting some programs. For instance,
using the Component Services component under Windows XP seems to open two
TCP ports, used by RPC services. Thus, it is always useful to use IP
filtering in addition to the minimization techniques presented here. For
instance, you can use PktFilter (http://www.hsc.fr/ressources/outils/pktfilter/ ),
which configures the IP filtering driver available in Windows 2000/XP/.NET
Server.
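The two registry settings described above (SmbDeviceEnabled in the 'CIFS over TCP' section and Rpc\Linkage\Bind in the 'Interfaces restriction' section), written as a registry file that can be imported with regedit. This is an added example, not a file from the original tip; importing a .reg file is one way of creating the REG_MULTI_SZ value without the regedt32 user interface. The hex(7) bytes are the UTF-16LE encoding of the single string "0" followed by the empty string that terminates a multi-string list.

```reg
Windows Registry Editor Version 5.00

; Disable direct-hosted CIFS (SMB over TCP port 445). The NetBT driver reads
; this value at boot, so a reboot is still required after importing the file.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SmbDeviceEnabled"=dword:00000000

; Restrict RPC dynamic TCP ports to 127.0.0.1. REG_MULTI_SZ is written as
; hex(7): "0" (interface index 0 = loopback) as UTF-16LE, its NUL terminator,
; then the empty string that ends the list. Only RPC services that do not use
; RPC_C_BIND_TO_ALL_NICS honour this setting.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage]
"Bind"=hex(7):30,00,00,00,00,00
```

Both keys under Services are created by the import if they do not exist yet; check the result with netstat after the reboot, as done throughout this tip.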
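Throughout this tip, the effect of each step is checked by reading netstat output by eye. The following Python script, an added example that is not part of the original tip, does the same comparison programmatically: it parses netstat -an / -ano output, treats the netstat artifact described in the 'Services identification' section (a LISTENING line that is really the source port of an outgoing connection) with a heuristic, and reports which endpoints disappeared between two captures. The sample captures are copied from the Windows XP outputs and the port 1367 example shown above. The heuristic used to recognise the artifact (an ESTABLISHED entry on the same local port whose foreign port is lower than the local port) is an assumption of this script, not a rule stated in the tip.

```python
import re
from collections import namedtuple

# One parsed netstat line. state is None for UDP, pid is None without -o.
Endpoint = namedtuple("Endpoint", "proto addr port foreign state pid")

# A netstat data line: the State column is absent for UDP and the PID column
# is present only with -o, so both are optional. Header lines never match.
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$"
)


def parse_netstat(text):
    """Return the Endpoint entries found in netstat -an / -ano output."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, addr, port, foreign, state, pid = m.groups()
            entries.append(Endpoint(proto, addr, int(port), foreign, state,
                                    int(pid) if pid else None))
    return entries


def spurious_listeners(entries):
    """TCP ports shown as LISTENING that are really the source port of an
    outgoing connection (the netstat artifact described in the tip).
    Heuristic (assumption of this script): the same local port also has an
    ESTABLISHED entry whose foreign port is lower than the local port, i.e.
    an ephemeral port talking to a service port. A real server with clients
    shows the opposite pattern and is kept."""
    established = {}
    for e in entries:
        if e.proto == "TCP" and e.state == "ESTABLISHED":
            foreign_port = int(e.foreign.rsplit(":", 1)[1])
            established.setdefault(e.port, []).append(foreign_port)
    return {e.port for e in entries
            if e.proto == "TCP" and e.state == "LISTENING"
            and any(fp < e.port for fp in established.get(e.port, []))}


def open_ports(entries):
    """Set of (proto, addr, port) really bound for incoming traffic: TCP
    LISTENING lines minus the spurious ones, plus every UDP line (netstat
    lists each bound UDP socket and the tip counts all of them as open)."""
    spurious = spurious_listeners(entries)
    return {(e.proto, e.addr, e.port) for e in entries
            if e.proto == "UDP"
            or (e.state == "LISTENING" and e.port not in spurious)}


def diff_snapshots(before, after):
    """(closed, opened) between two captures, e.g. before and after a
    'net stop'; both are sets of (proto, addr, port)."""
    b = open_ports(parse_netstat(before))
    a = open_ports(parse_netstat(after))
    return b - a, a - b


# Sample captures copied from the outputs shown in this tip.
OUTGOING = r"""
C:\WINDOWS>netstat -anp tcp | find ":1367"
  TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
  TCP    192.70.106.142:1367    192.70.106.76:22       ESTABLISHED
"""
XP_BEFORE = r"""
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
  TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    704
  UDP    0.0.0.0:1026           *:*                                    1112
  UDP    0.0.0.0:1027           *:*                                    976
  UDP    127.0.0.1:123          *:*                                    976
  UDP    127.0.0.1:1900         *:*                                    1160
  UDP    192.70.106.143:123     *:*                                    976
  UDP    192.70.106.143:137     *:*                                    4
  UDP    192.70.106.143:138     *:*                                    4
  UDP    192.70.106.143:1900    *:*                                    1160
"""
XP_AFTER = r"""
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
  TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1112
  UDP    0.0.0.0:1027           *:*                                    976
  UDP    192.70.106.143:137     *:*                                    4
  UDP    192.70.106.143:138     *:*                                    4
"""

if __name__ == "__main__":
    print("spurious LISTENING ports:",
          sorted(spurious_listeners(parse_netstat(OUTGOING))))
    closed, opened = diff_snapshots(XP_BEFORE, XP_AFTER)
    for proto, addr, port in sorted(closed):
        print(f"closed  {proto} {addr}:{port}")
    for proto, addr, port in sorted(opened):
        print(f"opened  {proto} {addr}:{port}")
```

Endpoints are keyed by address as well as port, so a service that has been moved from all interfaces to 127.0.0.1 with the Rpc\Linkage\Bind setting shows up as one endpoint closed and one opened rather than as unchanged.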
---[ Summary ]---

Minimization of network services can be carried out in three steps:

- disabling unused services
- disabling NetBIOS over TCP/IP and CIFS over TCP
- minimization of RPC services

Services to disable are:

Windows 2000:
- IIS 5: iisadmin, w3svc, smtpsvc
- Others: messenger, msdtc, policyagent, schedule

Windows XP:
- messenger, policyagent, schedule, ssdpsrv, w32time

Disabling NetBIOS over TCP/IP is specific to each network interface. To
globally disable CIFS over TCP (port 445), the SmbDeviceEnabled registry
value must be added and set to 0 in the registry.

Minimization of RPC services starts by disabling the services that register
RPC services. Then, two settings can restrict the number of listening RPC
services:

- the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind,
  of type REG_MULTI_SZ, with "0" as content;
- removal of the 'Connection-oriented TCP/IP' protocol sequence in the
  dcomcnfg utility.

---[ Conclusion ]---

A default installation of a Windows system has many network services. It is
possible and wise to minimize them, leaving only the services that are
strictly necessary.

$Id: min_srv_res_win.en.tip,v 1.5 2002/09/19 10:05:56 marchand Exp $

------------------------------------------------------------------------
Copyright © 1989-2002 Hervé Schauer Consultants
Reproduction prohibited / please do not reproduce
If you refer to this web page please give us the URL