Comparing default services on Windows Server 2003 R2 and Windows Server 2008 (Core and Full)
I have been experimenting with Windows Server 2008 for a while now and I recently did a number of comparisons between the Core and Full versions of the new OS. This time I am looking at Services configured in a default installation and I also included Windows Server 2003 R2 in the mix, since there were significant changes that are easy to spot. I have seen a lot of documentation about how those services are more secure in the new release, but I wanted to check for myself.
I installed the Enterprise edition of Windows Server 2003 R2 and compared it to both the Full and Core installs of Windows Server 2008 Enterprise June CTP. As usual, please note that this is still a pre-release version and the default services settings might still change before the final release. To gather the information, I used the Services Control command-line tool (SC.EXE), which is available in all versions tested. I first gathered a list of all services and stored it in a text file using:
sc query | find "SERVICE_NAME:" > servicelist.txt
Then I used the good old FOR command to loop through each service and query its complete configuration using the qc option of the sc tool, storing everything in another text file:
for /f "delims=: tokens=2" %1 in (servicelist.txt) do sc qc %1 >>serviceconf.txt
With that data at hand for all three different systems, I pasted it all into Excel and started playing with a pivot table. The results are included in the table below. Although I double-checked everything, please note that some of the data manipulation was not fully automated, so the results might include some inaccuracies.
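The manual pivot step can be scripted. The following is an added example, not the author's code: it parses `sc qc` output such as serviceconf.txt and tallies services per account, using the same * and - markers as the table. The sample text is constructed, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed, trimmed sample in the layout `sc qc` prints (not from a real host).
SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BITS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Background Intelligent Transfer Service
        DEPENDENCIES       : RpcSs
                           : EventSystem
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: Dhcp
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : NT Authority\LocalService
SERVICE_NAME: TrustedInstaller
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Windows Modules Installer
        SERVICE_START_NAME : localSystem
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")
CANON = {a.lower(): a for a in ("LocalSystem", "LocalService", "NetworkService")}

def parse_sc_qc(text):
    """Return one record per service: name, display name, account, start marker."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner lines and DEPENDENCIES continuation lines
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            services.append({"name": value, "display": "", "account": "", "mark": ""})
        elif not services:
            continue  # field seen before any SERVICE_NAME line
        elif key == "DISPLAY_NAME":
            services[-1]["display"] = value
        elif key == "START_TYPE":
            # Table markers: * = demand start, - = delayed auto start
            services[-1]["mark"] = "*" if "DEMAND_START" in value else "-" if "DELAYED" in value else ""
        elif key == "SERVICE_START_NAME":
            # Drop the "NT AUTHORITY\" prefix and normalize case; keep other accounts verbatim
            services[-1]["account"] = CANON.get(value.split("\\")[-1].lower(), value)
    return services

def tally(services):
    """Count services per normalized account, like the Totals rows of the table."""
    return Counter(s["account"] for s in services)
```

Without the `state= all` option, `sc query` enumerates only running services, so stopped services never reach servicelist.txt and are not counted.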
What you see consistently is that Windows Server 2008 is moving away from using the admin-level LocalSystem context and leveraging the user-level LocalService and NetworkService contexts. Even with the new features and services in Windows Server 2008, the number of LocalSystem services is down from a total of 27 on Windows Server 2003 R2 to 23 on a Full install of Windows Server 2008 and only 16 on a Core install.
There are also a few details that are significant but are not well-captured by the table below. One is the fact that the advanced firewall puts further restrictions on these services (for instance, you can only communicate with certain services using specific ports, both inbound and outbound). Another detail is that some services do not start by default (start_type = demand_start). Those are marked in the table with a (*) sign. Although not security-related, there are also services that will have a delayed start (start_type = auto_start (delayed)) and those are marked in the table with a (-) sign.
The table also makes it easy to spot services present in a Full install but not in a Core install, which I mentioned in a previous post. It also exposes other details, like the fact that Wireless Networks are now an optional component in the new Server.
Service Name | Service Display Name | Windows Server 2003 R2 | Windows Server 2008 Core | Windows Server 2008 Full |
AeLookupSvc | Application Experience | LocalSystem | LocalSystem | LocalSystem |
BFE | Base Filtering Engine | | LocalService | LocalService |
BITS | Background Intelligent Transfer Service | | LocalSystem- | LocalSystem- |
Browser | Computer Browser | LocalSystem | | |
CryptSvc | Cryptographic Services | LocalSystem | NetworkService | NetworkService |
DcomLaunch | DCOM Server Process Launcher | LocalSystem | LocalSystem | LocalSystem |
Dhcp | DHCP Client | NetworkService | LocalService | LocalService |
dmserver | Logical Disk Manager | LocalSystem | | |
Dnscache | DNS Client | NetworkService | NetworkService | NetworkService |
DPS | Diagnostic Policy Service | | LocalService | LocalService |
ERSvc / WerSvc | Windows Error Reporting Service | LocalSystem | | LocalSystem |
Eventlog | Windows Event Log | LocalSystem | LocalService | LocalService |
EventSystem | COM+ Event System | LocalSystem | LocalService | LocalService |
gpsvc | Group Policy Client | | LocalSystem | LocalSystem |
helpsvc | Help and Support | LocalSystem | | |
IKEEXT | IKE and AuthIP IPsec Keying Modules | | LocalSystem | LocalSystem |
iphlpsvc | IP Helper | | LocalSystem | LocalSystem |
KtmRm | KtmRm for Distributed Transaction Coordinator | | NetworkService- | NetworkService- |
lanmanserver | Server | LocalSystem | LocalSystem | LocalSystem |
lanmanworkstation | Workstation | LocalSystem | LocalService | LocalService |
LmHosts | TCP/IP NetBIOS Helper | LocalService | LocalService | LocalService |
MpsSvc | Windows Firewall | | LocalService | LocalService |
MSDTC | Distributed Transaction Coordinator | NetworkService | NetworkService- | NetworkService- |
Netman | Network Connections | LocalSystem* | | LocalSystem* |
netprofm | Network List Service | | LocalService | LocalService |
| Network Location Awareness | LocalSystem* | NetworkService | NetworkService |
nsi | Network Store Interface Service | | LocalService | LocalService |
PlugPlay | Plug and Play | LocalSystem | LocalSystem | LocalSystem |
PolicyAgent | IPsec Policy Agent | LocalSystem | NetworkService | NetworkService |
ProfSvc | User Profile Service | | LocalSystem | LocalSystem |
ProtectedStorage | Protected Storage | LocalSystem | | |
RemoteRegistry | Remote Registry | LocalService | LocalService | LocalService |
RpcSs | Remote Procedure Call (RPC) | NetworkService | NetworkService | NetworkService |
SamSs | Security Accounts Manager | LocalSystem | LocalSystem | LocalSystem |
Schedule | Task Scheduler | LocalSystem | LocalSystem | LocalSystem |
seclogon | Secondary Logon | LocalSystem | LocalSystem | LocalSystem |
SENS | System Event Notification Service | LocalSystem | LocalSystem | LocalSystem |
ShellHWDetection | Shell Hardware Detection | LocalSystem | | LocalSystem |
slsvc | Software Licensing | | NetworkService | NetworkService |
Spooler | Print Spooler | LocalSystem | | LocalSystem |
TermService | Terminal Services | LocalSystem* | NetworkService | NetworkService |
TrkWks | Distributed Link Tracking Client | LocalSystem | | LocalSystem |
TrustedInstaller | Windows Modules Installer | | LocalSystem* | LocalSystem* |
UxSms | Desktop Window Manager Session Manager | | | LocalSystem |
W32Time | Windows Time | LocalService | LocalService | LocalService |
WdiSystemHost | Diagnostic System Host | | | LocalSystem* |
WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | | LocalService* | LocalService* |
winmgmt | Windows Management Instrumentation | LocalSystem | LocalSystem | LocalSystem |
WinRM | Windows Remote Management (WS-Management) | | NetworkService- | NetworkService- |
wuauserv | Automatic Updates or Windows Update | LocalSystem | LocalSystem- | LocalSystem- |
WZCSVC | Wireless Configuration | LocalSystem | | |
Totals | | | | |
Local System | | 27 | 16 | 23 |
Local Service | | 3 | 13 | 13 |
Network Service | | 4 | 10 | 10 |
Grand Total | | 34 | 39 | 46 |
To learn more about services, check https://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx