Security guidelines for system services in Windows Server 2. Applies to: Windows Server 2. The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual), and some are disabled by default and must be explicitly enabled before they can run. These defaults were chosen carefully for each service to balance performance, functionality, and security for typical customers.

When you installed Microsoft’s Word Flow keyboard on your iPhone, you probably thought it was an app or extension. Turns out, it was an “experiment,” an. A DHCP server still owns DNS records when it is a member of the DnsUpdateProxy group? A user account may be inconsistent across a Windows. I'm currently working for Microsoft as a Premier Field Engineer specializing in Microsoft Azure as a cloud solution. Please note that I am not speaking on behalf-of. InformationWeek.com: News, analysis and research for business technology professionals, plus peer-to-peer knowledge sharing. Engage with our community.

Get your copy of the German language "Microsoft ISA Server 2004 - Das Handbuch" Let's begin. As an Exchange Aministrator you know the question from your Exchange. Windows Server 2003, Windows Server 2003 SP1 and SP2, and Windows Server 2003 R2 retired content. The content you requested has already retired. It's available to. NTFS ("New Technology File System") is a proprietary file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of Windows NT family.

However, some enterprise customers may prefer a more security- focused balance for their Windows PCs and servers, one that reduces their attack surface to the absolute minimum, and may therefore wish to fully disable all services that are not needed in their specific environments. For those customers, Microsoft.

Each service on the system is categorized as follows: Should Disable: A security- focused enterprise will most likely prefer to disable this service and forego its functionality (see additional details below). OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security- focused enterprises that don’t use it can safely disable it. Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles or features from functioning correctly. Therefore it should not be disabled.(No guidance): The impact of disabling these services has not been fully evaluated. Therefore, the default configuration of these services should not be changed. Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using Power. Shell automation.

In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself. Microsoft recommends that customers disable the following services and their respective scheduled tasks on Windows Server 2.

Desktop Experience: Services: Xbox Live Auth Manager. Xbox Live Game Save.

Scheduled tasks: \Microsoft\Xbl. Game. Save\Xbl. Game. Save. Task\Microsoft\Xbl. Game. Save\Xbl. Game. Save. Task. Logon(You can also access the information on all services detailed in this article by viewing the attached Microsoft Excel spreadsheet: Guidance on Disabling System Services on Windows Server 2.

Desktop Experience)Disabling services not installed by default. Microsoft recommends against applying policies to disable services that are not installed by default. The service is usually needed if the feature is installed. Installing the service or the feature requires administrative rights. Disallow the feature installation, not the service startup.

Blocking the Microsoft Windows service doesn't stop an admin (or non- admin in some cases) from installing a similar third- party equivalent, perhaps one with a higher security risk. A baseline or benchmark that disables a non- default Windows service (for example, W3. SVC) will give some auditors the mistaken impression that the technology (for example, IIS) is inherently insecure and should never be used. If the feature (and service) is never installed, this just adds unnecessary bulk to the baseline and to verification work.

For all system services listed in this document, the two tables that follow offer an explanation of columns and Microsoft recommendations for enabling and disabling system services in Windows Server 2. Desktop Experience: Explanation of columns. Service description. The service's description, from sc. Name. Key (internal) name of the service. Installation. Always installed: Service is on Server Core and Server with Desktop Experience Only on Datacenter Edition: Service is on Server 2.

Desktop Experience, but is not on Server Core. Start. Type. Service start type on Windows Server 2. Recommendation. Microsoft recommendation/advice about disabling this service on Windows Server 2. Comments. Additional explanation. Explanation of Microsoft recommendations. Do not disable. This service should not be disabled. OK to disable. This service can be disabled if the feature it supports is not being used.

Already disabled. This service is disabled by default; no need to enforce with policy. Should be disabled. This service should never be enabled on a well- managed enterprise system. The following tables offer Microsoft guidance on disabling system services on Windows Server 2. Desktop Experience: Active. X Installer (Ax. Inst.

SV)Service description. Provides User Account Control validation for the installation of Active. X controls from the Internet and enables management of Active. X control installation based on Group Policy settings. This service is started on demand and if disabled the installation of Active. X controls will behave according to default browser settings. Service name. Ax.

Inst. SVInstallation. Only on Datacenter Edition. Start. Type. Manual.

Recommendation. OK to disable. Comments. OK to disable if feature not needed. All. Joyn Router Service. Service description. Routes All. Joyn messages for the local All. Joyn clients. If this service is stopped the All.

Joyn clients that do not have their own bundled routers will be unable to run. Service name. AJRouter. Installation. Only on Datacenter Edition. Start. Type. Manual. Install Adobe Acrobat Distiller 4 X 5 X 6. Recommendation. No guidance. Comments. App Readiness.

Service description. Gets apps ready for use the first time a user signs in to this PC and when adding new apps. Service name. App. Readiness. Installation.

Only on Datacenter Edition. Start. Type. Manual. Recommendation. Do not disable. Comments. Application Identity.

Service description. Determines and verifies the identity of an application. Disabling this service will prevent App. Locker from being enforced.

Service name. App. IDSvc. Installation. Always installed. Start. Type. Manual. Recommendation. No guidance.

Comments. Application Information. Service description. Facilitates the running of interactive applications with additional administrative privileges. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start.

Service name. App. Mgmt. Installation. Always installed. Start. Type. Manual.

Recommendation. No guidance. Comments. App. X Deployment Service (App.

XSVC)Service description. Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly. Service name. App. XSvc. Installation. Always installed. Start. Type. Manual.

Recommendation. No guidance. Comments. Auto Time Zone Updater. Service description. Automatically sets the system time zone.

Service nametzautoupdate. Installation. Only on Datacenter Edition. Start. Type. Disabled. Recommendation. Already disabled.

Comments. Background Intelligent Transfer Service. Service description. Transfers files in the background using idle network bandwidth.

If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information. Service name. BITSInstallation.

Always installed. Start. Type. Manual.

Recommendation. No guidance. Comments. Background Tasks Infrastructure Service. Service description. Windows infrastructure service that controls which background tasks can run on the system.

Service name. Broker. Infrastructure. Installation. Only on Datacenter Edition.

Start. Type. Automatic. Recommendation. No guidance.

Comments. Base Filtering Engine. Service description. The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system.

It will also result in unpredictable behavior in IPsec management and firewall applications.