Disabling unnecessary and potentially dangerous services

As most of you probably know, Windows, be it NT, 2000 or XP (and probably Vista, but I can’t help there), does, in its default installation, offer services that are not really needed by the average user but open doors for hackers and similar unwanted intruders.

Many people, for example, like to have their unique XP theme installed.

Since most services, the “Designs” service included, depend on other services that tend to open certain ports while running, it is really recommended to disable those services (even if this means you’ll have the classic Windows look).

Yes, and even if you have a firewall installed.

On the other hand, some people who tell you that, after having disabled the port-opening services, you won’t need any firewall at all are not right.

The best thing you can do is, IMHO, to disable unnecessary services AND run a good firewall.

But most people are not aware of which services are necessary to run and which are not, so they never dare to touch them.

How do you see which services are running, and which services run automatically at system start?

Very simple: in your Start menu’s Run field, you just enter: services.msc

Well, and there they are.

Now, part 2, about how to disable the dangerous ones.

Interesting. In XP is it the Themes service? I just opened up its properties and it states there are no dependencies.

Hi Soya, yes in XP it is the Theme Service I mentioned…

By the way, here is my follow up, I hope I will not disappoint you:

Step one:

Read this site: Der Elektronik-Markt | lan.de

If this is too much for you, just download the following zip file (containing a cmd script which will do most of it), but remember: only for NT/2K or XP! Not working on 98/ME or Vista!

Run the script (cmd)

Choose first, if your PC is on LAN or not, this is essential!

Start the procedure for YOUR configuration.

Wait until finished. Most dangerous services will be disabled.

Restart your system. Now it will be safer than before. But some things will have to be done manually to totally secure you. Unfortunately the two corresponding sites have not yet been translated into English, but if you need to know what to do, ask me.

Der Elektronik-Markt | lan.de (unfortunately German only, for Windows 2000)

Der Elektronik-Markt | lan.de (unfortunately German only, for Windows XP)

Cheers

Pardon me Soya, I am not sure what this service is called on natively English-tongued systems, but on my system the service is called “Designs”, and it depends on C:\WINDOWS\System32\svchost.exe -k netsvcs

Since I think that svchost.exe is, on most systems, related to the new version of DCOM (if I’m right), there’s a possible danger, don’t you think so?

Not disappointed, more like enlightened a bit, but I consider myself somewhat experienced when it comes to XP services, as I’ve done numerous tweaks on them. Even though the Themes service, among others, is not essential to the OS, they do serve their purposes. For example, I have WindowBlinds (a 3rd-party program for extended styles) and it most likely won’t work without Themes being on. I also prefer to stick with XP’s prefetcher, so unfortunately the Scheduler service is required for it to function properly. I have 16 services running and in Automatic mode (the Manual services only run when certain events occur, and the rest are Disabled).

My question is are there any other things the script does besides changing the Windows services?

DCOM Server Process Launcher service is: svchost -k DcomLaunch – the only possible danger (that I know of) is that it’s required by some Windows functions. I posted something related here:
https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/questions_on_defrag-t8487.0.html;msg61533#msg61533

I will now try to translate the necessary steps to harden your machine (if running XP) AFTER HAVING RUN the cmd: (I don’t know all the equivalents of the expressions used on English machines, but I will try)

First step: Releasing NetBIOS:

Enter your network connections:

Choose your internet connection.

Disable network sharing.

Remove all links except the TCP/IP protocol.

Choose the TCP/IP protocol and, under its options, on the WINS tab, disable (if applicable) “tcp over netbios”.

click ok to confirm, then restart to do the same procedure with your LAN.

Again, go to your network settings

Choose Advanced/expanded or whatever they called it in the menu above.

Choose advanced options (or similar, whatever they’ve called it).

All links to LAN/RAS etc. connections will be shown. Remove ALL existing links for those connections (some may not be visible, but are clickable…).

OK, next step soon to come… a few minutes please (I have to translate, remember).

thanks

Thanks, but I already disabled all those long ago.

Take all the time you need; no one is rushing you. (If someone is, I’ll slap them silly for you.)

Soya?

Just to answer your question:

No, the script only changes service behaviour, to my best knowledge, and I’ve been using it for years now, on 4 PCs, every one of them for its lifetime…

It is safe to use, contains no evil things, and I would never use this script if it were available at download.com or any other commercial site. THIS is the original site, and, although underrated as hell, it is cult for me. Like SSM or DCS (in earlier times), if you know what I mean…

If, after having done all those procedures (I have not yet translated and posted them all, beware) you want to re-enable the XP designs services (or Themes), it won’t be a problem.

Maybe your PC will be more insecure again, but, what the hell…

It IS, in fact, necessary to disable this service in order to finally disable other services without bugs…

You CAN enable this service again after ALL is done.

I’ve tried it many times and it worked for me, at least.

But I still don’t use the fine looks anymore. Totally secure, very secure, secure, a bit secure, not secure…well everyone will have to decide on his own…

I forgot, the cmd will, besides disabling most crucial services, remove certain dependencies, and, as well, disable the Microsoft Security Center.

Evil thing? or good thing?

You must decide.

You can, of course, then test this without a firewall against any “stealth” or “intrusion information” site…

but I’m not yet done, as said, with my explanations of how to proceed further…

One moment…

It’s not that I suspect the script is dangerous in the sense that it’s not legit, but I just wanted to know if it had other neat functions like disabling some registry keys or other security features that I wasn’t aware of (forgive me as I am not familiar with reading batch files).

True. It’s a matter of user preference. However, for the average user who isn’t familiar with what we’ve posted here, I agree that it can only benefit them.

OK, next step: Real disabling of epmap

The cmd script will have disabled DCOM already.
To go on, we will have to ENABLE DCOM for a while.

Via services.msc we will ENABLE the Distributed Transaction Coordinator again. (Change its properties to “Manual” and start the service.)

Enter “dcomcnfg” in your Start panel’s field.

Go to Console/Component Services/Computer/Workstation (or whatever they call it in your tongue).

Click on the computer symbol in the upper bar.

Choose the Standard menu.
Disable DCOM.

Then choose the Protocol tab.

Remove all protocol bindings (if applicable) to DCOM (may not be visible, but click if there is one!).

click ok

Restart your PC

Change the “Distributed Transaction Coordinator” via services.msc to “Disabled”.

Now here are the last procedures:

Start services.msc and BE SURE that the following settings have been applied; if not, change them in the following manner: (sorry, only German for today, but if you compare wisely, you will find them out)

Set to MANUAL:

  • Ablagemappe
  • Anwendungsverwaltung
  • COM+-Ereignissystem
  • COM+-Systemanwendung
  • Computerbrowser
  • Designs
  • DHCP-Client
  • Distributed Transaction Coordinator
  • DNS-Client
  • Gatewaydienst auf Anwendungsebene
  • Hilfe und Support
  • IMAPI-CD-Brenn Com Dienste
  • Intelligenter Hintergrundübertragungsdienst
  • Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung
  • IPSEC-Dienste
  • Leistungsdatenprotokolle und Warnungen
  • Kompatibilität für schnelle Benutzerumschaltung
  • Konfigurationsfreie drahtlose Verbindung
  • MS Software Shadow Copy Provider
  • NetMeeting-Remotedesktop-Freigabe
  • Netzwerk-DDE-Dienst
  • Netzwerk-DDE-Serverdienst
  • Netzwerkverbindungen
  • NLA (Network Location Awareness)
  • NT-LM-Sicherheitsdienst
  • QoS RSVP
  • RAS-Verbindungsverwaltung
  • Remote-Registrierung
  • Sekundäre Anmeldung
  • Seriennummer der tragbaren Medien (SP1) / Dienst für Seriennummern der tragbaren Medien (SP2)
  • Sicherheitskontenverwaltung
  • Sitzungs-Manager für Remotedesktophilfe
  • Smartcard
  • Smartcard-Hilfsprogramm (nur SP1)
  • Taskplaner
  • TCP/IP-NetBIOS-Hilfsprogramm
  • Telefonie
  • Terminaldienste
  • Treibererweiterungen für Windows-Verwaltungsinstrumentation
  • Überwachung verteilter Verknüpfungen (Client)
  • Universeller Plug & Play-Gerätehost (siehe auch 4. Beenden von ssdp)
  • Unterbrechungsfreie Stromversorgung
  • Verwaltung für automatische RAS-Verbindung
  • Verwaltungsdienst für die Verwaltung logischer Datenträger
  • Volumeschattenkopie
  • Wechselmedien
  • Windows Installer
  • Windows-Bilderfassung (WIA)
  • Windows-Verwaltungsinstrumentation
  • Windows-Zeitgeber
  • WMI-Leistungsadapter

Set to AUTOMATIC:

  • Druckwarteschlange
  • Ereignisprotokoll
  • Geschützter Speicher
  • Anmeldedienst
  • Kryptografiedienste
  • Plug & Play
  • Remoteprozeduraufruf (RPC)
  • Shellhardwareerkennung
  • Systemereignisbenachrichtigung
  • Systemwiederherstellungsdienst
  • Upload-Manager (nur SP1)
  • Verwaltung logischer Datenträger
  • WebClient
  • Windows Audio

Set to DEACTIVATED:

  • Automatische Updates (Automatic updates)
  • Eingabegerätezugang
  • Fehlerberichterstattungsdienst
  • Indexdienst
  • Routing und RAS
  • SSDP Suchdienst (siehe auch 4. Beenden von ssdp)
  • Telnet

If you are sure you have done it alright, then do a restart.

This procedure will finally stop the following from ever responding/existing:

  • mtaskp (port 1026)
  • ssdp (1900, 5000)
  • alg (3000)
  • microsoft-ds (445)

Next Step:

Enter your Hardware Manager.

Choose in the menu: View all gear (or whatever they called it), even the non-shown ones…

Go to non-PnP drivers.

In the context menu (right mouse click), choose “NetBIOS over TCP/IP”.
Deactivate the driver for that function.

Restart your PC

After the restart, go back and check, under “NetBIOS over TCP/IP”:

view the “Properties”

Set the driver to “On demand” or “Deactivated”

Well, that was it…

Cheers

If there’s some problem at the end because of the many German terms, I will try to help anybody here, of course. It’s sad, but MS doesn’t always use standard terminology in its translations, so I could not simply use a dictionary for all that. I tried my best. Still, I’m but German, so pardon me…

Maybe Soya can help me with finding out the English translations of those evil services?

If you are unsure because of all of that, it will still be a PLUS for the average user’s security to use only the “cmd” and not try the advanced user steps. At least the script is in both German and English, and it will ask you in your tongue which step has to be taken.

Cheers. Hope this was of some interest to some of you.
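An audit script for the end state this post describes, added here as an example; it is not the thread’s cmd file and not the lan.de script. It assumes PowerShell 2.0 with WMI (XP-era compatible) and the German display names listed above (only a subset is included; extend or localise the lists for your system), and reports services whose start mode differs from the lists, whether the named ports still listen, and adapters on which NetBIOS over TCP/IP is still enabled.

```powershell
# Added audit example (not the thread's cmd file or the lan.de site's script).
# Assumptions: PowerShell 2.0 + WMI; the German display names the thread lists
# (subset only, extend/localise for your machine). Run as Administrator.
$ExpectedStartMode = @{
    'Manual'   = @('Designs', 'DHCP-Client', 'DNS-Client', 'Taskplaner',
                   'Remote-Registrierung', 'TCP/IP-NetBIOS-Hilfsprogramm')
    'Auto'     = @('Ereignisprotokoll', 'Remoteprozeduraufruf (RPC)', 'Plug & Play',
                   'Kryptografiedienste')
    'Disabled' = @('Telnet', 'SSDP Suchdienst', 'Routing und RAS',
                   'Fehlerberichterstattungsdienst')
}
# Ports the thread says must stop answering once the services are off.
$WatchPorts = @{ 445 = 'microsoft-ds'; 1026 = 'mtaskp'; 1900 = 'ssdp'; 5000 = 'ssdp'; 3000 = 'alg' }
function Get-ServiceDeviations {
    param([hashtable]$Expected)
    $all = Get-WmiObject -Class Win32_Service   # StartMode is Auto / Manual / Disabled
    foreach ($mode in $Expected.Keys) {
        foreach ($display in $Expected[$mode]) {
            $svc = $all | Where-Object { $_.DisplayName -eq $display }
            if (-not $svc) { "MISSING  $display (not installed, or display name differs)"; continue }
            if ($svc.StartMode -ne $mode) {
                "MISMATCH $display is $($svc.StartMode)/$($svc.State), expected $mode"
            }
        }
    }
}
function Get-ListeningWatchPorts {
    param([hashtable]$Ports)
    # netstat -an exists on 2000/XP too; lines look like "TCP 0.0.0.0:445 0.0.0.0:0 LISTENING"
    netstat -an | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -lt 2 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { return }
        if ($f[0] -eq 'TCP' -and $f[-1] -ne 'LISTENING') { return }   # skip established etc.
        $port = [int](($f[1] -split ':')[-1])                          # last field after ':' is the port
        if ($Ports.ContainsKey($port)) { "OPEN     $($f[0]) $port ($($Ports[$port]))" }
    }
}
function Get-NetbiosEnabledAdapters {
    # TcpipNetbiosOptions: 0 = default via DHCP, 1 = enabled, 2 = disabled (the goal of step one)
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { "NETBIOS  $($_.Description): option $($_.TcpipNetbiosOptions)" }
}

Get-ServiceDeviations $ExpectedStartMode
Get-ListeningWatchPorts $WatchPorts
Get-NetbiosEnabledAdapters
```

An empty report means the subset matches the post’s target state; a MISSING line usually means the display name differs on your locale, not that the service is gone.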

Maybe because I didn’t perform things in the order presented in your instructions, but I always find this to be the case when removing the items in the Network properties (leaving only Internet Protocol (TCP/IP)):
Some of the services are no longer listed in services.msc, such as Computer Browser and Server.

There are a number of Services you are showing as being left set to Manual, that I would never have as anything other than Disabled; they are not generally needed and cause headaches if left in any way enabled. Without even translating, these would include: IPSEC, QoS, Secondary Logon, Remote Registry, SmartCard (unless you’re using one), TCP/IP NetBIOS, Telephony, and Universal Plug & Play. Several of these (IMO) absolutely must be completely disabled, rather than left at Manual.

Also, a quick warning to anyone who wants to disable the TCP/IP driver in devmgmt.msc. If you are on a Network, be prepared to not be able to connect to the internet any longer. You may safely disable TCP/IP NetBios in Network Connections, and in Services. The driver may cause you trouble though. If it doesn’t, great; but if it does, you need to know where to look.

Please take steps slowly, do only a small amount of changes at a time, so that you can easily track down any problems thus created. Every system is different, and you may find you need something you just got rid of. I fully encourage everyone to know more about the guts of their computer, and how to secure it. TechRepublic’s website has lists of services that may be disabled (along with detailed explanations for each one, of what the ramifications may be), registry tweaks to help with security, and so on. That may be of some help to those wanting details and explanations.

Thanks for all the info, MorphOS; it’s much appreciated, and should help steer users in the direction of taking charge of their security. For everyone’s further benefit, would you mind posting text versions of the scripts so that users who are not familiar with changing the file extensions can see the code?

Tnx,

LM

The same site covers known issues with disabling some services if you scroll down just a bit after the download section.

Some services that I never use I still leave in Manual instead of Disabled because I don’t like to have errors in the Windows Event Log (start > run > type eventvwr)

Thanks for your kind words!

Btw, @Little Mac, it is really easy to safely read what’s inside the script, so do you really think it’s necessary for me to post this long file here?

But for everyone who might think this could possibly not be safe, well, here it is:

[attachment deleted by admin]

REBOL, any ideas on my Reply #14 ? Thanks.

Tnx for posting the text version. I know it’s long, it’s licensed under GNU, and also available online. Since the .cmd file was posted directly, I figure it’s a good idea in relation to full disclosure (and since it’s not a Comodo product), to post the full code as well, so there is no hint of any impropriety.

BTW, I will be looking into some of the more detailed settings you gave, for DCOM and whatnot. I don’t think I’ve done all of that yet…

LM