Re: Implications of Uninstalling Server Service?

Interesting Mark, and I believe I see how in effect you are attempting
to reverse effects of netserv.inf install (but doing so only partially, i.e
dependent services parts)

But I just have to ask.
What is it that you feel you have accomplished?
I mean, if the binaries are present and all registered, but disabled,
what risk is addressed by fudging the ability to enable it?
I am just trying to understand the use case here.
It seems to me that if I were penetrating, and so able to enable the
service, then I could find other ways to transfer things out or in; and,
on the other side of things, if Srv is totally crippled or disabled it could
not be used unless I first penetrated to enable it (but then I am there).

Thanks for the post,
Roger
"M. Burnett" <mb@xxxxxxxx> wrote in message
news:Ok76wsW8GHA.2288@xxxxxxxxxxxxxxxxxxxxxxx
Just in case you are interested, below is how you completely remove the
Server service and File/Printer sharing. I wouldn't recommend doing this
without testing, unless you know what you're doing, and you don't mind
having to reinstall windows if necessary, but I have done it on some
extremely hardened standalone win2003 servers and it worked fine. Note
that you always get extra errors in the event log when you start messing
with stuff like this but, depending on your server configuration, you can
often ignore those errors.

Remove these files (in safe mode):
%SystemRoot%\System32\srvsvc.dll
%SystemRoot%\System32\drivers\srv.sys
%SystemRoot%\inf\netserv.inf


Remove these reg keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANSERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F368827-9516-11D0-83D9-00A0C911E5DF}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Srv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{DD83F814-E87B-4609-BE54-0313A4DDC749}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E974-E325-11CE-BFC1-08002BE10318}


Again, I don't recommend doing this, I'm just showing you that it can be
done.



Mark Burnett





"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message
news:OnL3o867GHA.4632@xxxxxxxxxxxxxxxxxxxx:

It's perfectly OK to disable the service if you wish. I do that on my
own laptop. However, uninstalling it is untested, unsupported, and not
even documented -- in other words, I don't know of any way to do it.

_________________________________
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


server hardening
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:O88VVc17GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
Well, unbinding F&P will meet your objective of preventing
them from sharing those; but of course, if they could share
them then they would be empowered to bind F&P back on
to the interface (or to start the Server service)
With the Server service not present or not started they would
not be able to browse. I have seen corps that do intentionally
want browse of neighborhood to not work.
Anyway, RPC is not impacted and I have not seen Server
service not installed, just disabled but installed.


"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:U7ydnQ8SDYQ-lq3YnZ2dnUVZ_tednZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OSKqNMs7GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
You speak of uninstalling F&P service, and also of uninstalling
Server service, but I am again wondering whether you mean
uninstall, or just unchecking (i.e. not binding) in the interface
properties. Obviously if Server service is gone then all of the
dependents are crippled (which, IIRC includes browser, which
seems odd at first until one thinks into how browser operates).

The Subject line here was my error. I mean uninstalling not
unchecking
the
"File and Print Sharing" item in the list of items for each
interface. Windows 2003 server

I had (maybe wrongly) assumed that uninstalling this item would in
fact
uninstall the Server service, but I'm not sure and I am just
checking.

On some machines we don't want users sharing any part of the file
system
or
any printer attached to the computer.

--
Will

windows hardening





.

Relevant Pages

  • Re: Implications of Uninstalling Server Service?
    ... eliminate dependent services, and there are plenty that depend on the Server ... The third reason is attack surface. ... If I review a patch's files and I don't have those files on my system, I don't have to install ... I hope that ripping out the Server service doesn't appear on some ...
    (microsoft.public.windows.server.security)
  • Re: Enable/Disable File and Printer Sharing
    ... >> I can install and uninstall the service successfully. ... >> server service is installed and running. ... >Export the registry key ... >Microsoft MVP Scripting and WMI, ...
    (microsoft.public.win2000.cmdprompt.admin)
  • Re: Server Services
    ... If you need to add the server service back again: ... and reboot, and then install F&PS (it will install ... Export the registry key ... Microsoft MVP Scripting and WMI, ...
    (microsoft.public.windowsxp.security_admin)
  • PES service missing ?
    ... but after rebooting there is no Paswword Export ... Server service to start. ... the pwdmig.exe from the ADMTv3 install with the same result. ...
    (microsoft.public.windows.server.migration)
  • Re: Implications of Uninstalling Server Service?
    ... as a protocol for an interface (whether checked, ie.whether bound, ... You speak of uninstalling F&P service, ... Server service, but I am again wondering whether you mean ... implications of uninstalling File and Print Sharing? ...
    (microsoft.public.windows.server.security)