Re: Implications of Uninstalling Server Service?



Steve, I agree with you and I remember agreeing with that blog post when I first read it.

I am tired of bad advice blindly propagating from one security checklist to another. I am tired of explaining to clients why results on a vulnerability scan that some company did don't matter because they are leftovers from NT4. If anyone has ever tried to perfectly follow standards like those published by DISA or NSA, you realized that the recommendations just aren't practical for many situations.

But when you consider that some very sensitive things are running Windows, why not take the time to do some extreme hardening--if you do it right? No one should be doing this stuff without careful research and testing. And you obviously can't blame Microsoft when things go wrong.

Ripping out the Server service admittedly is breaking a lot of compatibility for the security it gains, but there are so many thousands of files and registry keys that you can safely rip out of a dedicated server and feel pretty safe you aren't going to break anything in the future. Things like DirectPlay, NetMeeting, imaging services, sound recorder, msagent, address book, animated cursors, speech engines, in some cases modem and dialup support, joystick support, pcmcia drivers, web printing, fax imaging, etc. can all be removed without too much worry about breaking some future update or service pack.

And just for the record--this isn't for everyone. I also feel reasonably safe exposing a Windows 2003 server on the internet with nothing more than updates, a firewall, and minimal additional hardening.


Mark





"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message news:Oj7x8zW8GHA.4740@xxxxxxxxxxxxxxxxxxxx:

I've never really understood these kinds of hacks. While it's always
interesting to discover such things, understand that you've just put
your system in a state that we do not test. There's no way we can
predict how the machine will behave, and certainly there's no guarantee
that any updates or service packs will install or perform properly.

See http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx for
a description of similar issues.

_________________________________
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley



"M. Burnett" <mb@xxxxxxxx> wrote in message
news:Ok76wsW8GHA.2288@xxxxxxxxxxxxxxxxxxxxxxx
Just in case you are interested, below is how you completely remove the
Server service and File/Printer sharing. I wouldn't recommend doing this
without testing, unless you know what you're doing, and you don't mind
having to reinstall windows if necessary, but I have done it on some
extremely hardened standalone win2003 servers and it worked fine. Note
that you always get extra errors in the event log when you start messing
with stuff like this but, depending on your server configuration, you
can often ignore those errors.

Remove these files (in safe mode):
%SystemRoot%\System32\srvsvc.dll
%SystemRoot%\System32\drivers\srv.sys
%SystemRoot%\inf\netserv.inf


Remove these reg keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANSERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F368827-9516-11D0-83D9-00A0C911E5DF}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Srv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{DD83F814-E87B-4609-BE54-0313A4DDC749}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E974-E325-11CE-BFC1-08002BE10318}


Again, I don't recommend doing this, I'm just showing you that it can be
done.



Mark Burnett





"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message
news:OnL3o867GHA.4632@xxxxxxxxxxxxxxxxxxxx:

> It's perfectly OK to disable the service if you wish. I do that on my
> own laptop. However, uninstalling it is untested, unsupported, and not
> even documented -- in other words, I don't know of any way to do it.
>
> _________________________________
> Steve Riley
> steve.riley@xxxxxxxxxxxxx
> http://blogs.technet.com/steriley
>
>
> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> news:O88VVc17GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
> Well, unbinding F&P will meet your objective of preventing
> them from sharing those; but of course, if they could share
> them then they would be empowered to bind F&P back on
> to the interface (or to start the Server service)
> With the Server service not present or not started they would
> not be able to browse. I have seen corps that do intentionally
> want browse of neighborhood to not work.
> Anyway, RPC is not impacted and I have not seen Server
> service not installed, just disabled but installed.
>
>
> "Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
> news:U7ydnQ8SDYQ-lq3YnZ2dnUVZ_tednZ2d@xxxxxxxxxxxxxxx
> > "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> > news:OSKqNMs7GHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
> >> You speak of uninstalling F&P service, and also of uninstalling
> >> Server service, but I am again wondering whether you mean
> >> uninstall, or just unchecking (i.e. not binding) in the interface
> >> properties. Obviously if Server service is gone then all of the
> >> dependents are crippled (which, IIRC includes browser, which
> >> seems odd at first until one thinks into how browser operates).
> >
> > The Subject line here was my error. I mean uninstalling not unchecking
> > the "File and Print Sharing" item in the list of items for each
> > interface.
> >
> > I had (maybe wrongly) assumed that uninstalling this item would in fact
> > uninstall the Server service, but I'm not sure and I am just checking.
> >
> > On some machines we don't want users sharing any part of the file system
> > or any printer attached to the computer.
> >
> > --
> > Will
> >
>
>

