-1

When I configure a minimal Server (unselecting any role in SCW) I still have quite a number of (obscure) services running or set up as manual.

Requirements in my project say that the Server shall only run well-motivated services, i.e. services that are essential to the custom application running on the server.

I have been looking for official Microsoft documents saying Don't mess with the default services or else you have an unstable system. But the best I found was the STIG listing baseline services. Old rumour has it that it is not a good idea to randomly disable seemingly unneeded services (Disabled Print hindered Update, problems when disabling RPC service) and see if the system still works. Also, given that there are 30+ services, fully testing the system, including software update scenarios, would be a daunting task.

How can I achieve a minimal working system with only services that are truly needed?

MDMoore313
  • 5,531
  • 6
  • 34
  • 73
AHalvar
  • 107
  • 1
  • 2
  • What does your team usually do in situations like this? – MichelZ Jun 23 '14 at 11:30
  • 1
    Why not use the server Core role? – tombull89 Jun 23 '14 at 13:26
  • @tombull89 The Server needs to run a GUI application. But you mean I could start from Server Core and enable what is truly needed? Server Core does not have any default services? Will look into that. – AHalvar Jun 23 '14 at 14:05
  • @AHalvar There are only a handful of services that really take the toll on your server, and I think they are mostly manually installed. What are you aiming at by disabling services? thining? reducing interfaces for security? – EliadTech Jun 23 '14 at 20:26
  • @EliadTech Reducing attack interfaces – AHalvar Jun 23 '14 at 20:40
  • Than I'd go with tombull89, this way you'll only enable what you really need. As for the ones that are already enabled, that depends on the intended role of the server, but generally the best course would be using a firewall to block all useless incoming ports - that would save you from instability. – EliadTech Jun 23 '14 at 20:47
  • Server Core does not reduce the attack surface if you need to install the GUI afterwards. You will have exactly the same as if you install the FULL version and then uninstall all roles/features. – MichelZ Jun 24 '14 at 14:18

1 Answers1

0

Well disabling services is not hard. As for which ones to disable, I usually just read the descriptions of the service, and the majority of the time it becomes clear if I will ever need that service on that system. If there's any doubt, I'll leave it on. To disable a service, I'll make a note of the service name, and just disable them in bulk with Powershell.

When you talk about testing, it's really quite simple. This is a server being used for a specific purpose, your test will be running that machine for it's intended purpose, and troubleshooting if/when any errors occur. Be mindful that errors may or may not be a result of the services you've disabled, so keep an open mind when troubleshooting.

MDMoore313
  • 5,531
  • 6
  • 34
  • 73
  • 1
    I'd vote against bulk-disabling services - if a problem does come up, you'll have a harder time discerning (that's the right word?) the root cause. – EliadTech Jun 23 '14 at 20:23