S 4.246 Configuration of the system services under Windows XP, Vista and Windows 7

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The secure configuration of individual system services running on an IT system contributes significantly to the overall security of the information system. Every unneeded service that is still enabled can be a source of danger. It is therefore necessary to perform a requirements analysis before configuring Windows XP, Windows Vista and Windows 7 systems. It must be ensured that only those services actually needed are executed. For a centralised configuration of the services, it is recommended to use corresponding group policies in an Active Directory environment. To implement the policies, individual services are activated or deactivated in the Computer section of a group policy object in Computer Configuration | Windows Settings | Security Settings | System Services. In a Windows Server 2003 domain structure, the services can only be configured in Windows Vista and Windows 7 systems in group policies using the GPOAccelerator tool. This applies to the following:

• The configuration of the Automatic (Delayed Start) start mode for the services
• The configuration of the new services added to Windows Vista and Windows 7.

See S 4.243 Windows client operating system administration tools for more information on the GPOAccelerator tool.

The Resources for IT-Grundschutz provide specifications for the configurations of the system services that can be used as an initial basis for the security settings. However, we must point out that the configurations of individual system services always depend on the local conditions and requirements and therefore always need to be viewed in this specific context. In some cases, it may be necessary to use less secure configurations due to the local conditions. In this case, though, additional safeguards should be implemented to compensate for the lack of security in the service configurations. Examples of such additional safeguards include the use of an extra firewall or possibly organisational safeguards.

Review questions:

• Was a requirements analysis under Windows performed for the necessary system services?
• Are all unneeded services disabled under Windows?