S 4.420 Secure use of the Maintenance Center under Windows 7
Initiation responsibility: Administrator, IT Security Officer
Implementation responsibility: Administrator
The Maintenance Center under Windows 7 (named "Action Center" in English-language editions of Windows 7) is the successor of the Security Center, which was already present in Windows Vista. The Maintenance Center is available with the same range of functions in all Windows 7 editions.
In the Maintenance Center, the security settings, maintenance settings and troubleshooting can be centrally monitored and configured. The Maintenance Center depends on the following Windows services, which ensure that problems are diagnosed automatically and reported to the user via the Maintenance Center:
- Diagnostic Policy Service (DPS):
This Windows service enables the detection and resolution of problems with Windows components. The problems can have various causes, for example memory, hard disk or network problems. The service diagnoses the problems and subsequently reports them to the user via the Maintenance Center.
- Diagnostic Service Host (WdiServiceHost):
This Windows service hosts diagnostics that have to run in the context of the Local Service account. The service depends directly on the Diagnostic Policy Service.
- Diagnostic System Host (WdiSystemHost):
This Windows service hosts diagnostics that have to run in the context of the Local System account; it diagnoses and resolves problems that are directly related to Windows components. The service depends directly on the Diagnostic Policy Service.
- Windows Error Reporting Service (WerSvc):
The error reporting service collects information on existing problems and offers any solutions that are already known. In addition, it generates problem reports that can be sent to Microsoft, if required, in order to obtain further potential solutions.
"Troubleshooting" is a collection of applications that gathers information on, and approaches to, problems which may occur on Windows 7-based IT systems. An Internet connection is required to retrieve proposed solutions from Microsoft. Furthermore, new troubleshooting solutions and components are searched for on Microsoft servers at regular intervals and downloaded. To avoid sending organisation- or computer-specific configurations to Microsoft, this function should be deactivated.
If a specific problem occurs, data is collected on the Windows client and sent to Microsoft in order to obtain specific proposals for solutions. Which data is collected in the individual case can be seen in the details of the problem report. The problem report always contains information on the operating system as well as on the hardware and software of the IT system; it may also include personal data. If a problem has been detected, troubleshooting can try to solve it on its own. To do so, it makes changes to the configuration of the system.
For the secure use of the Maintenance Center and its functions, the following aspects should be implemented:
Since these Windows services depend on each other and other Windows components depend on them, their default start types must be retained. Otherwise, important Windows services might not function properly.
| Windows service | Default start type |
|---|---|
| Diagnostic Policy Service (DPS) | Automatic |
| Diagnostic Service Host (WdiServiceHost) | Manual |
| Diagnostic System Host (WdiSystemHost) | Manual |
| Windows Error Reporting Service (WerSvc) | Automatic |
Furthermore, the following settings should be implemented by group policy and on each Windows 7-based IT system:
- Setting: Call up latest troubleshooting from the Windows Online Service for troubleshooting
- Path in the control panel: Control Panel | All Control Panel Elements | Troubleshooting
- Group policy paths:
- Computer Configuration | Policies | Administrative Templates | System | Troubleshooting and Diagnostics | Microsoft Support Diagnostics Tool | Restrict Tool Download
- Computer Configuration | Policies | Administrative Templates | System | Troubleshooting and Diagnostics | Microsoft Support Diagnostics Tool | Configure Execution Level
- Recommendation: Deactivate the function. Note that the two policies work in opposite directions: "Restrict Tool Download" must be set to Enabled so that the Microsoft Support Diagnostics Tool cannot download additional tools, whereas "Configure Execution Level" must be set to Disabled so that the tool cannot collect data or send it to the support provider.
- Reason(s): Prevents data from being exchanged with Microsoft Support via the Internet for troubleshooting purposes without the user's knowledge and consent
- Setting: Send error reports
- Path in the control panel: does not exist
- Group policy paths:
- Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Error Reporting | Configure Error Reporting
- Computer Configuration | Policies | Administrative Templates | System | Internet Communication Management | Internet Communication Settings | Deactivate Error Reporting
- Recommendation: Deactivate settings
- Reason(s): These settings should be deactivated so as not to send organisation- or computer-specific configurations to Microsoft.
- Setting: Send data on computer configuration at regular intervals to Microsoft
- Path in the control panel: does not exist
- Group policy path:
- Computer Configuration | Administrative Templates | Windows Components | Application Compatibility | Deactivate Program Inventory
- Recommendation: Deactivate settings
- Reason(s): If this is not prevented by group policy, data on the installed software products can be sent to Microsoft without the user having requested this or being aware of it.
In order to prevent further functions that endanger security, the following settings should be configured:
- Setting: Windows backup
- Path in the control panel:
- Control Panel | All Control Panel Elements | Maintenance Center | Change Maintenance Center Settings
- Recommendation: Deactivate setting
- Reason(s): The notification might prompt users with local rights on the IT system, out of ignorance, to back up data to a local storage medium. Such copies of the data cannot be traced by the IT department and result in further security risks.
- Setting: Program for user-friendliness (Customer Experience Improvement Program, CEIP)
- Path in the control panel:
- Control Panel | All Control Panel Elements | Maintenance Center | Change Maintenance Center Settings | Settings for the Program to Improve the User-Friendliness
- Recommendation: Deactivate setting
- Reason(s): This setting prevents data on the users' behaviour from being sent to Microsoft.
- Setting: Computer maintenance
- Path in the control panel:
- Control Panel | All Control Panel Elements | Troubleshooting | Change Settings
- Recommendation: Activate setting
- Reason(s): This setting should be activated so that the computer is checked for problems and the user is informed about any problems found.
- Setting: Troubleshooting - other settings
- Path in the control panel:
- Control Panel | All Control Panel Elements | Troubleshooting | Change Settings
- Recommendation: Deactivate settings
- Reason(s): These settings should be deactivated so that neither new troubleshooting solutions are downloaded from Microsoft nor problems are solved automatically. Automatic solving is not recommended, since the configuration of the IT system should not be changed automatically.
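As an added example (not part of the BSI safeguard text), the following PowerShell script audits a Windows 7 client against the service start types in the table above and against a subset of the settings just listed. The registry paths and value names it checks are assumptions taken from the corresponding administrative templates and control panel behaviour rather than from this safeguard and should be verified against the templates in the organisation's own policy store; the Maintenance Center message settings (Windows backup) and the troubleshooting control panel options are not covered by the script and have to be checked manually.

```powershell
# Audit script added as an example for S 4.420; it is not part of the BSI text.
# Run in an elevated PowerShell session (2.0 or later) on Windows 7.
# The script only reports; remediation is done via group policy as described above.

# Default start types from the service table of this safeguard.
# Win32_Service reports 'Auto' for the start type shown as 'Automatic'.
$ExpectedStartMode = @{
    'DPS'            = 'Auto'    # Diagnostic Policy Service
    'WdiServiceHost' = 'Manual'  # Diagnostic Service Host
    'WdiSystemHost'  = 'Manual'  # Diagnostic System Host
    'WerSvc'         = 'Auto'    # Windows Error Reporting Service
}

# Registry values behind a subset of the settings recommended above.
# ASSUMPTION: paths and value names come from the ADMX templates and the
# control panel, not from the safeguard text. Verify them before relying on them.
$ExpectedValues = @(
    @{ Setting  = 'Send error reports (policy: Deactivate Error Reporting)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
       Name     = 'Disabled'; Expected = 1 },
    @{ Setting  = 'Send data on computer configuration (policy: Deactivate Program Inventory)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
       Name     = 'DisableInventory'; Expected = 1 },
    @{ Setting  = 'Call up latest troubleshooting from the Windows Online Service'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
       Name     = 'EnableQueryRemoteServer'; Expected = 0 },
    @{ Setting  = 'Program for user-friendliness (CEIP, control panel setting)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
       Name     = 'CEIPEnable'; Expected = 0 }
)

function Test-ServiceStartModes {
    # Compare the configured start type of each service with the default.
    foreach ($name in $ExpectedStartMode.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { $actual = '<service not found>' }
        else                { $actual = $svc.StartMode }
        New-Object PSObject -Property @{
            Check     = "Service $name start type"
            Expected  = $ExpectedStartMode[$name]
            Actual    = $actual
            Compliant = ($actual -eq $ExpectedStartMode[$name])
        }
    }
}

function Test-RegistryValues {
    # A missing key or value means 'Not configured': the Windows default applies
    # and the data-sending function is still active, so this is non-compliant.
    foreach ($entry in $ExpectedValues) {
        $item = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
        if ($item -eq $null) { $actual = '<not configured>' }
        else                 { $actual = $item | Select-Object -ExpandProperty $entry.Name }
        New-Object PSObject -Property @{
            Check     = $entry.Setting
            Expected  = $entry.Expected
            Actual    = $actual
            Compliant = ($actual -eq $entry.Expected)
        }
    }
}

$results = @(Test-ServiceStartModes) + @(Test-RegistryValues)
$results | Format-Table Check, Expected, Actual, Compliant -AutoSize

# Non-zero exit code so the script can be used from a scheduled task or a
# configuration management tool to flag deviating clients.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} checks deviate from S 4.420" -f $failed.Count, $results.Count)
    exit 1
}
```

The script deliberately reads the policy hive (HKLM\SOFTWARE\Policies) for the group-policy-managed settings, so it reports what the domain enforces rather than what a local user may have changed; the CEIP value is read from the non-policy location because this safeguard configures it through the control panel. Because the Windows error reporting and troubleshooting functions are controlled by two policies each (see the group policy paths above), a compliant result for one value does not replace checking the second policy by hand.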
For the handling of the Maintenance Center and of any dialogues that are still displayed to the user after the settings have been implemented, a binding regulation on how the user has to proceed should be defined. In addition, the regulation should specify whether and when the user may start the Maintenance Center component manually (see S 2.4 Maintenance / repair regulations). Normally, problems occurring during the operation of an IT system should be escalated to the persons designated for this purpose (see S 2.1 Specification of responsibilities and provisions).
Review questions:
- Was a binding regulation for the handling of the Maintenance Center by the users defined under Windows 7?
- Are the default start types of the Windows 7 services DPS, WdiServiceHost, WdiSystemHost and WerSvc retained?
- Were the settings for "Call up latest troubleshooting from the Windows Online Service for troubleshooting", "Send error reports", "Send data on computer configuration at regular intervals to Microsoft", "Windows backup", "Program for user-friendliness" and "Troubleshooting - other settings" deactivated under Windows 7?
- Was the setting for "Computer maintenance" activated under Windows 7?