Microsoft KB Archive/164885

= Default Services Required for Internet Information Server Services =

Article ID: 164885

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 2.0
 * Microsoft Internet Information Server 3.0

-



This article was previously published under Q164885



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
This article describes the service dependencies of the Microsoft Internet Information Server (IIS) WWW (http), FTP, and Gopher services with the default Windows NT services.



MORE INFORMATION
There are certain cases in which it may be desirable to disable particular services on a Windows NT installation. This article describes the minimum windows NT services that are required for the IIS services to function and will explore some of considerations that must be taken before employing these methods. These methods are used to increase the security of an IIS installation through the limitation of available services.


 * WARNING**********

Extreme care must be taken when disabling NT services because specific functionality is provided by each windows NT service. You must thoroughly understand the implications of changing particular service startup values. This text is not a comprehensive discussion of all Windows NT services but a guideline for particular services that are required for the IIS services to function. You WILL lose or limit certain features of IIS functionality when particular services are disabled. For this reason, these methods may not apply to your particular Windows NT installation nor be desirable in your implementation of IIS. These suggestions should be thoroughly tested on a another computer or in a test lab prior to implementation on production servers. Additionally, you may have other services installed that are not covered in this test that have dependencies that are outside the scope of this article.

If the desired functionality of an IIS computer is only to only provide IIS services. In the context of this article IIS or IIS services refers to WWW, FTP, or Gopher services. The following default services in addition to the IIS service you are implementing are needed for base IIS functionality.

At least one of the following:


 * Gopher Publishing Service: Optional
 * FTP Publishing Service: Optional
 * World Wide Web Publishing Service: Optional

All of the following:


 * EventLog: Required
 * NT LM Security Support Provider: Required (NOTE: If this service is not listed, check to make sure RPC Configuration is loaded in Control Panel Network Services.)
 * Remote Procedure Call (RPC) Service: Required

These represent the minimum configuration needed for the IIS services to function. You will in most probability need to ensure some of the following services are functioning for normal server operation. Each of the default services found in a Windows NT installation will be discussed next and the specific functionality used by the IIS services will be described.

Services marked with an asterisk will cause loss of functionality if disabled; disabling these services may be detrimental to overall server functionality.

Services marked with a hyphen have no dependency relationship with IIS or may have little server impact if disabled.


 * WARNING**********

Care should be taken before altering the startup values of these services. These services may have complex dependencies with other services not listed here.

You MUST understand what functionality is provided by these services before changing the settings.

Improper changes of services will risk the loss of needed capabilities or server functionality.


 * WARNING**********


 * Alerter: Not Required. No IIS dependency
 * Clip Book Viewer: Not Required. No IIS dependency
 * *Computer Browser: Recommended. If disabled, no browse list will be available and no computer browsing will be allowed. You must know the network path on remote computers.

NOTE: The Computer Browser service must be running in order for the computer to have the capability to become a master or backup browser, however it has nothing to do with whether or not a computer announces itself on the network. As long as the Server service is running, and the computer is not hidden, a Windows NT computer will make Host Announcements. If a master or backup browser in the same domain or workgroup receives these Announcements, the computer making the Announcements will be added to the server list, and clients will see it in the list when they browse the workgroup or domain.


 * *EventLog: Recommended. This logs server operation. You will receive alerts logged by disabling some of these services that are not required for base functionality.
 * *DHCP Client: Not Required if all Network interfaces use a static IP address.
 * *Directory Replicator: Not Required. No IIS dependency. However, directory replication will not take place if this is disabled. This is a common services to use on large multi-server web installations to synchronize Web content across servers.
 * Messenger: Not Required. No IIS dependency
 * *Net Logon: Recommended. If you want Windows NT domain or remote logins this service must to be enabled. There will be few cases where it is desirable to disable this service.
 * Network DDE: Not Required. No IIS dependency
 * Network Monitor Agent: Not Required. No IIS dependency
 * *NT LM Security Support Provider: Required for security and RPC implementation. There will not be any cases when you will want to disable this service.
 * Plug & Play: Not Required. No IIS dependency
 * *Remote Procedure Call (RPC) Locator: Recommended. Not required, unless you are doing remote administration from computer. This is what IIS uses to register computers available for remote administration. This can be disabled if remote administration is not desired. In most cases you will not disable this service as other this is a commonly used by administrative tools and some applications. Take care when disabling this service.
 * *Remote Procedure Call (RPC) Service: Required. It is not recommended you pause or stop this service in any IIS installation.
 * *Server Service: Recommended. This service provides SMB server services. Other services are dependent on this services Some of these include Computer Browser, replication services, network logon and RAS service. Note that you will need to start it if you want to run User Manager.
 * Simple TCP/IP Services: Not Required. No IIS dependency.
 * Spooler: Not Required. No IIS dependency.
 * *TCP/IP NetBIOS Helper: Recommended for NetBIOS support and name resolution. Disabling this service will also disable Computer Browser and Net Logon services. It is not recommended to disable this service in most cases.
 * Telephony Service: Not Required unless access is via dial-up.
 * UPS: Recommended for mission-critical servers.
 * *Workstation: Recommended. Disabling this service shuts down the network redirector. You must use this service if you are using UNC paths or making network shares available via the IIS services. It is not normally recommended to disable this service.

There are many other services you may have installed, such as the Remote Access Service, DHCP, DNS, or WINS service that you may need to enable that are not covered here for particular implementations of IIS. Consult the Windows NT Server resource kit or product documentation for more complete descriptions of particular Windows NT services. Your needs must be carefully considered before changing the default state of any of the described services. The preceding list provides only a minimal guide to the requirements of a particular IIS server installation. Your requirements and mileage may vary especially in an Intranet scenario where services such as WINS, DHCP and DNS may be necessary.

For more information on Windows NT Services and Web Security consult the following resources along with proper testing before implementing these suggestions on production servers:


 * Windows NT Online Help: Query in the Index Tab on services : overview.
 * Windows NT Server Resource Kit

Keywords: KB164885

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.