Tools and tips for managing fundamental components of the Windows architecture

By default, Windows 2000 Server, Standard Edition (without service packs applied) installs 65 services. (The other Win2K Server products and Win2K Professional install different services. For descriptions of the 65 default services that Win2K Server, Standard Edition installs, see Web Table 1 at http://www.win2000mag.com, InstantDoc ID 22762.) In "Win2K Server Services, Part 1," November 2001, I provide a definition of those services and what they do as well as tools and tips for how to manage them. With that foundation, you can begin to evaluate the services running on your system and tune them to your ideal configuration.

What Installs Which Services?
To see which services Win2K Server installs by default, I started with a clean Win2K Server installation and accepted all the default settings (except that I opted to install the management and monitoring tools, which Win2K Server doesn't install by default). Next, I ran the Active Directory Installation Wizard (dcpromo.exe) and accepted all the default settings. Using the wizard, I made the server the first domain controller (DC) in the new domain homedomain.com, and I installed DNS locally. The Active Directory (AD) installation process installed only one new service, the DNS Server service, which answers DNS name queries and update requests.

Although the AD installation added only one new service, the installation changed the status of some of the Win2K Server default services from manual or disabled to automatic. Table 1, page 40, shows the services that AD requires but that don't run in a default standalone server configuration unless you manually turn them on.

Finally, using the Control Panel Add/Remove Programs applet, I installed every possible native Windows service and accepted all the default configuration parameters. (Under most circumstances, I would never take this step on a production server. I did so in this case simply to research the services and their options.) This installation added 24 services to my system and changed the Startup Type parameter of the already installed Win2K Server Terminal Services from Disabled to Automatic. Table 2 lists and describes the 24 services that this step added.

What Can You Afford to Lose?
With 90 services running on your Win2K Server system, won't all that code bring your server to its knees? The answer depends on the server's horsepower. Most of these services don't drain system resources unless they're active. For example, if you don't maintain an active Web site on your server, having Microsoft IIS installed and running won't significantly slow your system's performance.

By default, many services are disabled or set to manual start, but the more services your server loads automatically, the more memory and CPU resources it uses during typical operation. Therefore, if fewer services are running, more resources are available to the system, and the system will run faster. Thus, to improve performance, you should set services to start automatically only when necessary and disable, remove, or set to manual start the other services on your server.

However, be very careful about which services you disable or remove. A good rule of thumb is that if you don't know what it does, don't disable or remove it. Turning off a necessary or dependent service can crash an application, corrupt files, or cause your system to fail. Whether you can safely disable or remove a service depends on your server's configuration, but Table 3, page 42, shows services you might be able to turn off to boost performance (provided you've verified that the system or other applications aren't using the services). To properly remove a service, use the Add/Remove Programs applet. Click Add/Remove Windows Components to launch the Windows Components Wizard, which presents a list of available Win2K services. Currently installed services appear with selected check boxes. To remove a service, clear the service's check box; to modify a service, select its check box, then click Next to step through configuration for the services you selected (some services include multiple components). Be sure to clear a check box only if you want to remove that service.

Should you turn on any services that don't run by default? The answer depends on your situation. For example, you might want to enable the Indexing service, but this service slows server performance every time it indexes the server's content. If you need fax capability or RRAS functionality, you should turn on those services. Table 4, page 42, lists useful system services that you might want to enable.

When tuning your system's services, perform a full backup before you significantly alter your server's configuration, and log every configuration change. Backups and logs are your primary vehicles for troubleshooting problems if a configuration change results in a broken application or performance degradation.
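The tuning procedure above (snapshot first, change startup types only after checking dependents, keep a change log) can be scripted. The following is an added example, not code from the article or from Microsoft; PowerShell did not ship with Win2K, and the script assumes Windows PowerShell 3.0 or later with the Get-Service and Set-Service cmdlets and the Win32_Service class reached through Get-CimInstance. The file paths and the service name in the usage comment are illustrative.

```powershell
# Added example: snapshot service configuration, then change a startup type
# only when no running service depends on the target, logging each change.
# Assumes Windows PowerShell 3.0+; paths below are illustrative.

function Export-ServiceBaseline {
    param([string]$Path = "C:\ServiceTuning\baseline-$(Get-Date -Format yyyyMMdd-HHmm).csv")
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    # Win32_Service exposes StartMode and the logon account (StartName);
    # the Get-Service cmdlet alone does not show either on older versions.
    Get-CimInstance Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

function Set-ServiceStartupSafely {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Automatic', 'Manual', 'Disabled')][string]$StartupType,
        [string]$LogPath = 'C:\ServiceTuning\changes.log'
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop

    # The article's rule of thumb: turning off a service that others depend on
    # can crash applications. Refuse to demote a service with running dependents.
    $blocking = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($StartupType -ne 'Automatic' -and $blocking) {
        Write-Warning ("{0}: running dependents {1}; startup type not changed" -f $Name, ($blocking.Name -join ', '))
        return $false
    }

    $before = (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
    Set-Service -Name $Name -StartupType $StartupType
    if ($StartupType -eq 'Disabled' -and $svc.Status -eq 'Running') {
        Stop-Service -Name $Name
    }

    # One tab-separated record per change so the change can be reversed later
    $record = (Get-Date -Format s), $env:USERNAME, $Name, "$before -> $StartupType" -join "`t"
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
    Add-Content -Path $LogPath -Value $record
    return $true
}

# Usage (run before and after tuning; '<ServiceName>' is a placeholder):
# Export-ServiceBaseline
# Set-ServiceStartupSafely -Name '<ServiceName>' -StartupType Manual
```

The baseline CSV plays the role of the backup and log the paragraph recommends for service settings: diffing two baselines shows exactly which services changed startup type or logon account between two points in time, and the change log names who changed what.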

Security Tune-Up
Disabling security-related services on any server—but especially on a DC—sacrifices the system's protection and endangers your network environment. However, you can tune service settings to ease systems management.

In Part 1, I discussed how to create service accounts for applications and services. These accounts control the security context under which the applications and services run, help you control the access rights and interactivity of multiple related services, and secure the system's core management and application functions.

Using Win2K's native security object model, you can control access to individual server properties and actions. So, for example, you can control which services your Help desk technicians can access, what actions they can take, and even what management information they can view. By setting ACLs on individual services, you can delegate control and access rights to those services. Alternatively, you can use Microsoft BackOffice Server 2000 to determine, through logon credentials and locked-down Microsoft Management Console (MMC) files, what a technician has permission to do. For example, you can customize a context menu to display only Start Service (and not Stop). The Microsoft Windows 2000 Resource Kit Service ACL Editor tool also lets you administer services at a granular level. (For a complete list of related resource kit tools, see Part 1.)
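Per-service ACLs are stored as a security descriptor that sc.exe can print in SDDL form, which makes a delegation review scriptable. The following is an added example, not code from the article or from the resource kit's Service ACL Editor; it assumes Windows PowerShell 3.0 or later and the sc.exe sdshow subcommand. The two lookup tables translate the SDDL trustee abbreviations and the generic rights letters into their service-specific meanings as Microsoft documents them; the service name in the usage comment is the Win2K Server service mentioned later in this article.

```powershell
# Added example: read a service's DACL with sc.exe sdshow and report each ACE,
# flagging allow-ACEs that give non-administrators configuration control.
# Assumes Windows PowerShell 3.0+ and sc.exe.

# SDDL trustee abbreviations (well-known SIDs)
$WellKnown = @{
    SY = 'SYSTEM'; BA = 'Administrators'; AU = 'Authenticated Users'; IU = 'Interactive'
    SU = 'Service'; WD = 'Everyone'; BU = 'Users'; PU = 'Power Users'
    NS = 'Network Service'; LS = 'Local Service'; AN = 'Anonymous'; NU = 'Network'
}
# Generic SDDL rights letters as they map onto service-specific rights
$Rights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'; SD = 'Delete'
    GA = 'GenericAll'; GR = 'GenericRead'; GW = 'GenericWrite'; GX = 'GenericExecute'
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the descriptor as one SDDL line beginning with "D:"
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^\s*[DS]:' }) -join ''
    if (-not $sddl) { throw "no SDDL returned for service '$Name'" }
    return $sddl.Trim()
}

function Get-ServiceAceReport {
    param([Parameter(Mandatory)][string]$Name)
    $sddl = Get-ServiceSddl -Name $Name
    $dacl = ($sddl -split 'S:')[0]      # keep the DACL, drop the SACL part
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<trustee>[^)]+)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        $raw = $m.Groups['rights'].Value
        # Rights are two-letter tokens; unknown tokens are kept verbatim
        $rightsList = for ($i = 0; $i -lt $raw.Length; $i += 2) {
            $tok = $raw.Substring($i, [Math]::Min(2, $raw.Length - $i))
            if ($Rights.ContainsKey($tok)) { $Rights[$tok] } else { $tok }
        }
        $trustee = $m.Groups['trustee'].Value
        $who = if ($WellKnown.ContainsKey($trustee)) { $WellKnown[$trustee] } else { $trustee }
        $isAllow = $m.Groups['type'].Value -eq 'A'
        # Rights that let the holder decide how and as whom the service runs
        $powerful = ($rightsList -contains 'ChangeConfig') -or ($rightsList -contains 'WriteDac') -or
                    ($rightsList -contains 'WriteOwner') -or ($rightsList -contains 'GenericAll')
        [pscustomobject]@{
            Service = $Name
            Type    = if ($isAllow) { 'Allow' } else { 'Deny' }
            Trustee = $who
            Rights  = $rightsList -join ','
            Review  = $isAllow -and $powerful -and ($trustee -notin 'SY', 'BA')
        }
    }
}

# Usage: list ACEs for the Server service and show only the ones to review
# Get-ServiceAceReport -Name 'LanmanServer' | Format-Table -AutoSize
# Get-ServiceAceReport -Name 'LanmanServer' | Where-Object Review
```

The Review column is the check a delegation review cares about: a Help desk group that should only start a service needs an allow-ACE containing RP (Start) without WP (Stop) and without DC (ChangeConfig), WD or WO; granting those last three to a non-administrator hands that principal control over what runs under the service's account. Edited descriptors are applied with sc.exe sdset, so keep the sdshow output from before the change alongside the change log.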

You can set logon credentials for services, enter passwords, and set interaction with the desktop through the Log On tab of a service's Properties window. Through the logon account, you can determine which rights a service or application will have on your server. Thus, for services that are potential security risks, you can limit access to server resources. You can create a unique user account and manually assign the account to the groups that contain the permissions necessary to work with that service. When you do so, create the user account in the Local Users and Groups container. (If your system is a DC, create a unique domain account rather than a local or system account.) Make sure that you limit the account's functional scope as much as possible (e.g., provide limited logon rights and no general server access unless the service requires it). Setting up service-management accounts that have different names and strong passwords will make cracking your network more difficult.

However, creating a multitude of service accounts can result in a hassle when you must change accounts' passwords (according to your company's password policies). One option is to set these accounts' passwords to never expire. This setting protects you from finding yourself with a dead server if a password times out and prevents the associated service from logging on and running. But this setting is also a security risk. Rather than create many accounts with passwords that don't expire, you can create a few, nonprivileged service accounts and develop a process for changing their passwords as needed.

Desktop interaction for a service means that the service can bring itself up in the Windows desktop environment for input by anyone logged on to the system. Selecting the Allow service to interact with desktop check box in the service's Properties window exposes the service's UI so that users can change the service's settings. Leaving this check box clear prevents logged-on users from interfering with the service. This configuration option is available only when a service is running under the Local System account. Usually, you wouldn't change the interaction settings of common Windows components and services because doing so could have detrimental effects on your server's operation. However, in a development environment or if you're running an application as a service, permitting desktop interaction might be necessary to control a service or to provide user-input settings.
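The three settings discussed above (logon account, password rotation for service accounts, and desktop interaction) all live in the Win32_Service class, whose Change method is the scriptable counterpart of the Log On tab. The following is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 3.0 or later with Get-CimInstance and Invoke-CimMethod. The audit function reports what each service runs as and whether it may interact with the desktop; the second function is the rotation step for the few nonprivileged service accounts the text recommends. The domain and account names in the usage comment are illustrative (HOMEDOMAIN follows the homedomain.com example used earlier in the article).

```powershell
# Added example: audit service logon accounts and desktop interaction, and
# rotate a service account's credentials through Win32_Service.Change.
# Assumes Windows PowerShell 3.0+; account names below are illustrative.

function Get-ServiceLogonAudit {
    # Built-in accounts as Win32_Service reports them in StartName
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            StartMode       = $_.StartMode
            State           = $_.State
            Account         = $_.StartName
            CustomAccount   = [bool]($_.StartName -and ($builtin -notcontains $_.StartName))
            DesktopInteract = $_.DesktopInteract
            # LocalSystem plus desktop interaction exposes a privileged UI to anyone
            # logged on, which the text reserves for development or special cases
            Review          = [bool]($_.DesktopInteract -and $_.StartName -eq 'LocalSystem')
        }
    }
}

function Set-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Credential for the service account, e.g. '.\svc_example' or 'HOMEDOMAIN\svc_example'
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service '$Name' not found" }

    # Win32_Service.Change leaves every argument that is not supplied unchanged.
    # Desktop interaction is only valid for LocalSystem, so a custom account
    # always has it turned off here.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName       = $Credential.UserName
        StartPassword   = $Credential.GetNetworkCredential().Password
        DesktopInteract = $false
    }
    # ReturnValue 0 means success; anything else is an SCM error code
    if ($result.ReturnValue -ne 0) {
        throw "Change failed for '$Name' with return value $($result.ReturnValue)"
    }
    # Unlike services.msc, the WMI call does not grant the account the
    # "Log on as a service" right; that must already be assigned, or the
    # service will fail to start at the next restart.
    return $result.ReturnValue
}

# Usage:
# Get-ServiceLogonAudit | Where-Object { $_.CustomAccount -or $_.Review } | Format-Table -AutoSize
# Set-ServiceLogonAccount -Name '<ServiceName>' -Credential (Get-Credential 'HOMEDOMAIN\svc_example')
```

Running the audit first gives you the list of services that share a given account, which is exactly what a password rotation needs: every service using that account must receive the new password in the same maintenance window, or the next restart leaves a service unable to log on, the failure mode the paragraph on expiring passwords describes.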

What if you mess up? You mistakenly set the Server service to log on under a user account with an expired password. Now, you find that you can't log on to your system. Don't panic. Reboot the server into Safe Mode, which is a minimal service and driver configuration. Through one of the various Safe Mode startup options, you can get back into Windows and fix your error.

Tune Up or Tune Out
You've learned your way around services' administration tools and interfaces, and now you know how to apply that knowledge through enabling and disabling services and tweaking services' security-related settings. You can use these articles as a Win2K services primer to ease service management, and you can consult Windows Help and the resource kit documentation for more information about tuning your system's services.