Necessary Services on a Domain Controller

Domain controllers are those very important servers in every network. Active Directory service is installed on a domain controller and there is very important data about objects and resources stored in every domain controller. In order to secure a domain controller or generally every other computer, we need to reduce the attack surface by reducing the number of applications and services running on top of that server or computer.

Windows Server 2008 R2 is actually an OS with a lot of different services that can be running on top of it but the question is that how many and which of them need to be running or stopped?

I tried to come up with this table below to specify the state of different services in every domain controller:


Service

State

Alerter Disabled
Application Layer Gateway Service Manual
Application Management Disabled
ASP.NET State Services Disabled
Automatic Updates Automatic
Background Intelligent Transfer Service Manual
Certificate Services Disabled
MS Software Shadow Copy Provider Manual
Client Service for NetWare Disabled
ClipBook Disabled
Cluster Service Disabled
COM+ Event System Manual
COM+ System Application Disabled
Computer Browser Automatic
Cryptographic Services Automatic
DHCP Client Automatic
DHCP Server Disabled, unless acting as a DHCP server
Distributed File System Automatic
Distributed Link Tracking Client Disabled
Distributed Transaction Coordinator Disabled
DNS Client Automatic
DNS Server Automatic
Error Reporting Service Disabled
Event Log Automatic
Fax Service Disabled
File Replication Service Automatic
File Server for Macintosh Disabled
FTP Publishing Service Disabled
Help and Support Disabled
HTTP SSL Disabled
Human Interface Device Access Disabled
IAS Jet Database Access Disabled
IIS Admin Service Disabled
IMAPI CD-Burning COM Service Disabled
Indexing Service Disabled
Internet Authentication Service Disabled
Windows Firewall/Internet Connection Sharing (ICS) Disabled
Intersite Messaging Automatic, if using SMTP for intersite replication
IP Version 6 Helper Service Disabled
IPSec Policy Agent (IPSec Service) Automatic
Kerberos Key Distribution Center Automatic
License Logging Service Disabled
Logical Disk Manager Manual
Logical Disk Manager Administrative Ser-vice Manual
Message Queuing Disabled
Message Queuing Down Level Clients Disabled
Message Queuing Triggers Disabled
Messenger Disabled, unless using a UPS
Microsoft POP3 Service Disabled
MSSQL$UDDI Disabled
MSSQLServerADHelper Disabled
.NET Framework Support Service Disabled
Net Logon Automatic
NetMeeting Remote Desktop Sharing Disabled
Network Connections Manual
Network DDE Disabled
Network DDE DSDM Disabled
Network Location Awareness (NLA) Manual
Network News Transfer Protocol (NNTP) Disabled
NTLM Security Support Provider Automatic
Performance Logs and Alerts Manual
Plug and Play Automatic
Portable Media Serial Number Disabled
Print Server for Macintosh Disabled
Print Spooler Disabled
Protected Storage Automatic
QoS RSVP Not Applicable
Remote Access Auto Connection Manager Disabled
Remote Access Connection Manager Disabled
Remote Administration Service Manual
Remote Desktop Help Session Manager Disabled
Remote Installation Disabled
Remote Procedure Call (RPC) Automatic
Remote Procedure Call (RPC) Locator Disabled
Remote Registry Automatic
Remote Server Manager Disabled
Remote Server Monitor Disabled
Remote Storage Notification Disabled
Remote Storage Server Disabled
Removable Storage Disable
Resultant Set of Policy Provider Automatic
Routing and Remote Access Disabled
SAP Disabled
Secondary Logon/RunAs Service Disabled
Security Accounts Manager Automatic
Server Automatic
Shell Hardware Detection Disabled
Simple Mail Transfer Protocol (SMTP) Automatic, if using SMTP for replication
Simple TCP/IP Services Disabled
Single Instance Storage Groveler Disabled
Smart Card Automatic, if using smart cards
SNMP Service Disabled unless required in your network
SNMP Trap Service Disabled
Special Administration Console Helper Disabled
SQLAgent$* (*UDDI or WebDB) Disabled
System Event Notification Automatic
Task Scheduler Manual
TCP/IP Net BIOS Helper Service Automatic
TCP/IP Print Server Disabled
Telephony Disabled
Telnet Disabled
Terminal Services Automatic
Terminal Services Licensing Disabled
Terminal Services Session Directory Disabled
Themes Disabled
Trivial FTP Daemon Disabled
Uninterruptible Power Supply Automatic, if using a UPS; otherwise, Disabled
Upload Manager Disabled
Virtual Disk Service Disabled
Volume Shadow Copy Manual
WebClient Disabled
Web Element Manager Disabled
Windows Audio Disabled
Windows Image Acquisition (WIA) Disabled
Windows Installer Manual
Windows Internet Name Service (WINS) Disabled, unless the domain controllers is hosting a WINS server
Windows Management Instrumentation Automatic
Windows Management Instrumentation Driver Extensions Manual
Windows Media Services Disabled
Windows System Resource Manager Disabled
Windows Time Automatic
WinHTTP Web Proxy Auto-Discovery Service Disabled
Wireless Configuration Disabled
WMI Performance Adapter Manual
Workstation Automatic
World Wide Web Publishing Service Disabled

 Of course, it still depends on your services that need to be necessarily running on your domain controller and if for instance you want to configure your DC as a DHCP server, then you will have to change the “DHCP Server” service state to Automatic.

You want to learn more specifically about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

I hope you enjoyed it

Cheers

7 thoughts on “Necessary Services on a Domain Controller

  1. Pingback: Elektrische Zahnbuerste

  2. Esmaeil,

    Why is the remote registry service required on domain controllers? I’ve seen conflicting information about needing this service on a DC for it to function properly. If you can answer my question, may be that will clear things up for me.

Leave a Reply

Your email address will not be published. Required fields are marked *