Windows Tip: Building a supportable enterprise, part 3

July 30, 2007 —

Send your Windows question to Mitch today! | See other Windows tips

It's called the law of unintended consequences -- you do "A" to take care of "B", and then "C" unexpectedly happens. In a previous tip [1], I talked about "leaving well enough alone" and gave the example that when you uninstall Outlook Express from your domain controller (Why not? Who needs an email client on a domain controller? What could go wrong?), an unintended consequence can occur: it breaks your CDO interfaces on your server. While this example might seem a bit obscure to some, there are many more such "hidden dependencies" in Windows, and casual tweaking (in the name of "hardening") can often cause you to run up against these dependencies.

Here's another real-world example of how things can go wrong when you try and harden your domain controllers by disabling what you think are "unneeded services" on your machines. In enterprise environments it's common to segregate server roles onto separate boxes. For example, you've got your domain controllers on this rack, your file/print servers on this rack, and so on. Rarely would you use a domain controller as a print server, especially in a medium or large network environment. So it couldn't hurt if you disabled the Print Spooler service on all your domain controllers, right? Think again.

I know someone who tried this in a multi-site enterprise and some time later they found that orphaned print queues were no longer being scavenged from their network. The reason for this is because printer pruning, the process by which Active Directory automatically removes orphaned print queue objects from its database, requires that the Print Spooler service be running on at least one domain controller in each site (printer pruning runs as a thread within the spooler process).

So, my tip is that if you're going to disable these so-called "unneeded services" on your servers in order to make them "more secure" then you've really got to know first what each service does. A good resource for learning about the intricacies of Windows services is Chapter 7 of the Threats and Countermeasures Guide[2] which goes into excruciating detail concerning the myriad security settings of Windows Server 2003 and Windows XP Professional.

Or you could just leave well enough alone and concentrate on installing a better lock on your server room door.

Building a supportable enterprise, part 1

Building a supportable enterprise, part 2

Building a supportable enterprise, part 4

Chapter 7 of the Threats and Countermeasures Guide

ITworld.com