Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience

I believe some of my fellow Windows Admin's would be interested in this article and accompanying XLS spreadsheet that breaks down what should and should not be enabled or disabled in a Windows 2016 Environment.

The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers.

However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments. For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose.

The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows:

- Should Disable: A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below).
- OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
- Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled.
- (No guidance): These services should not be disabled.

Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation. In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself. 

Want more? - Click Here

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Latest Content

Visit the Digitalsmind Video YouTube Page!

Did you know we have a video page on YouTube? 

Well... WE DO! 

Check us out! 

- Our Video page.