Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience

I believe some of my fellow Windows Admin's would be interested in this article and accompanying XLS spreadsheet that breaks down what should and should not be enabled or disabled in a Windows 2016 Environment.

The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers.

However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments. For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose.

The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows:

- Should Disable: A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below).
- OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
- Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled.
- (No guidance): These services should not be disabled.

Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation. In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself. 

Want more? - Click Here

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Latest Content

  • Snag-It 2018 - Best Screen Capture Tool - PERIOD!
    Written by

    Da Boss!

    Snag-It 2018 - Best Screen Capture Tool - PERIOD! Well, it's almost here but I was graced by the…
    Read more...
  • Windows 10 Fall Creators Update: Lots of small changes—and maybe the revolution
    Written by

    Da Boss!

    Windows 10 Fall Creators Update: Lots of small changes—and maybe the revolution Hopefully this one will go a little smoother than the…
    Read more...
  • VirtualBox 5.1.30
    Written by

    Da Boss!

    VirtualBox 5.1.30 If you are looking for a VM program\utility that can…
    Read more...
  • Microsoft employees can now work from tree houses
    Written by

    Da Boss!

    Microsoft employees can now work from tree houses Damn...can't seem to find my resume. How freaking cool would…
    Read more...
  • US CERT advisory: severe flaw in popular WiFi security protocol WPA2 leaves WiFi traffic open to eavesdropping, connection hijacking, and malicious injection
    Written by

    Da Boss!

    US CERT advisory: severe flaw in popular WiFi security protocol WPA2 leaves WiFi traffic open to eavesdropping, connection hijacking, and malicious injection And I haven't even finished my first cup of coffee…
    Read more...

Visit the Digitalsmind Video YouTube Page!

Did you know we have a video page on YouTube? 

Well... WE DO! 

Check us out! 

- Our Video page.