Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
In this part of the series, we’ll harden the AD FS Server installations, by disabling unnecessary services running on it. This way, we lower their attack surfaces.
Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. However, as management of AD FS on Server Core installations is PowerShell-only, we also include information for AD FS Servers running Windows Server 2016 with Desktop Experience (Full).
Unnecessary services
By default
The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:
- Computer Browser (browser)
- Net.Tcp Port Sharing Service (NetTcpPortSharing)
- Routing and Remote Access (RemoteAccess)
- Smart Card (SCardSvr)
- Auto Time Zone Update (tzautoupdate)
- Microsoft App-V Client (AppVClient)
- Offline files (cscService)
- User Experience Virtualization Service (UevAgentService)
- Windows Search (WSearch)
These services do not require any further attention.
Additional services
The following Windows services are enabled and have Manual or Automatic startup types on installations of Windows Server 2016 with the Desktop Experience (Full Installations). None of them is needed for AD FS, so they can be disabled:
- ActiveX Installer (AxInstSV)
- Bluetooth Support Service (bthserv)
- CDPUserSvc (CDPUserSvc)
- Contact Data (PimIndexMaintenancesvc)
- dmwappushsvc (dmwappushsvc)
- Downloaded Maps Manager (MapsBroker)
- Geolocation Service (lfsvc)
- Internet Connection Sharing (ICS) (SharedAccess)
- Link-Layer Topology Discovery Mapper (lltdsvc)
- Microsoft Account Sign-in Assistant (wlidsvc)
- Microsoft Passport (NgcSvc)
- Microsoft Passport Container (NgcCtnrSvc)
- Network Connection Broker (NcbService)
- Phone Service (PhoneSvc)
- Print Spooler (Spooler)
- Printer Extensions and Notifications (PrintNotify)
- Program Compatibility Assistant Service (PcaSvc)
- Quality Windows Audio Video Experience (QWAVE)
- Radio Management Service (RmSvc)
- Sensor Data Service (SensorDataService)
- Sensor Monitoring Service (SensrSvc)
- Sensor Service (SensorService)
- Shell Hardware Detection (ShellHWDetection)
- Smart Card Device Enumeration Service (ScDeviceEnum)
- SSDP Discovery (SSDPSRV)
- Still Image Acquisition Events (WiaRpc)
- Sync Host (OneSyncSvc)
- Touch Keyboard and Handwriting Panel (TabletInputService)
- UPnP Device Host (upnphost)
- User Data Access (UserDataSvc)
- User Data Storage (UnistoreSvc)
- WalletService (WalletService)
- Windows Audio (Audiosrv)
- Windows Audio Endpoint Builder (AudioEndpointBuilder)
- Windows Camera Frame Server (FrameServer)
- Windows Image Acquisition (WIA) (stisvc)
- Windows Insider Service (wisvc)
- Windows Mobile Hotspot Service (icssvc)
- Windows Push Notifications System Service (WpnService)
- Windows Push Notifications User Service (WpnUserService)
- Xbox Live Auth Manager (XblAuthManager)
- Xbox Live Game Save (XblGameSave)
Unnecessary tasks
On Windows Server installations with Desktop Experience, two scheduled tasks exist that can be removed without consequences on AD FS Servers:
- \Microsoft\XblGameSave\XblGameSaveTask
- \Microsoft\XblGameSave\XblGameSaveTaskLogon
Harden Services
As the AD FS Servers are part of Active Directory Domain Services, the best way to disable the unnecessary Windows Services is through Group Policy.
Follow these steps:
- Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
- Open the Group Policy Management console (gpmc.msc).
- In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
- Right-click the OU and select Create a GPO in this domain, and Link it here….
- In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
- Click OK
- Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
- Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
- Right-click the Group Policy object and select Edit… from the context menu.
The Group Policy Management Editor window appears.
- In the left navigation pane, under Computer Configuration, expand the Policies node.
- Expand the Windows Settings node.
- Expand the Security Settings node.
- Select System Services.
- In the main pane, for each service in the above list, double-click the service, select the Define this policy setting option and select the Disabled service startup mode. Services that are not present on the management workstation can be added through the list’s Add… button using their short name (the name in parentheses above).
- When done, close the Group Policy Management Editor window.
- Close the Group Policy Management Console window.
- Sign out.
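For an AD FS Server you manage from PowerShell only (a Server Core installation over a remoting session, or a lab server before the GPO has been linked), the following added example, which is not part of the original post, disables the services listed above locally and then reports any that are still enabled. It assumes the short names in parentheses above are the service names on the box; any that are not installed are reported as such rather than failing. The per-user services in the list (CDPUserSvc, OneSyncSvc, PimIndexMaintenanceSvc, UnistoreSvc, UserDataSvc, WpnUserService) are template services that Set-Service often cannot open, so the script falls back to writing Start = 4 (Disabled) under HKLM:\SYSTEM\CurrentControlSet\Services for those. Run it elevated. A local change like this is overridden by Group Policy at the next refresh, so it complements the GPO and does not replace it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): disable unneeded services on an
# AD FS Server locally and verify the result. Short names match the list above.

$UnneededServices = @(
    'AxInstSV','bthserv','CDPUserSvc','PimIndexMaintenanceSvc','dmwappushsvc',
    'MapsBroker','lfsvc','SharedAccess','lltdsvc','wlidsvc','NgcSvc','NgcCtnrSvc',
    'NcbService','PhoneSvc','Spooler','PrintNotify','PcaSvc','QWAVE','RmSvc',
    'SensorDataService','SensrSvc','SensorService','ShellHWDetection','ScDeviceEnum',
    'SSDPSRV','WiaRpc','OneSyncSvc','TabletInputService','upnphost','UserDataSvc',
    'UnistoreSvc','WalletService','Audiosrv','AudioEndpointBuilder','FrameServer',
    'stisvc','wisvc','icssvc','WpnService','WpnUserService','XblAuthManager','XblGameSave'
)

function Get-ServiceStartValue {
    param([string]$Name)
    # Reads the raw Start value from the registry: 2 = Automatic, 3 = Manual, 4 = Disabled.
    # Returns $null when the service is not installed at all.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
}

function Disable-UnneededService {
    param([string]$Name)
    # Returns a status string so the caller can build a report.
    if ($null -eq (Get-ServiceStartValue -Name $Name)) { return 'NotInstalled' }
    try {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop
    } catch {
        # Per-user template services (CDPUserSvc, OneSyncSvc, ...) cannot be
        # opened through the SCM on some builds; write Start = 4 directly instead.
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
            -Name Start -Value 4 -Type DWord
    }
    if ((Get-ServiceStartValue -Name $Name) -eq 4) { return 'Disabled' }
    return 'StillEnabled'
}

$report = foreach ($svc in $UnneededServices) {
    [pscustomobject]@{ Service = $svc; Result = (Disable-UnneededService -Name $svc) }
}
$report | Sort-Object Result, Service | Format-Table -AutoSize

# Anything reported as StillEnabled needs a closer look: either a Group Policy
# setting or a dependent service is keeping it enabled.
$report | Where-Object Result -eq 'StillEnabled'
```

The same $UnneededServices array, fed to Get-ServiceStartValue only, makes a read-only audit you can run after the GPO has applied to confirm that every AD FS Server reports Start = 4 for each service.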
Remove Scheduled Tasks
As the AD FS Servers are part of Active Directory Domain Services, the best way to remove the unnecessary scheduled tasks is through Group Policy Preferences.
Note:
Do not place Group Policy settings and Group Policy preferences in the same Group Policy object, as this will result in synchronous processing behavior and slowness during startups of the AD FS Servers.
Follow these steps:
- Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
- Open the Group Policy Management console (gpmc.msc).
- In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
- Right-click the OU and select Create a GPO in this domain, and Link it here….
- In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
- Click OK
- Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
- Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
- Right-click the Group Policy object and select Edit… from the context menu.
The Group Policy Management Editor window appears.
- In the left navigation pane, under Computer Configuration, expand the Preferences node.
- Expand the Control Panel Settings node.
- Expand the Scheduled Tasks node.
- In the main pane, right-click on Scheduled Tasks and select New and then Scheduled Task from the context menu.
- In the New Task Properties window, select Delete as the action and provide the name of the scheduled task, exactly as provided above (the task name in the Name field and the folder, \Microsoft\XblGameSave, as the task path).
- Click OK.
- Repeat the previous three steps (New Scheduled Task, Delete action, OK) for the second task.
- When done, close the Group Policy Management Editor window.
- Close the Group Policy Management Console window.
- Sign out.
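Where Group Policy Preferences are not an option, or to confirm that the preference item has done its work, the following added example (not part of the original post) removes the two XblGameSave tasks listed above from the local server and reports the outcome. It assumes the task path \Microsoft\XblGameSave\ and the two task names exactly as given above; if a task cannot be unregistered (for example because of the ACL on the task), it is disabled instead and reported as DisabledOnly so you know to follow up. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): remove the XblGameSave scheduled
# tasks from an AD FS Server locally and confirm they are gone.

$UnneededTasks = @(
    @{ TaskPath = '\Microsoft\XblGameSave\'; TaskName = 'XblGameSaveTask' },
    @{ TaskPath = '\Microsoft\XblGameSave\'; TaskName = 'XblGameSaveTaskLogon' }
)

function Remove-UnneededTask {
    param([string]$TaskPath, [string]$TaskName)
    # Idempotent: returns a status string instead of throwing, so it is safe to rerun.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { return 'AlreadyAbsent' }
    try {
        # Stop any running instance first, then remove the registration.
        Stop-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
        Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false -ErrorAction Stop
    } catch {
        # Removal refused (typically the ACL on the task file): at least disable it.
        Disable-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue | Out-Null
        return 'DisabledOnly'
    }
    if (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue) {
        return 'StillPresent'
    }
    return 'Removed'
}

foreach ($t in $UnneededTasks) {
    [pscustomobject]@{
        Task   = "$($t.TaskPath)$($t.TaskName)"
        Result = (Remove-UnneededTask @t)
    }
}

# Anything else still scheduled under the Xbox folder is worth reviewing too.
Get-ScheduledTask -TaskPath '\Microsoft\XblGameSave\' -ErrorAction SilentlyContinue |
    Select-Object TaskPath, TaskName, State
```

As with the services, a local removal does not stop Windows servicing from recreating the tasks; the Group Policy Preferences item keeps deleting them at every refresh, which is why the GPO remains the authoritative control.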
Concluding
Disable unnecessary services and remove the unnecessary scheduled tasks on all AD FS Servers throughout the Hybrid Identity implementation using Group Policy. After the next Group Policy refresh, verify on each AD FS Server (for example with gpresult /r, Get-Service and Get-ScheduledTask) that the settings have applied, and repeat the check after every Windows feature update.
The post HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers appeared first on The things that are better left unspoken.