SM-401 Windows Services Lockdown Guide
March 9, 2012
This manual describes our recommended configuration for the Windows
operating system services on your SCADA system.
The content of this manual has been carefully checked for accuracy. However, if you find
any errors, please notify Survalent Technology Corporation.
Revisions

Date           Description
March 9, 2012  Initial version
1 Introduction
The purpose of this document is to help you configure Windows Services so that services which are not
required to run your SCADA system are eliminated. The goal is to enhance the overall security and
reliability of your SCADA servers.
Some, but not all, of the suggestions contained in this manual are also applicable to your workstations.
This document discusses specific versions of the Windows operating system. The principles described
may apply in a similar manner to other versions. However, the lockdown configurations have not been
tested on other versions by Survalent.
This document assumes that you have full administrative access to the SCADA servers, and that you are
familiar with the tools available (such as the Windows Control Panel and other administrative tools) in
order to make the recommended settings adjustments.
Note that your organization may have IT policies in place, as well as IT personnel who may be responsible
for the configuration of these computers. Please ensure that your organization’s requirements will be met
by the procedures described in this document before you make any configuration changes.
If a script or batch file has been provided by Survalent to configure these services, you
should run it first, and then verify that the settings match those listed.
No.  Service Name                                    Startup Type
1    Application Experience                          Disabled
2    Application Identity                            Manual
3    Application Information                         Manual
4    Application Layer Gateway Service               Disabled
5    Application Management                          Disabled
6    Background Intelligent Transfer Service         Disabled
7    Background Tasks Infrastructure Service         Automatic
8    Base Filtering Engine                           Automatic
9    Certificate Propagation                         Disabled
10   CNG Key Isolation                               Disabled
11   COM+ Event System                               Automatic
12   COM+ System Application                         Disabled
13   Computer Browser                                Disabled
14   Credential Manager                              Manual
15   Cryptographic Services                          Disabled
16   DCOM Server Process Launcher                    Automatic
17   Device Association Service                      Disabled
18   Device Install Service                          Manual
19   Device Setup Manager                            Manual
20   DHCP Client                                     Disabled
21   Diagnostic Policy Service                       Automatic (Delayed Start)
22   Diagnostic Service Host                         Disabled
23   Diagnostic System Host                          Disabled
24   Distributed Link Tracking Client                Disabled
25   Distributed Transaction Coordinator             Disabled
26   DNS Client                                      Disabled
27   Encrypting File System (EFS)                    Manual
28   Extensible Authentication Protocol              Disabled
29   Function Discovery Provider Host                Disabled
30   Function Discovery Resource Publication         Disabled
31   Group Policy Client                             Automatic
32   Health Key & Certificate Management             Disabled
33   Human Interface Device Access                   Disabled
34   Hyper-V Data Exchange Service                   Disabled
35   Hyper-V Guest Shutdown Service                  Disabled
36   Hyper-V Heartbeat Service                       Disabled
37   Hyper-V Remote Desktop Virtualization Service   Disabled
38   Hyper-V Time Synchronization Service            Disabled
This chapter describes the recommended configuration of Windows services for SCADA
servers that are running the Windows Server 2008 operating system.
If a script or batch file has been provided by Survalent to configure these services, you
should run it first, and then verify that the settings match those listed.
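The verification step above can be scripted. The following PowerShell audit is an added example, not Survalent's script or any code from this guide: it compares each service's startup type with the lockdown value, using a baseline hashtable that holds a subset of the rows from the Windows Server 2008 table (extend it with the remaining rows), and it reads the Start and DelayedAutostart registry values instead of Get-Service so that it also runs under PowerShell 2.0 on Windows Server 2008.

```powershell
# Added example, not Survalent's script: audit service startup types against the lockdown table.
# Reads the SCM registry values (Start, DelayedAutostart) instead of Get-Service, so it also
# runs under PowerShell 2.0 on Windows Server 2008, where Get-Service has no StartType.
# Baseline: a subset of the Windows Server 2008 table; extend it with the remaining rows.
$Baseline = @{
    'AeLookupSvc'  = 'Disabled'
    'AppIDSvc'     = 'Manual'
    'BITS'         = 'Disabled'
    'BFE'          = 'Automatic'
    'CryptSvc'     = 'Disabled'
    'DcomLaunch'   = 'Automatic'
    'Dhcp'         = 'Disabled'
    'DPS'          = 'Automatic'
    'Dnscache'     = 'Disabled'
    'gpsvc'        = 'Automatic'
    'SharedAccess' = 'Disabled'
}

function Get-StartupType {
    # Map the Start value (2/3/4) and DelayedAutostart flag to the wording used in the table.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return 'Not installed' }   # report a missing service, do not abort
    $props = Get-ItemProperty -Path $key
    if ($props.Start -eq 2 -and $props.DelayedAutostart -eq 1) { return 'Automatic (Delayed Start)' }
    switch ($props.Start) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unknown ($($props.Start))" }
    }
}

function Test-ServiceBaseline {
    # One record per baseline entry; Match is $false for any deviation or missing service.
    param([hashtable]$Expected)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = Get-StartupType -Name $name
        New-Object PSObject -Property @{
            Service = $name; Expected = $Expected[$name]; Actual = $actual
            Match   = ($actual -eq $Expected[$name])
        }
    }
}

$result = @(Test-ServiceBaseline -Expected $Baseline)
$result | Sort-Object Match, Service | Format-Table Service, Expected, Actual, Match -AutoSize
# Exit 1 on any deviation so the check can gate a scheduled or change-control job.
if (@($result | Where-Object { -not $_.Match }).Count -gt 0) { exit 1 }
```

Run it from an elevated PowerShell session after applying the settings; mismatched rows are listed first.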
Service                         Service Name                                    Startup Type
AeLookupSvc                     Application Experience                          Disabled
AppIDSvc                        Application Identity                            Manual
Appinfo                         Application Information                         Manual
ALG                             Application Layer Gateway Service               Disabled
AppMgmt                         Application Management                          Disabled
aspnet_state                    ASP.NET State Service                           Manual
BITS                            Background Intelligent Transfer Service         Disabled
BFE                             Base Filtering Engine                           Automatic
CertPropSvc                     Certificate Propagation                         Disabled
KeyIso                          CNG Key Isolation                               Disabled
EventSystem                     COM+ Event System                               Automatic
COMSysApp                       COM+ System Application                         Disabled
Browser                         Computer Browser                                Disabled
VaultSvc                        Credential Manager                              Manual
CryptSvc                        Cryptographic Services                          Disabled
DcomLaunch                      DCOM Server Process Launcher                    Automatic
UxSms                           Desktop Window Manager Session Manager          Disabled
Dhcp                            DHCP Client                                     Disabled
DPS                             Diagnostic Policy Service                       Automatic
WdiServiceHost                  Diagnostic Service Host                         Disabled
WdiSystemHost                   Diagnostic System Host                          Disabled
defragsvc                       Disk Defragmenter                               Manual
TrkWks                          Distributed Link Tracking Client                Disabled
MSDTC                           Distributed Transaction Coordinator             Disabled
Dnscache                        DNS Client                                      Disabled
EFS                             Encrypting File System (EFS)                    Manual
EapHost                         Extensible Authentication Protocol              Disabled
fdPHost                         Function Discovery Provider Host                Disabled
FDResPub                        Function Discovery Resource Publication         Disabled
gpsvc                           Group Policy Client                             Automatic
hkmsvc                          Health Key & Certificate Management             Disabled
hidserv                         Human Interface Device Access                   Disabled
IKEEXT                          IKE and AuthIP IPsec Keying Modules             Disabled
UI0Detect                       Interactive Services Detection                  Disabled
SharedAccess                    Internet Connection Sharing (ICS)               Disabled
iphlpsvc                        IP Helper                                       Disabled
PolicyAgent                     IPsec Policy Agent                              Disabled
KtmRm                           KtmRm for Distributed Transaction Coordinator   Disabled
lltdsvc                         Link-Layer Topology Discovery Mapper            Disabled
clr_optimization_v2.0.50727_64  Microsoft .NET Framework NGEN v2.0.50727_X64    Disabled