
Document Number: SM-401

Windows Services
Lockdown Guide
___________________________________________

March 9, 2012
This manual describes our recommended configuration for the Windows
operating system services on your SCADA system.

Survalent Technology Corporation


Mississauga, Ontario
Copyright © 2012 Survalent Technology Corporation
All rights reserved.

SM-401 Windows Services Lockdown Guide

Survalent Technology Corporation


2600 Argentia Road
Mississauga, Ontario
L5N 5V4

TEL (905) 826-5000

FAX (905) 826-7144

The software described in this document is furnished under license, and may only be used or
copied in accordance with the terms of such license.

The content of this manual has been carefully checked for accuracy. However, if you find
any errors, please notify Survalent Technology Corporation.
Revisions

Date                Description
March 9, 2012       Initial version
September 9 2013    Added steps for Windows Server 2012

Windows SCADA
Contents

1 Introduction

2 Windows Server 2012
2.1 Windows Services Startup

3 Windows Server 2008
3.1 Windows Services Startup

1 Introduction

The purpose of this document is to help you configure Windows Services so as to eliminate those
services that are not required to run your SCADA system. The goal is to enhance the overall
security and reliability of your SCADA servers.

Some, but not all, of the suggestions contained in this manual are also applicable to your workstations.

This document discusses specific versions of the Windows operating system. The principles described
may apply in a similar manner to other versions. However, the lockdown configurations have not been
tested on other versions by Survalent.

This document assumes that you have full administrative access to the SCADA servers, and that you are
familiar with the tools available (such as the Windows Control Panel and other administrative tools) in
order to make the recommended settings adjustments.

Note that your organization may have IT policies in place, as well as IT personnel who may be responsible
for the configuration of these computers. Please ensure that your organization’s requirements will be met
by the procedures described in this document before you make any configuration changes.

2 Windows Server 2012
This chapter describes the recommended configuration of Windows services for SCADA
servers that are running the Windows Server 2012 operating system.

2.1 Windows Services Startup


For all SCADA host computers in your system, apply (or verify) the Startup Type settings
shown in Table 2-1. Ignore any services that are not shown in the table.

If a script or batch file has been provided by Survalent to configure these services, you
should run it first, and then verify that the settings match those listed.

Table 2-1 Windows 2012 Services

No. Service Name Startup Type
1 Application Experience Disabled
2 Application Identity Manual
3 Application Information Manual
4 Application Layer Gateway Service Disabled
5 Application Management Disabled
6 Background Intelligent Transfer Service Disabled
7 Background Tasks Infrastructure Service Automatic
8 Base Filtering Engine Automatic
9 Certificate Propagation Disabled
10 CNG Key Isolation Disabled
11 COM+ Event System Automatic
12 COM+ System Application Disabled
13 Computer Browser Disabled
14 Credential Manager Manual
15 Cryptographic Services Disabled
16 DCOM Server Process Launcher Automatic
17 Device Association Service Disabled
18 Device Install Service Manual
19 Device Setup Manager Manual
20 DHCP Client Disabled
21 Diagnostic Policy Service Automatic (Delayed Start)
22 Diagnostic Service Host Disabled
23 Diagnostic System Host Disabled
24 Distributed Link Tracking Client Disabled
25 Distributed Transaction Coordinator Disabled
26 DNS Client Disabled
27 Encrypting File System (EFS) Manual
28 Extensible Authentication Protocol Disabled
29 Function Discovery Provider Host Disabled
30 Function Discovery Resource Publication Disabled
31 Group Policy Client Automatic
32 Health Key & Certificate Management Disabled
33 Human Interface Device Access Disabled
34 Hyper-V Data Exchange Service Disabled
35 Hyper-V Guest Shutdown Service Disabled
36 Hyper-V Heartbeat Service Disabled
37 Hyper-V Remote Desktop Virtualization Service Disabled
38 Hyper-V Time Synchronization Service Disabled

39 Hyper-V Volume Shadow Copy Requestor Disabled
40 IKE and AuthIP IPsec Keying Modules Disabled
41 Interactive Services Detection Disabled
42 Internet Connection Sharing (ICS) Disabled
43 IP Helper Disabled
44 IPsec Policy Agent Disabled
45 KDC Proxy Server service (KPS) Disabled
46 KtmRm for Distributed Transaction Coordinator Disabled
47 Link-Layer Topology Discovery Mapper Disabled
48 Local Session Manager Automatic
49 Microsoft iSCSI Initiator Service Disabled
50 Microsoft Software Shadow Copy Prov. Manual
51 Multimedia Class Scheduler Disabled
52 Net.Tcp Port Sharing Service Disabled
53 Netlogon Disabled
54 Network Access Protection Agent Disabled
55 Network Connections Manual
56 Network Connectivity Assistant Manual
57 Network List Service Manual
58 Network Location Awareness Automatic
59 Network Store Interface Service Automatic
60 Optimize drives Disabled
61 Performance Counter DLL Host Disabled
62 Performance Logs & Alerts Disabled
63 Plug and Play Manual
64 Portable Device Enumerator Service Disabled
65 Power Automatic
66 Print Spooler Automatic
67 Printer Extensions and Notifications Disabled
68 Problem Reports and Solutions CP Support Disabled
69 Remote Access Auto Connection Manager Manual
70 Remote Access Connection Manager Manual
71 Remote Desktop Configuration Manual
72 Remote Desktop Services Manual
73 Remote Desktop Services UserMode Port Redirector Manual
74 Remote Procedure Call (RPC) Automatic
75 Remote Procedure Call (RPC) Locator Disabled
76 Remote Registry Disabled
77 Resultant Set of Policy Provider Disabled
78 Routing and Remote Access Disabled
79 RPC Endpoint Mapper Automatic
80 Scada Service Automatic
81 Secondary Logon Manual

82 Secure Socket Tunneling Protocol Service Disabled
83 Security Accounts Manager Automatic
84 Server Automatic
85 Shell Hardware Detection Disabled
86 Smart Card Disabled
87 Smart Card Removal Policy Disabled
88 SNMP Trap Disabled
89 Software Protection Automatic (Delayed Start)
90 Special Administration Console Helper Disabled
91 Spot Verifier Manual
92 SSDP Discovery Disabled
93 Superfetch Manual
94 System Event Notification Service Automatic
95 Task Scheduler Automatic
96 TCP/IP NetBIOS Helper Automatic
97 Telephony Manual
98 Themes Disabled
99 Thread Ordering Server Disabled
100 UPnP Device Host Disabled
101 User Access Logging Service Disabled
102 User Profile Service Automatic
103 Virtual Disk Disabled
104 Volume Shadow Copy Manual
105 Windows All-User Install Agent Disabled
106 Windows Audio Disabled
107 Windows Audio Endpoint Builder Disabled
108 Windows Color System Disabled
109 Windows Driver Foundation - User-mode Driver Framework Manual
110 Windows Error Reporting Service Disabled
111 Windows Event Collector Disabled
112 Windows Event Log Automatic
113 Windows Firewall Automatic
114 Windows Font Cache Service Disabled
115 Windows Installer Manual
116 Windows Management Instrumentation Automatic
117 Windows Modules Installer Manual
118 Windows Presentation Foundation Font Cache 3.0.0.0 Disabled
119 Windows Remote Management (WS-Management) Disabled
120 Windows Store Service (WSService) Manual
121 Windows Time Disabled

122 Windows Update Manual
123 WinHTTP Web Proxy Auto-Discovery Service Disabled
124 Wired AutoConfig Disabled
125 WMI Performance Adapter Disabled
126 Workstation Automatic

3 Windows Server 2008

This chapter describes the recommended configuration of Windows services for SCADA
servers that are running the Windows Server 2008 operating system.

3.1 Windows Services Startup


For all SCADA host computers in your system, apply (or verify) the Startup Type settings
shown in Table 3-1. Ignore any services that are not shown in the table.

If a script or batch file has been provided by Survalent to configure these services, you
should run it first, and then verify that the settings match those listed.

Table 3-1 Windows 2008 Services

Service Service Name Startup Type
AeLookupSvc Application Experience Disabled
AppIDSvc Application Identity Manual
Appinfo Application Information Manual
ALG Application Layer Gateway Service Disabled
AppMgmt Application Management Disabled
aspnet_state ASP.NET State Service Manual
BITS Background Intelligent Transfer Service Disabled
BFE Base Filtering Engine Automatic
CertPropSvc Certificate Propagation Disabled
KeyIso CNG Key Isolation Disabled
EventSystem COM+ Event System Automatic
COMSysApp COM+ System Application Disabled
Browser Computer Browser Disabled
VaultSvc Credential Manager Manual
CryptSvc Cryptographic Services Disabled
DcomLaunch DCOM Server Process Launcher Automatic
UxSms Desktop Window Manager Session Disabled
Dhcp DHCP Client Disabled
DPS Diagnostic Policy Service Automatic
WdiServiceHost Diagnostic Service Host Disabled
WdiSystemHost Diagnostic System Host Disabled
defragsvc Disk Defragmenter Manual
TrkWks Distributed Link Tracking Client Disabled
MSDTC Distributed Transaction Coordinator Disabled
Dnscache DNS Client Disabled
EFS Encrypting File System (EFS) Manual
EapHost Extensible Authentication Protocol Disabled
fdPHost Function Discovery Provider Host Disabled
FDResPub Function Discovery Resource Public. Disabled
gpsvc Group Policy Client Automatic
hkmsvc Health Key & Certificate Management Disabled
hidserv Human Interface Device Access Disabled
IKEEXT IKE and AuthIP IPsec Keying Modules Disabled
UI0Detect Interactive Services Detection Disabled
SharedAccess Internet Connection Sharing (ICS) Disabled
iphlpsvc IP Helper Disabled
PolicyAgent IPsec Policy Agent Disabled
KtmRm KtmRm for Distributed Transaction Coord. Disabled
lltdsvc Link-Layer Topology Discovery Mapper Disabled
clr_optimization_v2.0.50727_64 Microsoft .NET Framework NGEN v2.0.50727_X64 Disabled

clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN v2.0.50727_X86 Disabled
clr_optimization_v4.0.30319_64 Microsoft .NET Framework NGEN v4.0.30319_X64 Automatic
clr_optimization_v4.0.30319_32 Microsoft .NET Framework NGEN v4.0.30319_X86 Automatic
FCRegSvc Microsoft Fibre Ch. Platform Reg. Serv Disabled
MSiSCSI Microsoft iSCSI Initiator Service Disabled
swprv Microsoft Software Shadow Copy Prov. Manual
MMCSS Multimedia Class Scheduler Disabled
NetMsmqActivator Net.Msmq Listener Adapter Disabled
NetPipeActivator Net.Pipe Listener Adapter Disabled
NetTcpActivator Net.Tcp Listener Adapter Disabled
NetTcpPortSharing Net.Tcp Port Sharing Service Disabled
Netlogon Netlogon Disabled
napagent Network Access Protection Agent Disabled
Netman Network Connections Manual
netprofm Network List Service Manual
NlaSvc Network Location Awareness Automatic
nsi Network Store Interface Service Automatic
PerfHost Performance Counter DLL Host Disabled
pla Performance Logs & Alerts Disabled
PlugPlay Plug and Play Automatic
IPBusEnum PnP-X IP Bus Enumerator Disabled
WPDBusEnum Portable Device Enumerator Service Disabled
Power Power Automatic
Spooler Print Spooler Automatic
wercplsupport Problem Reports and Solutions CP Support Disabled
ProtectedStorage Protected Storage Manual
RasAuto Remote Access Auto Conn. Manager Manual
RasMan Remote Access Connection Manager Manual
SessionEnv Remote Desktop Configuration Manual
TermService Remote Desktop Services Manual
UmRdpService RDS User Mode Port Redirector Manual
RpcSs Remote Procedure Call (RPC) Automatic
RpcLocator Remote Procedure Call (RPC) Locator Disabled
RemoteRegistry Remote Registry Disabled
RSoPProv Resultant Set of Policy Provider Disabled
RemoteAccess Routing and Remote Access Disabled
RpcEptMapper RPC Endpoint Mapper Automatic
seclogon Secondary Logon Manual
SstpSvc Secure Socket Tunneling Protocol Ser. Disabled
SamSs Security Accounts Manager Automatic
LanmanServer Server Automatic
ShellHWDetection Shell Hardware Detection Disabled

SCardSvr Smart Card Disabled
SCPolicySvc Smart Card Removal Policy Disabled
SNMP SNMP Service Automatic
SNMPTRAP SNMP Trap Disabled
sppsvc Software Protection Automatic
sacsvr Special Administration Console Helper Disabled
sppuinotify SPP Notification Service Manual
SSDPSRV SSDP Discovery Disabled
SENS System Event Notification Service Automatic
Schedule Task Scheduler Automatic
lmhosts TCP/IP NetBIOS Helper Automatic
TapiSrv Telephony Manual
THREADORDER Thread Ordering Server Disabled
TBS TPM Base Services Disabled
upnphost UPnP Device Host Disabled
ProfSvc User Profile Service Automatic
vds Virtual Disk Disabled
VSS Volume Shadow Copy Manual
AudioSrv Windows Audio Disabled
AudioEndpointBuilder Windows Audio Endpoint Builder Disabled
WcsPlugInService Windows Color System Disabled
wudfsvc Windows Driver Foundation - User-mode Driver Framework Manual
WerSvc Windows Error Reporting Service Disabled
Wecsvc Windows Event Collector Disabled
eventlog Windows Event Log Automatic
MpsSvc Windows Firewall Automatic
FontCache Windows Font Cache Service Disabled
msiserver Windows Installer Manual
Winmgmt Windows Management Instrumentation Automatic
TrustedInstaller Windows Modules Installer Manual
WinRM Windows Remote Management (WS-Mgmt) Disabled
W32Time Windows Time Disabled
wuauserv Windows Update Automatic
WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service Disabled
dot3svc Wired AutoConfig Disabled
wmiApSrv WMI Performance Adapter Disabled
LanmanWorkstation Workstation Automatic
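
One way to carry out the "verify that the settings match those listed" step from sections 2.1 and 3.1, as an added example that is not Survalent's script or part of the original guide: a read-only PowerShell check that compares each service's startup type in the registry with the table value. The baseline holds only a few rows copied from Table 3-1; the function name Get-ServiceStartType and the handling of a service that is not installed are assumptions of this example.

```powershell
# Added example: audit-only comparison of service startup types with a baseline.
# Baseline = subset of Table 3-1 (short service name = expected Startup Type).
# Extend it with the remaining rows. Nothing on the host is modified.
$baseline = @{
    'RemoteRegistry' = 'Disabled'
    'WinRM'          = 'Disabled'
    'SNMPTRAP'       = 'Disabled'
    'SSDPSRV'        = 'Disabled'
    'upnphost'       = 'Disabled'
    'TermService'    = 'Manual'
    'Spooler'        = 'Automatic'
    'MpsSvc'         = 'Automatic'
    'eventlog'       = 'Automatic'
}

# Registry 'Start' values as used by the Service Control Manager.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartType([string]$Name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return 'NotInstalled' }
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props.Start) { return 'Unknown' }
    $type = $startNames[[int]$props.Start]
    # DelayedAutostart = 1 marks "Automatic (Delayed Start)".
    if ($type -eq 'Automatic' -and $props.DelayedAutostart -eq 1) {
        $type = 'Automatic (Delayed Start)'
    }
    return $type
}

$results = foreach ($name in ($baseline.Keys | Sort-Object)) {
    $expected = $baseline[$name]
    $actual   = Get-ServiceStartType $name
    # Assumption of this example: a service that is absent from the host
    # is not counted as a deviation when the table says Disabled.
    $ok = ($actual -eq $expected) -or
          ($actual -eq 'NotInstalled' -and $expected -eq 'Disabled')
    New-Object PSObject -Property @{
        Service = $name; Expected = $expected; Actual = $actual; Match = $ok
    }
}

$results | Select-Object Service, Expected, Actual, Match | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Match })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) service(s) differ from the baseline." }
```

Table 2-1 lists display names only, so a baseline built from it has to be mapped to short service names first.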
