services.msc

Status
Not open for further replies.
You spend so much of your time trying to rephrase my point of view that I barely know what I'm thinking when I'm done reading your comments.

In the middle of it all I got so bored I decided to go and stop and disable the Error Reporting Service on my work PC for absolutely no good reason.

I'm quite certain though that I read somewhere in there that your opinion="the right way" to do things and my opinion="the wrong way" to do things. Am I getting the gist of your point?

As for unanswered questions, if service configuration is not a factor at all why does Microsoft include the ability to control services in their security templates, including those for XP? I'm not trying to prove the right way. I have the much easier task of demonstrating relevance.
 
rcolbert said:
Actually, in post #154 I made a clear reference to this distinction and explained why I thought advice varies. In short, there isn't a technical difference in many cases, nor is there a different set of threats applicable. The advice in my opinion is targeted to different levels of users, and that alone is probably the crux of our difference of opinion.
If you appreciate the difference you understand why this advice shouldn't apply to all users, specifically home users. After all if you do understand the difference why don't you apply them? In one breath you say only use services you need, and in another you recognize the need for differing setups. Case in point.

Disabling USB only makes sense in the case where physical access to a device and the ability to copy data from the device once physical access is obtained is of great concern. Clearly this doesn't apply to most home users.

I suppose if you really have a trust issue within your household then USB settings on your PC are the least of your concerns. However, as you are well aware, the USB advice is heavily weighted in the environmental side rather than the technical side of security. In other words, the advice to disable USB is much more akin to the advice to not write your password on a sticky note and place it on your monitor.
So you have problems with people inside the perimeter of your firewall if you disable messenger, but you trust people with physical access? How are these different w/o a poorly configured wireless network? This is why most "disable XYZ service" positions don't apply at home, but might in a corp. or high security environment.

Should I feel ignorant or validated? Possibly both. I have yet to validate the assertions about the messenger service but I take it on faith at this point. Can I prove at this moment in time that in some future release Microsoft will or won't disable additional services? No. Do we all agree that the current XP services configuration is closer to what it ought to be? Yes. Given that not all users are on SP2 now can I at least get a concession on the messenger service alone? I doubt it.
Actually yes you can because now you're getting down to nuts and bolts.

Messenger = disabled. I see no environment where this should be left on by default unless you are using this service for whatever reason. Are you going to prevent exploits by disabling this, no. Does it make the system more secure? Not really. Does this prove the point of disable services=secure system? Nope.

As far as MS disabling more services, yes, but again does it make it more secure? Depends on the service and why it was disabled. Messenger was not disabled because of an exploit. It was disabled because of cheap messenger spam and we ALL know that.

Again, I'm still waiting for an example of a service based exploit as it applies to XP. Proof is in the pudding. I'll take the lack of actual replies as evidence there isn't an exploit that exists.

rcolbert said:
In the middle of it all I got so bored I decided to go and stop and disable the Error Reporting Service on my work PC for absolutely no good reason.

As for unanswered questions, if service configuration is not a factor at all why does Microsoft include the ability to control services in their security templates, including those for XP? I'm not trying to prove the right way. I have the much easier task of demonstrating relevance.
LMAO @ the error reporting service. At least you have a good sense of humor. :)

I already explained why MS makes these templates. For various configurations of which most don't apply here. Want to demonstrate relevance? Show a valid exploit you're stopping instead of protecting against the "unknown".

The advice in my opinion is targeted to different levels of users, and that alone is probably the crux of our difference of opinion.
Yes, that's our difference of opinion. Who cares if everyone from home to DoD has to face the same threats? MS, in the document you linked to, realizes that people face the same threats, but require different security based on their environment.

Heck, if you want to take your position, home systems, lacking layered security should need MORE protection. Yet, that's not the case according to MS, nor the real world.

 
Phoenix86 said:
Show a valid exploit you're stopping instead of protecting against the "unknown".

I finally understand why this is going in circles. The "unknown" at this point in time is exactly what stopping unneeded services is about.

"There are things we know that we know, and things that we know that we don't know. But there are also things that we don't know that we know, and things that we don't know that are not known to us." - Donald Rumsfeld


I am not aware of any exploits at this moment in time for unpatched services. Had you asked me back in December I would have answered (for servers) that WINS was left hanging in the wind for quite some time (Dec - Feb) and the bitch there was that you typically don't find WINS installed anywhere that it's not required, so the MS advice to stop the service if it wasn't needed was a moot point. The bottom line is that the answer to that question is always a moving target and you don't know when it's going to show up next. Considering that MS was kind to us with the absence of patches in March, it's pretty easy to let our guard down and forget about the baker's dozen we got back in February.

In order to follow my train of thought you have to understand a simple premise that may have not been clearly articulated:

Premise: Any service, regardless of prior patching, may at some future point require a new patch to remediate an as-yet undiscovered vulnerability.

Proof: Here are two patches both for vulnerabilities in Messenger. One from 10/03 and the other from 02/05.

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

If you still think that turning off Messenger was to protect us from spamming, that's fine. The point is that here's a service that MS finally acknowledged we don't need and finally got up the nerve to turn it off by default. Good for them.

They haven't yet done the same with the Error Reporting Service, for example, and I don't know of an exploit for that particular service, but the premise isn't that you turn off services once you know about an exploit. The premise is that you don't run services that you know that you don't need.

So here's my theory. If we were having this argument back in November of 2003 regarding the Messenger service, that you would be saying that the service has been patched so it doesn't need to be disabled. It would have taken until February of 2005 for me to come back and say, well it seems that the patch didn't equal a secure service. Hell, in the 2003 notes even though a patch was available, and even though MS didn't intend to disable the service out of the box for another year, that their own mitigating factor was that you could disable the service.

This is an example. I know now that Messenger has been turned off, although I assert that it has been turned off primarily for security reasons since this was the main theme behind SP2 in the first place. What this proves however is that you can't look at all the services running on an XP box and say with certainty that none of them are vulnerable. The reality is that most of them probably still are in some yet undiscovered way. The problem is that you can't start disabling everything at random or according to some quack's tweaking guide on the Internet. But what you can do is disable the few things remaining (post SP2) that you know for a fact that you don't need. I submit that Error Reporting Service is at least one service that remains that can be disabled with no ill effect.

I submit that in the very big picture, that a fundamental premise of security is dealing with unknown threats. Services may be a small part, and you may never get burned by not turning them off. But the evidence above shows that if you had this same position in March of 2004 you would have been vulnerable, and there's nothing on the table now that proves that MS has completed the process of patching Windows XP as of this moment in time.
 
Phoenix86 said:
Heck, if you want to take your position, home systems, lacking layered security should need MORE protection. Yet, that's not the case according to MS, nor the real world.

Two points. First the "need" for protection in the cases that are differentiated by MS and others is based upon the perceived value of the systems that are being protected, not by the level of risk each system is exposed to. That is a sociological matter, not a technical one. Second, most of the compromised systems in the world that end up in botnets tend to be home systems simply by virtue of the fact that home systems as a population are more exposed and vulnerable due to a great many factors. They are often directly connected to the Internet, unpatched, located on easily identifiable IP address ranges, and yes, have the largest exposed surface area for attack including running all the default services. Now I ask you, which processes in Windows do you think hackers spend the most time looking to exploit? (hint: probably not obscure or 3rd party services)
 
Phoenix86 said:
So you have problems with people inside the perimeter of your firewall if you disable messenger, but you trust people with physical access? How are these different w/o a poorly configured wireless network? This is why most "disable XYZ service" positions don't apply at home, but might in a corp. or high security environment.

Two answers here as well. Physical access is pretty much an absolute. Remote access is all that messenger requires. Do I trust the NAT at the perimeter to prevent access to messenger? Do I trust that my wife didn't pick up an exploit on her laptop by surfing to some strange website or opening a file in email from an untrusted source? Mmmmm, can I get back to you on that? Also, in some cases forum members might have their computers connected in dorms to college networks. You really have to narrow down the scope to eliminate prudence as a course of action. One could call it reductio ad absurdum, but there's that damn Latin that I was talking about (j/k - that's actually not relevant.) And yes, there is barely ever any layering at home beyond the NAT/Firewall, software firewall, and perhaps a few ports exposed in a DMZ. This surely isn't a corporate network we're talking about. But again, chewy on the inside, right?

Do any of you run a firewall exclusively on your external router, but no firewall software on your PC? You trust all the other PCs on your own internal network, don't you?

But on the upside, I do trust my wife not to try and sneak up on my computer with a USB drive and steal all the data, so there is that....
:D
 
Yes, but having your wife double click on IWantToOwnYourBox.exe and running it, no matter what preventive measurements you have in place, she's still owned. LUA won't solve it, since I can definitely write an application that turns my box into a spam zombie box that runs entirely in user mode. This is why education is important, and attack vectors are important. Disabling services in this case will give you a false sense of security, since I could write an app entirely in assembly that was a spam bot with no external dependencies as long as I got the user to double click it. :(

Physical access is just that, all bets are off. You will be owned. I have to trust my wife's computer on my LAN since she could walk to my computer and do the same things...

Dorm rooms are a different story, but not by much. Physical access you will be owned, otherwise try to mitigate all attack vectors. Disabling services is even a worse solution since most people in a dorm are there to learn, and use their computer to work, and if a service dependency bites the user in the butt, it might be a failing grade. Anyway, I have basically stated my point in a few different ways in this thread, that disabling services for security in a home environment is gonna cause a support call someday. (And if you say that people know what they're doing who disables services, then why is the first question out of my mouth what did you disable, and usually they disabled something, set it to defaults and it all mysteriously works again.)

And disabling error reporting service guarantees one thing, that if your computer crashes in a way like everybody else's does, (Say like a virus), and Microsoft posts a fix on their website, you will never see it. :(
 
rcolbert said:
You spend so much of your time trying to rephrase my point of view that I barely know what I'm thinking when I'm done reading your comments.
Says the guy who's been shifting goalposts throughout the thread to the guy who said the same thing on page eight that he did way back in the beginning on page one.

Thanks for agreeing that this has been totally useless.

rcolbert said:
And please point out name dropping that I've done that actually includes "names."
Number one. And I quote:
I have been involved directly with Microsoft for many years, and recently to great extent on Windows security. In fact, last week I had a LiveMeeting with a number of folks from Microsoft including the very person who is responsible for the security and patch management policy and implementation for their own worldwide internal IT operations. I am by no means an authority on the subject, although I oversee the same policies and procedures for our company's North American operations, spanning more than 300 sites in the US and Canada.
Wow, you must be on a first name basis with those guys by now!

But wait! There's more!

Number two.
I played Pebble Beach and stayed the night in a suite at Spanish Bay all on Microsoft's dime.

- or -

I sat with Drew Major and debugged Netware 2.0a using a hex editor in the 1980's.


(both true)

Better yet: I flew with the San Jose Sharks on their charter plane and had all access for games in St. Louis and Dallas as a guest of Compaq. Only 3 non-team affiliated people (including the Compaq host) were present.

(just had to slip that one in there.)
Said with tongue planted in cheek, but you just had to make sure you validated yourself with the little parentheses.

And then your assumptive "Microsoft Security Conference" crap, the assumption that my attendance there made my opinion less valid as if I didn't know what gets discussed. Meanwhile, there is a guy from Microsoft posting in this thread countering your assumptions claiming to know Microsoft general policy and outlook. You claim to know more of the opinions of Microsoft than those who work there. Golden.

Ahh, then the irony of ironies:
Debate for the sake of debate produces some interesting and tangible side effects. So long as we aren't name-calling there may be some value to be had yet.
And as soon as someone complained about your format (posting six different posts in answer to a single one), you contradict yourself:
How about doing your chores or your homework instead of telling me how to post?

I don't happen to like the dissection method of posting and I do like to take my time and respond to each point as I see fit. I'd rather focus on the content of my statements than worry about cutting and pasting and moving tags around simply for the convenience of someone who clearly has plenty of time on his hands to read my responses regardless of the surrounding formatting.

If you don't like it, scroll on by..
And when that unnecessary flame was complained about, more flaming flame-ness:
Why don't you both try and stay on topic. I don't need a fucking etiquette lesson from the peanut gallery. And like I give a shit about my post count.
But wait! There's more:
I don't appreciate those folks who just got out of a freshman critical thinking class and decided to use all the terminology they just learned to debate the quality of the arguments on the other side by attacking the logical structure of any given phrase or post without actually addressing the quality or point of the information. Bottom line is that anyone who needs to use Latin to tell me why my point is invalid is a total asshat.
Funny that I never used Latin, I used English terms for the ridiculous tactics you were using.

The problem is that you can't start disabling everything at random or according to some quack's tweaking guide on the Internet.
That is what I said from the start, and what I have maintained throughout. Everything else was attacking an argument I was not making or playing silly games with semantics, as I also already pointed out. That is the whole of it, and yet this thread had to come to nine pages and pissy words for it.

But what you can do is disable the few things remaining (post SP2) that you know for a fact that you don't need. I submit that Error Reporting Service is at least one service that remains that can be disabled with no ill effect.
If you don't want to have it, then go right ahead and disable it. That is your prerogative with your system and your license. There is still not anything worth being alarmed about outside of extremely paranoid wondering, and no amount of quoting someone who in my opinion has undermined the rights of citizens for a false sense of security (Rumsey) is going to convince me otherwise. ;)

So, in the spirit of making odoe's ulcer stop flaring up from reading this thread, let's do something we as adults are capable of doing and start from scratch in the spirit of real discourse:

Hey there, rcolbert. I'm GreNME. How ya doing? That memsnap.exe looks useful, and I think I'll try to talk to Phoenix86 about possibly using it (or its code, if MS lets me) for something Phoenix and I have talked about before.
 
geez...chill guys....the whole purpose of this thread was to answer a question i had...you've turned it into a pissing contest of wits :confused:
 
mdlsFREAK said:
geez...chill guys....the whole purpose of this thread was to answer a question i had...you've turned it into a pissing contest of wits :confused:


Actually it is more like a pissing contest of the witless. We've beaten this horse into dogfood. Of course GreNME hasn't actually provided any new information in about four days, and seems fixated on goalposts and strawmen and presenting quotes of mine without context in order to prove what a complete ass I am, but other than that Phoenix and I are having one dandy of a party.

Next up, let's resume talk about the DX9 partial precision codepath that should or should not have been included in HL2.

C'mon, there must be a point to this now that we've all invested this much time....
 
Why should I change what I say when what I already said is correct (quackviper is not a good guide) and even you agreed?

Are you going to be adult about this, or continue like a petulant teenager? The olive branch has been offered. It's in your court now.
 
GreNME said:
Why should I change what I say when what I already said is correct ...........
^^ Which is nothing more than your opinion. And by your method of argument, everyone that differs must change/agree with your opinion in order for there to be peace.

Perhaps someday you'll realize that because of your method, people don't take you too seriously.
 
Badger_sly said:
^^ Which is nothing more than your opinion. And by your method of argument, everyone that differs must change/agree with your opinion in order for there to be peace.
You must have a problem reading, then. I said waaay back that if you don't agree you can go ahead and futz with services with all the impunity you wish.

Perhaps someday you'll realize that because of your method, people don't take you too seriously.
Perhaps someday you'll realize that because of you trying to speak for "people" all the time instead of yourself, "people" don't normally want to be your friend. Perhaps. Someday. People.
 
GreNME, the simple fact that you dissect every single thing everyone who disagrees with you says is in and of itself disconcerting. We all do it from time to time, but IMO you do it so much that the totality of your posting looks as if in order to argue a point you feel that you have to rip at every single statement the opposition makes. Even folks who disagree on interpretation of evidence or conclusions usually still have a large percentage of common ground. Having a negative response to 100% of someone else's statements undermines your credibility as it makes you appear contrarian for the sake of it.

In order to adequately respond to your posts I would have to go back to each quote you counter and read the preceding 5 to 10 posts to reacquaint myself with the context of what was being said at that moment in time, and then formulate a lengthy response to get things back on track. And that process takes away from the time I have to respond to any of the legitimate points that you might make. I'd appreciate fewer counterpoints from you, and more new information. I will admit though that with the voluminous amount of re-reading you have demonstrated that you're willing to do, you'd make a good editor for some sort of publication (so long as the topic wasn't computer security, that is :) ).

Context is key. Here are my two favorite quotes from the Bible: "Judas hung himself." "Jesus said, go and do the same."
 
Ranma_Sao said:
Yes, but having your wife double click on IWantToOwnYourBox.exe and running it, no matter what preventive measurements you have in place, she's still owned.

My point was not about my wife's computer, but more to the point that if her computer was compromised I'd want the OTHER computers on my home network to not be easy targets for additional infection from her compromised machine. This was in response to an unusual line of reasoning where physical security (i.e. USB exploits) and therefore the trust of the people in my house were being extrapolated to include the trust of other devices on the home network. My point is simply that those are two different concerns.
 
GreNME said:
Why should I change what I say when what I already said is correct (quackviper is not a good guide) and even you agreed?

Are you going to be adult about this, or continue like a petulant teenager? The olive branch has been offered. It's in your court now.

I've seldom received an olive branch with the words "petulant teenager" inscribed upon them.

(sorry for the sequencing, I tend to read from the newest post backwards.)
 
This thread is going in circles. You guys are beating a dead horse.
I would say this was a great thread with some pretty valid arguments, but you guys are chasing your own tails at this point and no one, and I do mean no one in this thread is willing to let it go and concede that there are no absolutes here. Not in the way you guys are going about it.

So I'm ending it for you.
 