Services
Understanding and managing services that appear on the server and clients is an important part of the security procedure. Disabling services not in use reduces the ways in which the server can be attacked.
A sample configuration of services and their start-up states is listed below.
Name | Caption | State | StartMode |
---|---|---|---|
AeLookupSvc | Application Experience | Running | Auto |
ALG | Application Layer Gateway Service | Stopped | Manual |
Appinfo | Application Information | Stopped | Manual |
AppMgmt | Application Management | Stopped | Manual |
aspnet_state | ASP.NET State Service | Stopped | Disabled |
AudioEndpointBuilder | Windows Audio Endpoint Builder | Stopped | Manual |
Audiosrv | Windows Audio | Stopped | Manual |
BFE | Base Filtering Engine | Running | Auto |
BITS | Background Intelligent Transfer Service | Stopped | Manual |
Browser | Computer Browser | Stopped | Disabled |
CertPropSvc | Certificate Propagation | Running | Manual |
clr_optimization_v2.0.50727_32 | Microsoft .NET Framework NGEN v2.0.50727_X86 | Stopped | Disabled |
clr_optimization_v4.0.30319_32 | Microsoft .NET Framework NGEN v4.0.30319_X86 | Stopped | Auto |
COMSysApp | COM+ System Application | Running | Manual |
CryptSvc | Cryptographic Services | Running | Auto |
CscService | Offline Files | Stopped | Disabled |
DcomLaunch | DCOM Server Process Launcher | Running | Auto |
Dhcp | DHCP Client | Running | Auto |
Dnscache | DNS Client | Running | Auto |
dot3svc | Wired AutoConfig | Stopped | Manual |
DPS | Diagnostic Policy Service | Running | Auto |
EapHost | Extensible Authentication Protocol | Stopped | Manual |
EventLog | Windows Event Log | Running | Auto |
EventSystem | COM+ Event System | Running | Auto |
FCRegSvc | Microsoft Fibre Channel Platform Registration Service | Stopped | Manual |
fdPHost | Function Discovery Provider Host | Stopped | Manual |
FDResPub | Function Discovery Resource Publication | Stopped | Manual |
FontCache | Windows Font Cache Service | Running | Auto |
FontCache3.0.0.0 | Windows Presentation Foundation Font Cache 3.0.0.0 | Stopped | Manual |
gpsvc | Group Policy Client | Running | Auto |
hidserv | Human Interface Device Access | Stopped | Manual |
hkmsvc | Health Key and Certificate Management | Stopped | Manual |
idsvc | Windows CardSpace | Stopped | Manual |
IKEEXT | IKE and AuthIP IPsec Keying Modules | Running | Auto |
IPBusEnum | PnP-X IP Bus Enumerator | Stopped | Disabled |
iphlpsvc | IP Helper | Running | Auto |
KeyIso | CNG Key Isolation | Stopped | Manual |
KtmRm | KtmRm for Distributed Transaction Coordinator | Running | Auto |
LanmanServer | Server | Running | Auto |
LanmanWorkstation | Workstation | Running | Auto |
LICENCESERVER | Geo SCADA Expert License Server | Running | Auto |
lltdsvc | Link-Layer Topology Discovery Mapper | Stopped | Manual |
lmhosts | TCP/IP NetBIOS Helper | Running | Auto |
MatrikonOPC Server for Simulation and Testing | MatrikonOPC Server for Simulation and Testing | Stopped | Manual |
MMCSS | Multimedia Class Scheduler | Stopped | Manual |
MpsSvc | Windows Firewall | Running | Auto |
MSDTC | Distributed Transaction Coordinator | Running | Auto |
MSiSCSI | Microsoft iSCSI Initiator Service | Stopped | Manual |
msiserver | Windows Installer | Stopped | Manual |
napagent | Network Access Protection Agent | Stopped | Manual |
Netlogon | Netlogon | Running | Auto |
Netman | Network Connections | Running | Manual |
NetMsmqActivator | Net.Msmq Listener Adapter | Stopped | Disabled |
NetPipeActivator | Net.Pipe Listener Adapter | Stopped | Disabled |
netprofm | Network List Service | Running | Auto |
NetTcpActivator | Net.Tcp Listener Adapter | Stopped | Disabled |
NetTcpPortSharing | Net.Tcp Port Sharing Service | Stopped | Disabled |
NlaSvc | Network Location Awareness | Running | Auto |
nsi | Network Store Interface Service | Running | Auto |
OpcEnum | OpcEnum | Stopped | Manual |
PeerDistSvc | BranchCache | Stopped | Manual |
pla | Performance Logs & Alerts | Stopped | Manual |
PlugPlay | Plug and Play | Running | Auto |
PolicyAgent | IPsec Policy Agent | Running | Auto |
ProfSvc | User Profile Service | Running | Auto |
ProtectedStorage | Protected Storage | Stopped | Manual |
RasAuto | Remote Access Auto Connection Manager | Stopped | Manual |
RasMan | Remote Access Connection Manager | Running | Manual |
RemoteAccess | Routing and Remote Access | Stopped | Disabled |
RemoteRegistry | Remote Registry | Running | Auto |
RpcLocator | Remote Procedure Call (RPC) Locator | Stopped | Manual |
RpcSs | Remote Procedure Call (RPC) | Running | Auto |
RSoPProv | Resultant Set of Policy Provider | Stopped | Manual |
sacsvr | Special Administration Console Helper | Stopped | Manual |
SamSs | Security Accounts Manager | Running | Auto |
SCardSvr | Smart Card | Stopped | Manual |
Schedule | Task Scheduler | Running | Auto |
SCPolicySvc | Smart Card Removal Policy | Stopped | Manual |
seclogon | Secondary Logon | Running | Auto |
SENS | System Event Notification Service | Running | Auto |
SepMasterService | Symantec Endpoint Protection | Running | Auto |
SessionEnv | Terminal Services Configuration | Running | Manual |
SharedAccess | Internet Connection Sharing (ICS) | Stopped | Disabled |
ShellHWDetection | Shell Hardware Detection | Running | Auto |
slsvc | Software Licensing | Running | Auto |
SLUINotify | SL UI Notification Service | Stopped | Manual |
SmcService | Symantec Management Client | Running | Manual |
SNAC | Symantec Network Access Control | Stopped | Manual |
SNMPTRAP | SNMP Trap | Stopped | Manual |
Spooler | Print Spooler | Running | Auto |
SSDPSRV | SSDP Discovery | Stopped | Disabled |
SstpSvc | Secure Socket Tunneling Protocol Service | Running | Manual |
swprv | Microsoft Software Shadow Copy Provider | Stopped | Manual |
SysMain | Superfetch | Stopped | Disabled |
TapiSrv | Telephony | Running | Manual |
TBS | TPM Base Services | Stopped | Auto |
TermService | Terminal Services | Running | Auto |
Themes | Themes | Stopped | Disabled |
THREADORDER | Thread Ordering Server | Stopped | Manual |
TrkWks | Distributed Link Tracking Client | Running | Auto |
TrustedInstaller | Windows Modules Installer | Running | Manual |
UI0Detect | Interactive Services Detection | Stopped | Manual |
UmRdpService | Terminal Services UserMode Port Redirector | Running | Manual |
upnphost | UPnP Device Host | Stopped | Disabled |
UxSms | Desktop Window Manager Session Manager | Running | Auto |
vds | Virtual Disk | Stopped | Manual |
VMTools | VMware Tools | Running | Auto |
vmvss | VMware Snapshot Provider | Stopped | Manual |
VSS | Volume Shadow Copy | Stopped | Manual |
W32Time | Windows Time | Running | Auto |
WcsPlugInService | Windows Color System | Stopped | Manual |
WdiServiceHost | Diagnostic Service Host | Stopped | Manual |
WdiSystemHost | Diagnostic System Host | Running | Manual |
Wecsvc | Windows Event Collector | Stopped | Manual |
wercplsupport | Problem Reports and Solutions Control Panel Support | Stopped | Manual |
WerSvc | Windows Error Reporting Service | Running | Auto |
WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | Running | Manual |
Winmgmt | Windows Management Instrumentation | Running | Auto |
WinRM | Windows Remote Management (WS-Management) | Running | Auto |
wmiApSrv | WMI Performance Adapter | Stopped | Manual |
WPDBusEnum | Portable Device Enumerator Service | Stopped | Manual |
WPFFontCache_v0400 | Windows Presentation Foundation Font Cache 4.0.0.0 | Stopped | Manual |
wuauserv | Windows Update | Running | Auto |
wudfsvc | Windows Driver Foundation - User-mode Driver Framework | Stopped | Manual |
We recommend that you review the permissions of services, particularly those added by third-party software, and check whether users other than administrators can access them.
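We also recommend that service paths are enclosed in quotes. A command to list services that are not disabled, are not located under c:\windows\, and whose paths are not enclosed in quotes is: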
wmic service get name,displayname,pathname,startmode |findstr /i /v "Disabled" |findstr /i /v "c:\windows\\" |findstr /i /v """
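An added PowerShell example (not part of the vendor's documentation) covering both recommendations above: it reports services whose executable path contains a space but is not quoted, and services whose executable file grants write access to accounts outside a trusted set. It assumes that reviewing service permissions includes the file ACL on each service executable and that account names are in English; the function names and the trusted list are illustrative.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# Assumption: English account names; adjust the trusted list for your site.
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExePath {
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p -match '^"([^"]+)"')              { return $Matches[1] }  # quoted: text inside the quotes
    if ($p -match '^(.*?\.exe)(?=\s|$)')     { return $Matches[1] }  # unquoted: up to the first ".exe"
    return $p                                                        # no ".exe": treat whole string as the path
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    # Only an unquoted executable path that contains a space is ambiguous to Windows.
    return (-not $p.StartsWith('"')) -and (Get-ServiceExePath $p).Contains(' ')
}

function Get-NonAdminWriteAce {
    param([string]$File)
    # Allow ACEs that carry any write-type right for an account outside $trusted.
    (Get-Acl -LiteralPath $File).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -ne 'Disabled' -and $_.PathName } |
    ForEach-Object {
        $exe  = Get-ServiceExePath $_.PathName
        $aces = if (Test-Path -LiteralPath $exe -PathType Leaf) { Get-NonAdminWriteAce $exe } else { @() }
        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName
            Unquoted   = Test-UnquotedServicePath $_.PathName
            WritableBy = ($aces.IdentityReference.Value | Sort-Object -Unique) -join '; '
            PathName   = $_.PathName
        }
    } |
    Where-Object { $_.Unquoted -or $_.WritableBy } |
    Format-Table -AutoSize -Wrap
```

Unlike the findstr filter, this does not skip services under c:\windows\ and does not drop a service merely because a quote appears somewhere in its arguments. It inspects the executable file's ACL only, so the ACLs of the containing folders and the service objects themselves still need a separate review.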
Virtual Accounts
With ClearSCADA 2017 (Geo SCADA Expert) onwards, you can use virtual accounts for ancillary processes, such as the License Server for client licensing, Port Server, and AEPrinter services.
When virtual accounts are used for ancillary processes such as those mentioned above, the 'NT SERVICE\ALL SERVICES' account has to be assigned the 'Log on as a service' user right. For details on how to do this, see https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx. With virtual accounts used for licensing services, you also need to grant permissions for the virtual user account to read the directory in which the license file is stored.
If the 'NT SERVICE\ALL SERVICES' account is not assigned the 'Log on as a service' user right, the virtual account will not work and an error will be shown in the system log files in Windows.
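An added PowerShell example (not from the vendor documentation) that checks the two prerequisites described above for a licensing service running under a virtual account. The service name is taken from the sample table on this page; the license directory is a placeholder, and the function names are illustrative.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
$serviceName = 'LICENCESERVER'              # service name as listed in the sample table
$licenseDir  = 'C:\PLACEHOLDER\LicenseDir'  # placeholder: directory that holds the license file

function Test-AllServicesLogonRight {
    # Export the local user-rights assignments and look for NT SERVICE\ALL SERVICES
    # (well-known SID S-1-5-80-0) under "Log on as a service" (SeServiceLogonRight).
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        return [bool]($line -match '\*S-1-5-80-0(?![\d-])')
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Test-ExplicitReadAce {
    param([string]$Account, [string]$Directory)
    # True if an Allow ACE naming this account grants full Read on the directory.
    # Access inherited through group membership is not evaluated here.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $hit = (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (([int]$_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$hit
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
[pscustomobject]@{
    Service                  = $serviceName
    RunsAs                   = $svc.StartName   # a virtual account appears as NT SERVICE\<service name>
    AllServicesHasLogonRight = Test-AllServicesLogonRight
    ExplicitReadOnLicenseDir = Test-ExplicitReadAce -Account $svc.StartName -Directory $licenseDir
}
```

A False in either of the last two columns corresponds to a prerequisite described above that still needs to be configured, or, for the directory check, to read access that is granted through a group rather than to the virtual account by name.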
User Account for Virtual ViewX
A user account, VVXLocalUser, is created automatically in Windows on the Virtual ViewX server machine when you install Virtual ViewX. The user account is required to run the ViewX processes that are created on that server machine. It is important that this user account is not deleted and that its password is not changed; otherwise Virtual ViewX will be unable to operate.