Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
Let’s harden the Web Application Proxy installations by disabling unnecessary services running on them. This way, we lower their attack surface even further.
Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations. If your Web Application Proxies are domain-joined, use Group Policy to disable unnecessary services instead of PowerShell.
Unnecessary services
Services that are of no use to Web Application Proxies can be disabled.
By default
The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:
- Computer Browser (browser)
- Net.Tcp Port Sharing Service (NetTcpPortSharing)
- Routing and Remote Access (RemoteAccess)
- Smart Card (SCardSvr)
These services do not require any further attention.
Additional services
The following Windows services are enabled and have Manual or Automatic startup types on Server Core installations of Windows Server 2016. These can be disabled:
- Internet Connection Sharing (ICS) (SharedAccess)
- Link-Layer Topology Discovery Mapper (lltdsvc)
- Print Spooler (Spooler)
- Printer Extensions and Notifications (PrintNotify)
- Smart Card Device Enumeration Service (ScDeviceEnum)
- Windows Insider Service (wisvc)
Harden services
Disable unnecessary services
To disable these services, run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:
# Internet Connection Sharing (ICS): set to Disabled, then stop it
Set-Service SharedAccess -StartupType Disabled
Stop-Service SharedAccess
# Link-Layer Topology Discovery Mapper
Set-Service lltdsvc -StartupType Disabled
Stop-Service lltdsvc
# Print Spooler
Set-Service Spooler -StartupType Disabled
Stop-Service Spooler
# Printer Extensions and Notifications
Set-Service PrintNotify -StartupType Disabled
Stop-Service PrintNotify
# Smart Card Device Enumeration Service
Set-Service ScDeviceEnum -StartupType Disabled
Stop-Service ScDeviceEnum
# Windows Insider Service
Set-Service wisvc -StartupType Disabled
Stop-Service wisvc
Re-enable services
To re-enable the above services to their previous state, run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:
# Restore the default startup types; only the Print Spooler runs by default, so only it is started
Set-Service SharedAccess -StartupType Manual
Set-Service lltdsvc -StartupType Manual
Set-Service Spooler -StartupType Automatic
Start-Service Spooler
Set-Service PrintNotify -StartupType Manual
Set-Service ScDeviceEnum -StartupType Manual
Set-Service wisvc -StartupType Manual
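The two scripts above hardcode the "previous state" of each service. As an added example that is not part of the original post, the script below covers both steps: it records the actual startup type and status of the listed services to a baseline file before touching them, disables and stops whatever is still enabled, verifies the result, and offers a restore function that returns the services to exactly the recorded state. It assumes an elevated PowerShell 5.1 session on the Web Application Proxy itself; the baseline path is an arbitrary choice.

```powershell
# Added example, not the original post's script. Assumes Windows Server 2016 /
# PowerShell 5.1, where Get-Service exposes StartType, and a local admin session.
$Services     = 'SharedAccess','lltdsvc','Spooler','PrintNotify','ScDeviceEnum','wisvc'
$BaselinePath = 'C:\Hardening\WAP-Services-Baseline.json'   # assumed location

function Get-WapServiceState {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$n' not found, skipping"; continue }
        [pscustomobject]@{
            Name      = $svc.Name
            StartType = $svc.StartType.ToString()   # Automatic / Manual / Disabled
            Status    = $svc.Status.ToString()      # Running / Stopped
        }
    }
}

# 1. Record the baseline once; an existing file is kept, because that is the
#    state the restore step must return to, not the state after hardening.
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-WapServiceState -Name $Services | ConvertTo-Json | Set-Content -Path $BaselinePath
}

# 2. Disable and stop only what is not already disabled and stopped (idempotent).
foreach ($state in Get-WapServiceState -Name $Services) {
    if ($state.StartType -ne 'Disabled') { Set-Service -Name $state.Name -StartupType Disabled }
    if ($state.Status    -ne 'Stopped')  { Stop-Service -Name $state.Name -Force -ErrorAction Stop }
}

# 3. Verify: anything left in $Drift means the hardening did not fully apply.
$Drift = Get-WapServiceState -Name $Services |
    Where-Object { $_.StartType -ne 'Disabled' -or $_.Status -ne 'Stopped' }
if ($Drift) { $Drift | Format-Table -AutoSize } else { 'All listed services are disabled and stopped.' }

# 4. Restore from the recorded baseline instead of assuming the defaults.
function Restore-WapServiceState {
    param([string]$Path = $BaselinePath)
    foreach ($s in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        Set-Service -Name $s.Name -StartupType $s.StartType
        if ($s.Status -eq 'Running') { Start-Service -Name $s.Name }
    }
}
```

Run the script once to harden and verify; call Restore-WapServiceState later if a service has to come back, then delete the baseline file before re-hardening.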
Concluding
Disable unnecessary services on all Web Application Proxies throughout the Hybrid Identity implementation using the Windows PowerShell script above.
The post HOWTO: Disable Unnecessary Services on Web Application Proxies appeared first on The things that are better left unspoken.