The PnP-X IP Bus Enumerator service, which first came with Windows Vista, functions to connect devices over the network such as printers through Plug and Play Extensions. It uses Simple Service Discovery Protocol (SSDP) and WS-Discovery to provide an abstraction layer between the network and the devices. These two methods utilize communication protocols over the network that may not be something most administrators want to utilize in the client or server spaces.
The Net.TCP Port Sharing service is described as a user-mode mechanism to accept connections in processes in net.tcp:// format. The service manages connections by inspecting the transmission and forwarding to a destination address, from the application perspective. In terms of managing security and traffic flow, I can’t imagine administrators liking this capability. This MSDN blog post explains Net.TCP Port Sharing and its use case, but in favor of keeping network traffic at face value, I’d opt to disable the service.
To disable these services for computer accounts, navigate in Group Policy to the Computer Configuration | Policies | Windows Settings | Security Settings | System Services area of the Group Policy Management Editor. Figure A shows this for a Windows Server 2008 R2 domain.
Figure A
PnP-X IP Bus Enumerator and Net.TCP Port Sharing are disabled by default for Windows Server 2008 installations, but that doesn’t keep Windows 7, Windows Vista, or server side programs from utilizing these services by changing the startup type.
Do you go through the extra effort to implement this type of protection for services that you want to prohibit even if you don’t foresee using them? Let us know in the discussion.
No comments:
Post a Comment