3. Configuring Services
Services are started when
the system starts and before a user logs on. Any Windows system today
includes multiple services that are performing a wide assortment of
tasks behind the scenes. As an example, the Windows Firewall service
starts when Windows starts and will quietly monitor all the traffic,
allowing and blocking traffic based on the rules of the service.
In contrast, applications
are launched by users after the user logs on. For example, a user may
launch the Internet Explorer application to access the Internet.
3.1. Accessing Services
The primary tool used to access services is the Services console. You can launch it by clicking Start => Administrative Tools => Services.
You can add the
Administrative Tools menu to the Windows 7 Start menu if it's not
already showing. Right-click the Start button and select Properties.
With the Start Menu tab selected, click Customize. Scroll to the bottom
of the Customize Start Menu section and locate the System Administrative
Tools section. Select Display On The All Programs Menu And The Start
Menu, and click OK twice.
Figure 7
shows the Services console highlighting the Windows Firewall service
(started). The console lets you easily see an overview of the
services. Two important columns to which you should pay attention are
Status and Startup Type. In the figure, the Windows Firewall service is
selected. You can see that the service is started and the startup type
is set to Automatic.
When you select a service,
the Extended view gives action links and a description. Since the
Windows Firewall service is running, you can use the action links to
stop or restart the service.
As with most consoles in
Windows 7, you can click any of the headings to reorder the display. The
display is sorted in alphabetical order by the service name by default.
If you click the Name heading, it reorders the services in reverse
order, starting with the Ws. You could also click the Status heading to
quickly sort by which services are started, or click any other heading,
depending on what you're looking for.
3.2. Configuring Services Settings
Each service has several
properties and settings that can be viewed and manipulated. To access
these properties, you can right-click the service and select Properties.
NOTE
You may notice that some
context menus (right-click menus) include a bolded item. This indicates
the default selection if the item is double-clicked. For example, the
Properties selection is bolded when you right-click a service in the
Services console. If you double-click the service, the Properties page
will appear.
Each service has four tabs that include different properties and settings that can be manipulated.
3.2.1. Viewing the General Tab of a Service
Figure 8
shows the General tab of the Windows Search Properties page. It shows
basic information about the service. The Service Name value identifies
the name of the service that is often used when using command-prompt
commands or scripts. The Description is the same as the one shown in the
Extended view of the service.
Startup Type is an important setting on this page. It can be set to one of four types:
Automatic
Services set to Automatic will start when the operating system starts.
Automatic (Delayed Start)
This setting directs a
service to wait until the services set to Automatic have completed
starting. This reduces the contention of so many services competing for
hardware resources at the same time and also reduces the time needed to
boot to the logon screen.
Manual
The service won't
start automatically but will respond to service start commands, such as
the Net Start or SC Start commands.
Disabled
The service doesn't
start automatically and won't respond to commands to start manually. If
you want to ensure that a service cannot be started, set it to Disabled.
One way to optimize a
system's performance and increase security is to disable any services
that aren't needed. If you identify services that aren't needed for a
system, you can set them to Disabled from this page.
Figure 9 shows the default domain policy opened to the Computer Configuration => Policies => Windows Settings => Security Settings =>
System Services node. The Windows Error Reporting Service selection has
been opened, and the Define This Policy Setting and Automatic startup
options have been selected. This will ensure the service is enabled and
automatically started for all clients in the domain.
Similarly, you could set a
policy to ensure a service is disabled for all clients in the domain.
When settings are managed by a GPO, they become dimmed and unchangeable
on clients affected by the GPO.
3.2.2. Viewing the Log On Tab of a Service
Services must run with
some type of permissions, and the permissions are determined by the
account used to start the service. One of three built-in local accounts
is typically used to start most services, and it's also possible to
configure a service to run using a local or domain account you've
created.
These are the three built-in local accounts:
Local System
Most services use the
Local System account, which grants them rights and permissions to
perform their designated tasks on the local system. An additional check
box can be selected to also allow the service to interact with the
desktop. The Print Spooler service is one of the few services that has
this selection checked.
Local Service
This account is used for services that need fewer rights and permissions than the Local System service.
Security in Windows services
has been improved through an internal Microsoft process referred to as
Windows Service Hardening. Whenever possible, services are configured to
use the Local Service or Network Service accounts to limit the rights
and permissions of a service. This is a change from operating systems
before Windows Vista, which would often use the Local System account by
default.
Network Service
This account is used for
services that need fewer rights and permissions than the Local System
service but need access to network resources. As an example, the
BranchCache and DNS Client services are configured to use the Network
Service account.
Figure 10
shows the Log On tab of the BranchCache service. It also shows the
extra screens that would be selected to use a different account.
To select a different
service account, you'd select Browse, click the Advanced button, click
Find Now, and select one of the accounts displayed in the Search
Results. When adding the Local Service or Network Service account, you
don't need to enter a password.
Notice that you can also
select a regular user account. Some server applications require the
creation of a user account that will be assigned specific permissions
and be used to start a specific service. However, this is rarely needed
on Windows 7 desktop computers.
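To see how the startup types and logon accounts described above are distributed on a particular machine, the following read-only PowerShell inventory can be used. It is an added example, not part of the original text; the function name Get-ServiceAccountInventory is hypothetical, and it reads the standard Win32_Service WMI class through Get-WmiObject so that it also runs on the PowerShell 2.0 included with Windows 7.

```powershell
# Added example (not from the original text). Read-only inventory of services
# by startup type and logon account, using the Win32_Service WMI class.
function Get-ServiceAccountInventory {
    # The three built-in accounts from the Log On tab, as WMI reports them in
    # StartName (spaces removed so spelling variants compare equal).
    $builtIn = @('LocalSystem', 'NTAUTHORITY\LocalService', 'NTAUTHORITY\NetworkService')

    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $account = "$($_.StartName)"
        $key = $account -replace '\s', ''
        New-Object PSObject -Property @{
            Name        = $_.Name
            StartMode   = $_.StartMode   # Auto, Manual or Disabled
            State       = $_.State       # Running, Stopped, ...
            Account     = $account
            # True when the service logs on with something other than the
            # three built-in accounts (for example a local or domain user).
            CustomLogon = (($account -ne '') -and ($builtIn -notcontains $key))
        }
    }
}

$inventory = Get-ServiceAccountInventory

# 1. Number of services per logon account and startup type.
$inventory | Group-Object Account, StartMode |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Services that do not use one of the three built-in accounts.
$inventory | Where-Object { $_.CustomLogon } |
    Sort-Object Account, Name |
    Format-Table Name, Account, StartMode, State -AutoSize

# 3. Services that start automatically under Local System: the first place to
#    look when deciding which unneeded services to set to Disabled.
$inventory | Where-Object { $_.Account -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' } |
    Sort-Object Name |
    Format-Table Name, State -AutoSize
```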
Managed service accounts
are a new feature available in Windows 7 and Windows Server 2008 R2.
This is a special class of domain account that can be created for
applications that need to be started with service accounts.
In the past, regular domain
user accounts were created to start services and were referred to as
service accounts. Passwords either needed to be changed regularly on
these accounts to prevent them from being locked out, or security could
be weakened to ensure passwords never expired on these accounts.
However, you can now create
a single managed-service account for a computer and use it to run
services on the system. The passwords for these accounts will be reset
automatically, so passwords don't need to be managed for a managed
service account. Managed service accounts work only on Windows 7 or
newer desktops and Windows Server 2008 R2 or newer servers.
Managed-service accounts are
available in Windows 7 and Windows Server 2008 R2. A significant
feature of a managed service account is that passwords are reset
automatically, removing the need to manage passwords manually for
service accounts. For more information, check out this TechNet article: http://technet.microsoft.com/library/dd367859.aspx.
3.2.3. Viewing the Recovery Tab of a Service
The Recovery tab of any service allows you to configure actions to take if the service fails. Figure 11 shows the Recovery tab with several actions configured.
The actions you can select if a service fails are as follows:
Restart The Service
This attempts to start the service again if it fails.
Run A Program
The program can be any executable including a script or batch file. The program is specified in the Run Program section.
Restart The Computer
If you select Restart
The Computer, you can also configure restart options. This allows you to
select the time to wait (in minutes) before restarting and have the
computer send a message to other computers before restarting.
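To review which services have a program configured for the Run A Program action, the recovery settings can be read from each service's registry key. This PowerShell sketch is an added example, not part of the original text; the function name Get-ServiceRecoveryProgram is hypothetical, and it relies on the FailureCommand, ImagePath and ObjectName values that Windows stores under HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example (not from the original text). List services whose Recovery
# settings name a program to run when the service fails.
function Get-ServiceRecoveryProgram {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # FailureCommand holds the command line from the Run Program section.
        if ($props -and $props.FailureCommand) {
            New-Object PSObject -Property @{
                Service        = $_.PSChildName
                Account        = $props.ObjectName   # logon account of the service
                ImagePath      = $props.ImagePath    # the service's own executable
                FailureCommand = $props.FailureCommand
            }
        }
    }
}

$found = @(Get-ServiceRecoveryProgram)
$found | Format-List Service, Account, ImagePath, FailureCommand

# Show the complete recovery configuration (reset period, actions, command)
# for each hit, so you can confirm whether a run-program action is actually
# among the configured failure actions.
# sc.exe is spelled out because "sc" alone is a PowerShell alias for Set-Content.
foreach ($item in $found) {
    & sc.exe qfailure $item.Service
}
```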
3.2.4. Viewing the Dependencies Tab of a Service
The Dependencies tab shows
two lists. If you plan to modify the start state of a service, you
should check the dependencies. This is especially true if you change the
start state to Disabled.
This Service Depends On The Following System Components
This list shows
services and components that this service depends on to run. If the
listed services or components are not running, the service will usually
not even start.
The Following System Components Depend On This Service
The second list identifies services that depend on this service. If this
service is not running and can't be started, services in the list will
not be able to start.
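The dependency check recommended above can be scripted so that a service is set to Disabled only when nothing that depends on it is still enabled. This PowerShell function is an added example, not part of the original text; the name Disable-ServiceChecked is hypothetical, and the Fax service in the sample call is used only because it appears elsewhere in this chapter.

```powershell
# Added example (not from the original text). Disable a service only after
# checking both lists shown on its Dependencies tab.
function Disable-ServiceChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop

    # First list: what this service depends on (informational only).
    $requires = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
    Write-Verbose ("{0} depends on: {1}" -f $svc.Name, ($requires -join ', '))

    # Second list: services that depend on this one. Look up each one's
    # startup type, because a dependent that is not Disabled will fail to
    # start once this service is disabled.
    $blocked = @()
    foreach ($dep in $svc.DependentServices) {
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($dep.Name)'"
        if ($wmi -and $wmi.StartMode -ne 'Disabled') {
            $blocked += ("{0} ({1}, {2})" -f $dep.Name, $wmi.StartMode, $dep.Status)
        }
    }
    if ($blocked.Count -gt 0) {
        Write-Warning ("Not disabling {0}; dependents still enabled: {1}" -f $svc.Name, ($blocked -join '; '))
        return $false
    }

    # -WhatIf makes ShouldProcess return $false, so nothing is changed.
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name }
        Set-Service -Name $svc.Name -StartupType Disabled
        return $true
    }
    return $false
}

# Dry run: report what would happen without changing anything.
Disable-ServiceChecked -Name 'Fax' -WhatIf -Verbose
```

Dropping -WhatIf applies the change, which requires an elevated (administrator) PowerShell session.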
3.3. Using Service Control to Manipulate Services
Services can be queried, started, stopped, and manipulated from the command line using the Service Control (SC)
command. SC communicates with the Service Controller and the installed
services, and it allows you to perform most of the actions from the
command prompt that you can do from the Services console.
NOTE
Remember, the value of
using any command-line commands is that they can be scripted. SC
commands can be added to any batch file to manipulate services.
As an example, if you want to start the fax service, you can use the following command:
SC start fax
Table 1
shows some of the common SC commands you can use to query and
manipulate services, with examples of how the command could be used.
Table 1. SC commands
Command | Description | Examples |
---|---|---|
SC query | Retrieves a listing of running services, or if a service name is included, it will retrieve details on the named service. | SC query or SC query defragsvc |
SC queryex | Retrieves a listing of running services with extended details. If a service name is included, it will retrieve extended details on the named service. | SC queryex or SC queryex defragsvc |
SC query type= all | Can be used to provide a list of all services. Notice that a space must be added after the = sign. | SC query type= all |
SC stop | Stops a service. The service name must be provided. | SC stop defragsvc |
SC start | Starts a service. The service name must be provided. | SC start defragsvc |
SC pause | Pauses a running service. The service name must be provided. | SC pause defragsvc |
SC continue | Continues a paused service. The service name must be provided. | SC continue defragsvc |