Windows Server 2008 Attack Surface Reference
					Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below. If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons AttributionNonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious. Microsoft, ActiveX, Excel, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server,

AD DS Role Service

Installed Files

Component | Resource file | Note
Core | ntds.dit, schema.ini, schupgr.exe, ActiveDirectoryDomainServices.Events.xml |
DomainsAndTrusts | domadmin.dll, domain.msc |

Running Services

Display name | Service name | Executable path | Type
Active Directory Domain Services | NTDS | %systemroot%\System32\lsass.exe | Automatic
DFS Namespace | dfs | %systemroot%\system32\dfssvc.exe | Automatic
DFS Replication | DFSR | %systemroot%\system32\DFSRs.exe | Automatic
Intersite Messaging | IsmServ | %systemroot%\System32\ismserv.exe | Automatic
Kerberos Key Distribution Center | Kdc | %systemroot%\System32\lsass.exe | Automatic

Firewall Rules

Rule name | Service name | Description | Port | Path
Active Directory Domain Controller - LDAP (TCP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389) | 389 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - LDAP (UDP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389) | 389 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - LDAP for Global Catalog (TCP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. (TCP 3268) | 3268 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - NetBIOS name resolution (UDP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. (UDP 138) | 138 | System
Active Directory Domain Controller - SAM/LSA (NP-TCP-In) | Any | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (TCP 445) | 445 | System
Active Directory Domain Controller - SAM/LSA (NP-UDP-In) | Any | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. (UDP 445) | 445 | System
Active Directory Domain Controller - Secure LDAP (TCP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. (TCP 636) | 636 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. (TCP 3269) | 3269 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - W32Time (NTP-UDP-In) | Any | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. (UDP 123) | 123 | %systemroot%\System32\svchost.exe
Active Directory Domain Controller (RPC) | Any | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service. | Dynamic RPC | %systemroot%\System32\lsass.exe
Active Directory Domain Controller (RPC-EPMAP) | rpcss | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service. | RPC Endpoint Mapper | %systemroot%\System32\svchost.exe
Active Directory Domain Controller (TCP-Out) | Any | Outbound rule for the Active Directory Domain Controller service. (TCP) | Any | %systemroot%\System32\lsass.exe
Active Directory Domain Controller (UDP-Out) | Any | Outbound rule for the Active Directory Domain Controller service. (UDP) | Any | %systemroot%\System32\lsass.exe

Role Dependencies

Dependency | Description
DNS | Active Directory uses DNS for name resolution. Most environments use Active Directory-integrated DNS, which you can install from the Active Directory Domain Services Installation Wizard rather than installing the DNS role separately.
File Replication Service | Active Directory uses File Replication Service (FRS) to replicate the SYSVOL folder between domain controllers.
DFS Replication | Active Directory uses DFS Replication to replicate the SYSVOL folder between domain controllers.
DFS Namespace | This service is required by DFS Replication, which replicates the SYSVOL folder between domain controllers.

Identity Management for UNIX Role Service: Server for Network Information Services

Installed Files

Component | Resource file | Note

Running Services

Display name | Service name | Executable path | Type
Server For NIS | NisSvc | %systemroot%\system32\svchost.exe -k NisSvc | Disabled

Firewall Rules

Rule name | Service name | Description | Port | Path
Portmap for UNIX-based Software (Portmap-TCP-In) | | A rule to allow all inbound traffic for the Portmap service (TCP 111) | 111 | System
Portmap for UNIX-based Software (Portmap-UDP-In) | | A rule to allow all inbound traffic for the Portmap service (UDP 111) | 111 | System
Server for NIS (Open Portmapper-In) | | An inbound rule for the Open Portmapper service to allow Unix RPC traffic for the NIS Server. (TCP 111) | 111 | System
Server For NIS (UDP-In) | | An inbound rule to allow Server for NIS traffic (UDP). | Any | %systemroot%\system32\svchost.exe
Server For NIS (Unix-RPC) | | An inbound rule to allow Server for NIS to be remotely managed via UNIX RPC/TCP. | Dynamic RPC | %systemroot%\system32\svchost.exe
Portmap for UNIX-based Software (TCP-Out) | | A rule to allow all outbound traffic for the Portmap service (TCP 111) | Any | System
Portmap for UNIX-based Software (UDP-Out) | | A rule to allow all outbound traffic for the Portmap service (UDP 111) | Any | System

Role Dependency

Dependency | Description
Active Directory Domain Services | Manages the credentials that are authenticated by the Server for Network Information Services.

Password Synchronization

Installed Files

Component | Resource file | Note

Running Services

Display name | Service name | Executable path | Type

Firewall Rules

Rule name | Service name | Description | Port | Path
Portmap for UNIX-based Software (TCP-In) | | A rule to allow all inbound traffic for the Portmap service (TCP 111) | 111 | System
Portmap for UNIX-based Software (UDP-In) | | A rule to allow all inbound traffic for the Portmap service (UDP 111) | 111 | System
Password Synchronization (TCP-In) | | An inbound rule to allow incoming Password Synchronization traffic. (TCP 6677) | 6677 | %systemroot%\system32\lsass.exe
Portmap for UNIX-based Software (TCP-Out) | | A rule to allow all outbound traffic for the Portmap service | Any | System
Portmap for UNIX-based Software (UDP-Out) | | A rule to allow all outbound traffic for the Portmap service | Any | System

Role Dependency

Dependency | Description
Active Directory Domain Services | Manages the credentials that are authenticated by the Server for Network Information Services.

DHCP Server

Installed Files

Component | Resource file | Note
DHCP Server MIB | dhcpmib.dll |
DHCP Server Migration Plugin | DhcpSrvMigPlugin.dll |
DHCP Server Optional Component Installer | dhcpsoc.dll |
DHCP Server Runtime | dhcpssvc.dll |
DHCP Server Runtime | DhcpServer.Events.xml |
DHCP Server Runtime | dhcpsapi.dll |
DHCP Server Runtime | dsauth.dll |
DHCP Server Runtime helper scripts | DhcpServerRole.cmd |
DHCP Server Runtime Perf Counters | dhcpctrs.h |
DHCP Server Runtime Perf Counters | dhcpctrs.ini |
Windows Server Help for dhcp | dhcp.h1s |
Windows Server Help for dhcp | dhcp.chm |

Running Services

Display name | Service name | Executable path | Type
DHCP Server | DHCPServer | C:\Windows\system32\svchost.exe -k DHCPServer | Automatic

Firewall Rules

Rule name | Service name | Description | Port | Path
DHCP Server v4 (UDP-In) | dhcpserver | An inbound rule to allow traffic so that rogue detection works in V4. [UDP 68] | 68 | %systemroot%\system32\svchost.exe
DHCP Server v4 (UDP-In) | dhcpserver | An inbound rule to allow traffic to the IPv4 Dynamic Host Control Protocol Server. [UDP 67] | 67 | %systemroot%\system32\svchost.exe
DHCP Server v6 (UDP-In) | dhcpserver | An inbound rule to allow traffic so that rogue detection works in V6. [UDP 546] | 546 | %systemroot%\system32\svchost.exe
DHCP Server v6 (UDP-In) | dhcpserver | An inbound rule to allow traffic to the IPv6 Dynamic Host Control Protocol Server. [UDP 547] | 547 | %systemroot%\system32\svchost.exe
DHCP Server (RPC-In) | dhcpserver | An inbound rule to allow RPC traffic for DHCP Server management. | Dynamic RPC | %systemroot%\system32\svchost.exe
DHCP Server (RPCSS-In) | rpcss | An inbound rule to allow RPCSS traffic for DHCP Server management. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe

Role Dependency

Dependency | Description
None |

DNS Server

Installed Files

Component | Resource file | Note
DNS Server | dnsmgr.dll |

Running Services

Display name | Service name | Executable path | Type
DNS Server | DNS Server | %windir%\System32\dns.exe | Automatic

Firewall Rules

Rule name | Service name | Description | Port | Path
DNS (TCP, Incoming) | dns | Inbound rule to allow remote TCP access to the DNS service | 53 | %systemroot%\System32\dns.exe
DNS (UDP, Incoming) | dns | Inbound rule to allow remote UDP access to the DNS service | 53 | %systemroot%\System32\dns.exe
RPC (TCP, Incoming) | dns | Inbound rule to allow remote RPC/TCP access to the DNS service | Dynamic RPC | %systemroot%\System32\dns.exe
RPC Endpoint Mapper (TCP, Incoming) | dns | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the DNS Service | RPC Endpoint Mapper | %systemroot%\System32\dns.exe
All Outgoing (TCP) | dns | Outbound rule to allow all TCP traffic from the DNS service | Any | %systemroot%\System32\dns.exe
All Outgoing (UDP) | dns | Outbound rule to allow all UDP traffic from the DNS service | Any | %systemroot%\System32\dns.exe

Common HTTP Features

Installed Files

Component | Resource Files | Description
Static Content | Static.dll | This component allows the Web server to publish static Web file formats, such as HTML pages and image files.
Default Document | Defdoc.dll | This component allows you to configure a default file for the Web server to use if this file is missing from the requesting URL.
Directory Browsing | Dirlist.dll | This component allows users to see the contents of a folder on the Web server.
HTTP Errors | Custerr.dll | This component allows you to customize error messages for user browsers.
HTTP Redirection | Redirect.dll | This component supports redirection of user requests to a specific destination.

Running Services

Service Name | Display Name | Executable path | Type
W3SVC | World Wide Web Publishing Service | C:\Windows\System32\svchost.exe -k iissvcs | Automatic
WAS | Windows Process Activation Service | C:\Windows\System32\svchost.exe -k iissvcs | Manual
AppHostSvc | Application Host Helper Service | C:\Windows\System32\svchost -k apphost | Automatic

Firewall Rules

Rule Name | Description | Port | Path
World Wide Web Services HTTPS Traffic In | Enables/disables firewall support for port 443 incoming traffic. | TCP 443 | System
World Wide Web Services HTTP Traffic In | Enables/disables firewall support for port 80 incoming traffic. | TCP 80 | System

Application Development

Installed Files

Component | Resource Files | Description
ASP.NET | None | This component provides the server-side object-oriented programming (OOP) environment for building Web sites and Web applications using managed code. ASP.NET is part of the Microsoft .NET Framework. When this option is selected, the ASP.NET setup configures ASP.NET in the IIS configuration store.
.NET Extensibility | wbhst_pm.dll | This component allows developers to extend the Web server functionality using .NET Framework managed APIs.
ASP | asp.dll, aspperf.dll, asp.mof, asp.mfl, browscap.dll, browscap.ini | This component provides support for Active Server Pages (ASP).
CGI | cgi.dll | The Common Gateway Interface (CGI) component permits interactivity between a Web browser client and a Web server application.
ISAPI Extensions | isapi.dll | This component adds support for Internet Server Application Programming Interface (ISAPI) Extensions.
ISAPI Filters | filter.dll | This component adds support for ISAPI Filters, which are used to select a request that fits the filter specifications and needs processing.
Server Side Includes | iis_ssi.dll | This component adds support for SSI scripting, which is used to dynamically generate HTML pages.

Running Services

Service Name | Display Name | Executable path | Type
None | None | None | None

Firewall Rules

Rule Name | Description | Port | Path
None | None | None | None

Health and Diagnostics

Installed Files

Component | Resource Files | Description
HTTP Logging | loghttp.dll | This component provides support for logging of Web site activity on the server.
Logging Tools | logscrpt.dll | This component adds the tools necessary to manage the server logs and logging tasks.
Custom Logging | logcust.dll | This component allows custom logging modules to load on to the Web server to aid troubleshooting.
ODBC Logging | logtemp.sql | This component allows logging to be reported to an ODBC-compliant database.

Running Services

Service Name | Display Name | Executable path | Type
None | None | None | None

Firewall Rules

Rule Name | Description | Port | Path
None | None | None | None

Security

Installed Files

Component | Resource Files | Description
Basic Authentication | authbas.dll | This component performs Basic authentication.
Windows Authentication | authsspi.dll | This component performs NTLM integrated authentication.
Digest Authentication | authmd5.dll | This component performs Digest authentication.
Client Certificate Mapping Authentication | authcert.dll | This component performs Certificate Mapping authentication using Active Directory.
IIS Client Certificate Mapping Authentication | authmap.dll | This component performs Certificate Mapping authentication using IIS certificate configuration.
URL Authorization | urlauthz.dll | This component performs URL authorization.
Request Filtering | modrqflt.dll | This component rejects requests that conform to a certain pattern.
IP and Domain Name Restriction | iprestr.dll | This component allows you to allow or deny content based upon the IP address or domain name of the originating client request.

Running Services

Service Name | Display Name | Executable path | Type
None | None | None | None

Firewall Rules

Rule Name | Description | Port | Path
None | None | None | None

Performance

Installed Files

Component | Resource Files | Description
Static Content Compression | compstat.dll | This component enables the compression of static HTTP content.
Dynamic Content Compression | compdyn.dll | This component enables the compression of dynamic Web content to improve the bandwidth utilization of the server.

Running Services

Service Name | Display Name | Executable path | Type
None | None | None | None

Firewall Rules

Rule Name | Description | Port | Path
None | None | None | None

Management Tools

Installed Files

Component | Resource Files | Description
IIS Management Console | inetmgr.exe, iis.msc, wmi-appserver.dll, wmsvc.exe | This component installs the
Management Service | | This component allows you to configure the IIS 7.0 user interface, IIS Manager, and remotely manage IIS 7.0.
IIS 6.0 Management Compatibility | inetmgr.exe | Note: To manage Simple Mail Transfer Protocol (SMTP) or File Transfer Protocol (FTP) services on an IIS 7.0 Web server, you must install and use the IIS 6.0 Management console.
IIS 6.0 Metabase Compatibility | iismui.dll, iisuiobj.dll, svcext.dll, uihelper.dll, certobj.dll, iis.msc, cnfgprts.ocx, logui.ocx, iisui.dll, inetmgr.dll | This component installs the IIS 6.0 metabase (IIS 6.0 configuration store) and offers interfaces like ABO and Active Directory Service Interfaces (ADSI) to access the metabase.

Running Services

Service Name | Display Name | Executable path | Type
IISADMIN | IIS Admin Service | C:\Windows\system32\inetsrv\inetinfo.exe | Automatic

Firewall Rules

Rule Name | Description | Port | Path

FTP Publishing Service

Installed Files

Component | Resource Files | Description
FTP Server | ftpctrs2.dll, ftpmib.dll, ftpsvc2.dll | This component installs the FTP Server service and enables the Web server to act as an FTP server.
FTP Management | iis6.msc | This component installs the FTP management snap-in to allow local or remote management of the FTP server.

Running Services

Service Name | Display Name | Executable path | Type
MSFTPSVC | FTP Publishing Service | C:\Windows\System32\inetsrv\inetinfo.exe | Manual

Firewall Rules

Rule Name | Description | Port | Path
FTP Server Traffic In | Enables or disables Windows Firewall for incoming port 21 traffic. | TCP 21 | %windir%\system32\inetsrv\inetinfo.exe

File Server

Installed Files

Component | Resource Files | Description
None | None | None

Running Services

Service Name | Display Name | Executable path | Type
LanmanServer | Server | C:\Windows\system32\svchost.exe -k netsvcs | Automatic
LanmanWorkstation | Workstation | C:\Windows\system32\svchost.exe -k LocalService | Automatic

Firewall Rules

Rule Name | Description | Port | Path
File and Printer Sharing (Echo Request - ICMPv4-In) | Allows Echo Request messages to be received as ping requests to other nodes over IPv4. | All | All
File and Printer Sharing (Echo Request - ICMPv6-In) | Allows Echo Request messages to be received as ping requests to other nodes over IPv6. | All | All
File and Printer Sharing (NB-Datagram-In) | Allows NetBIOS Datagram transmission and reception. | UDP 138 | System
File and Printer Sharing (NB-Name-In) | Allows NetBIOS Name Resolution. | UDP 137 | System
File and Printer Sharing (NB-Session-In) | Allows NetBIOS Session Service connections. | TCP 139 | System
File and Printer Sharing (SMB-In) | Allows SMB transmission and reception via Named Pipes. | TCP 445 | System
File and Printer Sharing (Spooler Service - RPC) | Allows the Print Spooler Service to communicate via TCP/RPC. | TCP Dynamic RPC | %SystemRoot%\system32\spoolsv.exe
File and Printer Sharing (Spooler Service - RPC-EPMAP) | The RPCSS service uses this service to allow RPC/TCP traffic for the Spooler Service. | RPC Endpoint Mapper | All
File and Printer Sharing (Echo Request - ICMPv4-Out) | Sends Echo Request messages as ping requests to other nodes. | All | All
File and Printer Sharing (Echo Request - ICMPv6-Out) | Sends Echo Request messages as ping requests to other nodes. | All | All
File and Printer Sharing (NB-Datagram-Out) | Allows NetBIOS Datagram transmission and reception. | UDP 138 | System
File and Printer Sharing (NB-Name-Out) | Allows NetBIOS Name Resolution. | UDP 137 | System
File and Printer Sharing (NB-Session-Out) | Allows NetBIOS Session Service connections. | TCP 139 | System
File and Printer Sharing (SMB-Out) | Allows SMB transmission and reception via Named Pipes. | TCP 445 | System

Note: All firewall rules are predefined and disabled by default. Installing the File Server role does not enable the rules; only sharing a folder enables them.

Distributed File System

Installed Files

Component | Resource Files | Description
DFS Namespace Management | %systemroot%\System32\DfsRes.dll, %systemroot%\System32\DfsMgmt.dll, %systemroot%\System32\Interop.DfsrHelper.dll, %systemroot%\System32\DfsrPropagationReport.xsl, %systemroot%\System32\DfsrHealthReport.xsl, %systemroot%\System32\dfsmgmt.msc, %systemroot%\System32\DfsDiag.exe, %systemroot%\System32\dfsutil.exe | Core DFS resource files. DFS Microsoft Management Console 3.0 snap-in. Custom DCOM host for the COM component in DfsrHelper.dll; it is hosted in a custom host so that the firewall rules for remote DFS Management only allow connections to a specific host and not the generic dllhost. Command-line DFS diagnostic utility. Command-line administrative tool to perform operations on DFS namespaces.
DFS Namespace Service | %systemroot%\System32\dfssvc.exe | DFS Namespace service file.
DFS Replication | %systemroot%\System32\dfsrapi.dll, %systemroot%\System32\dfsrress.dll | Core DFS Replication resource files.
DFS Replication Management | %systemroot%\System32\dfsradmin.exe, %systemroot%\System32\dfsradmin.exe.config, %systemroot%\System32\dfsrdiag.exe | Command-line DFS Replication administration tool. Command-line DFS Replication diagnostics tool.
DFS Replication Service | %systemroot%\System32\dfsrs.exe | DFS Replication Service file.
WMI | %systemroot%\System32\wbem\dfsrprovs.mof | WMI management file for DFS-R.
DFS Replication Event Log | %systemroot%\System32\winevt\Logs\DFS Replication | DFS-R Event log.

Running Services

Service Name | Display Name | Executable path | Type
dfs | DFS Namespace | %systemroot%\System32\dfssvc.exe | Automatic
DFSR | DFS Replication | %systemroot%\System32\DFSRs.exe | Automatic

Firewall Rules

Rule Name | Description | Port | Path
DFS Management (DCOM-In) | Inbound rule for DFS Management to allow remote DCOM activation via the RPCSS service. | TCP 135 | %systemroot%\system32\svchost.exe
DFS Management (SMB-In) | Inbound rule for DFS Management to allow SMB transmission and reception via Named Pipes. | TCP 445 | System
DFS Management (TCP-In) | Inbound rule for DFS Management to allow the DFS Management service to be remotely managed via DCOM. | TCP Dynamic RPC | %systemroot%\system32\dfsfrshost.exe
DFS Management (WMI-In) | Inbound rule for DFS Management to allow remote invocation of WMI. | TCP Dynamic RPC | %systemroot%\system32\svchost.exe
DFS Replication (RPC-In) | Inbound rule to allow DFS Replication RPC traffic. | TCP Dynamic RPC | %systemroot%\system32\dfsrs.exe
DFS Replication (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for DFS Replication. | TCP RPC Endpoint Mapper | %systemroot%\system32\svchost.exe

File Server Resource Manager

Installed Files

Component | Resource Files | Description
FSRM | %systemroot%\System32\dfsext.dll, %systemroot%\System32\filescrn.exe, %systemroot%\System32\srmclient.dll, %systemroot%\System32\srmscan.dll | Core FSRM resource files.
FSRM Service | %systemroot%\System32\srmsvc.dll | FSRM Service file.
FSRM Reports Manager | %systemroot%\System32\srmhost.exe | Hosting process for the reporting service.
FSRM Management | %systemroot%\System32\fsrm.msc, %systemroot%\System32\dirquota.exe, %systemroot%\System32\storrept.exe, %systemroot%\System32\drivers\quota.sys | FSRM Microsoft Management Console 3.0 snap-in. Quota command-line tool. Reports command-line tool.
Reports | %systemroot%\System32\srm defaults\ReportSettings.xml | FSRM Report default settings.
WMI | %systemroot%\System32\wbem\srm.mof | WMI management file for FSRM.

Running Services

Service Name | Display Name | Executable path | Type
srmsvc | File Server Resource Manager | %systemroot%\System32\srmsvc.dll | Automatic
srmreports | File Server Storage Reports Manager | %systemroot%\System32\srmhost.exe | Manual

Firewall Rules

Rule Name | Description | Port | Path
None | | |

Services for Network File System

Installed Files

Component | Resource Files | Description
Services for NFS | C:\Windows\System32\dsctrs.dll, C:\Windows\System32\nfscligrps.dll, C:\Windows\System32\nfsclilocks.dll, C:\Windows\System32\nfsclusrc.dll, C:\Windows\System32\nfscommgmt.dll, C:\Windows\System32\nfscprop.dll, C:\Windows\System32\nfsnp.dll, C:\Windows\System32\nfsrc.dll, C:\Windows\System32\nfssa.dll, C:\Windows\System32\nfssprop.dll | Core NFS resource files.
NFS Services | C:\Windows\System32\nfssvc.exe, C:\Windows\System32\nfsclnt.exe | Services for NFS Server service. Services for NFS Client service.
NFS Drivers | C:\Windows\System32\drivers\msnfsflt.sys, C:\Windows\System32\drivers\nfsrdr.sys, C:\Windows\System32\drivers\nfssvr.sys, C:\Windows\System32\drivers\portmap.sys, C:\Windows\System32\drivers\rpcxdr.sys | Services for NFS device drivers.
NFS Management | C:\Windows\System32\nfsmgmt.msc, C:\Windows\System32\nfsadmin.exe, C:\Windows\System32\mount.exe, C:\Windows\System32\nfsshare.exe, C:\Windows\System32\nfsstat.exe, C:\Windows\System32\rpcinfo.exe, C:\Windows\System32\showmount.exe, C:\Windows\System32\umount.exe | NFS Microsoft Management Console 3.0 snap-in. NFS command-line administration tool. General command-line NFS tools.
WMI | C:\Windows\System32\wbem\msnfsflt.mof, C:\Windows\System32\wbem\nfssvr.mof, C:\Windows\System32\wbem\portmap.mof, C:\Windows\System32\wbem\rpcxdr.mof | Services for NFS MOF files.

Running Services

Service Name | Display Name | Executable path | Type
NfsServer | Server for NFS | C:\Windows\system32\nfssvc.exe | Automatic
NfsClient | Client for NFS | C:\Windows\system32\nfsclnt.exe | Automatic

Firewall Rules

Rule Name | Description | Port | Path
Portmap for UNIX-based Software (TCP-In) | Inbound rule to allow all inbound traffic for the Portmap service. | TCP 111 | System
Portmap for UNIX-based Software (UDP-In) | Inbound rule to allow all inbound traffic for the Portmap service. | UDP 111 | System
Client for NFS (TCP In) | Inbound rule to allow all inbound traffic for Client for NFS. | TCP All Ports | %systemroot%\system32\nfsclnt.exe
Client for NFS (UDP In) | Inbound rule to allow all inbound traffic for Client for NFS. | UDP All Ports | %systemroot%\system32\nfsclnt.exe
Server for NFS Mount (TCP In) | Inbound rule to allow all inbound traffic on the MOUNT port. | TCP 1048 | System
Server for NFS Mount (UDP In) | Inbound rule to allow all inbound traffic on the MOUNT port. | UDP 1048 | System
Server for NFS (NFS TCP-In) | Inbound rule to allow all inbound traffic on the NFS port. | TCP 2049 | System
Server for NFS (NFS UDP-In) | Inbound rule to allow all inbound traffic on the NFS port. | UDP 2049 | System
Server for NFS - NLM (TCP-In) | Inbound rule to allow all inbound traffic on the NLM port. | TCP 1047 | System
Server for NFS - NLM (UDP-In) | Inbound rule to allow all inbound traffic on the NLM port. | UDP 1047 | System
Server for NFS - NSM (TCP-In) | Inbound rule to allow all inbound traffic on the NSM port. | TCP 1039 | System
Server for NFS - NSM (UDP-In) | Inbound rule to allow all inbound traffic on the NSM port. | UDP 1039 | System
Portmap for UNIX-based software (TCP-Out) | Outbound rule to allow all outbound traffic for the Portmap service. | TCP All Ports | System
Portmap for UNIX-based software (UDP-Out) | Outbound rule to allow all outbound traffic for the Portmap service. | UDP All Ports | System
Client for NFS (TCP-Out) | Outbound rule to allow all outbound traffic for Client for NFS. | TCP All Ports | %systemroot%\system32\nfsclnt.exe
Client for NFS (UDP-Out) | Outbound rule to allow all outbound traffic for Client for NFS. | UDP All Ports | %systemroot%\system32\nfsclnt.exe

Windows Search Service

Installed Files

Component | Resource Files | Description

Running Services

Service Name | Display Name | Executable path | Type

Firewall Rules

Rule Name | Description | Port | Path

Windows Server 2003 File Services

Installed Files

Component | Resource Files | Description

Running Services

Service Name | Display Name | Executable path | Type

Firewall Rules

Rule Name | Description | Port | Path

Print Server

Installed Files

Component | Resource Files | Description
Print Server | printservices.events.xml, printmanagement.msc | Includes the Print Spooler service and the Print Management snap-in, which you can use to manage multiple remote printers or print servers.
PMCPPC | ppcsnap.dll, ppcsnap.dll.mui, PushPrinterConnections.exe | Printing premium tools and Print Management console files.
Printing premium tools, PrintBRM | PrintBrmui.exe.mui, PrintBrm.exe.mui, PrintBrmEngine.exe.mui, PrintBrmUi, PrintBrm.exe, PrintBrmEngine.exe, PrintBrmPs.dll | Printing premium tools.
PPC | gpprnext.dll, gpprnext.dll.mui, ppcRsopCompSchema.mof | Part of the printing core file set.

Running Services

Service Name | Display Name | Executable path | Type
Spooler | Print Spooler | %systemroot%\System32\spoolsv.exe | Automatic

Firewall Rules

Rule Name | Description | Port | Path
File and Printer Sharing (Echo Request - ICMPv4-In) | Allows Echo Request messages to be received as ping requests to other nodes over IPv4. | All | All
File and Printer Sharing (Echo Request - ICMPv6-In) | Allows Echo Request messages to be received as ping requests to other nodes over IPv6. | All | All
File and Printer Sharing (NB-Datagram-In) | Allows NetBIOS Datagram transmission and reception. | UDP 138 | System
File and Printer Sharing (NB-Name-In) | Allows NetBIOS Name Resolution. | UDP 137 | System
File and Printer Sharing (NB-Session-In) | Allows NetBIOS Session Service connections. | TCP 139 | System
File and Printer Sharing (SMB-In) | Allows SMB transmission and reception via Named Pipes. | TCP 445 | System
File and Printer Sharing (Spooler Service - RPC) | Allows the Print Spooler Service to communicate via TCP/RPC. | TCP Dynamic RPC | %systemroot%\system32\spoolsv.exe
File and Printer Sharing (Spooler Service - RPC-EPMAP) | For the RPCSS service to allow RPC/TCP traffic for the Spooler Service. | TCP Endpoint Mapper | All
File and Printer Sharing (Echo Request - ICMPv4-Out) | Allows Echo Request messages to be sent as ping requests to other nodes over IPv4. | All | All
File and Printer Sharing (Echo Request - ICMPv6-Out) | Allows Echo Request messages to be sent as ping requests to other nodes over IPv6. | All | All
File and Printer Sharing (NB-Datagram-Out) | Allows NetBIOS Datagram transmission and reception. | UDP 138 | System
File and Printer Sharing (NB-Name-Out) | Allows NetBIOS Name Resolution. | UDP 137 | System
File and Printer Sharing (NB-Session-Out) | Allows NetBIOS Session Service connections. | TCP 139 | System
File and Printer Sharing (SMB-Out) | Allows SMB transmission and reception via Named Pipes. | TCP 445 | System

LPD Service

Installed Files

Component | Resource Files | Description
TCP/IP Print Server | lpdsvc.dll, lpdsvc.dll.mui | This file provides the Line Printer Daemon service.

Running Services

Service Name | Display Name | Executable path | Type
LPDSVC | TCP/IP Print Server | %systemroot%\system32\svchost.exe -k LPDService | Automatic

Firewall Rules

Rule Name | Description | Port | Path
TCP/IP Print Server | Opens the default port used by the Line Printer Daemon protocol. | TCP 515 | %systemroot%\System32\svchost.exe

Internet Printing

Installed Files

Component | Resource Files | Description
IPP Server | SetupIPP.dll, SetupIPP.dll.mui, msw3prt.dll, prtwebvw.css, ipp_0000.inc, ipp_adsi.inc, ipp_res.inc, ipp_util.inc | These files enable the IPP functionality on the Print server.
IPP Server | page1.asp, ipp_0001.asp, ipp_0002.asp, ipp_0003.asp, ipp_0004.asp, ipp_0005.asp, ipp_0006.asp, ipp_0007.asp, ipp_0010.asp, ipp_0013.asp, ipp_0014.asp, ipp_0015.asp | These script files support the IPP functionality on the Print server.
IPP Server | ipp_0002.gif, ipp_0003.gif, ipp_0004.gif, ipp_0005.gif, ipp_0012.gif, ipp_0015.gif | These images are used for the IPP Web pages on the IPP Print server.
IPP Client | Inetppui.dll, Inetpp.dll, wpnpinst.exe, inetppui.dll.mui, inetpp.dll.mui, wpnpinst.exe.mui | These enable the Print server to act as an IPP client to other servers.

Running Services

Service Name | Display Name | Executable path | Type
iisadmin | IIS Admin Service | C:\Windows\system32\inetsrv\inetinfo.exe | Automatic
w3svc | World Wide Web Publishing Service | C:\Windows\System32\svchost.exe -k iissvcs | Automatic

Firewall Rules

Rule Name | Description | Port | Path
Described in the Web Server role node.

Certification Authority

Installed Files
Component | Resource file | Note
Certsrv.exe | certsrv.exe.mui | Service
Certdb.dll | Certdb.dll.mui | Database
Certpdef.dll | Certpdef.dll.mui | Default policy module
Certxds.dll | Certxds.dll.mui | Default exit module
Certadm.dll | Certadm.dll.mui | Helper
Certmmc.dll | Certmmc.dll.mui | CA snapin
Capesnpn.dll | Capesnpn.dll.mui | CA snapin
Certtmpl.dll | Certtmpl.dll.mui | Template snapin
ActiveDirectoryCertificateServices.Events.xml | None | Event filter
certsvcctrs.h | certsvcctrs.ini | Performance counter
Pkiview.dll | Pkiview.dll.mui | Enterprise PKI snapin

Running Services
Display name | Service name | Executable path | Type
Active Directory Certificate Services | certsvc | %systemroot%\system32\certsrv.exe | Automatic

Firewall Rules
Rule name | Service name | Description | Port | Path
Certification Authority Enrollment and Management Protocol (CERTSVC-DCOMIN) | RpcSs | An inbound rule to allow traffic to the Certification Authority for certificate enrollment and management. | 135 | %systemroot%\system32\svchost.exe
Certification Authority Enrollment and Management Protocol (CERTSVC-RPCEPMAP-IN) | RpcSs | An inbound rule to allow traffic to the Certification Authority for certificate enrollment and management. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Certification Authority Enrollment and Management Protocol (CERTSVC-RPCNP-IN) | Any | An inbound rule to allow traffic to the Certification Authority for certificate enrollment. | 445 | System
Certification Authority Enrollment and Management Protocol (CERTSVC-RPCTCP-IN) | CertSvc | An inbound rule to allow traffic to the Certification Authority for certificate enrollment. | Dynamic RPC | %systemroot%\system32\certsrv.exe
Certification Authority Enrollment and Management Protocol (CERTSVC-TCPOUT) | CertSvc | An outbound rule to allow traffic from the Certification Authority for certificate enrollment and management. | Any | %systemroot%\system32\certsrv.exe

Role Dependency
Dependency: None
Description: (none)

Certification Authority Web Enrollment

Installed Files
Component | Resource file | Note
Certification Authority Web Enrollment | Certcarc.asp, Certcert.gif, Certcert.inc, Certsrck.inc, Certckpn.asp, Default.asp, Certfnsh.asp, Certrmpn.asp, Certrqad.asp, Certrqbi.asp, Certrqma.asp, Certrqtp.inc, Certrqus.asp, Certrqxt.asp, Certrsdn.asp, Certrser.asp, Certrsis.asp, Certrsob.asp, Certrspn.asp, Certsbrt.inc, Certnew.cer, Certnew.p7b, Certspc.gif, Certcrl.crl, Xenrprxy.inc, Certcnst.inc | (none)

Running Services
No services are installed as a part of this role service.

Firewall Rules
Rule name | Service name | Description | Port | Path
World Wide Web Services (HTTPS Traffic-In) | Any | An inbound rule to allow HTTPS traffic for Internet Information Services (IIS). [TCP 443] | 443 | System
World Wide Web Services (HTTP Traffic-In) | Any | An inbound rule to allow HTTP traffic for Internet Information Services (IIS). [TCP 80] | 80 | System

Role Dependency
Dependency: Web Server (IIS)
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Common HTTP Features: Default Document, Directory Browsing, HTTP Errors, HTTP Redirection, Static Content
  Application Development: ASP, ISAPI Extensions, .NET Extensibility
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Request Filtering, Windows Authentication
  Performance: Static Content Compression

Dependency: Management Tools
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  IIS Management Console

Dependency: Windows Process Activation Service
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Process Model, Configuration APIs, .NET Environment

Online Responder

Installed Files
Component | Resource file | Note
Ocspsvc.exe | ocspsvc.exe.mui | Service
Ocsprevp.dll | Ocsprevp.dll.mui | Revocation Provider
Ocspisapi.dll | Ocspisapi.dll.mui | OCSP ISAPI extension
Ocspadminnative.dll | Ocspadminnative.dll.mui | OCSP snapin helper
Ocspsvcctrs.h | Ocspsvcctrs.h | Performance counter
Ocspsvcctrs.ini | Ocspsvcctrs.ini | Performance counter
Ocspisapictrs.h | Ocspisapictrs.h | Performance counter
Ocspisapictrs.ini | Ocspisapictrs.ini | Performance counter
Microsoft.CertificateAdministration.Interop.dll | (none) | OCSP snapin helper

Running Services
Display name | Service name | Executable path | Type
Online Responder Service | OcspSvc | %systemroot%\system32\ocspsvc.exe | Automatic

Firewall Rules
Rule name | Service name | Description | Port | Path
Online Responder Service (DCOM-In) | RpcSs | Inbound rule for the Online Revocation Service to allow remote DCOM activation. [TCP 135] | 135 | %systemroot%\system32\svchost.exe
Online Responder Service (RPC-In) | OcspSvc | Inbound rule for the Online Revocation Service to allow remote DCOM traffic for remote management. | Dynamic RPC | %systemroot%\system32\ocspsvc.exe
Online Responder Service (TCP-Out) | OcspSvc | Outbound rule for the Online Revocation Service. [TCP] | Any | %systemroot%\system32\ocspsvc.exe

Role Dependency
Dependency: Web Server (IIS)
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Common HTTP Features: Default Document, Directory Browsing, HTTP Errors, HTTP Redirection, Static Content
  Application Development: ASP, ISAPI Extensions
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Request Filtering
  Performance: Static Content Compression

Dependency: Management Tools
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  IIS Management Console

Dependency: Windows Process Activation Service
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Process Model, Configuration APIs, .NET Environment

Network Device Enrollment Service

Installed Files
Component | Resource file | Note
mscep.dll | mscep.dll.mui | SCEP ISAPI Extension

Running Services
No services are installed as a part of this role service.

Firewall Rules
Rule name | Service name | Description | Port | Path
World Wide Web Services (HTTPS Traffic-In) | Any | An inbound rule to allow HTTPS traffic for Internet Information Services (IIS). [TCP 443] | 443 | System
World Wide Web Services (HTTP Traffic-In) | Any | An inbound rule to allow HTTP traffic for Internet Information Services (IIS). [TCP 80] | 80 | System

Role Dependency
Dependency: Web Server (IIS)
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Common HTTP Features: Default Document, Directory Browsing, HTTP Errors, HTTP Redirection, Static Content
  Application Development: .NET Extensibility, ISAPI Extensions
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Request Filtering, Windows Authentication
  Performance: Static Content Compression

Dependency: Management Tools
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
  IIS Management Console

Dependency: Windows Process Activation Service
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Process Model, Configuration APIs, .NET Environment

NPAS

Installed Files
Component | Resource file | Note
Network Policy Server | ias.dll, iasacct.dll, iasads.dll, iasdatastore.dll, iasdatastore2.dll, iashlpr.dll, IasMigPlugin.dll, iasmontr.dll, iasnap.dll, iasperf.dll, iaspolcy.dll, iasrad.dll, iasrecst.dll, iassam.dll, iassdo.dll, iassvcs.dll, iasuihelper.dll, npsui.dll, sdohlp.dll, sdohlplib.dll | (none)

Running Services
Display name | Service name | Executable path | Type
Network Policy Server | IAS | C:\Windows\System32\svchost.exe -k netsvcs | Automatic (delayed start)

Firewall Rules
Rule name | Service name | Description | Port | Path
Network Policy Server (DCOM-In) | rpcss | Inbound rule to allow DCOM traffic for the Network Policy Server. [TCP 135] | 135 | %systemroot%\system32\svchost.exe
Network Policy Server (Legacy RADIUS Accounting - UDP-In) | Any | Inbound rule to allow Network Policy Server to receive RADIUS Accounting requests. [UDP 1646] | 1646 | Any
Network Policy Server (Legacy RADIUS Authentication - UDP-In) | Any | Inbound rule to allow Network Policy Server to receive RADIUS Authentication requests. [UDP 1645] | 1645 | Any
Network Policy Server (RADIUS Accounting UDP-In) | Any | Inbound rule to allow Network Policy Server to receive RADIUS Accounting requests. [UDP 1813] | 1813 | Any
Network Policy Server (RADIUS Authentication UDP-In) | Any | Inbound rule to allow Network Policy Server to receive RADIUS Authentication requests. [UDP 1812] | 1812 | Any
Network Policy Server (RPC) | Any | Inbound rule for the Network Policy Server to be remotely managed via RPC/TCP. | Dynamic RPC | %systemroot%\system32\iashost.exe

Role Dependencies
Dependency: None
Description: (none)

Routing and Remote Access: Remote Access

Installed Files
Component | Resource file | Note
DHCP v4 Relay Agent | Ipbootp.dll | IP BOOTP.
DHCP v6 Relay Agent | Dhcpv6r.dll | DHCPv6 Relay.
Netsh helper DLL | Ipmontr.dll | IP Router Monitor DLL.
Netsh helper DLL | Ippromon.dll | IP protocols monitor DLL.
IP routing node in the MMC snap-in | Ipsnap.dll | IP routing management snap-in.
Routing and Remote Access MMC snap-in | Rrasmgmt.msc | Routing and Remote Access MMC console file.

Running Services
Display name | Service name | Executable path | Type
Routing and Remote Access | RemoteAccess | C:\Windows\System32\svchost.exe -k netsvcs | Automatic
Remote Access Quarantine Agent | Rqs | %systemroot%\system32\rqs.exe | Manual

Firewall Rules
Rule name | Service name | Description | Port | Path
Routing and Remote Access (GRE-In) | Any | Inbound rule for RRAS to allow Generic Routing Encapsulation Protocol traffic. | GRE (any port) | System
Routing and Remote Access (L2TP-In) | Any | Inbound rule for RRAS to allow Layer 2 Tunnel Protocol traffic. [UDP 1701] | 1701 | System
Routing and Remote Access (PPTP-In) | Any | Inbound rule for RRAS to allow Point-to-Point Tunnel Protocol traffic. [TCP 1723] | 1723 | System
Routing and Remote Access (GRE-Out) | Any | Outbound rule for RRAS to allow Generic Routing Encapsulation Protocol traffic. | GRE (any port) | System
Routing and Remote Access (L2TP-Out) | Any | Outbound rule for RRAS to allow Layer 2 Tunnel Protocol traffic. [UDP 1701] | 1701 | System
Routing and Remote Access (PPTP-Out) | Any | Outbound rule for RRAS to allow Point-to-Point Tunnel Protocol traffic. [TCP 1723] | 1723 | System
Routing and Remote Access Remote Management (DCOM-In) | rpcss | Inbound rule to allow DCOM traffic for Routing and Remote Access (RRAS) to be remotely managed. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Routing and Remote Access Remote Management (RPC-In) | Any | Inbound rule for Routing and Remote Access (RRAS) to be remotely managed by RPC/TCP. | Dynamic RPC | %systemroot%\system32\remrras.exe
DHCPv4 Relay Agent [Client] (UDP-In) | remoteaccess | Inbound rule for DHCPv4 Relay Agent to allow DHCP traffic. [UDP 67] | 67 | %systemroot%\system32\svchost.exe
DHCPv6 Relay Agent [Server] (UDP-In) | remoteaccess | Inbound rule for DHCPv6 Relay Agent to allow DHCP traffic. [UDP 547] | 547 | %systemroot%\system32\svchost.exe
DHCPv4 Relay Agent [Client] (UDP-Out) | remoteaccess | Outbound rule for DHCPv4 Relay Agent to allow DHCP traffic. [UDP 67] | 67 | %systemroot%\system32\svchost.exe
DHCPv6 Relay Agent [Server] (UDP-Out) | remoteaccess | Outbound rule for DHCPv6 Relay Agent to allow DHCP traffic. [UDP 547] | 547 | %systemroot%\system32\svchost.exe

Note: In addition to the firewall rules listed in the previous tables, the computer may also require the firewall rules needed to support IPsec and RADIUS communication with other computers running the NPS role service.

Note: Some of the Windows Firewall rules that the Remote Access role service uses are disabled until you run the Configure and Enable Routing and Remote Access wizard. For more information on how to run the Configure and Enable Routing and Remote Access wizard, see "Install and Enable the Routing and Remote Access Service" in the Windows Server 2008 Help and Support.

Role Dependencies
Dependency: NPS
Description: Although not dependent on this role, the Remote Access Service role service uses the NPS role service for authentication in most remote access scenarios.

Dependency: AD CS
Description: Although not dependent on this role, the Remote Access Service role service uses the AD CS role for certificate authentication in some remote access scenarios.

Routing

Installed Files
Component | Resource file | Note
IGMP | igmpv2.dll | IGMPv2
IGMP agent | Igmpagnt.dll | Microsoft IGMP subagent
RIP | Iprip2.dll | IP RIP
RIP agent | Ripagnt.dll | Microsoft RIP2 subagent

Running Services
Display name | Service name | Executable path | Type
Routing and Remote Access | RemoteAccess | C:\Windows\System32\svchost.exe -k netsvcs | Automatic
Remote Access Quarantine Agent | Rqs | %systemroot%\system32\rqs.exe | Manual

Firewall Rules
Rule name | Service name | Description | Port | Path
Routing and Remote Access (GRE-In) | Any | Inbound rule for RRAS to allow Generic Routing Encapsulation Protocol traffic. | GRE (any port) | System
Routing and Remote Access (L2TP-In) | Any | Inbound rule for RRAS to allow Layer 2 Tunnel Protocol traffic. [UDP 1701] | 1701 | System
Routing and Remote Access (PPTP-In) | Any | Inbound rule for RRAS to allow Point-to-Point Tunnel Protocol traffic. [TCP 1723] | 1723 | System
Routing and Remote Access (GRE-Out) | Any | Outbound rule for RRAS to allow Generic Routing Encapsulation Protocol traffic. | GRE (any port) | System
Routing and Remote Access (L2TP-Out) | Any | Outbound rule for RRAS to allow Layer 2 Tunnel Protocol traffic. [UDP 1701] | 1701 | System
Routing and Remote Access (PPTP-Out) | Any | Outbound rule for RRAS to allow Point-to-Point Tunnel Protocol traffic. [TCP 1723] | 1723 | System
Routing and Remote Access Remote Management (DCOM-In) | rpcss | Inbound rule to allow DCOM traffic for Routing and Remote Access (RRAS) to be remotely managed. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Routing and Remote Access Remote Management (RPC-In) | Any | Inbound rule for Routing and Remote Access (RRAS) to be remotely managed by RPC/TCP. | Dynamic RPC | %systemroot%\system32\remrras.exe
DHCPv4 Relay Agent [Client] (UDP-In) | remoteaccess | Inbound rule for DHCPv4 Relay Agent to allow DHCP traffic. [UDP 67] | 67 | %systemroot%\system32\svchost.exe
DHCPv6 Relay Agent [Server] (UDP-In) | remoteaccess | Inbound rule for DHCPv6 Relay Agent to allow DHCP traffic. [UDP 547] | 547 | %systemroot%\system32\svchost.exe
DHCPv4 Relay Agent [Client] (UDP-Out) | remoteaccess | Outbound rule for DHCPv4 Relay Agent to allow DHCP traffic. [UDP 67] | 67 | %systemroot%\system32\svchost.exe
DHCPv6 Relay Agent [Server] (UDP-Out) | remoteaccess | Outbound rule for DHCPv6 Relay Agent to allow DHCP traffic. [UDP 547] | 547 | %systemroot%\system32\svchost.exe

Note: As a router, the Routing role service routes a large number of protocols between locations in your intranet. However, these protocols are typically encapsulated in a PPTP, L2TP, or SSTP tunnel.

Note: Some of the Windows Firewall rules that the Routing role service uses are disabled until you run the Configure and Enable Routing and Remote Access wizard. For more information on how to run the Configure and Enable Routing and Remote Access wizard, see "Install and Enable the Routing and Remote Access Service" in the Windows Server 2008 Help and Support.

Role Dependencies
Dependency: Routing and Remote Access
Description: The Routing role service depends on the Routing and Remote Access role service.

Dependency: NPS
Description: Although not dependent on this role, the Remote Access Service role service uses the NPS role service for authentication in most remote access scenarios.

Dependency: AD CS
Description: Although not dependent on this role, the Remote Access Service role service uses the AD CS role for certificate authentication in some remote access scenarios.

Health Registration Authority

Installed Files
Component | Resource file | Note
HRA Service | %systemroot%\system32\hcs\hcsrvext.dll | (none)
HRA Service | %systemroot%\system32\hcs\Hcsperf.dll | (none)

Running Services
Note: The HRA role service has no services; it runs as an ISAPI extension hosted in IIS.

Firewall Rules
Rule name | Service name | Description | Port | Path
World Wide Web Services (HTTPS Traffic-In) | Any | An inbound rule to allow HTTPS traffic for Internet Information Services (IIS). [TCP 443] | 443 | System
World Wide Web Services (HTTP Traffic-In) | Any | An inbound rule to allow HTTP traffic for Internet Information Services (IIS). [TCP 80] | 80 | System

Note: The local ports specified in the previous table are based on the default port numbers for the HTTP and HTTPS protocols. If you configure the server running IIS that hosts the HRA role service to use different ports, substitute those ports for the ports in the previous table.

Role Dependencies
Dependency: Network Policy and Access Server
Description: This role service must be installed locally, but can be configured as a proxy. The following components are required:
  Network Policy Server

Dependency: Web Server (IIS)
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
  Application Development: ISAPI Extensions
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Windows Authentication, Client Certificate Mapping Authentication
  Performance: Static Content Compression

Dependency: Management Tools
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 Scripting Tools, IIS 6 WMI Compatibility
  IIS Management Console

Dependency: Windows Process Activation Service
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Process Model, Configuration APIs

Note: Although not required to be installed locally, the HRA role service requires access to a certification authority (CA). For more information about CAs, see Chapter 9, "Hardening Active Directory Certificate Services."

Host Credential Authorization Protocol

Installed Files
Component | Resource file | Note
HCAP Server | %systemroot%\system32\hcap\hcapext.dll | (none)

Running Services
Note: The HCAP role service has no services; it runs as an ISAPI extension hosted in IIS.

Firewall Rules
Rule name | Service name | Description | Port | Path
World Wide Web Services (HTTPS Traffic-In) | Any | An inbound rule to allow HTTPS traffic for Internet Information Services (IIS). [TCP 443] | 443 | System
World Wide Web Services (HTTP Traffic-In) | Any | An inbound rule to allow HTTP traffic for Internet Information Services (IIS). [TCP 80] | 80 | System

Note: The local ports specified in the previous table are based on the default port numbers for the HTTP and HTTPS protocols. If you configure the server running IIS that hosts the HCAP role service to use different ports, substitute those ports for the ports in the previous table.

Role Dependencies
Dependency: Network Policy and Access Server
Description: This role service must be installed locally, but can be configured as a proxy. The following components are required:
  Network Policy Server

Dependency: Web Server (IIS)
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
  Application Development: ISAPI Extensions
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Basic Authentication, Digest Authentication, Client Certificate Mapping Authentication, IIS Client Certificate Mapping Authentication
  Performance: Static Content Compression

Dependency: Management Tools
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  IIS 6 Management Compatibility: IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility
  IIS Management Console

Dependency: Windows Process Activation Service
Description: This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
  Process Model, Configuration APIs

Note: Although not required to be installed locally, the HCAP role service requires access to a certification authority (CA). For more information about CAs, see Chapter 9, "Hardening Active Directory Certificate Services."

Terminal Services Role Service

Installed Files
Component | Resource Files | Description
Terminal Services | PublishingWizard.dll, PublishSnapIn.dll, rapmsign.dll, SDClient.dll, tlsbln.exe, tssdjet.dll | Core TS resource files.
Terminal Services Extensions | tsprof.exe | This command-line tool copies the user configuration information, which is displayed in the Terminal Services extensions to Local Users and Groups and Active Directory Users and Computers, from one user to another. Terminal Services profile can also set the profile path for a user.
TS Licensing | Tssrvlic.dll | The TS Licensing client.
TS-Install | TSAppCMP.dll, TSAppInstall.exe | Provides the TS-Install Wizard to support installing applications onto the Terminal Server.
TS RemoteApp Manager MMC Snap-in | remoteprograms.msc | The management console snap-in for managing RemoteApps.

Running Services
Service Name | Display Name | Executable path | Type
TermService | Terminal Server | C:\Windows\System32\svchost -k termsvcs | Automatic
SessionEnv | Terminal Services Configuration | C:\Windows\System32\svchost -k netsvcs | Manual
UMRDPService | Terminal Services UserMode Port Redirector | C:\Windows\System32\svchost -k LocalSystemNetworkRestricted | Manual

Firewall Rules
Rule Name | Description | Port | Path
Remote Desktop (TCP-In) | Inbound rule for the Remote Desktop service to allow RDP traffic. | TCP 3389 | System
Terminal Services (RPC) | Inbound rule to allow Terminal Services to be remotely managed via RPC/TCP traffic. | Dynamic RPC | %systemroot%\system32\svchost.exe
Terminal Services (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for Terminal Services. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Terminal Services (NP-In) | Inbound rule to allow Terminal Services to be remotely managed over Named Pipes. | TCP 445 | System
Terminal Services - WMI (DCOM-In) | Inbound rule to allow DCOM traffic for remote WMI management of Terminal Services. | TCP 135 | %systemroot%\system32\svchost.exe
Terminal Services - WMI (TCP-In) | Inbound rule for WMI management of Terminal Services. | Dynamic RPC | %systemroot%\system32\svchost.exe
Terminal Services - WMI (WMI-Out) | Outbound rule for WMI management of Terminal Services. | Any | %systemroot%\system32\svchost.exe

Terminal Services Licensing Role Service

Installed Files
Component | Resource Files | Description
Service resource files | C:\Windows\System32\lrwizdll.dll, C:\Windows\System32\lserver.dll, C:\Windows\System32\tls236.dll, C:\Windows\System32\TlsArwApi.dll | Core TS Licensing resource files.
Licensing Manager | C:\Windows\System32\LicMgr.exe | TS Licensing Manager application.
 | C:\Windows\System32\TLSUnattend.exe | tbd - pg
WMI Management | C:\Windows\System32\TlsWmiProv.dll | TS Licensing WMI provider.

Running Services
Service Name | Display Name | Executable path | Type
TermServLicensing | Terminal Services Licensing | C:\Windows\System32\svchost -k TSLicensing | Automatic

Firewall Rules
Rule Name | Description | Port | Path
Terminal Services Licensing Server (RPC) | Inbound rule for Terminal Services Licensing Server to be remotely managed via RPC/TCP. | Dynamic RPC | %systemroot%\system32\svchost.exe
Terminal Services Licensing Server (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for Terminal Services Licensing Server. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Terminal Services Licensing Server (NP-In) | Inbound rule to allow Terminal Services Licensing Server to be remotely managed over Named Pipes. | TCP 445 | System
Terminal Services Licensing Server - WMI (DCOM-In) | Inbound rule to allow DCOM traffic for remote WMI management of Terminal Services Licensing Server. | TCP 135 | %systemroot%\system32\svchost.exe
Terminal Services Licensing Server - WMI (TCP-In) | Inbound rule for WMI management of Terminal Services Licensing Server. | Dynamic RPC | %systemroot%\system32\svchost.exe
Terminal Services Licensing Server - WMI (WMI-Out) | Outbound rule for WMI management of Terminal Services Licensing Server. | Any | %systemroot%\system32\svchost.exe

Terminal Services Session Broker Role Service

Installed Files
Component | Resource Files | Description
Service | C:\Windows\System32\tssdis.exe | TS Session Broker service file.
Script | C:\Windows\System32\TerminalServerSessionDirectoryRole.cmd | Used to start and stop the TS Session Broker service.
WMI | C:\Windows\System32\TsSdWmi.dll | WMI provider for the TS Session Broker service.

Running Services
Service Name | Display Name | Executable path | Type
tssdis | Terminal Services Session Broker | C:\Windows\System32\tssdis.exe | Automatic

Firewall Rules
Rule Name | Description | Port | Path
Session Broker Service (RPC) | Inbound rule to allow the Session Broker service to be remotely managed via RPC/TCP traffic. | Dynamic RPC | %systemroot%\system32\tssdis.exe
Session Broker Service (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Session Broker Service. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Session Broker Service (NP-In) | Inbound rule to allow the Session Broker Service to be remotely managed over Named Pipes. | TCP 445 | System
Session Broker Service - WMI (DCOM-In) | Inbound rule to allow DCOM traffic for remote WMI management of the Session Broker Service. | TCP 135 | %systemroot%\system32\svchost.exe
Session Broker Service - WMI (TCP-In) | Inbound rule for WMI management of the Session Broker Service. | Dynamic RPC | %systemroot%\system32\svchost.exe
Session Broker Service - WMI (WMI-Out) | Outbound rule for WMI management of the Session Broker Service. | Any | %systemroot%\system32\svchost.exe

TS Gateway Role Service

Installed Files
Component | Resource Files | Description
tbd - pg | | 

Running Services
Service Name | Display Name | Executable path | Type
TSGateway | Terminal Services Gateway | C:\Windows\system32\svchost.exe -k tsgateway | Automatic

Firewall Rules
Rule Name | Description | Port | Path
World Wide Web Services HTTP Traffic In | Enables/disables firewall support for port 80 incoming traffic. | TCP 80 | System
Terminal Services Gateway Server Farm (RPC HTTP Load Balancing Service) | Inbound rule for the Terminal Services Gateway Server Farm to allow RPC load balancing communications. Disabled by default. | Dynamic RPC | %systemroot%\system32\svchost.exe
Terminal Services Gateway Server Farm (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Terminal Services Gateway Server Farm. Disabled by default. | RPC Endpoint Mapper | %systemroot%\system32\svchost.exe
Terminal Services Gateway Server Farm (TCP-In) | Inbound rule to allow connections from other members of the Terminal Services Gateway Server farm. Disabled by default. | TCP 3388 | %systemroot%\system32\svchost.exe

TS Web Access Role Service

Installed Files
Component | Resource Files | Description
tbd - pg | | 

Running Services
Service Name | Display Name | Executable path | Type
tbd - pg | | | 

Firewall Rules
Rule Name | Description | Port | Path
World Wide Web Services HTTP Traffic In | Enables/disables firewall support for port 80 incoming traffic. | TCP 80 | System


				
posted:3/26/2009