HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll harden the AD FS Server installations, by disabling unnecessary services running on it. This way, we lower their attack surfaces.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. However, as management of AD FS on Server Core installations is PowerShell-only, we also include information for AD FS Servers running Windows Server 2016with Desktop Experience (Full).

 

Why harden AD FS Servers

Hardening provides additional layers to defense in depth approaches. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise.

Reasons why

Active Directory Federation Services (AD FS) servers are typically placed on the internal network, close to Active Directory Domain Controllers. They offer security translation, and as such can be abused to create claim tokens that misrepresent information towards cloud applications. In the end, the private key for the service communications certificate is trusted by all relying parties. The private keys for the token encryption and token signing certificates provide additional levels of trust, depending on the configuration. Needless to say, you deleted any *.pfx files you used to import these certificates from the hard disk, right?

Possible negative impact (What could go wrong?)

When AD FS servers are improperly hardened, the functionality of the AD FS farm stops and/or monitoring of the AD FS servers stops. This functionality can be easily assessed. However, in situations with load balancers and having hardened some of the AD FS servers, it may be tricky to get results from the right AD FS server.

 

Getting Ready

To disable unnecessary services on AD FS servers, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the AD FS servers reside.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the load balancer guys and gals, the networking guys and gals, the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll-back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

Unnecessary services

By default

The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:

  • Computer Browser (browser)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)

The following Windows services are disabled, by default on Windows Server with Desktop Experience installations of Windows Server 2016:

  • Auto Time Zone Update (tzautoupdate)
  • Microsoft App-V Client (AppVClient)
  • Offline files (cscService)
  • User Experience Virtualization Service (UevAgentService)
  • Windows Search (WSearch)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on installations of Windows Server 2016 with the Desktop Experience (Full Installations). These can be disabled:

  • ActiveX Installer (AxInstSV) (AxInstSV)
  • Bluetooth Support Service (bthserv)
  • CDPUserSvc (CDPUserSvc)
  • Contact Data (PimIndexMaintenancesvc)
  • dmwappushsvc (dmwappushsvc)
  • Downloaded Maps Manager (MapsBroker)
  • Geolocation Service (lfsvc)
  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Microsoft Account Sign-in Assistant (wlidsvc)
  • Microsoft Passport (NgcSvc)
  • Microsoft Passport Container (NgcCtnrSvc)
  • Network Connection Broker (NcbService)
  • Phone Service (PhoneSvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Program Compatibility Assistant Service (PcaSvc)
  • Quality Windows Audio Video Experience (QWAVE)
  • Radio Management Service (RmSvc)
  • Sensor Data Service (SensorDataService)
  • Sensor Monitoring Service (SensrSvc)
  • Sensor Service (SensorService)
  • Shell Hardware Detection (ShellHWDetection)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • SSDP Discovery (SSDPSRV)
  • Still Image Acquisition Events (WiaRpc)
  • Sync Host (OneSyncSvc)
  • Touch Keyboard and Handwriting Panel (TabletInputService)
  • UPnP Device Host (upnphost)
  • User Data Access (UserDataSvc)
  • User Data Storage (UnistoreSvc)
  • WalletService (WalletService)
  • Windows Audio (Audiosrv)
  • Windows Audio Endpoint Builder (AudioEndpointBuilder)
  • Windows Camera Frame Server (FrameServer)
  • Windows Image Acquisition (WIA) (stisvc)
  • Windows Insider Service (wisvc)
  • Windows Mobile Hotspot Service (icssvc)
  • Windows Push Notifications System Service (WpnService)
  • Windows Push Notifications User Service (WpnUserService)
  • Xbox Live Auth Manager (XblAuthManager)
  • Xbox Live Game Save (XblGameSave)

Most of the above services do not exist on Server Core installations, and can be ignored on these installations.

 

Unnecessary tasks

On Windows Server installations with Desktop Experience, two scheduled tasks exist that can be removed without consequences on AD FS Servers:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon

 

How to disable unnecessary services

As the AD FS Servers are part of Active Directory Domain Services, the best way to disable the unnecessary Windows Services is through Group Policy.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other location where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Policies node.
  11. Expand the Windows Settings node.
  12. Expand the Security Settings node.
  13. Select System Services.Disable a service through Group Policy (click for original screenshot)
  14. In the main pane, for each service in the above list, double-click the service, and then select the Define this policy setting option and select the Disabled service startup mode.
  15. When done, close the Group Policy Management Editor window.
  16. Close the Group Policy Management Console window.
  17. Sign out.

 

How to remove scheduled tasks

As the AD FS Servers are part of Active Directory Domain Services, the best way to remove the unnecessary scheduled tasks is through Group Policy Preferences.

Note:
Do not place Group Policy settings and Group Policy preferences in the same Group Policy object, as this will result in synchronous processing behavior and slowness during startups of the AD FS Servers.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with
    an account that is delegated to create and link Group Policy objects (GPOs) to
    Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where
    the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link
    it here…
    .
  5. In the New GPO pop-up, provide a name for the Group Policy
    Object, corresponding to the naming convention for Group Policy objects in the
    environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console,
    expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management
    Console
    pop-up, explaining You have selected a link to a Group
    Policy Object (GPO). Except for changes to link properties, changes you make
    here are global to the GPO, and will impact all other location where this GPO is
    linked.
  9. Right-click the Group Policy object and select Edit… from
    the context menu.
    The Group Policy Management Editor window
    appears.
  10. In the left navigation pane, under Computer Configuration,
    expand the Preferences node.
  11. Expand the Control Panel Settings node.
  12. Expand the Scheduled Tasks node.
  13. In the main pane, right-click on Scheduled Tasks and select New  and then Scheduled Task from the context menu.GPPDisableScheduledTask
  14. In the New Task Properties window,select Delete as the action and provide the name of the scheduled task, exactly as provided above.
  15. Click OK.
  16. Repeat steps 13-15 for the second task.
  17. When done, close the Group Policy Management Editor
    window.
  18. Close the Group Policy Management Console window.
  19. Sign out.

 

Testing proper hardening

After hardening it’s time to test the hardening. Everyone should sign off (not literally, unless that’s procedure) on the correct working of the AD FS servers. Does authentication to cloud applications still work? Does rolling over the certificate still work? Does monitoring still work? Can we still make back-ups? Can we still restore the backups we make?

Typically, hardening is rolled out to one AD FS server. When testing the hardening of the functionality behind the load balancer, make sure that the load balancer points you to the hardened system, not another one.

Rolling back hardening

To roll back hardening of the services and removal of the scheduled tasks, disable the Group Policy object(s) or remove the link between the Group Policy object(s) and the Organizational Unit (OU) where the AD FS servers reside.

 

Concluding

Disable unnecessary services on all AD FS Servers throughout the Hybrid Identity implementation using Group Policy.

Series Navigation

<< HOWTO: Disable Unnecessary Services on Web Application ProxiesHOWTO: Disable Unnecessary Services and Scheduled Tasks on Windows Servers running Azure AD Connect >>

3 Responses to HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers

  1.  

    Thank you for this and the WAP article. You mention these are recommended practices, yours, from Microsoft? Is this officially supported?

    • These are Microsoft-supported practices as outlined on the Microsoft Security Guidance blog and time-tested by me and my team in numerous real-world Hybrid Identity deployments.

       
  2.  

    Thank you Sander!

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.