HOWTO: Disable Unnecessary Services and Scheduled Tasks on Windows Servers running Azure AD Connect

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

 

Why harden Azure AD Connect

Hardening provides additional layers to defense in depth approaches. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise.

Reasons why

Azure AD Connect installations are typically placed on the internal network, close to Active Directory Domain Controllers. In fact, many security experts advice to treat Azure AD Connect installations as Domain Controllers. When an Azure AD Connect installation is compromised, the information on the Windows Server and in the Azure AD Connect database can be used to:

  • Make changes to the entire Azure AD Connect tenant, for instance by changing the password of an account with the Global Administrator role or adding an account to a group to provide access to resources.
  • Make changes to the Organizational Units (OUs) in Active Directory in scope for Azure AD Connect (in the case of hardened service accounts with privileges limited to the OUs in scope, for instance change passwords for administrators, add accounts to groups and attach new on-premises accounts to existing Azure AD accounts through the objectGUID or mS-DS-ConsistencyGUID attribute, used as source anchor.
  • Implement additional Domain Controllers and/or perform a DCSync attack, based on the Replicate Changes and Replicate Changes All permissions assigned in Active Directory to the Azure AD Connect service account.

Also remember that Azure AD Connect cannot be implemented on Server Core installations of Windows Server or Windows containers: Azure AD Connect requires a Windows Server installation with Desktop Experience (or what most people call a ‘Full Server’)

Possible negative impact (What could go wrong?)

When an Azure AD Connect installation is hardened improperly, it may stop synchronizing objects from Active Directory to Azure Active Directory. Synchronization cycle occur every 30 minutes, by default. So you may not get events indicating something is wrong in Event Viewer right away.

When synchronization stops or is partial, the most apparent problem is that colleagues will start experiencing lack of functionality; When they get married, their name change is not reflected everywhere. When they get added to a group, they don’t gain access to cloud applications. When they change or reset their password, it’s not reflected, or they receive a “Something went wrong” error, etc.

However, things get tricky when people are laid off on the spot. In these situations, it’s important that the user account is disabled, stripped from permissions and/or removed throughout all systems as soon as possible.

 

Getting Ready

To disable unnecessary services on Windows Servers running Azure AD Connect, make sure to meet the following requirements:

System requirements

Make sure the Windows Server installations are installed with the latest cumulative Windows Updates. Also make sure you run the latest stable version of Azure AD Connect.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the Windows Server running Azure AD Connect reside.

Who to communicate to

When intending to make changes to Azure AD Connect installations, make sure to send a heads-up to these people and/or teams in your organization:

  • Load balancers and networking guys and gals
  • The Active Directory team
  • The people responsible for backups, restores and disaster recovery
  • The people going through the logs, using a SIEM and/or a TSCM solution
  • The monitoring team

One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll-back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

Unnecessary services

By default

The following Windows services are disabled, by default, on Windows Server with Desktop Experience installations of Windows Server 2016:

  • Auto Time Zone Update (tzautoupdate)
  • Computer Browser (browser)
  • Microsoft App-V Client (AppVClient)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Offline files (cscService)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)
  • User Experience Virtualization Service (UevAgentService)
  • Windows Search (WSearch)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on installations of Windows Server 2016 with the Desktop Experience (Full Installations). These can be disabled:

  • ActiveX Installer (AxInstSV) (AxInstSV)
  • Bluetooth Support Service (bthserv)
  • CDPUserSvc (CDPUserSvc)
  • Contact Data (PimIndexMaintenancesvc)
  • dmwappushsvc (dmwappushsvc)
  • Downloaded Maps Manager (MapsBroker)
  • Geolocation Service (lfsvc)
  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Microsoft Account Sign-in Assistant (wlidsvc)
  • Microsoft Passport (NgcSvc)
  • Microsoft Passport Container (NgcCtnrSvc)
  • Network Connection Broker (NcbService)
  • Phone Service (PhoneSvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Program Compatibility Assistant Service (PcaSvc)
  • Quality Windows Audio Video Experience (QWAVE)
  • Radio Management Service (RmSvc)
  • Sensor Data Service (SensorDataService)
  • Sensor Monitoring Service (SensrSvc)
  • Sensor Service (SensorService)
  • Shell Hardware Detection (ShellHWDetection)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • SSDP Discovery (SSDPSRV)
  • Still Image Acquisition Events (WiaRpc)
  • Sync Host (OneSyncSvc)
  • Touch Keyboard and Handwriting Panel (TabletInputService)
  • UPnP Device Host (upnphost)
  • User Data Access (UserDataSvc)
  • User Data Storage (UnistoreSvc)
  • WalletService (WalletService)
  • Windows Audio (Audiosrv)
  • Windows Audio Endpoint Builder (AudioEndpointBuilder)
  • Windows Camera Frame Server (FrameServer)
  • Windows Image Acquisition (WIA) (stisvc)
  • Windows Insider Service (wisvc)
  • Windows Mobile Hotspot Service (icssvc)
  • Windows Push Notifications System Service (WpnService)
  • Windows Push Notifications User Service (WpnUserService)
  • Xbox Live Auth Manager (XblAuthManager)
  • Xbox Live Game Save (XblGameSave)

 

Unnecessary tasks

On Windows Server installations with Desktop Experience, two scheduled tasks exist that can be removed without consequences on Windows Servers running Azure AD Connect:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon

 

How to disable unnecessary services

As the Windows Servers running Azure AD Connect are part of Active Directory Domain Services, the best way to disable the unnecessary Windows Services is through Group Policy.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD Windows Servers running Azure AD Connect reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other location where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Policies node.
  11. Expand the Windows Settings node.
  12. Expand the Security Settings node.
  13. Select System Services.Disable a service through Group Policy (click for original screenshot)
  14. In the main pane, for each service in the above list, double-click the service, and then select the Define this policy setting option and select the Disabled service startup mode.
  15. When done, close the Group Policy Management Editor window.
  16. Close the Group Policy Management Console window.
  17. Sign out.

 

How to remove scheduled tasks

As the Windows Servers running Azure AD Connect are part of Active Directory Domain Services, the best way to remove the unnecessary scheduled tasks is through Group Policy Preferences.

Note:
Do not place Group Policy settings and Group Policy preferences in the same Group Policy object, as this will result in synchronous processing behavior and slowness during startups of the Windows Servers running Azure AD Connect.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with
    an account that is delegated to create and link Group Policy objects (GPOs) to
    Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where
    the Windows Servers running Azure AD Connect reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link
    it here…
    .
  5. In the New GPO pop-up, provide a name for the Group Policy
    Object, corresponding to the naming convention for Group Policy objects in the
    environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console,
    expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management
    Console
    pop-up, explaining You have selected a link to a Group
    Policy Object (GPO). Except for changes to link properties, changes you make
    here are global to the GPO, and will impact all other location where this GPO is
    linked.
  9. Right-click the Group Policy object and select Edit… from
    the context menu.
    The Group Policy Management Editor window
    appears.
  10. In the left navigation pane, under Computer Configuration,
    expand the Preferences node.
  11. Expand the Control Panel Settings node.
  12. Expand the Scheduled Tasks node.
  13. In the main pane, right-click on Scheduled Tasks and select New  and then Scheduled Task from the context menu.GPPDisableScheduledTask
  14. In the New Task Properties window,select Delete as the action and provide the name of the scheduled task, exactly as provided above.
  15. Click OK.
  16. Repeat steps 13-15 for the second task.
  17. When done, close the Group Policy Management Editor
    window.
  18. Close the Group Policy Management Console window.
  19. Sign out.

 

Testing proper hardening

After hardening it’s time to test the hardening. Everyone should sign off (not literally, unless that’s procedure) on the correct working of the Windows Servers running Azure AD Connect. Does authentication to cloud applications still work? Does rolling over the certificate still work? Does monitoring still work? Can we still make back-ups? Can we still restore the backups we make?

Typically, hardening is rolled out to one Windows Server running Azure AD Connect. In an environment with a Staging Mode Azure AD Connect installation, the hardening can be performed on this Windows Server installation and tested with the normal Staging Mode (imports only) synchronization cycles. When hardening is approved upon, the actively synchronizing Azure AD Connect installation can be switched, or hardened, too.

Rolling back hardening

To roll back hardening of the services and removal of the scheduled tasks, disable the Group Policy object(s) or remove the link between the Group Policy object(s) and the Organizational Unit (OU) where the Windows Servers running Azure AD Connect reside.

 

Concluding

Disable unnecessary services on all Windows Servers running Azure AD Connect throughout the Hybrid Identity implementation using Group Policy.

Further reading

Mimikatz and DCSync and ExtraSids, Oh My
Mimikatz DCSync Usage, Exploitation, and Detection

Series Navigation

<< HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS ServersHOWTO: Enforce Azure AD Connect to use TLS 1.2 only >>

One Response to HOWTO: Disable Unnecessary Services and Scheduled Tasks on Windows Servers running Azure AD Connect

  1.  

    Thanks for these 3 posts !
    Cyril

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.