What are the recommended hardened services settings for Windows for PCI DSS, NERC-CIP, NIST 800-53 or other compliance standards?

Security best practice advocates minimizing your IT systems' 'attack surface'. CIS Benchmark secure configuration guidance lets you harden systems against attack: known vulnerabilities can be removed and defenses strengthened by applying an expert-derived configuration policy.

 

PCI DSS V3.2: Requirement 2.2d 'Enabling only necessary services'

  • "Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
  • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system"

NERC-CIP: CIP-007-5 Cyber Security – Systems Security Management

"Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. Requirement R1 exists to reduce the attack surface of Cyber Assets by requiring entities to disable known unnecessary ports. The SDT intends for the entity to know what network accessible (“listening”) ports and associated services are accessible on their assets and systems, whether they are needed for that Cyber Asset’s function, and disable or restrict access to all other ports. 1.1. This requirement is most often accomplished by disabling the corresponding service or program that is listening on the port or configuration settings within the Cyber Asset"

NIST SP 800-53 Rev 4: CM-7 LEAST FUNCTIONALITY

"The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]"

The Center for Internet Security also recommends hardening service configurations, cutting back functionality to further reduce the opportunities to compromise a system. However, the demands of each organization, its IT services and its environment are all different, making it impossible to accurately prescribe a hardened services policy for every situation.

To help you get started with deriving your own hardened services policies, NNT in conjunction with Microsoft have provided the following Hardened Services checklists. You can manually audit your server for compliance using the checklists provided below, changing service mode and state using the Windows Services Console (search or run -> services.msc). As ever, it pays to test application and service delivery as you apply hardening measures to ensure required functionality is preserved while security is improved.
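
The manual audit described above can also be scripted. The following PowerShell is an added example, not NNT or Microsoft code: it compares a few rows copied from the Server 2016 list on this page with what `Get-CimInstance Win32_Service` reports. The function names `Test-HardenedService` and `ConvertTo-StartMode` and the fallback sample rows are constructed for illustration.

```powershell
# Added example: read-only audit of Windows services against a hardened baseline.
# Baseline rows are copied from the Server 2016 list on this page; extend with the rest.
$Baseline = @(
    [pscustomobject]@{ Name = 'AxInstSV';   StartMode = 'Disabled';  States = @('Stopped') }
    [pscustomobject]@{ Name = 'ALG';        StartMode = 'Disabled';  States = @('Stopped') }
    [pscustomobject]@{ Name = 'bthserv';    StartMode = 'Disabled';  States = @('Stopped') }
    [pscustomobject]@{ Name = 'Browser';    StartMode = 'Disabled';  States = @('Stopped') }
    [pscustomobject]@{ Name = 'CDPUserSvc'; StartMode = 'Disabled';  States = @('Stopped') }
    [pscustomobject]@{ Name = 'BITS';       StartMode = 'Manual';    States = @('Stopped', 'Running') }
    [pscustomobject]@{ Name = 'BFE';        StartMode = 'Auto';      States = @('Running') }
    [pscustomobject]@{ Name = 'CryptSvc';   StartMode = 'Auto';      States = @('Running') }
    [pscustomobject]@{ Name = 'DiagTrack';  StartMode = 'Automatic'; States = @('Running') }
)

function ConvertTo-StartMode {
    param([string] $Mode)
    # The checklist writes both "Auto" and "Automatic"; Win32_Service reports "Auto".
    if ($Mode -eq 'Automatic') { 'Auto' } else { $Mode }
}

function Test-HardenedService {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,  # rows with Name, StartMode, States
        [Parameter(Mandatory)] [object[]] $Actual     # rows with Name, StartMode, State
    )
    foreach ($rule in $Baseline) {
        $wantMode  = ConvertTo-StartMode $rule.StartMode
        $wantState = $rule.States -join '/'

        # Per-user services show up as "<Name>_<suffix>" instances beside the template,
        # so match the exact name and any suffixed instance.
        $found = @($Actual | Where-Object {
            $_.Name -eq $rule.Name -or $_.Name -like "$($rule.Name)_*"
        })

        if ($found.Count -eq 0) {
            # Service is not present on this host: nothing to harden, but report it.
            [pscustomobject]@{
                Service = $rule.Name; ExpectedMode = $wantMode; ActualMode = $null
                ExpectedState = $wantState; ActualState = $null; Result = 'NotInstalled'
            }
            continue
        }

        foreach ($svc in $found) {
            $modeOk  = (ConvertTo-StartMode $svc.StartMode) -eq $wantMode
            $stateOk = $rule.States -contains $svc.State
            $result  = if ($modeOk -and $stateOk) { 'Pass' } else { 'Fail' }
            [pscustomobject]@{
                Service = $svc.Name; ExpectedMode = $wantMode; ActualMode = $svc.StartMode
                ExpectedState = $wantState; ActualState = $svc.State; Result = $result
            }
        }
    }
}

if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    # Live query of the local server.
    $actual = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State
} else {
    # Constructed sample rows so the comparison logic can be exercised off-box.
    $actual = @(
        [pscustomobject]@{ Name = 'AxInstSV';         StartMode = 'Manual';   State = 'Stopped' }
        [pscustomobject]@{ Name = 'ALG';              StartMode = 'Disabled'; State = 'Stopped' }
        [pscustomobject]@{ Name = 'CDPUserSvc';       StartMode = 'Disabled'; State = 'Stopped' }
        [pscustomobject]@{ Name = 'CDPUserSvc_1a2b3'; StartMode = 'Auto';     State = 'Running' }
        [pscustomobject]@{ Name = 'BITS';             StartMode = 'Manual';   State = 'Running' }
        [pscustomobject]@{ Name = 'BFE';              StartMode = 'Auto';     State = 'Running' }
        [pscustomobject]@{ Name = 'CryptSvc';         StartMode = 'Auto';     State = 'Stopped' }
        [pscustomobject]@{ Name = 'DiagTrack';        StartMode = 'Auto';     State = 'Running' }
    )
}

$report = @(Test-HardenedService -Baseline $Baseline -Actual $actual)
$report | Format-Table -AutoSize

$failed = @($report | Where-Object { $_.Result -eq 'Fail' })
'{0} of {1} checked services deviate from the baseline' -f $failed.Count, $report.Count
```

The script only reads configuration; a start mode can then be changed in services.msc or with `Set-Service -StartupType` once the affected application has been tested.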

Services

Hardened Windows Service Configurations

Server 2016 Hardened Services List

A-D

ActiveX Installer (AxInstSV) Service

Display Name: ActiveX Installer (AxInstSV) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: AxInstSV
Description: Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls will behave according to default browser settings.

Download the complete Hardened Services Configuration

AllJoyn Router Service

Display Name: AllJoyn Router Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AJRouter
Description: Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers will be unable to run.

App Readiness Service

Display Name: App Readiness Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppReadiness
Description: Gets apps ready for use the first time a user signs in to this PC and when adding new apps.

Application Host Helper Service

Display Name: Application Host Helper Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: AppHostSvc
Description: Provides administrative services for IIS, for example configuration history and Application Pool account mapping. If this service is stopped, configuration history and locking down files or directories with Application Pool specific Access Control Entries will not work.

Application Identity Service

Display Name: Application Identity Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppIDSvc
Description: Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.

Application Information Service

Display Name: Application Information Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: Appinfo
Description: Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.

Application Layer Gateway Service

Display Name: Application Layer Gateway Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: ALG
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing

Application Management Service

Display Name: Application Management Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppMgmt
Description: Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start.

AppX Deployment Service (AppXSVC) Service

Display Name: AppX Deployment Service (AppXSVC) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppXSvc
Description: Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly.

ASP.NET State Service (aspnet_state) Service

Display Name: ASP.NET State Service (aspnet_state) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: aspnet_state
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.

Auto Time Zone Updater (tzautoupdate) Service

Display Name: Auto Time Zone Updater (tzautoupdate) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: tzautoupdate
Description: Automatically sets the system time zone.

Background Intelligent Transfer Service

Display Name: Background Intelligent Transfer Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: BITS
Description: Transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information.

Background Tasks Infrastructure (BrokerInfrastructure) Service

Display Name: Background Tasks Infrastructure (BrokerInfrastructure) Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: BrokerInfrastructure
Description: Windows infrastructure service that controls which background tasks can run on the system.

Base Filtering Engine Service

Display Name: Base Filtering Engine Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: BFE
Description: The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.

Bluetooth Support Service (bthserv) Service

Display Name: Bluetooth Support Service (bthserv) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: bthserv
Description: The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.

CDPUserSvc (cdpusersvc) Service

Display Name: CDPUserSvc (cdpusersvc) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: CDPUserSvc
Description: This user service is used for Connected Devices Platform scenarios

Certificate Propagation Service

Display Name: Certificate Propagation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: CertPropSvc
Description: Copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.

Client License Service (ClipSVC) Service

Display Name: Client License Service (ClipSVC) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: ClipSVC
Description: Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows Store will not behave correctly.

CNG Key Isolation Service

Display Name: CNG Key Isolation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: KeyIso
Description: The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

COM+ Event System Service

Display Name: COM+ Event System Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

COM+ System Application Service

Display Name: COM+ System Application Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: COMSysApp
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Computer Browser Service

Display Name: Computer Browser Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.

Connected Devices Platform Service (CDPSvc) Service

Display Name: Connected Devices Platform Service (CDPSvc) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running, Stopped
Name: CDPSvc
Description: This service is used for Connected Devices and Universal Glass scenarios

Connected User Experiences and Telemetry (DiagTrack) Service

Display Name: Connected User Experiences and Telemetry (DiagTrack) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running
Name: DiagTrack
Description: The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences. Additionally, this service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics.

Contact Data (PimIndexMaintenanceSvc) Service

Display Name: Contact Data (PimIndexMaintenanceSvc) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: PimIndexMaintenanceSvc
Description: Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results.

CoreMessaging (CoreMessagingRegistrar) Service

Display Name: CoreMessaging (CoreMessagingRegistrar) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running
Name: CoreMessagingRegistrar
Description: Manages communication between system components.

Credential Manager Service

Display Name: Credential Manager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: VaultSvc
Description: Provides secure storage and retrieval of credentials to users, applications and security service packages.

Cryptographic Services Service

Display Name: Cryptographic Services Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Data Sharing (DsSvc) Service

Display Name: Data Sharing (DsSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DsSvc
Description: Provides data brokering between applications.

Data Sharing (DcpSvc) Service

Display Name: Data Sharing (DcpSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DcpSvc
Description: The DCP (Data Collection and Publishing) service supports first party apps to upload data to cloud.

DCOM Server Process Launcher Service

Display Name: DCOM Server Process Launcher Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: DcomLaunch
Description: The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.

Device Association (deviceassociationservice) Service

Display Name: Device Association (deviceassociationservice) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DeviceAssociationService
Description: Enables pairing between the system and wired or wireless devices.

Device Install (DeviceInstall) Service

Display Name: Device Install (DeviceInstall) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DeviceInstall
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

Device Management Enrollment (DmEnrollmentSvc) Service

Display Name: Device Management Enrollment (DmEnrollmentSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DmEnrollmentSvc
Description: Performs Device Enrollment Activities for Device Management

Device Setup (DsmSvc) Service

Display Name: Device Setup (DsmSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DsmSvc
Description: Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.

DevQuery Background Discovery Broker (DevQueryBroker) Service

Display Name: DevQuery Background Discovery Broker (DevQueryBroker) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DevQueryBroker
Description: Enables apps to discover devices with a background task

DHCP Client Service

Display Name: DHCP Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: Dhcp
Description: Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.

Diagnostic Policy Service

Display Name: Diagnostic Policy Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: DPS
Description: The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.

Diagnostic Service Host Service

Display Name: Diagnostic Service Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: WdiServiceHost
Description: The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.

Diagnostic System Host Service

Display Name: Diagnostic System Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: WdiSystemHost
Description: The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.

Distributed Transaction Coordinator Service

Display Name: Distributed Transaction Coordinator Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: MSDTC
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start.

DMWAPPushService (dmwappushservice) Service

Display Name: DMWAPPushService (dmwappushservice) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: dmwappushservice
Description: WAP Push Message Routing Service

DNS Client Service

Display Name: DNS Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: Dnscache
Description: The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

Downloaded Maps Manager (MapsBroker) Service

Display Name: Downloaded Maps Manager (MapsBroker) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: MapsBroker
Description: Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps. Disabling this service will prevent apps from accessing maps.

Server 2012R2 Hardened Services List

A-D

App Readiness Service

Display Name: App Readiness Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The App Readiness Service gets apps ready for use the first time a user signs in to this PC and when adding new apps.

Application Experience Service

Display Name: Application Experience Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Experience service processes application compatibility cache requests for applications as they are launched.

Application Host Helper Service

Display Name: Application Host Helper Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: Handles administrative tasks for Internet Information Services (IIS), Microsoft's web server. This process can be safely disabled if you do not use IIS. It may also be safe to disable if you do not need to control access to dynamic application pools.

Application Identity Service

Display Name: Application Identity Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. This service is configured by default for a manual start. When started, by default it logs on using the local service account.

Application Information Service

Display Name: Application Information Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.

Application Layer Gateway Service

Display Name: Application Layer Gateway Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Layer Gateway Service provides support for 3rd party protocol plug-ins for Internet Connection Sharing.

Application Management Service

Display Name: Application Management Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Management service processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start.

AppX Deployment Service (AppXSVC) Service

Display Name: AppX Deployment Service (AppXSVC) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The AppX Deployment Service provides infrastructure support for deploying Store applications. The AppX Deployment Service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly.

ASP.NET State Service (aspnet_state) Service

Display Name: ASP.NET State Service (aspnet_state) Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.

Background Intelligent Transfer Service

Display Name: Background Intelligent Transfer Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Background Intelligent Transfer Service transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information.

Background Tasks Infrastructure (BrokerInfrastructure) Service

Display Name: Background Tasks Infrastructure (BrokerInfrastructure) Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Background Tasks Infrastructure service is a Windows infrastructure service that controls which background tasks can run on the system.

Base Filtering Engine Service

Display Name: Base Filtering Engine Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.

Certificate Propagation Service

Display Name: Certificate Propagation Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Certificate Propagation service copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.

CNG Key Isolation Service

Display Name: CNG Key Isolation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

COM+ Event System Service

Display Name: COM+ Event System Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The COM+ Event System service supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

COM+ System Application Service

Display Name: COM+ System Application Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The COM+ System Application service manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Computer Browser Service

Display Name: Computer Browser Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Computer Browser service maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.

Credential Manager Service

Display Name: Credential Manager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Credential Manager service provides secure storage and retrieval of credentials to users, applications and security service packages.

Cryptographic Services Service

Display Name: Cryptographic Services Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Cryptographic Services service provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

DCOM Server Process Launcher Service

Display Name: DCOM Server Process Launcher Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.


Device Association (deviceassociationservice) Service

Display Name: Device Association (deviceassociationservice) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Device Association service enables pairing between the system and wired or wireless devices.


Device Install (deviceinstall) Service

Display Name: Device Install (deviceinstall) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Device Install service enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.


Device Setup (dsmsvc) Service

Display Name: Device Setup (dsmsvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Device Setup service enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.


DHCP Client Service

Display Name: DHCP Client Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The DHCP Client service registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.


Diagnostic Policy Service

Display Name: Diagnostic Policy Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.


Diagnostic Service Host Service

Display Name: Diagnostic Service Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.


Diagnostic System Host Service

Display Name: Diagnostic System Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.


Distributed Transaction Coordinator Service

Display Name: Distributed Transaction Coordinator Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Distributed Transaction Coordinator service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start.


DNS Client Service

Display Name: DNS Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.


The Enhanced Mitigation Experience Toolkit (EMET) Service

Display Name: The Enhanced Mitigation Experience Toolkit (EMET) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform. EMET also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust. This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).


Encrypting File System (EFS) Service

Display Name: Encrypting File System (EFS) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format. Encryption is the strongest protection that Windows provides to help you keep your information secure.


Extensible Authentication Protocol Service

Display Name: Extensible Authentication Protocol Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.


Server 2008R2 Hardened Services List

A-D

Application Experience Service

Display Name: Application Experience Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Experience service processes application compatibility cache requests for applications as they are launched.


Application Host Helper Service

Display Name: Application Host Helper Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: Handles administrative tasks for Internet Information Services (IIS), Microsoft's web server. This process can be safely disabled if you do not use IIS. It may also be safe to disable if you do not need to control access to dynamic application pools.


Application Identity Service

Display Name: Application Identity Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. This service is configured by default for a manual start. When started, by default it logs on using the local service account.


Application Information Service

Display Name: Application Information Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.


Application Layer Gateway Service

Display Name: Application Layer Gateway Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Layer Gateway Service provides support for 3rd party protocol plug-ins for Internet Connection Sharing.


Application Management Service

Display Name: Application Management Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Application Management service processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start.


Background Intelligent Transfer Service

Display Name: Background Intelligent Transfer Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Background Intelligent Transfer Service transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information.


Base Filtering Engine Service

Display Name: Base Filtering Engine Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.


Certificate Propagation Service

Display Name: Certificate Propagation Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Certificate Propagation service copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.


CNG Key Isolation Service

Display Name: CNG Key Isolation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.


COM+ Event System Service

Display Name: COM+ Event System Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The COM+ Event System service supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.


COM+ System Application Service

Display Name: COM+ System Application Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The COM+ System Application service manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.


Computer Browser Service

Display Name: Computer Browser Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Computer Browser service maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.


Credential Manager Service

Display Name: Credential Manager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Description: The Credential Manager service provides secure storage and retrieval of credentials to users, applications and security service packages.


Cryptographic Services Service

Display Name: Cryptographic Services Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The Cryptographic Services service provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.


DCOM Server Process Launcher Service

Display Name: DCOM Server Process Launcher Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.


Desktop Window Manager Session Manager Service

Display Name: Desktop Window Manager Session Manager Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Desktop Window Manager Session Manager service provides Desktop Window Manager startup and maintenance services. The service supports the Themes service and checks that applications are compatible with the Windows Aero user experience in Windows Vista. If an application is not compatible with Aero, this service causes it to revert to a classic Windows theme that it supports. If your computer does not support Aero graphics, you may see improved performance by disabling this service.


Diagnostic Policy Service

Display Name: Diagnostic Policy Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.


Diagnostic Service Host Service

Display Name: Diagnostic Service Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.


Diagnostic System Host Service

Display Name: Diagnostic System Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.


Distributed Transaction Coordinator Service

Display Name: Distributed Transaction Coordinator Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The Distributed Transaction Coordinator service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start.


DHCP Client Service

Display Name: DHCP Client Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Description: The DHCP Client service registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.


DNS Client Service

Display Name: DNS Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Description: The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.


Windows 10 Hardened Services List

A-D

ActiveX Installer (AxInstSV) Service

Display Name: ActiveX Installer (AxInstSV) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: AxInstSV
Description: Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls will behave according to default browser settings.


AllJoyn Router Service

Display Name: AllJoyn Router Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AJRouter
Description: Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers will be unable to run.


App Readiness Service

Display Name: App Readiness Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppReadiness
Description: Gets apps ready for use the first time a user signs in to this PC and when adding new apps.


Application Identity Service

Display Name: Application Identity Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppIDSvc
Description: Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.


Application Information Service

Display Name: Application Information Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: Appinfo
Description: Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.


Application Layer Gateway Service

Display Name: Application Layer Gateway Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: ALG
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing.


Application Management Service

Display Name: Application Management Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppMgmt
Description: Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start.


AppX Deployment Service (AppXSVC) Service

Display Name: AppX Deployment Service (AppXSVC) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AppXSvc
Description: Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly.


AssignedAccessManager Service

Display Name: AssignedAccessManager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: AssignedAccessManagerSvc
Description: AssignedAccessManager Local Server


Auto Time Zone Updater (tzautoupdate) Service

Display Name: Auto Time Zone Updater (tzautoupdate) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: tzautoupdate
Description: Automatically sets the system time zone.


Background Intelligent Transfer Service

Display Name: Background Intelligent Transfer Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: BITS
Description: Transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information.


Background Tasks Infrastructure (BrokerInfrastructure) Service

Display Name: Background Tasks Infrastructure (BrokerInfrastructure) Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: BrokerInfrastructure
Description: Windows infrastructure service that controls which background tasks can run on the system.


Base Filtering Engine Service

Display Name: Base Filtering Engine Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: BFE
Description: The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.


BitLocker Drive Encryption Service

Display Name: BitLocker Drive Encryption Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: BDESVC
Description: The BitLocker Drive Encryption Service (BDESVC) allows BitLocker to prompt users for various actions related to their drives when they are accessed and supports the unlocking of BitLocker-protected drives automatically without user interaction. Additionally, the service supports the storing of recovery information to Active Directory Domain Services, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service will prevent users from using these features of BitLocker.


Block Level Backup Engine Service

Display Name: Block Level Backup Engine Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: wbengine
Description: The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer.


Bluetooth Handsfree Service

Display Name: Bluetooth Handsfree Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: BthHFSrv
Description: Enables wireless Bluetooth headsets to run on this computer. If this service is stopped or disabled, then Bluetooth headsets will not function properly with this machine.


Bluetooth Support Service (bthserv) Service

Display Name: Bluetooth Support Service (bthserv) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: bthserv
Description: The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.


BranchCache

Display Name: BranchCache
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: PeerDistSvc
Description: This service caches network content from peers on the local subnet.


Capability Access Manager Service

Display Name: Capability Access Manager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: camsvc
Description: Provides facilities for managing UWP apps' access to app capabilities as well as checking an app's access to specific app capabilities.


CDPUserSvc (cdpusersvc) Service

Display Name: CDPUserSvc (cdpusersvc) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: CDPUserSvc
Description: This user service is used for Connected Devices Platform scenarios.


Certificate Propagation Service

Display Name: Certificate Propagation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: CertPropSvc
Description: Copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.


Client License Service (ClipSVC) Service

Display Name: Client License Service (ClipSVC) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: ClipSVC
Description: Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows Store will not behave correctly.


CNG Key Isolation Service

Display Name: CNG Key Isolation Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: KeyIso
Description: The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.


COM+ Event System Service

Display Name: COM+ Event System Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.


COM+ System Application Service

Display Name: COM+ System Application Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: COMSysApp
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.


Connected Devices Platform Service (CDPSvc) Service

Display Name: Connected Devices Platform Service (CDPSvc) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running, Stopped
Name: CDPSvc
Description: This service is used for Connected Devices and Universal Glass scenarios.


Connected User Experiences and Telemetry (DiagTrack) Service

Display Name: Connected User Experiences and Telemetry (DiagTrack) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running
Name: DiagTrack
Description: The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences. Additionally, this service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics.


Contact Data (PimIndexMaintenanceSvc) Service

Display Name: Contact Data (PimIndexMaintenanceSvc) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: PimIndexMaintenanceSvc
Description: Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results.


CoreMessaging (CoreMessagingRegistrar) Service

Display Name: CoreMessaging (CoreMessagingRegistrar) Service
Hardened Start Mode: Automatic, Hardened Expected State: Running
Name: CoreMessagingRegistrar
Description: Manages communication between system components.


Credential Manager Service

Display Name: Credential Manager Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: VaultSvc
Description: Provides secure storage and retrieval of credentials to users, applications and security service packages.


Cryptographic Services Service

Display Name: Cryptographic Services Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Data Sharing (DsSvc) Service

Display Name: Data Sharing (DsSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DsSvc
Description: Provides data brokering between applications.

Data Usage Service

Display Name: Data Usage Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: DusmSvc
Description: Network data usage, data limit, restrict background data, metered networks.

DCOM Server Process Launcher Service

Display Name: DCOM Server Process Launcher Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: DcomLaunch
Description: The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.

Delivery Optimization Service

Display Name: Delivery Optimization Service
Hardened Start Mode: Auto, Hardened Expected State: Stopped/Running
Name: DoSvc
Description: Performs content delivery optimization tasks

Device Association (deviceassociationservice) Service

Display Name: Device Association (deviceassociationservice) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DeviceAssociationService
Description: Enables pairing between the system and wired or wireless devices.

Device Install (DeviceInstall) Service

Display Name: Device Install (DeviceInstall) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DeviceInstall
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

Device Management Enrollment (DmEnrollmentSvc) Service

Display Name: Device Management Enrollment (DmEnrollmentSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DmEnrollmentSvc
Description: Performs Device Enrollment Activities for Device Management

Device Setup (DsmSvc) Service

Display Name: Device Setup (DsmSvc) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DsmSvc
Description: Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.

DevicesFlow

Display Name: DevicesFlow
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DevicesFlowUserSvc
Description: Device Discovery and Connecting

DevQuery Background Discovery Broker (DevQueryBroker) Service

Display Name: DevQuery Background Discovery Broker (DevQueryBroker) Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: DevQueryBroker
Description: Enables apps to discover devices with a backgroud task

DHCP Client Service

Display Name: DHCP Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: Dhcp
Description: Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.

Diagnostic Execution Service

Display Name: Diagnostic Execution Service
Hardened Start Mode: Manual, Hardened Expected State: Stopped, Running
Name: diagsvc
Description: Executes diagnostic actions for troubleshooting support

Diagnostic Policy Service

Display Name: Diagnostic Policy Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: DPS
Description: The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.

Diagnostic Service Host Service

Display Name: Diagnostic Service Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: WdiServiceHost
Description: The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.

Diagnostic System Host Service

Display Name: Diagnostic System Host Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: WdiSystemHost
Description: The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.

Distributed Transaction Coordinator Service

Display Name: Distributed Transaction Coordinator Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: MSDTC
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start.

DMWAPPushService (dmwappushservice) Service

Display Name: DMWAPPushService (dmwappushservice) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: dmwappushservice
Description: WAP Push Message Routing Service

DNS Client Service

Display Name: DNS Client Service
Hardened Start Mode: Auto, Hardened Expected State: Running
Name: Dnscache
Description: The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

Downloaded Maps Manager (MapsBroker) Service

Display Name: Downloaded Maps Manager (MapsBroker) Service
Hardened Start Mode: Disabled, Hardened Expected State: Stopped
Name: MapsBroker
Description: Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps. Disabling this service will prevent apps from accessing maps.
