U-M Windows Forest
ITS Windows-Based Services
How-To Documents
Frequently Asked Questions
Contact Us
U-M Windows Forest Main

Allowing IIS, SQL and the Messaging Services in the UMROOT Domain

IIS, SQL and the Messaging applications are 3 of the most vulnerable on Windows workstations and servers and must be properly secured and patched or you will surely have a compromised machine on your hands. We have decided to turn off the services that support these applications by default in the UMROOT domain. You can easily turn these services back on in your OU or a sub-OU.

These following services have their Startup property configured to Disabled in the Default Domain Group Policy. If you start one of these services manually, the service will run until the next reboot, when the group policy will not allow it to start.

World Wide Publishing (W3SVC)
IIS Admin Service

In order to allow these services to run, you will need to create a Group Policy at your OU level, or better at a sub-OU level where you want all the machines in that OU to be able to run the service. Please note that some workstation applications such as Visio and others install a version of MS SQL Server that is very vulnerable unless properly secured. This is one of the reasons for implementing this Group Policy across the entire domain. The specific group policy that needs to be configured is:

Computer Configuration/Windows Settings/Security Settings/System Services

To allow one or all of these services to run, change the Startup type from Disabled to Automatic or Manual. Microsoft has not made changing this setting easy. The machine that you are running the Group Policy editor on, must be running the service you want to enable or it won't show up in the list of services.

There are some potential problems that you need to be aware of. If this is a computer that you want the service to start Automatically, change the setting to Automatic. This setting does not only allow computers in this OU to run the service, it actually sets this service to Automatic on all computers affected by the Group Policy. This could lead to the service running on computers you don't want it running on. Another option is to choose Manual, but then you have to start the service after every reboot. Once you are aware of this "feature," you can be careful to apply this new Group Policy to only those computers you want to run the service by creating a special OU for them or using Group Policy Filtering.

To make this easier, we have created several Group Polices with these settings. All you need to do is link one or more these Policies to your OU. The Policies are located in the UMICH/UMROOT-Administration/Policies OU. The Policies are:

UMROOT Allow IIS Service Policy
UMROOT Allow Messenger Service Policy
UMROOT Allow SQL Server Service Policy
UMROOT Allow Dangerous Apps Policy (IIS and Messenger Service)