
Remove Unnecessary Network Services
NT doesn't require any network services to be running. However, your application might require a particular network service. For example, FireWall-1 doesn't need any network services, but IIS requires the RPC Configuration service. Thus, you need to check your application's documentation. After determining whether your application needs any network services, open the Control Panel Network applet and select the Services tab, as Figure 1 shows. Remove the network services you don't need.

Running the server with only the application's necessary network services will cause your system to complain. For example, you'll receive the Network Configuration error message "Windows NT Networking is not installed. Do you want to install it now?" You can simply click No when you receive this error message. Running the server with only the application's necessary network services will also cause several problems. You'll find that the User Manager for Domains doesn't work. You can fix this problem by replacing the User Manager for Domains with NT Workstation's User Manager. You might also have problems installing software because some installation packages make special calls to the OS that require information from network services. If such a problem occurs, you can reinstall the network services, install the new software, then remove the network services. The last problem you'll run into is that you won't be able to configure certain parts of the OS through the GUI. I describe how to work around this problem in the "Change the Network Configuration" section.

Disable Unnecessary Local Services
Instead of listing the many services that you need to disable, let's just mention the few services you need to leave enabled: the Event Log, NT LM Security Support Provider, and Protected Storage services. You also need to leave enabled any local services that your application might need. For example, for IIS, you need to leave the remote procedure call (RPC) service enabled in addition to the three services just mentioned. After determining whether your application needs any local services, open the Control Panel Services applet and disable the unnecessary services.

If you open Task Manager when only the Event Log, NT LM Security Support Provider, Protected Storage, and RPC services are running, you'll see only these processes: csrss.exe, explorer.exe, loadwc.exe, lsass.exe, nddeagnt.exe, pstores.exe, rpcss.exe, services.exe, smss.exe, and winlogon.exe. Under this configuration, NT is a lean operation, consuming only about 18MB of memory.

Change the Network Configuration
You change the network configuration through the GUI and the registry. The changes you make through the GUI are fairly simple. Just follow these steps:

  1. Remove the NetBIOS functionality from the TCP/IP stack. Open the Network applet and click the Bindings tab. In the Show Bindings for drop-down list, select all adapters. Select WINS Client(TCP/IP) and click Disable, as Figure 2 shows. Disabling the WINS client stops the server from listening on NetBIOS ports (i.e., 137 TCP and UDP; 138 UDP; and 139 TCP) for traffic.

  2. Disable the driver. Open the Control Panel Devices applet, select WINS Client(TCP/IP), and click Disable.

  3. Set up inbound TCP/IP filters if the bastion host isn't serving as a firewall. (You don't need inbound filters if you've installed a firewall application because the firewall application performs the filtering function.) The inbound TCP/IP filters modify the ports on which the server listens for inbound traffic. To set up inbound TCP/IP filters, you need to know the IP protocols and the ports you want to use. You can find examples of supported protocols in the \winnt\system32\drivers\etc\protocol file. You can find examples of supported ports in the \winnt\system32\drivers\etc\services file. After you've determined the IP protocols and the ports, open the Network applet and select Protocols, TCP/IP Protocol, Properties. Select your adapter, then click Advanced. Select the Enable Security check box and click Configure. In the TCP/IP Security dialog box that appears, specify the protocols and ports. For example, Figure 3 shows the ports required for a Web server that provides connectivity for the HTTP (port 80) and Secure Sockets Layer (SSL, port 443) protocols.
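To check the result of the three steps above, you can save the output of `netstat -an` from the bastion host and compare it against the ports you intend to allow. The following Python script is an added example, not part of the article's downloadable code. It flags sockets still bound to the NetBIOS ports from step 1 and listeners outside the allowlist. The sample output and addresses are constructed, and the default allowlist assumes the Web server case from step 3.

```python
import re

# NetBIOS ports named in step 1: 137 TCP and UDP, 138 UDP, 139 TCP.
NETBIOS = {("TCP", 137), ("UDP", 137), ("UDP", 138), ("TCP", 139)}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1044      ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Yield (proto, address, port) for each listening TCP or bound UDP socket."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        # UDP rows have no State column; TCP rows count only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            yield proto, addr, int(port)

def audit(netstat_text, allowed_tcp=frozenset({80, 443}), allowed_udp=frozenset()):
    """Return sorted (proto, port, reason) findings for unexpected sockets."""
    findings = set()
    for proto, _addr, port in listeners(netstat_text):
        allowed = allowed_tcp if proto == "TCP" else allowed_udp
        if (proto, port) in NETBIOS:
            findings.add((proto, port, "NetBIOS port still bound"))
        elif port not in allowed:
            findings.add((proto, port, "outside intended allowlist"))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, reason in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {reason}")
```

A listener reported as outside the allowlist (the RPC endpoint on TCP 135 in the sample) is a service that only the inbound filter keeps unreachable, so it is worth confirming that the application really needs it.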