
Ten Practical Security Steps
No Unneeded Services

5. Turn off all unneeded services or daemons, and run those you must keep with the lowest privilege level that works, i.e., not as SYSTEM, root or an administrator.

A port that isn't listening or a service that is off can't be attacked over the network. Every operating system installs with services running that most machines don't need. Turn off or disable every service a machine doesn't actually use and you can set most security alerts aside, because they mostly describe problems in services that a default install leaves running. Software that merely sits on disk, neither running nor listening, can't be reached by a remote attacker. Administrators who leave their systems at default install settings must pay attention to every security alert for their operating systems, because those alerts will mostly describe weaknesses that really are exposed on their systems.

"Netstat -an" will show open ports on the local machine. Use nmap or another port scanner to detect all open ports on all machines on your network. Be absolutely sure that you have top IT management approval for this. Don't use the common port lists; scan all 65,535 TCP and UDP ports on every machine. Use one of the log file formats or tee to redirect the screen output to a file. If possible do this during the night or other low use period. Test some typical individual and unimportant machines before scanning a network.

If there are internal firewalls, scan from inside each segment so that no firewall sits between the scanner and the machines being scanned; a firewall in the path hides ports that are actually open on the host. You're only interested in open ports. There should be a very small number that you recognize as standard, necessary services on most or all machines, plus a few others such as TCP 80 on your web server(s) and TCP 25 on your mail server(s).

Everything else that's open needs to be investigated. An unexpected open port typically means one of two things: a default service that this machine doesn't need, usually on its standard port, or a backdoor such as Back Orifice or a netcat listener, typically but not necessarily on an odd port. Unneeded services should be turned off. If a standard port is open but the standard service isn't running, or an odd port is open, the most likely explanation is unauthorized software installed by a user or an intruder, and the machine should be treated as suspect until you have identified the process behind the port.
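The triage described above, as an added example that is not part of the original page: a small shell script that reads nmap's grepable (-oG) output, compares every open port against a per-host baseline of ports that are supposed to be open, and prints the rest for investigation. The scan output, host names and baseline are constructed sample data, not a real capture; the only real dependencies are sh and awk.

```shell
#!/bin/sh
# Added example (not GeodSoft's code): flag open ports that are not in a baseline.
# The scan text is constructed; a real one comes from something like
#   nmap -sS -sU -p- -oG scan.gnmap 192.0.2.0/24
# run with management approval (the full UDP sweep is slow).
SCAN=$(cat <<'EOF'
# Nmap scan initiated as: nmap -sS -sU -p- -oG scan.gnmap 192.0.2.0/24
Host: 192.0.2.10 (web01)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8888/open/tcp//sun-answerbook///	Ignored State: closed (131066)
Host: 192.0.2.20 (mail01)	Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 31337/open/tcp//Elite///	Ignored State: closed (131066)
Host: 192.0.2.30 (ws07)	Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 137/open|filtered/udp//netbios-ns///	Ignored State: closed (131066)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
EOF
)

# Baseline of expected listeners, one "host port/proto" per line (constructed).
BASELINE=$(cat <<'EOF'
192.0.2.10 22/tcp
192.0.2.10 80/tcp
192.0.2.20 22/tcp
192.0.2.20 25/tcp
192.0.2.30 139/tcp
192.0.2.30 445/tcp
EOF
)

# unexpected_ports SCAN BASELINE
# Prints "host port/proto service" for every port nmap reports as "open" that is
# not in the baseline. UDP "open|filtered" results are ambiguous and are skipped.
unexpected_ports() {
  {
    printf '%s\n' "$2" | sed 's/^/BASELINE /'   # tag baseline lines for awk
    printf '%s\n' "$1"
  } | awk '
    /^BASELINE / { ok[substr($0, 10)] = 1; next }
    /^Host: / {
      host = $2
      i = index($0, "Ports: "); if (i == 0) next
      j = index($0, "Ignored State:")
      list = (j > 0) ? substr($0, i + 7, j - i - 7) : substr($0, i + 7)
      gsub(/[ \t]+$/, "", list)
      m = split(list, ports, ", ")
      for (k = 1; k <= m; k++) {
        split(ports[k], p, "/")          # port/state/proto/owner/service/...
        if (p[2] != "open") continue
        key = host " " p[1] "/" p[3]
        if (!(key in ok)) print key, (p[5] == "" ? "unknown" : p[5])
      }
    }'
}

# Stand-alone run: lists the two listeners that need investigating.
unexpected_ports "$SCAN" "$BASELINE"
```

In the sample, 8888/tcp on the web server and 31337/tcp (the classic Back Orifice number) on the mail server fall out for investigation, while the workstation's NetBIOS ports match its baseline. Keep the baseline under version control so each scan is a diff against what you last approved rather than a fresh judgement call.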

Those services that are needed should run with the minimum privileges necessary to do their job. If a service runs without SYSTEM or root privileges, the damage it can do if it has a security flaw is substantially limited, provided file access permissions are set up carefully. The practical opportunities to restrict services may be limited, but some services have well documented methods for running with reduced privileges. On Windows, running a service under a Domain Admins account is even worse than running it as System: a compromise of the service then gives the attacker administrative access to every machine in the domain, not just all local resources.

Web servers are the ideal example of a service that can and should run with limited privileges. By the very nature of what it does, a web server will be reachable by everyone on your LAN and quite possibly the whole world. Running as system or root, the opportunity for damage from a buggy CGI script or other application level program is enormous; it is quite limited if the web server runs as a user set up specifically for that purpose. Apache has simple configuration directives, "User" and "Group", that make its request-handling processes run as a limited privilege user. NT's IIS normally serves anonymous requests in the security context of IUSR_machine-name. All NT users are members of the group Everyone and cannot be removed from it, so if you've severely limited Everyone's access as suggested in step four you've done most of what's needed; the IIS user then only needs explicit access to the resources that are to be made public through IIS.

Though most IIS actions run in the security context of IUSR_machine-name, some work is done in the system context before the request's security environment is established. Multiple buffer overflows have been found in IIS that allow execution of arbitrary commands in the system context. The only protection against these is to apply the appropriate security patches as soon as such a bug is announced, which is one more reason not to leave IIS running on machines that don't need a web server.

Normally Apache starts as root to bind port 80 and then switches to another user context. When properly configured, all user requests are handled by processes running as a non privileged user. It's been over four years since Apache had an exploit comparable to the IIS exploits that run in the system context. Further, there is a technique available to any UNIX service that runs as root only to bind a port below 1024. The service can run unprivileged on a high numbered port, e.g., 8888 for a web server, and port forwarding software, normally part of network address translation (NAT) software or the host firewall, forwards requests received on the low port to the high port. For example, a web server listens on 8888 and the port forwarder redirects everything arriving on 80, the normal public web port, to 8888. This is transparent to the web server or other server receiving the forwarded requests, though you should check that any URLs the server generates about itself (redirects, for example) still name port 80 rather than 8888.
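A check for the privilege rule in this section, as an added example that is not part of the original page: given the listening sockets on a UNIX host, report each port whose only listeners run as root. A root parent with unprivileged workers on the same port (the normal Apache arrangement) passes; a daemon that is root-only on a high port has no excuse at all, and a root-only daemon on a low port is a candidate for the high-port-plus-redirect technique. The lsof output, process names and the ROOT_OK list are constructed assumptions for the example, not a real capture.

```shell
#!/bin/sh
# Added example (not GeodSoft's code): audit listening TCP ports by owning user.
# Input format is that of  lsof -nP -iTCP -sTCP:LISTEN  run as root so every
# process is visible. The text below is constructed sample data.
LSOF=$(cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       612     root    3u  IPv4  14021      0t0  TCP *:22 (LISTEN)
httpd      901     root    4u  IPv4  15310      0t0  TCP *:80 (LISTEN)
httpd      905 www-data    4u  IPv4  15310      0t0  TCP *:80 (LISTEN)
httpd      906 www-data    4u  IPv4  15310      0t0  TCP *:80 (LISTEN)
backupd   1204     root   31u  IPv4  18877      0t0  TCP *:999 (LISTEN)
java      2310     root   57u  IPv6  22019      0t0  TCP *:8080 (LISTEN)
postgres  1350 postgres    5u  IPv4  16002      0t0  TCP 127.0.0.1:5432 (LISTEN)
EOF
)

# Daemons allowed to keep a root process on their port with no unprivileged
# worker (assumed list; sshd needs root to create sessions for other users).
ROOT_OK="sshd"

# root_only_listeners LSOF_OUTPUT
# Prints "port command advice" for every port whose listeners are all root
# processes and whose command is not in ROOT_OK, lowest port first.
root_only_listeners() {
  printf '%s\n' "$1" | awk -v allow="$ROOT_OK" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $NF == "(LISTEN)" {
      port = $(NF - 1); sub(/.*:/, "", port)    # "*:80" or "127.0.0.1:5432" -> port
      cmd[port] = $1
      if ($3 == "root") asroot[port] = 1; else unpriv[port] = 1
    }
    END {
      for (port in asroot) {
        if ((port in unpriv) || (cmd[port] in ok)) continue  # root parent + workers, or allowed
        if (port + 0 < 1024)
          print port, cmd[port], "privileged port: start as root and drop, or bind a high port and redirect"
        else
          print port, cmd[port], "unprivileged port: no reason to run as root"
      }
    }' | sort -n
}

# Stand-alone run: flags backupd on 999 and java on 8080; httpd, sshd and
# postgres pass.
root_only_listeners "$LSOF"
```

For the flagged low port, the redirect the text describes is on Linux an iptables nat rule of the form "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8888" (with a matching OUTPUT rule if local clients must reach it), and on OpenBSD a pf "rdr" rule; newer Linux systems can instead grant the binary only the cap_net_bind_service capability with setcap, so it binds the low port without ever being root. None of those commands are run by the script above; it only reports.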


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

 