Ten Practical Security Steps
No Unneeded Services
5. Turn off all unneeded services or daemons and run those
that you must with the lowest possible privilege level, i.e. not
as system, root or an administrator.
A port that's not listening or a service that's off can't be attacked.
All systems are installed by default with services running that are not
needed on most machines. If you turn off or disable services not
actually used on a machine you can ignore most security alerts as they
tend to describe problems that apply to default installs. Software
that is sitting idly on your disks won't hurt you. Administrators who
leave their systems with default install settings should pay attention
to every security alert for their operating systems as the alerts will
mostly describe weaknesses that may actually be attacked on their
systems.
"netstat -an" will show open ports on the local machine. Use nmap or
another port scanner to detect all open ports on all machines on your
network. Be absolutely sure that you have top IT management approval
for this. Don't use the common port lists; scan all 65,535 TCP and
UDP ports on every machine. Use one of the log file formats or tee to
redirect the screen output to a file. If possible do this during the
night or other low use period. Test some typical individual and
unimportant machines before scanning a network.
If there are internal firewalls, do this so that all machines can be
scanned without an intervening firewall. You're only interested in
open ports. There should be a very small number that you recognize as
standard and necessary services on most or all machines. There will
be a few others such as TCP 80 on your web server(s) and TCP 25 on
your mail server(s).
Everything else that's open needs to be investigated. These will
typically represent one of two conditions, a default service not
needed for the specific machine on a standard port or a backdoor /
Trojan such as BackOrifice or netcat, typically but not necessarily on
an odd port. The services should be turned off. If you find a
standard port open and the standard service isn't running or an odd
open port, then there is most likely unauthorized software installed by
a user or an intruder.
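A script for the triage described above, added here as an example and not part of the original article: it reads the output of "lsof -i -P -n" (a constructed sample is embedded so it runs offline; on a live host pipe the real command in), flags any listening port that is not on the per-host allowlist, and flags allowed services that still listen as root so they can be reviewed for reduced privileges. The allowlist format and the two labels are this example's own convention.

```shell
#!/bin/sh
# Constructed sample of "lsof -i -P -n" output from a default-style install.
SAMPLE='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     612   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    901   root    4u  IPv4  12380      0t0  TCP *:80 (LISTEN)
httpd    905   www     4u  IPv4  12380      0t0  TCP *:80 (LISTEN)
portmap  480   root    5u  IPv4  11000      0t0  UDP *:111
portmap  480   root    6u  IPv4  11001      0t0  TCP *:111 (LISTEN)
nc      1337   bob     3u  IPv4  20000      0t0  TCP *:31337 (LISTEN)
ntpd     700   ntp     7u  IPv6  13000      0t0  UDP [::]:123'

# triage "PROTO/PORT PROTO/PORT ..."   (lsof output on stdin)
# Prints one line per finding:
#   UNEXPECTED   proto/port user command   -> not on the allowlist, investigate
#   RUNS_AS_ROOT proto/port user command   -> allowed, but a candidate for
#                                             running under a limited account
triage() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                  # lsof header line
    $5 ~ /^IPv[46]$/ {
        proto = $8                                    # NODE column: TCP or UDP
        name = ($NF == "(LISTEN)") ? $(NF - 1) : $NF  # UDP lines carry no state
        if (proto == "TCP" && $NF != "(LISTEN)") next # skip established conns
        sub(/^.*:/, "", name)                         # port after the last ":"
        key = proto "/" name
        if (seen[key "/" $3]++) next                  # one line per port+user
        if (!(key in ok)) print "UNEXPECTED", key, $3, $1
        else if ($3 == "root") print "RUNS_AS_ROOT", key, $3, $1
    }'
}

# Run the triage over the constructed sample with a typical allowlist.
report_sample() { printf '%s\n' "$SAMPLE" | triage "TCP/22 TCP/80 UDP/123"; }

report_sample
```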
Those services that are needed should run with the minimum privileges
necessary to accomplish their tasks. If a service is running without
system or root privileges, the amount of damage it can do, even if it
has a security flaw, is substantially limited, provided file access
permissions are set up carefully. The practical opportunities to
restrict services may be limited but some have well documented methods
for running with limited privileges. On Windows, running a service
under a Domain Admins account is even worse than System, because the
service will have access to network resources, as well as all local
resources.
Web servers are the ideal example of a service that can and should be
run with limited privileges. By the very nature of what it does, a web
server will likely be available to everyone on your LAN and quite
possibly the whole world. Running with system or root privileges, the
opportunities for damage are enormous if there is a buggy CGI script
or other application level program, but quite limited if the web
server runs as a user set up specifically for this purpose. The
Apache web server has a simple configuration directive, "User", that allows
it to run most processes as a limited privilege user. NT's IIS normally runs
in the security context of IUSR_machine-name. All NT users are part
of the group Everyone and cannot be removed from the group. If you've
severely limited Everyone's access as suggested in step
four then you've done most of what's needed.
The IIS user then only needs to be granted explicit access to
those resources that are to be made public via IIS.
Though most IIS actions run in the security context of the
IUSR_machine-name user, some actions are performed in the system
context before the security environment is checked. Multiple
buffer overflows in IIS have been discovered, that allow the execution
of arbitrary commands in the system context. There is no protection
against these, except to apply the appropriate security patches when
such a bug is found.
Normally Apache starts as root to gain access to port 80 and switches
to another user context. When properly configured, all user requests
are handled by a process running as a non-privileged user. It's been
over four years since Apache had an exploit comparable to the IIS
exploits that occur in a system context. Further, there is a
technique available to all UNIX services that run as root, simply to
gain access to a port below 1024. The service can run non privileged
using a high numbered port, e.g., 8888 for a web server. Port
forwarding software which is normally part of network address
translation (NAT) software can forward requests received by the low
ports to the high ports. As an example a web server listens on
8888 and the port forwarding software forwards all requests received
on 80, the normal public web port, to 8888. This is transparent to
the web server or other server receiving forwarded requests.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.