Ten Practical Security Steps
Limit Software
10. Don't install anything you don't expect to use.
For resource-limited staffs, this is easy to honor going forward.
Starting with new system installs, don't put anything on the system
that is not needed. There is a strong temptation to install everything
that comes bundled in the base price of a system, especially since
disk space has grown, and its price has dropped, faster than any other
computer component, so most systems have more disk space than they will
ever need. The reasoning goes that if you put it on with the initial
install, it will be there and ready to go if you ever need it, whereas
adding components that were not installed initially is likely to be
more difficult.
There is some truth to this, but if you don't need the extras when the
system is installed, most of them never get used. While they sit unused
by the system's owner, they may be just what an intruder needs to gain
unauthorized access. Most of the Microsoft web-related security issues
have not been in the OS or even in the core of IIS. They have been in
things like RDS (Remote Data Services), ASP (Active Server Pages),
sample scripts and other options that are routinely put on by default
or complete installs. While some of these are essential to some
Microsoft web servers, most are not needed on most of the servers they
are installed on. Combined with lax Microsoft default file permissions,
these extras leave the systems they are on wide open to anyone who
knows how to exploit the weaknesses. Most reported NT security breaches
would not have occurred if unneeded IIS and Option Pack options had not
been installed.
ColdFusion has also had several serious bugs in its sample files. The
more software installed on a system, the more likely it is to be exposed
to a security exploit. The more there is on a system, the harder it
is to figure out what's on it and what is and is not needed. Not
putting it on in the first place is much easier than later
removing what you hope is unneeded software.
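One way to make "what is on it and what is and is not needed" answerable is to compare an inventory of installed components against a short list of what the server is actually meant to run, and to single out anything whose name marks it as sample or demonstration material. The script below is an added example, not code from the original page or from any vendor; the two-column inventory format, the component names and the expected list are all constructed for illustration, and in practice the inventory text would come from your platform's own component listing tool.

```python
"""Audit an installed-component inventory against what a server is expected
to need.  Added example, not from the original page; the inventory format,
component names and expected list below are hypothetical."""
import re
from typing import Dict, List, Set

# Constructed sample inventory (not real installer output): one component per
# line, "<name> <source>", where source records whether the component was
# chosen explicitly or arrived with a default or complete install.
SAMPLE_INVENTORY = """\
iis-core        explicit
asp             explicit
rds             default
iis-sample-site default
index-server    default
cf-examples     default
sql-server      explicit
"""

# What this particular server is for.  Anything installed beyond this is
# attack surface with no owner and a candidate for not being installed next
# time (or, if a known bug makes it urgent, for removal now).
SAMPLE_EXPECTED = {"iis-core", "asp", "sql-server"}

# Heuristic: names that usually mark demonstration material rather than
# needed function.  Tune for your environment; "test" in particular is broad.
_SAMPLE_NAME = re.compile(r"(sample|example|demo|tutorial|test)", re.IGNORECASE)


def parse_inventory(text: str) -> Dict[str, str]:
    """Return {component: source} from the two-column inventory text."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, source = line.partition(" ")
        inventory[name] = source.strip() or "unknown"
    return inventory


def audit(inventory: Dict[str, str], expected: Set[str]) -> Dict[str, List[str]]:
    """Classify installed components against the expected list.

    unexpected:            installed but not expected (sorted for stable output)
    unexpected_by_default: the subset nobody chose; it came with the installer
    sample_material:       unexpected items whose names suggest demo code
    missing:               expected but absent, so the expected list is checked too
    """
    installed = set(inventory)
    unexpected = sorted(installed - expected)
    return {
        "unexpected": unexpected,
        "unexpected_by_default": [n for n in unexpected if inventory[n] == "default"],
        "sample_material": [n for n in unexpected if _SAMPLE_NAME.search(n)],
        "missing": sorted(expected - installed),
    }


def format_report(result: Dict[str, List[str]]) -> str:
    """Render the audit as one line per category."""
    order = ("unexpected", "unexpected_by_default", "sample_material", "missing")
    return "\n".join(f"{key}: {', '.join(result[key]) or '(none)'}" for key in order)


if __name__ == "__main__":
    print(format_report(audit(parse_inventory(SAMPLE_INVENTORY), SAMPLE_EXPECTED)))
```

Keeping the expected list under version control alongside the server's build notes turns the next install into a checklist: anything the installer offers that is not on the list is declined, and the audit run after the install confirms nothing slipped in by default.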
Because of the potential problems in removing unnecessary software
from working systems, I would not do so, except when a known security
bug in that software actually exposes your systems to a real threat.
Resolve, on future installs and upgrades, to consider all options
carefully and to install only those that are expected to be used.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.