Step 3. Services


Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your maintenance overhead (patches, service accounts, and so on).

If you run a service, make sure that it is secure and maintained. To do so, run the service using a least privilege account, and keep the service current by applying patches.

During this step, you:

  • Disable unnecessary services.

  • Disable FTP, SMTP, and NNTP unless you require them.

  • Disable the ASP.NET State service unless you require it.

Disable Unnecessary Services

Windows services are vulnerable to attackers who can exploit the service's privileges and capabilities and gain access to local and remote system resources. As a defensive measure, disable Windows services that your systems and applications do not require. You can disable Windows services by using the Services MMC snap-in located in the Administrative Tools programs group.

Note

Before you disable a service, make sure that you first test the impact in a test or staging environment.

In most cases, the following default Windows services are not needed on a Web server: Alerter, Browser, Messenger, Netlogon (required only for domain controllers), Simple TCP/IP Services, and Spooler.

The Telnet service is installed with Windows, but it is not enabled by default. IIS administrators often enable Telnet. However, it is an insecure protocol susceptible to exploitation. Terminal Services provides a more secure remote administration option. For more information about remote administration, see "Remote Administration," later in this chapter.

Disable FTP, SMTP, and NNTP Unless You Require Them

FTP, SMTP, and NNTP are examples of insecure protocols that are susceptible to misuse. If you do not need them, do not run them. If you currently run them, try to find a secure alternative. If you must run them, secure them.

Note

IIS Lockdown provides options for disabling FTP, SMTP, and NNTP.

To eliminate the possibility of FTP exploitation, disable the FTP service if you do not use it. If FTP is enabled and is available for outbound connections, an attacker can use FTP to upload files and tools to a Web server from the attacker's remote system. Once the tools and files are on your Web server, the attacker can attack the Web server or other connected systems.

If you use the FTP protocol, neither the user name and password you use to access the FTP site nor the data you transfer is encoded or encrypted. IIS does not support SSL for FTP. If secure communications are important and you use FTP as your transfer protocol (rather than World Wide Web Distributed Authoring and Versioning (WebDAV) over SSL), consider using FTP over an encrypted channel such as a Virtual Private Network (VPN) that is secured with Point-to-Point Tunneling Protocol (PPTP) or Internet Protocol Security (IPSec).

Disable the ASP.NET State Service Unless You Require It

The .NET Framework installs the ASP.NET State service (aspnet_state.exe) to manage out-of-process user session state for ASP.NET Web applications and Web services. By default, this service is configured for manual startup and runs as the least privileged local ASPNET account. If none of your applications store state by using this service, disable it. For more information on securing ASP.NET session state, see the "Session State" section in Chapter 19, "Securing Your ASP.NET Application and Web Services."
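As an added example that is not part of the book, the following PowerShell script audits the services this step singles out (the defaults listed above plus Telnet, FTP, SMTP, NNTP and the ASP.NET State service) and reports each one's state, startup type and logon account, so you can verify the least-privilege and "disabled unless required" points before touching anything. It assumes PowerShell 3.0 or later for Get-CimInstance, and the short service names on the right-hand side of the table are the Windows Server 2003 / IIS 6 names assumed here; with -Disable it also stops the services and sets their startup type to Disabled, skipping Netlogon on a domain controller as the text requires.

```powershell
# Added example (not from the book): audit the services named in Step 3 and,
# only when -Disable is given, stop them and set startup type to Disabled.
# Run it in a staging environment first, as the Note above advises.
param([switch]$Disable)

# Display name -> short service name (assumed Windows Server 2003 / IIS 6 names).
$Candidates = [ordered]@{
    'Alerter'                = 'Alerter'
    'Computer Browser'       = 'Browser'
    'Messenger'              = 'Messenger'
    'Netlogon'               = 'Netlogon'      # required only on domain controllers
    'Simple TCP/IP Services' = 'SimpTcp'
    'Print Spooler'          = 'Spooler'
    'Telnet'                 = 'TlntSvr'
    'FTP Publishing'         = 'MSFTPSVC'
    'SMTP'                   = 'SMTPSVC'
    'NNTP'                   = 'NntpSvc'
    'ASP.NET State Service'  = 'aspnet_state'  # runs as the low-privilege ASPNET account
}

# DomainRole 4 or 5 means this machine is a domain controller; Netlogon must stay.
$IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

foreach ($entry in $Candidates.GetEnumerator()) {
    # Win32_Service exposes StartMode and the logon account (StartName),
    # which Get-Service does not show.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($entry.Value)'"
    if (-not $svc) {
        Write-Output ("{0,-24} not installed" -f $entry.Key)
        continue
    }
    Write-Output ("{0,-24} state={1,-8} start={2,-9} account={3}" -f $entry.Key, $svc.State, $svc.StartMode, $svc.StartName)

    if ($Disable -and $svc.StartMode -ne 'Disabled') {
        if ($svc.Name -eq 'Netlogon' -and $IsDomainController) {
            Write-Output ("{0,-24} left enabled (domain controller)" -f $entry.Key)
            continue
        }
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Output ("{0,-24} -> stopped and set to Disabled" -f $entry.Key)
    }
}
```

Run it without -Disable first and review the account column: any service in this list running as LocalSystem rather than a dedicated low-privilege account is the "too much privilege" case the step describes.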

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613