Chapter 2: Hardening Network Access: Disable Unnecessary Services

Overview

The main reason to put a computer on a network is so that it can communicate with other computers. Computer security is often an afterthought when deploying a new server. Unfortunately, correctly configuring system security requires delicately balancing system access. You must provide just enough access, but not too much.

The best strategy to adopt when hardening any system is to limit machine-to-machine communication to just the necessary communications. The first step in limiting communication is to only allow a service to be enabled or running if it is fulfilling a requirement.

The best time to configure services is right after installation. However, when creating a server it may be difficult to determine exactly what is needed. If this is the case, the following nine steps present a quick recipe for turning off all unnecessary network services and ensuring they remain off. You can return to this fundamental process over and over again as your system requirements change. You can also use the steps right after an installation, before placing the system on the network. Each individual step in the following list is explained in its own section.

1. Remove the machine from the network.

2. Identify the services you intend to support.

3. Determine the dependencies of the supported services.

4. Alter the system configuration so only necessary services are enabled.

5. Reboot the system.

6. Check to see that unnecessary services are not running.

7. Check to see if the services you require are running.

8. Return the machine to the network and verify network connectivity.