I recall a description of a machine that adhered to a strict security policy as having no network connection, no floppy disk drive, and no keyboard or mouse. Obviously, a server like this wouldn’t be worth much, but this image does help to illustrate a point about security: reduce the avenues for possible compromise. The last time I heard about a worm compromising systems worldwide, my first question was which service it was using to get to the machine. Sure enough, it was a service that is enabled by default, but I breathed a sigh of relief knowing that I had long since disabled that service on my machine. It takes some time and some effort to identify and disable the services not required in a particular environment, but it’s worth it in the long run.
Tip: Disable services on the Web server that aren’t being used. For example, if you type net start at the command prompt, you will probably be surprised at the number of services running on the server. You might not need Simple Mail Transfer Protocol (SMTP), Infrared Monitor, or a DHCP client running on the server. Look at the demands of the Web application, and be sure that the running services are needed to make the server and the application run correctly.
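One way to run the audit the tip describes, as an added PowerShell example that is not from the original text: it lists running services that are absent from an allowlist and previews disabling them. The allowlist contents and the function name Get-UnexpectedService are assumptions for illustration; build the real list from what your Web application needs.

```powershell
# Added example: compare running services against a per-role allowlist.
# The allowlist is a constructed sample, not a recommended baseline.
$Allowed = @(
    'W3SVC',       # World Wide Web Publishing Service (IIS)
    'WAS',         # Windows Process Activation Service, needed by W3SVC
    'EventLog',    # Windows Event Log
    'RpcSs',       # Remote Procedure Call
    'Schedule'     # Task Scheduler
)

# Hypothetical helper: returns running services whose short name is not allowed.
function Get-UnexpectedService {
    param(
        [Parameter(Mandatory)] [object[]] $Services,
        [Parameter(Mandatory)] [string[]] $Allowlist
    )
    $Services |
        Where-Object { $_.State -eq 'Running' -and $_.Name -notin $Allowlist } |
        Sort-Object Name |
        Select-Object Name, DisplayName, StartMode, StartName
}

# Win32_Service gives the same inventory as "net start", plus the start mode
# and the account each service runs as.
$inventory  = Get-CimInstance -ClassName Win32_Service
$unexpected = Get-UnexpectedService -Services $inventory -Allowlist $Allowed
$unexpected | Format-Table -AutoSize

# Services the tip names, by short name: SMTP, Infrared Monitor, DHCP Client.
$named = $unexpected | Where-Object { $_.Name -in 'SMTPSVC', 'Irmon', 'Dhcp' }
if ($named) {
    Write-Warning ("Running but not allowed: " + ($named.Name -join ', '))
}

# Preview only: -WhatIf prints each action without performing it.
# Remove -WhatIf after confirming the server and application do not need
# the service.
foreach ($svc in $unexpected) {
    Stop-Service -Name $svc.Name -WhatIf
    Set-Service  -Name $svc.Name -StartupType Disabled -WhatIf
}
```

Setting the startup type to Disabled matters as much as stopping the service, because a stopped service with StartMode Auto comes back at the next reboot.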
My next advice might seem obvious, but it gets ignored all the time: when operating system, Web server, and database security patches are released, install them! Malicious users and security professionals are constantly looking for new ways to compromise systems. When a hole is found, patch it. Often when system compromises occur, they exploit a vulnerability that was found and fixed in a release long before the attack on your system occurred.