A modern operating system can provide a multitude of services, ranging from those applicable to end-user workstations to those designed for high-end servers. When installing Red Hat Linux, for example, you have the opportunity to pick a profile for the system you wish to build; in response to your selection, the installer ensures that the resulting build contains the necessary program and configuration files. In Windows, you make a similar decision when selecting the flavor of the OS to install (Home, Professional, Server, and so on) as well as when configuring the machine after it boots up for the first time. Keep in mind that the profiles OS installers present to you are generic, and they only approximate the role the machine will play in your particular organization. As a result, it is up to you to remove or disable the OS components you do not need.
Controlling Network Services
You should pay particular attention to programs that may be invoked over the network. Attackers often scan networks in search of systems listening on commonly used ports, especially those associated with known vulnerabilities. Leaving unnecessary network services running on the host increases the risk that the system might be compromised. Even if the host is located behind a firewall, attackers can gain access to the services through ports that the firewall doesn't filter, or by finding ways to bypass the firewall altogether.
It is often difficult to stop an attacker once she gains access. Therefore, it is crucial to be proactive to block the attacker from ever getting in.
You can use the netstat -na command on most operating systems to list the ports on which your system is listening (on Linux, adding -p shows the owning process; on Windows XP SP2 and higher, -b or -o does the same). If this command presents you with a port number you do not recognize, searching the Web for that number is a reasonable first step, but confirm which program actually opened the socket before deciding: a port number is only a convention, and an attacker's backdoor can listen on port 80 as easily as a web server can. For example, if you determine that your host is listening on TCP port 80, the system is probably running a web server. If this is the desired behavior, great! Otherwise, be sure to disable the offending service before releasing the system into production, and rerun netstat afterward to confirm that the port is no longer open.
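The listening-port review described above is easy to script against a saved copy of the netstat output, which is useful when you have many hosts to check or want to compare a build against an approved list of services. The following is an added example, not code from the original text: it parses the two layouts that netstat -na produces (Linux and Windows), which differ in column order and in the spelling of the listening state, and reports every listener whose protocol and port are not on an allowlist. The netstat output it works on is a constructed sample embedded in the script.

```python
"""Audit the listeners reported by `netstat -na` against an allowlist.

Added example (not from the original text). Handles both the Linux layout
(proto recv-q send-q local foreign state) and the Windows layout
(proto local foreign state); nothing here talks to the network.
"""

# Words that mark a TCP socket as accepting connections on each platform.
LISTEN_STATES = {"LISTEN", "LISTENING"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*", "[::]"}   # bound on every interface
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}     # reachable only locally


def parse_netstat(text):
    """One dict per TCP/UDP line: proto, addr, port, state.

    The local address is the first field after the protocol that contains a
    colon (true for both layouts).  The state is the last field when it is a
    bare word; for UDP both platforms print a peer address there instead.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("tcp", "udp")):
            continue  # header, blank, or UNIX-domain socket line
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        state = fields[-1].upper() if ":" not in fields[-1] else ""
        proto = "udp" if fields[0].lower().startswith("udp") else "tcp"
        sockets.append({"proto": proto, "addr": addr, "port": int(port), "state": state})
    return sockets


def listening_sockets(text):
    """Sockets that accept unsolicited traffic: TCP in LISTEN, UDP bound without a peer."""
    listeners = []
    for sock in parse_netstat(text):
        if sock["proto"] == "tcp" and sock["state"] not in LISTEN_STATES:
            continue
        if sock["proto"] == "udp" and sock["state"] == "ESTABLISHED":
            continue  # connected UDP socket, not a server
        if sock["addr"] in LOOPBACK_ADDRS:
            sock["scope"] = "loopback"
        elif sock["addr"] in WILDCARD_ADDRS:
            sock["scope"] = "all interfaces"
        else:
            sock["scope"] = "one interface"
        listeners.append(sock)
    return listeners


def unexpected_listeners(text, approved):
    """Listeners whose (proto, port) is not in `approved`, e.g. {("tcp", 22)}.

    Loopback-only listeners are reported too (scope "loopback"): they cannot
    be reached from the network, but they are still software that may not
    belong on the host.
    """
    return [s for s in listening_sockets(text) if (s["proto"], s["port"]) not in approved]


# Constructed sample output, not captured from a real host.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:22             10.1.2.50:51544         ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/x.sock
"""

WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49152      192.168.1.9:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    # A web server that should only expose SSH and HTTP.
    for s in unexpected_listeners(LINUX_SAMPLE, {("tcp", 22), ("tcp", 80)}):
        print("unexpected: %(proto)s/%(port)d on %(addr)s (%(scope)s)" % s)
    # A workstation that should only expose Remote Desktop.
    for s in unexpected_listeners(WINDOWS_SAMPLE, {("tcp", 3389)}):
        print("unexpected: %(proto)s/%(port)d on %(addr)s (%(scope)s)" % s)
```

Run on the Linux sample with SSH and HTTP approved, the script flags the loopback-only mail listener on port 25, the portmapper on 111, MySQL on 3306, and SNMP on UDP 161; on the Windows sample it flags RPC (135), SMB (445), and the NetBIOS and SNMP UDP ports. Treat the output as a to-do list for the next step, which is finding the program behind each port and disabling it.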
On UNIX platforms, the /etc/inetd.conf file (or, on systems that use xinetd, /etc/xinetd.conf together with the per-service files under /etc/xinetd.d) controls a large number of network services, which are started on demand by the inetd or xinetd daemon. You will need to edit these text files to deactivate unneeded services and then signal the daemon to reread its configuration. Services that run as standalone daemons rather than under inetd are started by the system's boot scripts instead; the location of those scripts differs across UNIX flavors, so look through the startup directories under /etc, such as /etc/init.d and the /etc/rc*.d directories on Linux and Solaris (on Red Hat, the chkconfig command toggles those services for you).
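Hand-editing inetd.conf on a dozen hosts invites mistakes, so it helps to treat the edit as a small, reviewable transformation. The following is an added example, not code from the original text: given the text of /etc/inetd.conf it comments out every active entry that is not on a keep list, and given an xinetd service file it sets disable = yes whether or not a disable line was already present. The configuration files it processes are constructed samples embedded in the script; writing the result back and restarting the daemon is left to you.

```python
"""Disable inetd- and xinetd-managed services that are not on an allowlist.

Added example (not from the original text).  The functions take the text of
/etc/inetd.conf or of a file under /etc/xinetd.d and return the edited text.
"""
import re


def inetd_enabled_services(text):
    """Names of the active (uncommented) inetd.conf entries.

    Entry layout: service socktype proto wait/nowait user server [args].
    """
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            names.append(stripped.split()[0])
    return names


def harden_inetd(text, keep=frozenset()):
    """Comment out every active entry whose service name is not in `keep`.

    Commenting rather than deleting leaves a record of what used to run.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        active = bool(stripped) and not stripped.startswith("#")
        out.append("#" + line if active and stripped.split()[0] not in keep else line)
    return "\n".join(out) + "\n"


# xinetd service files are "keyword = value" blocks; disable = yes turns one off.
XINETD_DISABLE = re.compile(r"^([ \t]*)disable[ \t]*=[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def xinetd_is_enabled(text):
    """True unless the block says disable = yes; xinetd's default is enabled."""
    match = XINETD_DISABLE.search(text)
    return match is None or match.group(2).lower() != "yes"


def harden_xinetd(text):
    """Return the service file with disable = yes, replacing or inserting the line."""
    if XINETD_DISABLE.search(text):
        return XINETD_DISABLE.sub(lambda m: m.group(1) + "disable = yes", text)
    # No disable line at all: insert one right after the opening brace of the block.
    return re.sub(r"(service\s+\S+\s*\{[ \t]*\n)", r"\1\tdisable = yes\n", text, count=1)


# Constructed samples, not copied from a real system.
INETD_SAMPLE = """\
# /etc/inetd.conf (constructed sample)
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger   stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime  stream  tcp     nowait  root    internal
"""

XINETD_TELNET = """\
# /etc/xinetd.d/telnet (constructed sample)
service telnet
{
\tsocket_type     = stream
\twait            = no
\tuser            = root
\tserver          = /usr/sbin/in.telnetd
\tdisable         = no
}
"""

XINETD_FINGER = """\
service finger
{
\tsocket_type     = stream
\twait            = no
\tuser            = nobody
\tserver          = /usr/sbin/in.fingerd
}
"""

if __name__ == "__main__":
    print("active before:", inetd_enabled_services(INETD_SAMPLE))
    hardened = harden_inetd(INETD_SAMPLE, keep={"daytime"})
    print("active after: ", inetd_enabled_services(hardened))
    print(harden_xinetd(XINETD_FINGER))
```

After writing the edited files back, send inetd a HUP signal (kill -HUP on its process ID) or restart xinetd, then confirm with netstat -na that the corresponding ports are gone. Note that this only covers services inetd or xinetd starts; standalone daemons such as sshd, httpd, or the NFS daemons are controlled through the boot scripts mentioned above.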
Under Windows, you can control many network services through Control Panel applets such as Services and Network Connections. For example, NetBIOS over TCP/IP is riddled with legacy security weaknesses and is no longer needed in most environments that use Windows 2000 or higher. To disable it, open the properties of the network connection, then the properties of Internet Protocol (TCP/IP), click Advanced, and on the WINS tab select Disable NetBIOS over TCP/IP; repeat this for every network connection on the host.
This process is illustrated in Figure 9.1.
Figure 9.1. You can disable NetBIOS over TCP/IP in Windows 2000 or higher by modifying properties of your network connection.
In most Windows 2000 and XP environments, you will still be able to access files and printers remotely through the built-in Server Message Block (SMB) protocol running directly over TCP/IP (TCP port 445), even if you disabled NetBIOS. Older Windows operating systems, however, rely on NetBIOS (TCP port 139 and UDP ports 137 and 138) for remote file and printer access, so a host that must serve such clients needs NetBIOS left enabled.
Deactivating a network service decreases the likelihood that it will be used as a doorway into the system, but it might complicate the task of remotely administering the host. For example, file-sharing services might not be directly related to a business function of an Internet-accessible web server, but they might be helpful for administrators when uploading or downloading the server's files. The more critical the system, the more likely you will be willing to forego some administrative convenience for the sake of hardening its configuration.
Let's take a look at some of the resource-sharing and remote access services you should consider disabling on Windows and UNIX hosts.
Resource-sharing services, sometimes called "file and print" services, allow a remote user to access data on the host by connecting to it over the network. Sometimes default OS installations provide too many opportunities for such access, leaving it up to you to disable aspects of these services that you do not need.
Windows allows remote users to access files on a host using the SMB protocol through the Server service, which the OS enables by default. Consider disabling this service on your workstations if you do not require remote access to them. Users will still be able to connect to file shares on your servers; such outgoing connections are established by the Workstation service. If the system's purpose requires that the Server service remain running, be sure to disable any unneeded file shares that the OS might activate by default. For instance, Windows NT and higher automatically establish "hidden" administrative shares such as C$, ADMIN$, and PRINT$. Simply deleting these shares is not enough, because the Server service re-creates them at the next startup unless the AutoShareServer value (AutoShareWks on workstations) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0.
You can view, delete, and create hidden and regular Windows file shares through the Computer Management applet in the Administrative Tools folder of the host's Control Panel, or from the command line with net share. For detailed information on managing Windows shares, take a look at Microsoft Knowledge Base articles 314984 and 318751 at http://support.microsoft.com.
File sharing on UNIX operating systems is usually performed through Network File System (NFS) services. It is a good idea to disable NFS-related daemons, such as nfsd and mountd, if you do not require their services; NFS also depends on the portmapper (port 111), which can be disabled along with them if nothing else uses RPC. If you will use NFS for providing remote access to the system's files, carefully review the entries in the appropriate configuration files, such as /etc/exports (under Linux) or /etc/dfs/dfstab (under Solaris), and check the result from another host with showmount -e, which lists what the server exports and to whom.
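Reviewing /etc/exports by eye misses the subtle cases, in particular the one where a space between the host and the options silently exports the path to everyone. The following is an added example, not code from the original text: it parses the Linux exports(5) syntax and flags world exports, wildcard clients, world-writable exports, no_root_squash, and insecure. It does not understand the Solaris dfstab syntax (share -F nfs ...), and the exports file it inspects is a constructed sample embedded in the script.

```python
"""Flag risky entries in a Linux /etc/exports file.

Added example (not from the original text).  Linux exports(5) syntax only;
the Solaris /etc/dfs/dfstab format is different and is not handled.
"""

# Finding codes and what they mean to a reviewer.
FINDINGS = {
    "EVERYONE": "exported to every client on the network",
    "WILDCARD": "client given as a wildcard pattern",
    "WORLD_RW": "writable by every client",
    "NO_ROOT_SQUASH": "remote root keeps root privileges on the export",
    "INSECURE": "requests from unprivileged client ports are accepted",
}


def parse_exports(text):
    """Return (path, client, options) triples, one per client spec on a line.

    "host(opts)" binds the options to that host.  A bare "(opts)" token, which
    is what a space between host and options produces ("/backup host (rw)"),
    is a separate spec with an empty client: every client gets those options,
    and the named host gets the defaults.  exportfs warns about exactly this
    mistake.  A path with no client at all is likewise open to everyone.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or [""]
        for spec in specs:
            client, has_opts, rest = spec.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o] if has_opts else []
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, code) tuples for every risky export found."""
    findings = []
    for path, client, options in parse_exports(text):
        world = client in ("", "*")
        if world:
            findings.append((path, client, "EVERYONE"))
        elif "*" in client or "?" in client:
            findings.append((path, client, "WILDCARD"))
        if world and "rw" in options:
            findings.append((path, client, "WORLD_RW"))
        if "no_root_squash" in options:
            findings.append((path, client, "NO_ROOT_SQUASH"))
        if "insecure" in options:
            findings.append((path, client, "INSECURE"))
    return findings


# Constructed sample, not copied from a real server.
EXPORTS_SAMPLE = """\
# /etc/exports (constructed sample)
/home        *(rw,no_root_squash)
/data        192.168.1.0/24(ro,root_squash)
/pub         (ro,insecure)
/srv/build   buildbox.example.com(rw,sync)  *.example.com(ro)
/backup      10.0.0.5 (rw)
"""

if __name__ == "__main__":
    for path, client, code in audit_exports(EXPORTS_SAMPLE):
        print("%-12s %-22r %s" % (path, client, FINDINGS[code]))
```

On the sample, /data and the buildbox entry pass, /home is flagged three times (everyone, world-writable, remote root kept), and the /backup line shows the space pitfall: 10.0.0.5 gets a read-only default export while the "(rw)" token opens the path read-write to the world. Compare the script's view with what showmount -e and exportfs -v report on the live server.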
Remote Access Services
In addition to providing resource-sharing services, modern operating systems often give administrators the ability to remotely configure the host as well as to execute commands on the machine without sitting directly in front of its console. Such services are attractive targets for attackers, because, if compromised, they can grant unrestrained access to the host.
Administrators can access Windows workstations remotely through the Remote Desktop service, which is part of Windows XP Professional and higher, and Windows servers through Terminal Services, which run on Windows 2000 Server or higher; both listen on TCP port 3389. Although these services require that the user be authenticated before connecting to the host, they provide remote attackers with another network attack vector, not least for password guessing. If you will not use Remote Desktop or Terminal Services, disable them on your hosts. (For additional information regarding Terminal Services, please see Chapter 10.)
In addition to providing full access to the remote system through Remote Desktop or Terminal Services, Windows offers the Remote Registry Service, which allows authenticated users to remotely manage the system's Registry. (Windows uses the Registry to store critical configuration data for the OS and its applications.) In the spirit of disabling network components that you do not need, you should deactivate this service unless you are actually going to use it to remotely maintain the machine.
UNIX platforms support numerous services that can be used for remotely accessing the host and that can be misused by an attacker. The most vulnerable of such programs are the so-called r-commands: rsh (execute a command on a remote host), rlogin (interactive login), and rcp (file copy). None of them encrypts the session, so passwords and data cross the network in the clear, and their authentication is weak, as described next. Telnet is another popular mechanism for remotely accessing UNIX systems, and it is equally clear-text. Like the r-commands, Telnet is gradually being phased out in favor of Secure Shell (SSH), which encrypts the session and provides stronger authentication options.
It is possible to set up a trust relationship between UNIX systems so that a remote user can execute a command on another host without providing a password; for the r-commands, such trust is defined in /etc/hosts.equiv (system-wide) and in each user's ~/.rhosts file. Such trust relationships are useful and might be required for the system's business purpose. The r-commands, however, verify the identity of the trusted system only by the client's IP address (or the hostname resolved from it) and by the fact that the connection originates from a privileged source port; both are easy to spoof or to obtain on a compromised host. Remote access mechanisms such as SSH support trust relationships based on cryptographic keys, which are much more dependable for authenticating users and systems. With all trust relationships, keep in mind that if it is easy for a legitimate user to jump from host to host, it is just as easy for an attacker who compromises a single trusted host to do the same.
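When you inherit a UNIX host, the trust files are worth reading with the r-command rules in mind, because an innocent-looking entry can grant far more than it appears to. The following is an added example, not code from the original text: it parses /etc/hosts.equiv and ~/.rhosts entries ("host [user]", with "+" as a wildcard, a leading "-" as a denial, and "+@name" for a netgroup) and classifies what each one grants. The format details vary slightly between UNIX flavors, and the files it reads are constructed samples embedded in the script.

```python
"""Audit r-command trust files: /etc/hosts.equiv and per-account ~/.rhosts.

Added example (not from the original text).  Finding codes:
  ANY_HOST      "+" in the host field: every host on the network is trusted
  ANY_USER      "+" in the user field: every user on that host is trusted
  USER_AS_ANYONE a named user in hosts.equiv may log in as ANY local non-root user
  ROOT_WITHOUT_PASSWORD  any entry in root's ~/.rhosts
  ADDRESS_BASED trust that rests on an IP address or hostname only
"""


def parse_trust_file(text):
    """Return (host, user) pairs; user is None when only a host is named."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _trust_findings(entries, system_wide, root_account):
    findings = []
    for host, user in entries:
        if host.startswith("-"):
            continue                      # explicit denial grants nothing
        codes = []
        if host == "+":
            codes.append("ANY_HOST")
        if user == "+":
            codes.append("ANY_USER")
        elif user is not None and system_wide:
            codes.append("USER_AS_ANYONE")
        if root_account:
            codes.append("ROOT_WITHOUT_PASSWORD")
        if not codes:
            codes.append("ADDRESS_BASED")
        findings.extend((host, user, code) for code in codes)
    return findings


def audit_hosts_equiv(text):
    """Findings for /etc/hosts.equiv, which applies to every non-root account."""
    return _trust_findings(parse_trust_file(text), system_wide=True, root_account=False)


def audit_rhosts(text, account):
    """Findings for one account's ~/.rhosts; any entry in root's file is a finding."""
    return _trust_findings(parse_trust_file(text), system_wide=False,
                           root_account=(account == "root"))


# Constructed samples, not copied from a real system.
HOSTS_EQUIV_SAMPLE = """\
# /etc/hosts.equiv (constructed sample)
+
build01.example.com
build02.example.com   jenkins
-rogue.example.com
"""
ROOT_RHOSTS_SAMPLE = "backup.example.com root\n"
USER_RHOSTS_SAMPLE = """\
+ +
desktop.example.com
"""

if __name__ == "__main__":
    for where, result in (("/etc/hosts.equiv", audit_hosts_equiv(HOSTS_EQUIV_SAMPLE)),
                          ("/root/.rhosts", audit_rhosts(ROOT_RHOSTS_SAMPLE, "root")),
                          ("/home/alice/.rhosts", audit_rhosts(USER_RHOSTS_SAMPLE, "alice"))):
        for host, user, code in result:
            print("%-20s %-22s %-8s %s" % (where, host, user or "-", code))
```

The hardened state is simpler than any audit: no ~/.rhosts files at all (find / -name .rhosts locates them), an empty /etc/hosts.equiv, and the shell, login, and exec entries commented out of inetd.conf so that the server side of the r-commands does not run. If SSH replaces them, keep IgnoreRhosts yes and HostbasedAuthentication no in sshd_config, so that the old trust files cannot resurface through the new daemon.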
In addition to controlling the host's network-accessible services, it is important to remove or disable other services and applications that the system does not require to fulfill its tasks.
A network access mechanism that has serious implications for information leakage in Windows is known as a null session (an anonymous connection to the IPC$ share over TCP port 139 or 445), which may allow remote users to anonymously access sensitive data. One of the legitimate uses of null sessions is to list users from another domain when granting them access to local resources. Some older third-party tools also use null sessions for similar purposes. Unfortunately, an attacker can use the same mechanism to query the remote system for usernames, shares, and services without authenticating to the host. Although environments based on Windows 2000 or higher often do not require null sessions for proper operation, they are commonly left enabled without regard to their security risk.
If you disable the Server service, null session connections will be disabled as well. If the Server service has to remain running, you can limit null session access through the Local Security Policy editor, which you can access through the Administrative Tools folder in Control Panel, or through Group Policy in environments that use Active Directory. The relevant policy entry is called "Additional restrictions for anonymous connections," illustrated in Figure 9.2. You will find this setting under Local Policies, Security Options; it corresponds to the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The most secure option is "No access without explicit anonymous permissions" (RestrictAnonymous = 2), which eliminates most risks associated with null sessions, but might break some legacy applications, including trust relationships with Windows NT 4.0 domains. Windows XP and Windows Server 2003 split this control into several "Network access:" entries in the same policy section, such as "Do not allow anonymous enumeration of SAM accounts and shares." Whatever you choose, verify it from another host by attempting a null session (net use \\host\ipc$ "" /user:"") followed by an enumeration of shares or users.
Figure 9.2. You can limit null session connections by restricting anonymous actions using the Local Security Policy editor or through Group Policy.
Another network service that often provides attackers with sensitive information is Simple Network Management Protocol (SNMP). As we discuss in Chapter 19, "Maintaining a Security Perimeter," administrators can use SNMP for remotely querying and modifying configuration parameters of a wide range of hosts and network devices. In most SNMP installations, SNMP-based access is restricted to those who know the proper passwords, which SNMP versions 1 and 2c call community strings. Unfortunately, community strings are often set to the words private and public in many default installations, and because versions 1 and 2c send them in clear text, even a nondefault string can be sniffed off the network. If you cannot disable SNMP on your host (the agent listens on UDP port 161), be sure to at least change its community strings, drop the read-write community unless something genuinely needs it, restrict the addresses allowed to query the agent, and prefer SNMP version 3, which supports authenticated and encrypted access. Numerous SNMP tools can be used to retrieve a wealth of information about the host running SNMP services, much more than the information leakage associated with null sessions on Windows systems.
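On UNIX hosts the agent's access rules live in snmpd.conf, and the weak and hardened configurations are easy to put side by side. The following is an added example, not code from the original text: it audits the common Net-SNMP directives (rocommunity and rwcommunity with an optional source restriction, com2sec, and the SNMPv3 rouser/rwuser directives with their minimum security level) and reports default community strings, unrestricted sources, write access, and SNMPv3 users allowed without authentication. Both configuration files it checks are constructed samples embedded in the script. On Windows the corresponding settings are on the Security tab of the SNMP service's properties, stored under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters.

```python
"""Audit a Net-SNMP snmpd.conf for weak access settings.

Added example (not from the original text).  Understands:
  rocommunity/rwcommunity COMMUNITY [SOURCE ...]   v1/v2c access
  com2sec NAME SOURCE COMMUNITY                    v1/v2c mapping
  rouser/rwuser USER [noauth|auth|priv]            SNMPv3 users (default: auth)
"""

DEFAULT_COMMUNITIES = {"public", "private"}

FINDINGS = {
    "DEFAULT_COMMUNITY": "well-known community string",
    "UNRESTRICTED_SOURCE": "any source address may use this community",
    "WRITE_ACCESS": "read-write access granted; prefer read-only",
    "NOAUTH": "SNMPv3 user allowed without authentication",
    "CLEARTEXT_V2C": "v1/v2c community travels unencrypted and can be sniffed",
}


def audit_snmpd_conf(text):
    """Return (directive, name, code) tuples, one per weakness found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = fields[1]
            source = fields[2] if len(fields) > 2 else "default"
            findings.append((directive, community, "CLEARTEXT_V2C"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((directive, community, "DEFAULT_COMMUNITY"))
            if source.lower() == "default":
                findings.append((directive, community, "UNRESTRICTED_SOURCE"))
            if directive.startswith("rw"):
                findings.append((directive, community, "WRITE_ACCESS"))
        elif directive == "com2sec" and len(fields) >= 4:
            source, community = fields[2], fields[3]
            findings.append((directive, community, "CLEARTEXT_V2C"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((directive, community, "DEFAULT_COMMUNITY"))
            if source.lower() == "default":
                findings.append((directive, community, "UNRESTRICTED_SOURCE"))
        elif directive in ("rouser", "rwuser") and len(fields) >= 2:
            user = fields[1]
            level = fields[2].lower() if len(fields) > 2 else "auth"
            if level == "noauth":
                findings.append((directive, user, "NOAUTH"))
            if directive == "rwuser":
                findings.append((directive, user, "WRITE_ACCESS"))
    return findings


# Constructed samples, not copied from a real host.
SNMPD_WEAK = """\
# /etc/snmp/snmpd.conf as found on many default installations (constructed)
rocommunity public
rwcommunity private 10.0.0.0/24
com2sec readonly default s3cr3tr0
rouser monitor noauth
rouser nms priv
"""

SNMPD_HARDENED = """\
# SNMPv3 only: the user must authenticate and encrypt, and gets read-only access
rouser nms priv
"""

if __name__ == "__main__":
    for directive, name, code in audit_snmpd_conf(SNMPD_WEAK):
        print("%-12s %-10s %s" % (directive, name, FINDINGS[code]))
    print("hardened config findings:", audit_snmpd_conf(SNMPD_HARDENED))
```

The hardened file keeps only the SNMPv3 user with the priv level, so the audit returns nothing for it; the SNMPv3 user itself is created with net-snmp-config --create-snmpv3-user (or by a createUser line) and its credentials never appear in snmpd.conf. Whichever configuration you settle on, confirm from another host that a query with the community string public no longer answers.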
Removing Extraneous Software Components
Removing extraneous software components, even if they are not network services, is important regardless of whether you are installing an OS from scratch or locking down a system that has already been installed. For example, a C compiler such as GCC might be installed on a Linux-based web server by default, but it is rarely required for the web server to operate properly. When a system is compromised and a utility such as GCC is available to the attacker, it will be easier for her to compile additional attack tools or to install a backdoor on the system that will allow future access.
To remove unnecessary software components from Windows hosts, use the Add/Remove Programs applet in the Control Panel. Clicking the Add/Remove Windows Components tab will result in the window depicted in Figure 9.3. By removing unnecessary OS components in this manner, you will slow down the progress of an attacker should she find her way onto your system.
Figure 9.3. The Windows Component Wizard allows you to remove unnecessary software components from the host.
UNIX operating systems typically include package management tools that allow you to remove unnecessary software components with relative ease. For instance, many Linux distributions offer the rpm utility to remove unwanted packages that come with the OS, whereas Solaris comes with the pkgrm program, which can be used to fulfill the same purpose.
It is sometimes tricky to figure out which package to uninstall in order to get rid of a particular program. To make this determination, you can usually query the package management database on the host with the program's file path. For instance, in Linux you would use the following command to determine that gcc-3.2-7 is the package that "owns" the GCC program file; rpm -e gcc then removes it, and rpm refuses to proceed if other installed packages depend on it, which tells you what else you would be pulling out. (On Solaris, pkgchk -l -p /path/to/file lists the package that owns a file.)
# rpm -qf /usr/bin/gcc
gcc-3.2-7
You should remove unnecessary administrative tools and OS components from critical servers, especially those that act as bastion hosts: firewalls, VPN gateways, and other security services. You may encounter situations where removing a software component is too difficult: it may be embedded too deeply into the OS, or you may need it once in a while for administrative purposes. Whatever tools you elect to keep, restrict their file system permissions so that only administrators can run them. On UNIX, for example, making a tool owned by root and an administrative group with mode 750 (chmod 750) denies it to everyone else; on Windows, the equivalent is removing the Users and Everyone groups from the file's access control list. Keep in mind that an attacker who has already obtained root or Administrator privileges is not slowed down by this; it raises the bar for the more common case of a compromised unprivileged account or service.
Now that we've covered the principles behind disabling or removing unnecessary programs, let's take a look at the steps involved in limiting local access to sensitive data and configuration files.