CertiGuide to Security+
Chapter 1:  General Security Concepts (Domain 1.0; 30%)


1.3  Non-Essential Services and Protocols
(Page 1 of 2)

By simple math, the more services and protocols a host has running, the more targets an attacker has to aim at. As an example, if he can’t find an exploit for “Sulphur FTP Server v1.0” running on the host, he can move on to attacking “Ravian SNMP Management Tool v2.3”. An important question to ask is: if the host in question is simply a file and print server, are these extra services required? They may be installed by default as part of the operating system, but when an unwary system administrator leaves them in place they provide potential routes into an organization. Similarly, unnecessary open ports on boundary firewalls are inviting targets for attackers to probe. You can often reduce your network’s vulnerability to both random and specifically targeted attacks simply by disabling non-essential components and protocols.

In the future, a concept called port knocking may tighten up access even to the essential services and protocols.[61]

Better the Odds

The more services and protocols running on a host, the more potential vulnerabilities it has. Disable or filter out access to all services and protocols except those that are absolutely necessary.


When determining which services to run, and which to disable, there are two possible approaches you can take.

First, you can choose the optimistic route. This involves leaving everything exactly as it is, and only removing services and closing access points (such as firewall ports) as they become an issue.

An example of this involves the IIS .htr remote overflow exploit.[62] An optimistic system administrator may put a default installation of IIS onto the corporate network and hope for the best. Then, when the .htr advisory is released, the system administrator may choose to disable the .htr extension filter only. Unfortunately, because the administrator was on holiday and didn’t read the advisory until 3 days later, the corporate web server was already broken into and “Trojaned” (see 1.4.2) before the hole was closed. Now, the administrator has a lot more than just an IIS extension filter to worry about. This is why the second approach is recommended: it’s proactive, rather than reactive.

The second approach is the pessimistic route. You take the view that nothing on your network is required, and close every port, service and share before issues arise. This involves changing settings on servers (disabling unused services, removing shares) and on the routers and firewalls (setting up “rules” that restrict connections to and from ports on your organization’s machines, allowing only those types of connections which are specifically needed).

You then open only the ports that are specifically required and justifiable, while keeping firewall rules extremely tight. Let’s look at some specific examples.

A corporate web server that is publicly accessible from the Internet would only require port 80 inbound to be opened on the firewall. A web server should never independently make a connection outward, and unless it is running other services (for example, SSL, which uses port 443), it should never accept connections on anything other than port 80. This methodology extends to the services on the servers themselves: unused options or subsystems of a service should be disabled too. For example, the IIS exploit mentioned above would have been ineffective against this corporate web server if the system administrator had disabled unused IIS extensions before deploying it.
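The pessimistic route described above amounts to two checks: compare what a host actually listens on against the short list its role justifies, and write the firewall policy as default-deny with only those ports opened. The script below is an added example, not code from the CertiGuide text; it assumes a Linux host whose listening sockets come from `ss -tulnp`, and the role names, their port lists and the sample `ss` output are all constructed for illustration.

```python
"""Pessimistic service baseline: audit listeners against a role allowlist
and emit a default-deny firewall policy for that role.

Added example; assumes a Linux host whose listening sockets are taken from
`ss -tulnp`. The role names and their port lists are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -tulnp`; not captured from
# a real host. Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN  0       0       0.0.0.0:161         0.0.0.0:*          users:(("snmpd",pid=655,fd=6))
tcp    LISTEN  0       128     0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=640,fd=3))
tcp    LISTEN  0       100     127.0.0.1:25        0.0.0.0:*          users:(("master",pid=701,fd=13))
tcp    LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=812,fd=4))
tcp    LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("httpd",pid=812,fd=5))
"""

# Hypothetical per-role allowlists: anything not listed is non-essential.
ROLE_ALLOWLIST = {
    "web": {("tcp", 80), ("tcp", 443)},
    "file-print": {("tcp", 139), ("tcp", 445)},
}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` style text into Listener records (header skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        address, port = fields[4].rsplit(":", 1)
        match = re.search(r'"([^"]+)"', fields[6]) if len(fields) > 6 else None
        listeners.append(Listener(fields[0], address, int(port),
                                  match.group(1) if match else "unknown"))
    return listeners


def audit(ss_output: str, role: str) -> list[tuple[Listener, str]]:
    """Verdict per listener: keep (allowlisted), review (bound to loopback
    only, so not reachable from the network) or disable."""
    allowed = ROLE_ALLOWLIST[role]
    verdicts = []
    for lst in parse_ss(ss_output):
        if (lst.proto, lst.port) in allowed:
            verdict = "keep"
        elif lst.address in LOOPBACK:
            verdict = "review"
        else:
            verdict = "disable"
        verdicts.append((lst, verdict))
    return verdicts


def summarize(ss_output: str, role: str) -> dict[str, set[tuple[str, int]]]:
    """Group (proto, port) pairs by verdict for quick comparison."""
    summary = defaultdict(set)
    for listener, verdict in audit(ss_output, role):
        summary[verdict].add((listener.proto, listener.port))
    return dict(summary)


def nft_ruleset(role: str) -> str:
    """Default-deny nftables policy: inbound only the role's ports; outbound
    only replies to established connections, matching the rule that a web
    server should not initiate connections outward."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for proto, port in sorted(ROLE_ALLOWLIST[role]):
        lines.append(f"    {proto} dport {port} accept")
    lines += [
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for listener, verdict in audit(SAMPLE_SS_OUTPUT, "web"):
        print(f"{verdict:8} {listener.proto}/{listener.port:<5} "
              f"{listener.process} ({listener.address})")
    print(nft_ruleset("web"))
```

Run against the sample, the web role keeps 80 and 443, flags the FTP daemon and SNMP agent for removal, and lists the loopback-only mail listener for review rather than automatic removal, since it is not reachable from the network but is still a component that may need patching. The generated output chain follows the text's rule literally; on a real host, anything the server legitimately must initiate (DNS lookups, fetching patches) has to be added as an explicit accept rule, which is exactly the "justify every opening" discipline the pessimistic approach calls for.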


__________________

[61] http://www.portknocking.org/

[62] http://www.eeye.com/html/Research/Advisories/AD20020612.html






CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.