Identifying Nonessential Services and Attacks
- Understanding and Identifying Common Services and Nonessential Services Posing Possible Security Threats
- Attacks
- Malicious Code
- Social Engineering
- Auditing
- Practice Questions
- Need to Know More?
Terms you'll need to understand:
- Nonessential services
- DoS/DDoS
- Back door
- Spoofing
- Man-in-the-middle attack
- Replay
- Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking
- Password guessing (brute force/dictionary)
- Software exploitation
- Viruses
- Trojan horses
- Logic bombs
- Worms
- Social engineering
- Auditing
Techniques you'll need to master:
- Understanding and identifying common services that may be disabled or locked down to thwart unauthorized access
- Recognizing when an attack is happening and taking proper steps to end it
- Learning to identify which types of attacks you might be subject to and how to implement proper security to protect your environment
- Recognizing malicious code and knowing how to respond appropriately
- Understanding how easy social engineering has become
- Learning the concepts of proper auditing
The challenge of working in a mixed operating system environment becomes a factor when trying to secure your resources. It has become very common for servers to be subject to a myriad of attacks through services, protocols, and open ports.
The Security+ exam requires that you understand that eliminating nonessential services can thwart many would-be attackers and that you understand the different types of attacks that can happen.
Understanding and Identifying Common Services and Nonessential Services Posing Possible Security Threats
It is an IT professional's responsibility to be sure that the network is secure and safe from attacks. This is an enormous undertaking. Most servers come with a wide range of services and protocols, many of which are turned on by default. The first step in securing your environment is to formulate a plan. The plan should include the following:
- The role of each server along with its current configuration
- The services, protocols, and applications required to meet the business needs
- Any configuration changes that should be made to the existing servers, such as additions and the removal of nonessential server services that don't meet business needs
Overlooking the planning phase can spell disaster. Many times, though, this phase is skipped because the server has to be put in place right away or its original role has been changed without any reconfiguration. The technology world is changing constantly, and your network needs to change along with it to accommodate new ways of doing business while protecting yourself from new vulnerabilities. It is dangerous to sit down at a server and try to configure it without a plan. Each operating system has its own set of protocols, scripting languages, and tools. You could not possibly cover all bases efficiently and effectively without proper planning. Your plan should also be reevaluated on a regular basis. What is a viable solution now might not work in the future.
Establishing a Server Role
By identifying the role that each server plays, it can more easily be determined which services and protocols are required or needed. Common roles for servers include the following:
- Logon server: These servers authenticate users when they log on to their workstations. These servers can also function as other types of servers.
- Network services server: These servers host services that are required for the network to function as per the configuration. These include Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Windows Internet Name Service (WINS), and Simple Network Management Protocol (SNMP).
- Application server: Used for hosting applications such as custom accounting packages and office suites.
- File server: Used for access to common user files and home directories.
- Print server: Used for access to the network shared printers.
- Web server: Used to host Web-based applications and internal or external Web sites.
- FTP server: Used to store files that are downloaded or uploaded. These can be internal as well as external.
- Email server: Used for email but can also be used to host public folders and groupware applications.
- News/Usenet (NNTP) server: Used as a newsgroup server where users can post and retrieve messages in a common location.
It should also be determined whether the server will be accessed from the internal network, from the external world, or both. This helps identify the services and protocols you need on your server. In the following sections, we discuss how to determine which protocols and services you need on your server as well as the benefits of removing unnecessary protocols and services.
Required and Critical Services
Every operating system requires different services for it to operate properly. Ideally, the configuration process should start with installing only the services necessary for the server to function. The manufacturer should have these services listed in the documentation. If not, a wealth of information on hardening servers can be found in books and on the Web. Using documentation to standardize the methods used to set up servers will make new deployments easier and more secure.
The best way to ensure that only necessary services are running is to do a clean install. When a computer system is shipped to you, there is usually additional software, such as the manufacturer's tools, or additional configuration changes that have been made. The only way to be sure the machine meets the specifications of the plan is to perform a clean installation using predetermined checklists or policies. This task is very time consuming but in the long run is worth it. An additional benefit is that it ensures you have all the software and skills required to rebuild the server should this ever need to be done. Taking the time to do it right the first time saves you many headaches down the road.
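The role list above and the "install only what the role needs" rule can be turned into a repeatable check. The following is an added example (not code from the book) that compares a server's listening sockets, in the format printed by `ss -lntup` on Linux, against a per-role baseline of required ports. The role baselines, the `MANAGEMENT` set (remote administration permitted on every role) and the sample `ss` output are all assumptions constructed for this example; the port numbers are the well-known IANA assignments.

```python
"""Audit a server's listening services against its documented role."""
import re
from typing import NamedTuple

# Hypothetical per-role baselines (an assumption for this example): the
# listening sockets each role from the chapter's list is expected to have.
ROLE_BASELINES = {
    "logon":   {("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 636)},
    "network": {("udp", 67), ("udp", 53), ("tcp", 53), ("udp", 161)},
    "web":     {("tcp", 80), ("tcp", 443)},
    "file":    {("tcp", 445)},
    "ftp":     {("tcp", 21)},
    "email":   {("tcp", 25), ("tcp", 143), ("tcp", 993)},
}
# Remote administration the plan permits on every role (also an assumption).
MANAGEMENT = {("tcp", 22)}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# One data line of `ss -lntup` output, for example:
#   tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)")?'
)


def parse_ss(text):
    """Parse `ss -lntup` output into Listener records; skips the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a line in a shape we do not understand
        proto, addr, port, proc = m.groups()
        listeners.append(Listener(proto, addr, int(port), proc or "?"))
    return listeners


def audit_listeners(role, ss_text):
    """Return (nonessential, missing).

    nonessential: listeners outside the role's baseline plus MANAGEMENT,
                  i.e. candidates for removal or disabling.
    missing:      baseline sockets the role needs but nothing listens on,
                  i.e. the server does not yet fulfil its documented role.
    """
    allowed = ROLE_BASELINES[role] | MANAGEMENT
    listeners = parse_ss(ss_text)
    present = {(l.proto, l.port) for l in listeners}
    nonessential = [l for l in listeners if (l.proto, l.port) not in allowed]
    missing = sorted(ROLE_BASELINES[role] - present)
    return nonessential, missing


# Constructed sample of `ss -lntup` output from a hypothetical web server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128    0.0.0.0:21        0.0.0.0:*     users:(("vsftpd",pid=950,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*     users:(("snmpd",pid=901,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=700,fd=9))
"""

if __name__ == "__main__":
    extra, absent = audit_listeners("web", SAMPLE_SS)
    for l in extra:
        print(f"nonessential: {l.proto}/{l.port} ({l.process}) on {l.addr}")
    for proto, port in absent:
        print(f"missing from role baseline: {proto}/{port}")
```

Run against the sample, the web-server role flags the FTP daemon, SNMP and the print spooler as nonessential and notes that nothing listens on TCP 443 even though the role calls for it. The baselines live in the same document as the role plan, so re-running the audit after a server's role changes is the "reevaluate the plan regularly" step in executable form.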
Determining Required Protocols
Some administrators install unnecessary protocols because they either misunderstand the protocols' function or think they may need them later. Protocols, like services, should not be installed unless required. When looking at your network environment, the following should be determined:
- Whether the protocol(s) is required for desktop-to-server communication
- Whether the protocol(s) is required for server-to-server communication
- Whether the protocol(s) is required for remote-access-to-server communication
- Whether the protocol(s) chosen requires additional services
- Whether there are any known security issues associated with the protocol(s) chosen
Many networks consist of a mixed Windows and Unix operating system environment. Hypothetically, you have decided to use TCP/IP as the communications protocol. Next, you need to determine whether to implement TCP/IP statically or dynamically through DHCP.
If you decide that TCP/IP is to be deployed dynamically, you need to use an additional service (DHCP). Although DHCP can ease administration costs, it is less secure because unknown users can plug into your network and receive a TCP/IP address. This is especially true on unsecured wireless networks, where someone can be in the parking lot with a laptop attached to your network via a wireless connection.
TCP/IP also requires that you have a DNS server deployed for proper name resolution. In the hypothetical network, both Unix and Windows operating systems are running, and depending on whether Windows NT 4.0 or Windows 2000 is used, both DNS and WINS may be needed.
You must consider the implications in security planning. Weighing the factors helps you make wise choices in deploying services and protocols. The risks associated with running each choice of service and protocol should be researched and documented. It would be great to eliminate the associated risks altogether, but this is virtually impossible in today's world. However, being able to come up with possible solutions to reduce the risks associated with each service and protocol is a step in the right direction.
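The DHCP risk described above (an unknown machine plugs in and is handed an address) is one a defender can at least see, because the DHCP server logs every lease it grants. The following is an added example, not from the book, that reads ISC dhcpd syslog lines and reports every `DHCPACK` issued to a MAC address that is not in the plan's inventory. The `KNOWN_CLIENTS` inventory and the log lines are constructed for this example; the `DHCPACK on <ip> to <mac> (<hostname>) via <interface>` line shape is dhcpd's own.

```python
"""Flag DHCP leases granted to clients absent from the documented inventory."""
import re

# Hypothetical inventory (an assumption for this example): the MAC address of
# every desktop and server the plan documents, lowercase, colon-separated.
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": "alice-pc",
    "00:11:22:33:44:66": "bob-laptop",
    "00:50:56:aa:bb:cc": "print1",
}

# ISC dhcpd syslog line, for example:
#   Mar  3 09:12:44 dhcp1 dhcpd[1822]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (alice-pc) via eth0
# The "(hostname)" part is absent when the client sent no host name.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(log_text):
    """Yield (ip, mac, hostname, interface) for every DHCPACK in the log.

    DHCPDISCOVER/OFFER/REQUEST lines are ignored: only an ACK means an
    address was actually handed out. MACs are normalised to lowercase so
    the inventory lookup does not depend on the log's letter case.
    """
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield (m["ip"], m["mac"].lower(), m["host"] or "", m["iface"])


def unknown_leases(log_text, inventory=KNOWN_CLIENTS):
    """Return leases granted to MACs not in the inventory.

    One entry per unknown MAC, carrying the most recent address seen, so a
    device that renews several times is reported once.
    """
    latest = {}
    for ip, mac, host, iface in parse_acks(log_text):
        if mac not in inventory:
            latest[mac] = (ip, mac, host, iface)
    return sorted(latest.values())


# Constructed sample dhcpd log: two known clients and one unknown device that
# obtained an address twice over the wireless interface.
SAMPLE_LOG = """\
Mar  3 09:12:40 dhcp1 dhcpd[1822]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 09:12:44 dhcp1 dhcpd[1822]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (alice-pc) via eth0
Mar  3 09:13:01 dhcp1 dhcpd[1822]: DHCPACK on 10.0.0.57 to DE:AD:BE:EF:00:01 via wlan0
Mar  3 09:14:10 dhcp1 dhcpd[1822]: DHCPACK on 10.0.0.24 to 00:11:22:33:44:66 (bob-laptop) via eth0
Mar  3 09:20:33 dhcp1 dhcpd[1822]: DHCPACK on 10.0.0.58 to DE:AD:BE:EF:00:01 via wlan0
"""

if __name__ == "__main__":
    for ip, mac, host, iface in unknown_leases(SAMPLE_LOG):
        print(f"unknown client {mac} ({host or 'no hostname'}) got {ip} via {iface}")
```

On the sample this reports the single unknown MAC with its latest address, 10.0.0.58, and the interface it arrived on. The check only tells you after the fact that an unplanned device received an address; it complements, rather than replaces, the decision in the plan about whether dynamic addressing is acceptable on a given segment.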
Benefits of Removing Protocols and Services
Deploying a server out of the box may leave services installed that actually pose security risks. An unconfigured server is a server looking to be hacked. Therefore, you need to determine which services can be uninstalled or disabled. It is not wise to run services that aren't going to be used. If they are left installed and improperly configured, someone else may use them to do harm to the network. This can happen from inside the network as well as from the outside. These days, more harm is done by disgruntled and curious employees than by outside hackers.
Remember that secure networks require planning time. Companies have a tendency to want to deploy new technology as fast as they can to take advantage of what it can do for them. The number of configuration options offered in each new operating system increases faster than we can imagine. Being able to identify and implement only the necessary services and protocols required is a skill that must be learned. This approach helps reduce the attacks that affect every network.