The attack surface

Jabez Gan, a fellow MVP, did an interesting book review – that of Professional Windows Desktop and Server Hardening by Roger A. Grimes, published by Wrox. Jabez summarises his learnings from the book in 10 points:

1. To Linux fans out there: Whatever is Popular Gets Hacked. How true is this statement? You might be saying that Windows is full of exploits because it is unstable and vulnerable. If it’s the days of Windows 9x/NT, I would agree with you that Windows isn’t that secure. However things have changed, thus vulnerabilities have decreased tremendously.

If you think about Apache, you’ll notice that it has more vulnerabilities than IIS. (Since Apache is more widely used).

2. Don’t Let End Users Make Security Decisions. Heck I don’t even trust end users myself, so why should we let them make security decisions? They will only increase our workload when they submit support tickets!

3. Security-by-Obscurity Works! Change to some random port for our RDP (remote desktop protocol) instead of the usual 3389. Change to some random port for our HTTP instead of the default port 80 (do this only for internal users, not external users).

4. Assume Firewalls and Antivirus Software Will Fail. I’ve been doing some consulting for a few companies, and this statement is true. Updated antivirus software with properly configured firewall isn’t enough. Malware nowadays comes through port 80 and Antivirus doesn’t work as great when it comes to detecting new viruses.

5. Minimize Potential Attack Vectors, Decrease Attack Space. Everybody knows this. Disable services or programs that you do not need. Close the ports you do not need. Use IPSec for communications between machines.

6. RunAs. Remember the long forgotten RunAs? Administrators should provide users (and themselves) with limited user accounts (LUA) and use the RunAs if they want to install applications. Also, I’ve learnt not to provide users with the permission to install new applications. It must be done by an administrator.

7. Keep Patches Updated. To cut things short, Keep Patches Updated. All of you know why.

8. Use a Host-Based Firewall. Who said Windows XP SP2’s firewall isn’t good? It is a host based firewall… Nah, it doesn’t provide Outgoing firewall monitoring. So use a 3rd party instead. ;)

9. Rename Admin and Highly Privileged Accounts. Scripts or hackers will try to hack through the system through the default administrator account. So on every installation of Windows (or any OS or applications), rename the default high privileged accounts.

10. Install High-Risk Software (IIS) to Non-Default Folders. I know lots of you out there will just install everything to the default folder, but here’s a tip: Don’t! Take the hassle to reconfigure things if you have IIS installed to the default folder. I know it will break some web app (if you have any) but do you want to fix your web app or secure your server?

Interesting. Let’s analyse. The first thing that comes to mind is that renaming admin and highly-privileged accounts and installing software to non-default folders are variations of the security-through-obscurity approach – as is using non-default ports for IP services. Incidentally, that contradicts one of the sysadmin principles that I follow – Use Defaults Whenever Possible. Using the defaults keeps the configuration predictable and allows quicker problem resolution, which is good for security. Another note is about renaming high-privileged accounts – in a properly run environment there should be none in day-to-day use, so what is renaming supposed to achieve?

Minimize Potential Attack Vectors, Decrease Attack Space sounds like stating the obvious – besides, there’s at least one thing that is not so obvious here: security through obscurity leaves the attack surface intact, not cutting it even the tiniest bit. A service listening on port 33890 instead of 3389 is exactly as reachable and exactly as exploitable, and a port scan finds it in seconds. Proper systems management (removing or disabling what is not needed) and access control (restricting who can reach what is left) are what shrink it.
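To make the difference concrete, here is an added example (mine, not from the post or the book): a PowerShell audit that lists what a Windows host actually exposes, each listening TCP port with its owning process and hosted services, and flags whatever is outside an allow-list. The allow-list and the Remote Registry remediation at the end are assumptions for a hypothetical file/RDP server. A relocated RDP listener shows up in this list just like the default one; only stopping and disabling the owning service makes the line disappear. Requires the NetTCPIP module (Windows 8 / Server 2012 and later) and an elevated prompt so that every service maps to its process.

```powershell
# Added example, not from the original post or the book it reviews.
# Enumerates the real attack surface of a Windows host: every non-loopback
# TCP listener, mapped to its process and the services hosted in that process,
# compared against the ports the host is supposed to expose.

$AllowedPorts = @(445, 3389)   # assumption: SMB and RDP are the only intended services

# Map process IDs to the Windows services running inside them (svchost hosts many).
$ServicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $pid = [int]$_.ProcessId
        if (-not $ServicesByPid.ContainsKey($pid)) { $ServicesByPid[$pid] = @() }
        $ServicesByPid[$pid] += $_.Name
    }

# Every listener that is reachable from the network, i.e. not bound to loopback only.
$Listening = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Pid      = $_.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Services = ($ServicesByPid[[int]$_.OwningProcess] -join ',')
            Allowed  = $AllowedPorts -contains $_.LocalPort
        }
    } | Sort-Object Port, Address

$Listening | Format-Table -AutoSize

# Anything not in the allow-list is attack surface that renumbering the port
# would not remove: the listener is still there, just on a different number.
$Listening | Where-Object { -not $_.Allowed } | ForEach-Object {
    Write-Warning ("Unexpected listener on port {0} ({1}; services: {2})" -f
        $_.Port, $_.Process, $_.Services)
}

# Remediation that does shrink the surface: stop and disable the owning service.
# Remote Registry is used here purely as an illustration; -WhatIf only reports
# what would be done. Remove -WhatIf once the service is confirmed unneeded.
Stop-Service -Name RemoteRegistry -WhatIf
Set-Service -Name RemoteRegistry -StartupType Disabled -WhatIf
```

Run it before and after a hardening change and diff the two tables: a port move produces a changed line, a disabled service produces a missing one, and only the latter is a smaller attack surface.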

Should we disallow end users installing software and making any security decisions? The proper question here is – are you ready to make all the decisions on the users’ behalf? A personal firewall is a good example. Controlling outbound communication sounds like good security (and so may denying all of it by default) – but are you ready to make the decisions for the users wherever they are, for every application they run? In any environment of scale, you won’t be able to cope – thus the users must have a level of freedom here. They are already trusted with the business information that you’re trying to protect. A better rule is to disallow users making decisions that will impact other users.
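As an added example of that rule (not code from the original post), the following PowerShell sets a host-firewall policy on a workstation: the administrator decides only the things that affect other machines (no workstation-to-workstation SMB or RDP, inbound RDP only from management hosts) and leaves the default outbound action at Allow, so the user’s own application traffic is not something the admin has to rule on case by case. The subnets and rule names are assumptions. Requires Windows Firewall with Advanced Security and the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example, not from the original post or the book it reviews.
# Host-firewall policy for a workstation that encodes "users may not make
# decisions that impact other users" without making every decision for them.

$WorkstationSubnet = '10.20.0.0/16'    # assumption: where the workstations live
$ManagementSubnet  = '10.20.250.0/24'  # assumption: where the admin jump hosts live

# Inbound is denied by default; outbound is left at Allow on purpose. A default
# outbound deny would put every application the user runs on the admin's desk.
Set-NetFirewallProfile -Profile Domain,Private `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# What the admin does decide: one workstation has no business speaking SMB or
# RDP to another. This limits what a compromised box can do to its peers
# (the decision that affects other users) and nothing else.
New-NetFirewallRule -DisplayName 'Block workstation-to-workstation SMB' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
    -RemoteAddress $WorkstationSubnet -Profile Domain,Private

New-NetFirewallRule -DisplayName 'Block workstation-to-workstation RDP' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 3389 `
    -RemoteAddress $WorkstationSubnet -Profile Domain,Private

# The user does not get to open the box to others either: RDP is reachable
# only from the management subnet, everything else stays at the profile default.
New-NetFirewallRule -DisplayName 'Allow RDP from management hosts' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Profile Domain,Private

# Verify what ended up in place.
Get-NetFirewallRule -DisplayName 'Block workstation-to-workstation *', 'Allow RDP from management hosts' |
    Get-NetFirewallPortFilter | Format-Table -AutoSize
```

Everything the user might reasonably need outbound (a web browser, a VPN client, an odd line-of-business tool) still works without a ticket; the three rules that are enforced are the ones whose absence would let one user’s mistake reach another user’s machine.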

And the final note is about Whatever is Popular Gets Hacked. Reality gives it an interesting twist: whatever is not popular also gets hacked – but hardly anyone notices, and often nobody knows. Obscure systems with zero known vulnerabilities should never be considered safe; zero known vulnerabilities usually means zero people looking.
