Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?


From: "Bill Royds" <Bill () royds net>
Date: Fri, 16 May 2003 08:24:14 -0400

Interestingly, the new Windows 2003 server is set up with nearly all
services turned off and a requirement for the installer to decide on what is
needed to run on the machine. As well as being good for security, it has the
added advantage of speeding the server up. There are many fewer daemons
running in the background taking CPU cycles and memory.

Perhaps Microsoft has been listening to these rants.

----- Original Message ----- 
From: "Devdas Bhagat" <dvb () users sourceforge net>
To: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, May 14, 2003 6:00 PM
Subject: Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?


: On 14/05/03 14:12 -0400, Carson Gaspar wrote:
: <snip>
: > An attacker is left with no method for privilege escalation. Removing
: > binaries only stops script kiddies - anyone who has access to run processes
: > on your box can install anything they want (assuming they can create
: > executable files).
: It isn't the script kiddie that this defends against, it is the clueless
: admin who should never have had that level of access in the first place.
: Lacking easy access to tools can mean the difference between said admin
: having to ask for help and not doing damage to a system with a libc
: upgrade without really understanding what it will break, and said admin
: damaging the system badly enough to have to run for backup tapes and
: upgrade disks.
:
: I personally have found that a centralized build system with proper
: distribution of binaries helps in /keeping/ boxes locked down and
: synchronized.
:
: The administrator does not have to worry about building software on
: multiple systems, just on one. The lesser the stuff installed, the fewer
: vulnerabilities to watch out for.
: If something is installed, it can easily be activated by another
: application/upgrade/newbie admin. What is not installed, will not be
: activatable, and the admin doesn't need to worry about having to patch a
: bunch of applications for a bug that should not be important but ends up
: being so.
:
: To sum up, not installing stuff is a precaution against accidents rather
: than a defense against malicious attackers, even though it does act as
: an additional step in filtering them out.
:
: Start small, and build up as needed is a much easier way of building
: servers, rather than start with everything and then strip out what is
: not needed. At least with Unix like systems, individual services can be
: turned off, with a system like Windows, it is hard for the average admin
: to know what to safely turn off.
:
: Devdas Bhagat
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
