Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: "Bill Royds" <Bill () royds net>
Date: Fri, 16 May 2003 08:24:14 -0400
Interestingly, the new Windows 2003 server is set up with nearly all services turned off and a requirement for the installer to decide on what is needed to run on the machine. As well as being good for security, it has the added advantage of sppeding the server up. There are many fewer daemons running in the background taking CPU cycles and memory. Perhaps Microsoft has been listening to these rants. ----- Original Message ----- From: "Devdas Bhagat" <dvb () users sourceforge net> To: <firewall-wizards () honor icsalabs com> Sent: Wednesday, May 14, 2003 6:00 PM Subject: Re: [fw-wiz] Custom Unix server installations -- to harden extensively ? : On 14/05/03 14:12 -0400, Carson Gaspar wrote: : <snip> : > An attacker is left with no method for privilege escalation. Removing : > binaries only stops script kiddies - anyone who has access to run processes : > on your box can install anything they want (assuming they can create : > executable files). : It isn't the script kiddie that this defends against, it is the clueless : admin who should never have had that level of access in the first place. : Lacking easy access to tools can mean the difference between said admin : having to ask for help and not doing damage to a system with a libc : upgrade without really understanding what it will break, and said admin : damaging the system badly enough to have to run for backup tapes and : upgrade disks. : : I personally have found that a centralized build system with proper : distribution of binaries helps in /keeping/ boxes locked down and : synchronized. : : The administrator does not have to worry about building software on : multiple systems, just on one. The lesser the stuff installed, the fewer : vulnerabilities to watch out for. : If something is installed, it can easily be activated by another : application/upgrade/newbie admin. What is not installed, will not be : activatable, and the admin doesn't need to worry about having to patch a : bunch of applications for a bug that should not be important but ends up : being so. : : To sum up, not installing stuff is a precaution against accidents rather : than a defense against malicious attackers, even though it does act as : an additional step in filtering them out. : : Start small, and build up as needed is a much easier way of building : servers, rather than start with everything and then strip out what is : not needed. At least with Unix like systems, individual services can be : turned off, with a system like Windows, it is hard for the average admin : to know what to safely turn off. : : Devdas Bhagat : _______________________________________________ : firewall-wizards mailing list : firewall-wizards () honor icsalabs com : http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Custom Unix server installations -- to harden extensively ? Julian Gomez (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Paul Robertson (May 13)
- Re: Custom Unix server installations -- to harden extensively ? John Adams (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Julian Gomez (May 15)
- RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 14)
- RE: Custom Unix server installations -- to harden extensively ? Ben Nagy (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Carson Gaspar (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Bill Royds (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Marcus J. Ranum (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Matthew Kirkwood (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Crispin Cowan (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Mason Schmitt (May 15)
- <Possible follow-ups>
- RE: Custom Unix server installations -- to harden extensively ? salgak (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Barney Wolff (May 15)
- RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 16)
- RE: Custom Unix server installations -- to harden extensively ? R. DuFresne (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Barney Wolff (May 15)