Now, after considering a number of basic system weaknesses and routes to exploitation, it should surprise no one that our correspondent, Rich, was let down by his firewall and antivirus software. Still, we can control many of the risks that firewalls and AV packages canít. There are two essential elements:
This involves a bit of work, especially for Windows users, but itís not difficult.
What follows is a detailed set of instructions for both Windows and Linux users to strengthen security by disabling unnecessary services and setting up a multiuser environment the right way. It may be helpful to owners of single-user systems, but to enjoy the full security benefits, a multiuser system is crucial. Again, I strongly urge users of Windows 3.x, 9x, and Me to install Windows XP, or better yet, Linux. Windows Services
Both Windows and Linux make numerous services available to applications and to local and remote users. A fair number are superfluous on the typical home system and merely act as potential security holes that may one day be exploited, if they havenít been already. Services are important vectors of exploitation, generally attacked by worms and by the more capable class of malicious hacker.
Unfortunately, with Windows, disabling services can be a tricky affair: there are quite a few dependencies, and you can inadvertently disable desirable functions or even make your system unstable if you get too aggressive. However, unnecessary services are a route to exploitation and a waste of system resources to boot, so itís worth doing away with as many as you can.
To see which services are running on Windows
3. Use the right-click menu to display the properties of the service
4. You will find four tabs at the top of the dialog: General, Log On,
You will notice right away that the descriptions tell you little of value, such as how much memory the service uses, how many remote exploits have been found against it, or whether or not you can safely disable it. Iím going to list services with security implications that can usually be disabled safely on a machine that is not providing network services over a LAN but is used for Internet access. Unfortunately, Microsoft enables most of them by default, so disabling all the risky ones will be tedious and time consuming, though itís very important that you press on and get it done. Itís best to stop a service using the Properties dialog as described previously, then use the system normally for a while and observe its behavior. You can usually reenable a service if shutting it off causes problems. If nothing untoward happens after a bit of daily use, you can disable it permanently.
Now letís look at the most important insecure services enabled by default on Windows:
Automatic Updates: This service will automatically connect to the Internet, check for available patches, and install them. I recommend running Windows Update manually and choosing the upgrades and patches to be downloaded, unless you like the idea of letting Microsoft decide what code belongs on your system and when it should be installed. Set it to Disabled. (But donít forget to run the update manually on a regular basis. Just click on Start -> Windows Update.)
ClipBook: This service stores cut and paste information and allows you to share it with other computers. It multiplies data traces, which complicates the practice of good data hygiene, and also wastes memory. Set it to Disabled.
Error Reporting Service: This service phones home to Microsoft when application errors occur. Set it to Disabled.
Indexing Service: This service essentially maintains data about your data (i.e., metadata) to speed up searching the local drive and the contents of files. It multiplies data traces, completely undermines the practice of good data hygiene, and wastes a good deal of memory. Set it to Disabled.
Internet Information Service (IIS): This is Microsoftís notoriously insecure Web server. It is usually not installed on XP systems, but if it has been installed it should be uninstalled with prejudice unless youíre actually using it. If you need a Web server, Apache for Windows is a safer alternative that I recommend. However, you should never install any sort of server on a home system unless you need one and know how to run it securely.
Messenger: Often called Windows Messenger, this service broadcasts messages on a network. It is not the MSN Messenger chat client. It is often exploited to broadcast spam across the Internet but has no other useful function on a home or small business network, though it can be useful on large networks when the administrator needs to broadcast a message to all users. Set it to Disabled.
Net Logon: This service allows logging on to a domain controller. This is not required for home and small office networks. Set it to Disabled unless your machine is a member of a domain.
NetMeeting Remote Desktop Sharing: This service permits others to access your computer using NetMeeting. This is a major security hole. Set it to Disabled unless you need it.
Network DDE: This service enables applications on different computers to share data. Itís of no use to most home and SOHO users. Set it to Disabled.
Network DDE DSDM: This service manages network shares. Itís of no use to most home and SOHO users. Set it to Disabled.
Network Location Awareness: This service collects location and configuration information about networked computers. Itís of no use to most home and SOHO users. Set it to Disabled.
Protected Storage: This service saves your login passwords for e-mail, your ISP, and the like. This is not dangerous on a properly configured PC, but I do recommend disabling it on laptop computers, which have a tendency to grow legs. If your laptop is stolen, stored passwords will enable the thief to access your ISP account, VPN, e-mail, etc. Set it to Disabled on laptop computers, and get into the habit of logging in manually.
QoS RSVP: This service provides network traffic information to certain applications. Itís of no use to most home and SOHO users. Set it to Disabled.
Remote Access Auto Connection Manager: This service creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. In other words, itís a shortcut for embedded links. Set it to Disabled unless you need it.
Remote Access Connection Manager: This service establishes a network connection when Windows Internet Connection Sharing is in use. Using a router for connection sharing makes this service unnecessary. Set it to Disabled unless you need it.
Remote Desktop Help Session Manager: This service controls the Windows Remote Assistance feature, which allows remote users, such as malicious script kiddies, to connect to your machine and tweak all its settings. I strongly recommend against using this service; it is far too susceptible to abuse. Set it to Disabled.
Remote Packet Capture Protocol: This service allows remote users to intercept packet traffic on your machine. This is useful for remote administration, but it is suicidal otherwise. A great boon to malicious hackers and script kiddies: set it to Disabled, with prejudice.
Remote Registry Service: This service allows remote users, such as malicious script kiddies, to tweak your Registry settings to their liking. Set it to Disabled.
Routing and Remote Access: This service allows other computers to dial in to yours through a modem to access the local network. You may need it for some VPN software. Unless you need it, set it to Disabled.
Server: This service permits file and print sharing from your computer, which is a very foolish thing to allow if the computer also connects to the Internet. Unless you are using these features (and preferably on a LAN only), set it to Disabled.
SNMP Service: This is a network monitoring service. It is not necessary on most home or small office computers. Set it to Disabled.
SNMP Trap Service: This service handles messages exchanged between SNMP agents on networked computers. Itís of no use to most home and SOHO users. Set it to Disabled.
SSDP Discovery Service: This service enables discovery of UPnP (Universal Plug and Play) devices on your network. UPnP is very insecure, easily exploited, and should never be used on a machine with Internet access (see UPnP later on this list). Set it to Disabled.
TCP/IP NetBIOS Helper Service: This service provides support for NetBIOS over TCP/IP. However, you should not be using NetBIOS over TCP/IP because it is very insecure. Uninstall NetBIOS if you have it (see the instructions that follow), then set this ďhelper serviceĒ to Disabled.
Telnet: This is a very insecure mechanism allowing remote users to log on to your computer. Never make Telnet available for any reason. If it is installed, set it to Disabled.
Terminal Services: This is an insecure service allowing remote users to log on to your computer. However, a very useful feature called Fast User Switching depends on it. Fast User Switching allows users to move between accounts without ending their sessions. Tasks in one account will remain active while another user is logged in. Unfortunately, Microsoft has made this handy feature dependent on an insecure service. If you disable Terminal Services, your computer will be more secure, but whenever you log out of an account you will have to save all your work because your applications and tasks will be shut down. Choose your poison.
Universal Plug and Play (UPnP): Donít confuse this with Plug and Play, which is useful and safe. The UPnP service detects and configures UPnP-compatible devices over a network. It is very susceptible to remote exploitation, so set it to Disabled. It works with the SSDP Discovery Service, which should also be set to Disabled (see SSDP Discovery Service earlier on this list).
Upload Manager: This service manages file transfers between clients and servers on a network. Very few home users will have any use for it. It also phones home to Microsoft seeking driver information when devices are installed. Set it to Disabled.
WebClient: This service allows Windows and MS applications to modify Web-based content. Some Microsoft applications may need it. If you have difficulty with MSN Messenger or Media Player, you may need to enable WebClient later. However, if you follow my recommendations and substitute more secure Internet clients for the ones Microsoft supplies, there is little chance you will ever need this service. Set it to Disabled.
Thereís a crucial service that cannot be disabled in Windows, which is unfortunate because it is exceptionally insecure. Itís called remote procedure call (RPC), and it allows one computer to execute code on another across a network. This is fine on a LAN, but it is extremely risky if the computer is connected to the Internet. Sadly, the roster of services and applications that Microsoft has chosen to make dependent on RPC is enormous. Disabling it can leave your computer unstable, and, in some situations, unbootable. RPC is essentially a security hole that you canít live without. The only practical solution is to set your firewall to block TCP/UDP ports 135Ė139, 445, and 593. Home users may not be able to configure their firewalls to block specific ports, but a good packet filter or router capable of stateful packet inspection should prove adequate.
It is important to uninstall TCP/IP NetBIOS. This is not a good service to have on any machine connected to the Internet. To remove it, follow these steps:
5. Choose the option labeled Disable NetBIOS over TCP/IP at the
There is one more notoriously insecure service that we need to disable on Windows, called DCOM (Distributed Component Object Model), which enables software components to communicate directly over a network. It is quite unnecessary for home users, terribly obscure, and the particular service that enabled the MSBlaster worm to attack the Windows RPC service. Power users can open the Registry and alter the key HKEY_LOCAL_MACHINE\Software\Microsoft \OLE\EnableDCOM with a value of N and reboot. Novices should disable DCOM thus:
3. In the left pane, right-click on My Computer and choose
4. Choose the Default Properties tab on the My Computer
By disabling insecure services, not only do you shut off many vectors of attack and exploitation, you also create a second line of defense in case you miss an important security patch. This is not to say that you should get careless with system updates, but itís good to know that if you should miss an important security fix, thereís at least a decent chance that the vulnerable item will have been disabled and the problem therefore will not affect you. Disabling unnecessary services is a good proactive step that can protect you from new exploits, viruses, and worms before they become widely known and before patches become available. For example, if you had disabled DCOM before the Blaster worm struck, you would have been blithely unaware of it.
blog comments powered by Disqus