Defense - Security

Now, after considering a number of basic system weaknesses and routes to exploitation, it should surprise no one that our correspondent, Rich, was let down by his firewall and antivirus software. Still, we can control many of the risks that firewalls and AV packages can’t. There are two essential elements:

• Disabling unnecessary services to reduce our attack profile

• “Sandboxing” users, or limiting their access to the system so that the code they run will also have limited access

This involves a bit of work, especially for Windows users, but it’s not difficult.

NOTE  In order to make the following Windows configuration instructions and their accompanying screen shots easier for Win-NT and Win-2K users to follow, they will be shown in the default Windows XP theme.Win-XP users should change their Start Menu theme to Classic in order to harmonize their screens with our examples. Simply go to the desktop Start Menu and select Control Panel ? Taskbar and Start Menu. A dialog will pop up. Click on the Start Menu tab at the top of the dialog and then choose Classic Start Menu. Click Apply and clear the dialog.

What follows is a detailed set of instructions for both Windows and Linux users to strengthen security by disabling unnecessary services and setting up a multiuser environment the right way. It may be helpful to owners of single-user systems, but to enjoy the full security benefits, a multiuser system is crucial. Again, I strongly urge users of Windows 3.x, 9x, and Me to install Windows XP, or better yet, Linux.

Windows Services

Both Windows and Linux make numerous services available to applications and to local and remote users. A fair number are superfluous on the typical home system and merely act as potential security holes that may one day be exploited, if they haven’t been already. Services are important vectors of exploitation, generally attacked by worms and by the more capable class of malicious hacker.

Unfortunately, with Windows, disabling services can be a tricky affair: there are quite a few dependencies, and you can inadvertently disable desirable functions or even make your system unstable if you get too aggressive. However, unnecessary services are a route to exploitation and a waste of system resources to boot, so it’s worth doing away with as many as you can.

NOTE  All of the Windows-related instructions in this chapter assume that you have already logged in to your administrator account on Windows XP.

To see which services are running on Windows

1. Go to the Start menu, choose Run, and type in services.msc. Click OK.

2. You will now be confronted with an enormous list of running services with obscure names like Application Layer Gateway Service, Background Intelligent Transfer Service, and COM+ Event System (Figure 2-1). Highlight any service and right-click. You will get a menu allowing you to start it, stop it, or view its properties.

   3.  Use the right-click menu to display the properties of the service
       you chose above. The Properties dialog will launch (Figure 2-2).

   4. You will find four tabs at the top of the dialog: General, Log On,
       Recovery, and Dependencies. The General tab will show you the
       service’s name, a brief description, the path to the relevant
       executable file, a drop-down menu allowing you to choose how it
       should start (i.e., Automatic, Manual, or Disabled), and finally,
       four buttons allowing you to start, stop, pause, and resume the
       service. 

 &nb

     Figure  2-1.  The Windows Services  menu with the        Remote Access Connection Manager service highlighted

 
Figure 2-2.  The Properties dialog associated with the Remote Access Connection Manager service

You will notice right away that the descriptions tell you little of value, such as how much memory the service uses, how many remote exploits have been found against it, or whether or not you can safely disable it. I’m going to list services with security implications that can usually be disabled safely on a machine that is not providing network services over a LAN but is used for Internet access. Unfortunately, Microsoft enables most of them by default, so disabling all the risky ones will be tedious and time consuming, though it’s very important that you press on and get it done. It’s best to stop a service using the Properties dialog as described previously, then use the system normally for a while and observe its behavior. You can usually reenable a service if shutting it off causes problems. If nothing untoward happens after a bit of daily use, you can disable it permanently.

Now let’s look at the most important insecure services enabled by default on Windows:

Automatic Updates: This service will automatically connect to the Internet, check for available patches, and install them. I recommend running Windows Update manually and choosing the upgrades and patches to be downloaded, unless you like the idea of letting Microsoft decide what code belongs on your system and when it should be installed. Set it to Disabled. (But don’t forget to run the update manually on a regular basis. Just click on Start -> Windows Update.)

ClipBook: This service stores cut and paste information and allows you to share it with other computers. It multiplies data traces, which complicates the practice of good data hygiene, and also wastes memory. Set it to Disabled.

Error Reporting Service: This service phones home to Microsoft when application errors occur. Set it to Disabled.

Indexing Service: This service essentially maintains data about your data (i.e., metadata) to speed up searching the local drive and the contents of files. It multiplies data traces, completely undermines the practice of good data hygiene, and wastes a good deal of memory. Set it to Disabled.

Internet Information Service (IIS): This is Microsoft’s notoriously insecure Web server. It is usually not installed on XP systems, but if it has been installed it should be uninstalled with prejudice unless you’re actually using it. If you need a Web server, Apache for Windows is a safer alternative that I recommend. However, you should never install any sort of server on a home system unless you need one and know how to run it securely.

Messenger: Often called Windows Messenger, this service broadcasts messages on a network. It is not the MSN Messenger chat client. It is often exploited to broadcast spam across the Internet but has no other useful function on a home or small business network, though it can be useful on large networks when the administrator needs to broadcast a message to all users. Set it to Disabled.

Net Logon: This service allows logging on to a domain controller. This is not required for home and small office networks. Set it to Disabled unless your machine is a member of a domain.

NetMeeting Remote Desktop Sharing: This service permits others to access your computer using NetMeeting. This is a major security hole. Set it to Disabled unless you need it.

Network DDE: This service enables applications on different computers to share data. It’s of no use to most home and SOHO users. Set it to Disabled.

Network DDE DSDM: This service manages network shares. It’s of no use to most home and SOHO users. Set it to Disabled.

Network Location Awareness: This service collects location and configuration information about networked computers. It’s of no use to most home and SOHO users. Set it to Disabled.

Protected Storage: This service saves your login passwords for e-mail, your ISP, and the like. This is not dangerous on a properly configured PC, but I do recommend disabling it on laptop computers, which have a tendency to grow legs. If your laptop is stolen, stored passwords will enable the thief to access your ISP account, VPN, e-mail, etc. Set it to Disabled on laptop computers, and get into the habit of logging in manually.

QoS RSVP: This service provides network traffic information to certain applications. It’s of no use to most home and SOHO users. Set it to Disabled.

Remote Access Auto Connection Manager: This service creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. In other words, it’s a shortcut for embedded links. Set it to Disabled unless you need it.

Remote Access Connection Manager: This service establishes a network connection when Windows Internet Connection Sharing is in use. Using a router for connection sharing makes this service unnecessary. Set it to Disabled unless you need it.

Remote Desktop Help Session Manager: This service controls the Windows Remote Assistance feature, which allows remote users, such as malicious script kiddies, to connect to your machine and tweak all its settings. I strongly recommend against using this service; it is far too susceptible to abuse. Set it to Disabled.

Remote Packet Capture Protocol: This service allows remote users to intercept packet traffic on your machine. This is useful for remote administration, but it is suicidal otherwise. A great boon to malicious hackers and script kiddies: set it to Disabled, with prejudice.

Remote Registry Service: This service allows remote users, such as malicious script kiddies, to tweak your Registry settings to their liking. Set it to Disabled.

Routing and Remote Access: This service allows other computers to dial in to yours through a modem to access the local network. You may need it for some VPN software. Unless you need it, set it to Disabled.

Server: This service permits file and print sharing from your computer, which is a very foolish thing to allow if the computer also connects to the Internet. Unless you are using these features (and preferably on a LAN only), set it to Disabled.

SNMP Service: This is a network monitoring service. It is not necessary on most home or small office computers. Set it to Disabled.

SNMP Trap Service: This service handles messages exchanged between SNMP agents on networked computers. It’s of no use to most home and SOHO users. Set it to Disabled.

SSDP Discovery Service: This service enables discovery of UPnP (Universal Plug and Play) devices on your network. UPnP is very insecure, easily exploited, and should never be used on a machine with Internet access (see UPnP later on this list). Set it to Disabled.

TCP/IP NetBIOS Helper Service: This service provides support for NetBIOS over TCP/IP. However, you should not be using NetBIOS over TCP/IP because it is very insecure. Uninstall NetBIOS if you have it (see the instructions that follow), then set this “helper service” to Disabled.

Telnet: This is a very insecure mechanism allowing remote users to log on to your computer. Never make Telnet available for any reason. If it is installed, set it to Disabled.

Terminal Services: This is an insecure service allowing remote users to log on to your computer. However, a very useful feature called Fast User Switching depends on it. Fast User Switching allows users to move between accounts without ending their sessions. Tasks in one account will remain active while another user is logged in. Unfortunately, Microsoft has made this handy feature dependent on an insecure service. If you disable Terminal Services, your computer will be more secure, but whenever you log out of an account you will have to save all your work because your applications and tasks will be shut down. Choose your poison.

Universal Plug and Play (UPnP): Don’t confuse this with Plug and Play, which is useful and safe. The UPnP service detects and configures UPnP-compatible devices over a network. It is very susceptible to remote exploitation, so set it to Disabled. It works with the SSDP Discovery Service, which should also be set to Disabled (see SSDP Discovery Service earlier on this list).

Upload Manager: This service manages file transfers between clients and servers on a network. Very few home users will have any use for it. It also phones home to Microsoft seeking driver information when devices are installed. Set it to Disabled.

WebClient: This service allows Windows and MS applications to modify Web-based content. Some Microsoft applications may need it. If you have difficulty with MSN Messenger or Media Player, you may need to enable WebClient later. However, if you follow my recommendations and substitute more secure Internet clients for the ones Microsoft supplies, there is little chance you will ever need this service. Set it to Disabled.

There’s a crucial service that cannot be disabled in Windows, which is unfortunate because it is exceptionally insecure. It’s called remote procedure call (RPC), and it allows one computer to execute code on another across a network. This is fine on a LAN, but it is extremely risky if the computer is connected to the Internet. Sadly, the roster of services and applications that Microsoft has chosen to make dependent on RPC is enormous. Disabling it can leave your computer unstable, and, in some situations, unbootable. RPC is essentially a security hole that you can’t live without. The only practical solution is to set your firewall to block TCP/UDP ports 135–139, 445, and 593. Home users may not be able to configure their firewalls to block specific ports, but a good packet filter or router capable of stateful packet inspection should prove adequate.

It is important to uninstall TCP/IP NetBIOS. This is not a good service to have on any machine connected to the Internet. To remove it, follow these steps:

1. Go to the Start menu and choose Settings -> Network Connections or -> Control Panel -> Network Connections. Click on your network connection device, then on the Properties button.

2. A dialog will launch. Under the General tab you will find your installed network protocols, services, and clients. If your PC is used for Internet access and does not require additional networking capability, you should uninstall everything except Internet Protocol (TCP/IP). Get rid of File and Print Sharing, NetBIOS, Client for Microsoft Networks (unless you use PGP), and the rest of these superfluous whistles and bells. TCP/IP is the only component you need for an Internet connection to work.

3. After uninstalling all the unnecessary networking components, left-click on Internet Protocol (TCP/IP) to launch its Properties dialog.

4. Click the Advanced button and another dialog will launch, labeled Advanced TCP/IP Settings. Choose the WINS tab at the top (Figure 2-3).

   5.  Choose the option labeled Disable NetBIOS over TCP/IP at the 
        bottom. You will need to reboot for all of these settings to take  
        effect.

Figure 2-3.  The Advanced TCP/IP Settings dialog with proper WINS settings

There is one more notoriously insecure service that we need to disable on Windows, called DCOM (Distributed Component Object Model), which enables software components to communicate directly over a network. It is quite unnecessary for home users, terribly obscure, and the particular service that enabled the MSBlaster worm to attack the Windows RPC service. Power users can open the Registry and alter the key HKEY_LOCAL_MACHINE\Software\Microsoft \OLE\EnableDCOM with a value of N and reboot. Novices should disable DCOM thus:

1. Go to the Start menu, choose Run, and type in dcomcnfg. Click OK, and the Component Services dialog will launch.

2. In the left pane, choose the menu item Component Services and expand the tree below it. Next choose Computers, expand the tree again, and choose My Computer.

   3.   In the left pane, right-click on My Computer and choose
         Properties from the drop-down menu (Figure 2-4). The My
         Computer Properties dialog will launch.

   4.   Choose the Default Properties tab on the My Computer
         Properties dialog and clear the checkbox in front of the option
         Enable Distributed COM on this computer (Figure 2-5). You will
         need to reboot for the change to take effect. If the option is
         not available, you’ll need to use the Registry hack mentioned
         earlier.

Figure 2-4.  The Component Service dialog with tree expanded, right-click menu activated 

 
Figure 2-5.  The My Computer Properties dialog with proper DCOM settings

By disabling insecure services, not only do you shut off many vectors of attack and exploitation, you also create a second line of defense in case you miss an important security patch. This is not to say that you should get careless with system updates, but it’s good to know that if you should miss an important security fix, there’s at least a decent chance that the vulnerable item will have been disabled and the problem therefore will not affect you. Disabling unnecessary services is a good proactive step that can protect you from new exploits, viruses, and worms before they become widely known and before patches become available. For example, if you had disabled DCOM before the Blaster worm struck, you would have been blithely unaware of it.

This chapter is from Computer Security for the Home and Small Office by Thomas C. Greene (Apress, 2004, ISBN: 1590593162). Check it out at your favorite bookstore today. Buy this book now.

>>> More Security Articles          >>> More By Apress Publishing

blog comments powered by Disqus