Workstations are particularly vulnerable in a network. Most modern workstations, regardless of their operating systems, communicate using services such as file sharing, network services, and application programs. Many of these programs have the ability to connect to other workstations or servers.
These connections are potentially vulnerable to interception and exploitation. The process of making a workstation or a server more secure is called platform hardening. The process of hardening the operating system is referred to as OS hardening. (OS hardening is part of platform hardening, but it deals only with the operating system.) Platform hardening procedures can be categorized into three basic areas:
Remove unused software, services, and processes from the workstations (for example, remove the server service from a workstation). These services and processes may create opportunities for exploitation.
Ensure that all services and applications are up-to-date (including available service and security packs) and configured in the most secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities.
Minimize information dissemination about the operating system, services, and capabilities of the system. Many attacks can be targeted at specific platforms once the platform has been identified. Many operating systems use default account names for administrative access. If at all possible, these should be changed. During a new installation of Windows Vista or Windows XP, the first user created is automatically added to the administrators group. Windows Vista then goes one step further and automatically disables the actual administrator account once another account belonging to the administrators group has been created.
Most modern server products also offer workstation functionality. In fact, many servers are virtually indistinguishable from workstations. Linux functions as both a workstation and a server in most cases.
Most successful attacks against a server will also work against a workstation, and vice versa. Additionally, servers run dedicated applications, such as SQL Server or a full-function web server.
NOTE
An early version of Internet Information Services (IIS) included a default mail system as a part of its installation. This mail system was enabled unless specifically disabled. It suffered from most of the vulnerabilities to virus and worm infections discussed in Chapter 2. Make sure your system runs only the services, protocols, and processes you need. Turn off or disable things you don't need.
When you're looking for ways to harden a server, never underestimate the obvious. You should always apply all patches and fixes that have been released for the operating system. Additionally, you should make certain you aren't running any services that aren't needed on the machine.
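One way to check a Linux host for services that aren't needed is to compare its listening sockets against an approved baseline. The following is an added example, not part of the original text; the sample `ss -H -tlnp` output and the `APPROVED` baseline are constructed for illustration.

```python
import re

# Constructed sample of `ss -H -tlnp` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1190,fd=13))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1422,fd=31))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=950,fd=7),("nginx",pid=951,fd=7))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
"""

# Hypothetical baseline: (process, port) pairs this host is meant to offer.
APPROVED = {("sshd", 22), ("systemd-resolve", 53)}

def parse_listeners(ss_output):
    """Yield (process, address, port) for each listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # The users:(...) column is missing when ss runs without privileges.
        procs = set(re.findall(r'\("([^"]+)"', line)) or {"unknown"}
        for proc in sorted(procs):
            yield proc, addr, int(port)

def audit(ss_output, approved=APPROVED):
    """Return listeners outside the baseline, network-exposed ones first."""
    findings = []
    for proc, addr, port in parse_listeners(ss_output):
        if (proc, port) in approved:
            continue
        exposed = not addr.startswith(("127.", "[::1]"))
        findings.append({"process": proc, "port": port,
                         "address": addr, "network_exposed": exposed})
    return sorted(findings, key=lambda f: (not f["network_exposed"], f["port"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        scope = "network" if f["network_exposed"] else "loopback only"
        print(f"{f['process']:<10} port {f['port']:<5} {f['address']} ({scope})")
```

On the sample, the file-sharing and web listeners are reported first because they are reachable from the network, while the mail listener bound to loopback is listed last as a lower-priority candidate for removal.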