Windows Attack Surfaces and Mitigation

Windows, like any operating system, is a collection of services provided to allow users to interact with the physical hardware. Each service provides a specific set of access methods to the hardware and functions that satisfy user requirements. In short, operating system services provide some functionality to users. Each service exposes some part of the computer to external access. Regardless of the care taken to ensure the security of the provided access, there is a risk when exposing any part of a computer to external access. All computing systems include vulnerabilities—weaknesses that can allow unauthorized access if successfully exploited. The total collection of all possible vulnerabilities that could provide unauthorized access to computer resources is referred to as the attack surface. Another way to define the attack surface is the set of all exposed vulnerabilities.

Multilayered Defense

The discipline of information security is concerned with minimizing the attack surface of any protected resource. This can be achieved by successfully removing, or substantially reducing, the ability of an attacker to conduct an attack against a vulnerability. There are several effective methods to minimize the attack surface. The most secure environments employ a combination of strategies. Most important, a solid overall security strategy avoids monolithic solutions. Relying on a single control to protect a resource increases the probability of a successful attack. Always design a defense strategy that is multilayered, which requires that multiple controls be compromised to exploit any vulnerability. Such a strategy is often called a defense-in-depth approach to security. FIGURE 2-5 shows how a multilayered defense strategy protects resources.

FIGURE 2-5 Multilayered defense. © Jones & Bartlett Learning.

At a high level, the easiest way to reduce the attack surface is to remove functionality. Suppose an attacker wants to exploit an Internet Information Services (IIS) web server vulnerability. The quickest way to deny such an attack is to disable or remove the IIS web server. Although disabling IIS may be easy, it may be unacceptable. What if the server computer in question is a web server? Disabling IIS in that case is not an option! But in many cases, disabling a web server is perfectly OK. It all depends on the purpose of the server computer and the services it must provide to be functional. Defining the computer role and configuring the operating system for that role is one of the best ways to reduce the attack surface of any computer.

Proper workstation and server role definition makes it easier during the installation process to install and enable only the services that are necessary for a particular computer. By installing and enabling only the necessary services, you reduce the operating system’s complexity and overall attack surface. Windows Server versions since Windows Server 2008 include the Server Manager tool, which makes it easy to define specific roles for a server. There is even a new installation option available called Server Core that installs only the basic services to support file and print services, Active Directory, and a few other basic server functions. The resulting installation takes up less disk space, consumes less memory, and has a much smaller attack surface due to fewer installed services. Server Core doesn’t include a graphical user interface (GUI), so it is the common base image for servers that are managed remotely.
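The role-based approach described above can be checked with a short script. The PowerShell below is an added example, not part of the original text: it compares the features installed on a server with an allow-list for its role and reports everything outside that list. The function name Get-ExcessFeature, the abbreviated role baselines, and the sample feature list are assumptions made for illustration; the feature names are the ones Get-WindowsFeature reports.

```powershell
# Hypothetical per-role baselines (abbreviated). A real baseline must also
# list the base features your standard server image ships with.
$RoleBaseline = @{
    FileServer = @('FileAndStorage-Services', 'File-Services',
                   'FS-FileServer', 'Storage-Services')
    WebServer  = @('FileAndStorage-Services', 'Storage-Services',
                   'Web-Server', 'Web-WebServer', 'Web-Common-Http')
}

function Get-ExcessFeature {
    # Returns installed features that the role's baseline does not call for.
    param(
        [Parameter(Mandatory)][string]   $Role,
        [Parameter(Mandatory)][string[]] $InstalledFeature
    )
    if (-not $RoleBaseline.ContainsKey($Role)) {
        # Fail closed: an undefined role must not pass as "nothing to remove".
        throw "No baseline defined for role '$Role'"
    }
    $allowed = $RoleBaseline[$Role]
    $InstalledFeature | Where-Object { $_ -notin $allowed } | Sort-Object -Unique
}

# Constructed sample: a file server that also has IIS and the Telnet client.
$sample = @('FileAndStorage-Services', 'File-Services', 'FS-FileServer',
            'Storage-Services', 'Web-Server', 'Web-WebServer', 'Telnet-Client')

# Lists Telnet-Client, Web-Server and Web-WebServer as outside the role.
Get-ExcessFeature -Role FileServer -InstalledFeature $sample

# On a live server, feed the real inventory and preview the removal:
# $installed = (Get-WindowsFeature | Where-Object Installed).Name
# Get-ExcessFeature -Role FileServer -InstalledFeature $installed |
#     ForEach-Object { Uninstall-WindowsFeature -Name $_ -WhatIf }
```

Review the reported features before removing anything; the -WhatIf switch in the commented lines previews the change without applying it.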

Mitigation

If you must install and enable a service, such as the IIS web server, you will have to employ measures to protect your system from IIS vulnerabilities. The strategies you will learn to secure any resource, also called mitigating a risk, fall into two main categories:

  1. Remove vulnerabilities

  2. Stop attacks from exploiting vulnerabilities

Between the two strategies, the former is the better option. Removing vulnerabilities by disabling the service or by updating vulnerable software to a more secure version removes the possibility of a successful attack against a specific vulnerability. However, just applying a security patch doesn’t guarantee there are no more vulnerabilities in the service. That’s why a multilayered defense is so important. Never rely on a single control or strategy to protect a resource. Always employ multiple levels of controls. Your goal is to make attackers work very hard to exploit resources on protected computers.
