Confessions of a security pro: I was wrong about host hardening

http://www.infoworld.com/d/security/confessions-security-pro-i-was-wrong-about-host-hardening-239

I agree with this writer. Kudos for reexamining his views .

 

I think this is the worst advice I have seen in years.

 

Article also discussed at http://community.spiceworks.com/topic/136517-confessions-of-an-security-pro.

 

Security is a matter of making intelligent trade-offs. You analyse and then decide whether the benefits are worth the costs. The value of hardening anything (not just the host) is more often than not subjective. Is the effort worth it? Does the change cause too much inconvenience or disrupt your productivity levels? It all boils down to whether you see the risks as exaggerated/unlikely to affect you or you see them as real threats that needs your attention. No one size fits all.

 

So if all the home intrusions in an area were done by using the back door, it's not worth the effort to lock the windows. There's very little cost or inconvenience in disabling services you aren't using. IMO, it sounds like he wants to justify laziness.

Several of the services running by default on Win 7 and 8 didn't exist when those worms made their rounds. They haven't withstood the test of time or the repeated penetration and patching the others have seen in 10+ years. This author seems to be assuming that OS vendors have truly made these services exploit proof. Security and convenience/usability can conflict in many cases, like the integration of one app into another. Examples, opening PDFs in the browser, saving files and opening them offline instead of opening them directly, not using a sandbox or virtual environment, etc. Disabling unneeded or unused services inconveniences no one. If IT people consider securing and hardening their systems an inconvenience, too bad. It's their job.

 

Disabling Unnecessary Services? A Word to the Wise

 

Apparently that guys predecessor didn't document what he did or the reasons behind it. I don't envy those who walk into someone elses mess and have to fix it, especially if nothing has been documented.
From the article:

The problem here is the wrong question is asked. The question should be "what do I need," not "what can I disable." Answering the question "what services do I need" does require that the user has some basic understanding of what those services do. Applying someone elses ideas of what you do and don't need can be gotten away with on a home system, as long as you have a system backup or a backup of the original services configuration. A few of the services are obvious but a lot more aren't. Someone who does this for a living should understand what these services do and what the needs of the different items on their network are.

In many ways, this reminds me of some of the older threads here regarding Kerio 2.1.5 and the Blitzenzeus firewall rules download. People were importing that ruleset but had no idea what the individual rules did. The didn't understand that many of the rules didn't apply to their systems and those that did needed to be matched to their specific system. It's no different with system services.

 

And some of the ones that seem obvious have other purposes (example).

 

Follow-up to last post: here are some more issues that occur when Windows Firewall service is disabled. How many people are aware of these things when they're hardening/tweaking?

 

Here are some tweak guides that recommend disabling the Windows Firewall service in all or some circumstances:
http://broodplank.net/?p=271
http://forums.tweakarena.com/showthread.php?t=87
http://www.overclock.net/t/555682/windows-7-setup-and-tweaking-guide-for-benchmarking
http://www.msfn.org/board/topic/87443-windows-vista-service-tweak-guide/

Some posts here at Wilders have also recommended doing that, but I won't mention them due to courtesy.

Note: don't disable the Windows Firewall service! (See posts #8 and 9 for reasons why.)