Confessions of a security pro: I was wrong about host hardening

Discussion in 'other security issues & news' started by MrBrian, Feb 16, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I think this is the worst advice I have seen in years. :thumbd:
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Security is a matter of making intelligent trade-offs. You analyse and then decide whether the benefits are worth the costs. The value of hardening anything (not just the host) is more often than not subjective. Is the effort worth it? Does the change cause too much inconvenience or disrupt your productivity levels? It all boils down to whether you see the risks as exaggerated/unlikely to affect you or you see them as real threats that need your attention. No one size fits all.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    So if all the home intrusions in an area were done by using the back door, it's not worth the effort to lock the windows. There's very little cost or inconvenience in disabling services you aren't using. IMO, it sounds like he wants to justify laziness.
    Several of the services running by default on Win 7 and 8 didn't exist when those worms made their rounds. They haven't withstood the test of time or the repeated penetration and patching the others have seen in 10+ years. This author seems to be assuming that OS vendors have truly made these services exploit-proof. Security and convenience/usability can conflict in many cases, like the integration of one app into another. Examples: opening PDFs in the browser, saving files and opening them offline instead of opening them directly, not using a sandbox or virtual environment, etc. Disabling unneeded or unused services inconveniences no one. If IT people consider securing and hardening their systems an inconvenience, too bad. It's their job.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Apparently that guy's predecessor didn't document what he did or the reasons behind it. I don't envy those who walk into someone else's mess and have to fix it, especially if nothing has been documented.
    From the article:
    The problem here is the wrong question is asked. The question should be "what do I need," not "what can I disable." Answering the question "what services do I need" does require that the user has some basic understanding of what those services do. Applying someone else's ideas of what you do and don't need can be gotten away with on a home system, as long as you have a system backup or a backup of the original services configuration. A few of the services are obvious but a lot more aren't. Someone who does this for a living should understand what these services do and what the needs of the different items on their network are.

    In many ways, this reminds me of some of the older threads here regarding Kerio 2.1.5 and the Blitzenzeus firewall rules download. People were importing that ruleset but had no idea what the individual rules did. They didn't understand that many of the rules didn't apply to their systems and those that did needed to be matched to their specific system. It's no different with system services.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    And some of the ones that seem obvious have other purposes (example).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Follow-up to last post: here are some more issues that occur when Windows Firewall service is disabled. How many people are aware of these things when they're hardening/tweaking?
     
    Last edited: Feb 23, 2014
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are some tweak guides that recommend disabling the Windows Firewall service in all or some circumstances:
    http://broodplank.net/?p=271
    http://forums.tweakarena.com/showthread.php?t=87
    http://www.overclock.net/t/555682/windows-7-setup-and-tweaking-guide-for-benchmarking
    http://www.msfn.org/board/topic/87443-windows-vista-service-tweak-guide/

    Some posts here at Wilders have also recommended doing that, but I won't mention them due to courtesy.

    Note: don't disable the Windows Firewall service! (See posts #8 and 9 for reasons why.)
     
    Last edited: Feb 23, 2014
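
Added example, not part of any post in this thread: a PowerShell sketch of the "backup of the original services configuration" mentioned in post #7, plus a check that the Windows Firewall service has not been set to Disabled, as post #10 warns against. The function names and the baseline file path are hypothetical; it assumes PowerShell 3.0 or later (for Get-CimInstance) and that the Windows Firewall service is registered under its usual service name, MpsSvc.

```powershell
# Added example: record service start modes before tweaking, then report drift.
# Function names and the baseline path are hypothetical.

function Get-ServiceConfig {
    # Win32_Service exposes StartMode (Auto, Manual, Disabled, ...) and State.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name
}

function Export-ServiceBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ServiceConfig | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-ServiceBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($row in Import-Csv -Path $Path) { $baseline[$row.Name] = $row.StartMode }
    $seen = @{}
    foreach ($svc in Get-ServiceConfig) {
        $seen[$svc.Name] = $true
        $was = if ($baseline.ContainsKey($svc.Name)) { $baseline[$svc.Name] } else { '(not in baseline)' }
        if ($was -ne $svc.StartMode) {
            [pscustomobject]@{ Name = $svc.Name; Was = $was; Now = $svc.StartMode }
        }
    }
    # Services present in the baseline but no longer installed.
    foreach ($name in $baseline.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Name = $name; Was = $baseline[$name]; Now = '(removed)' }
        }
    }
}

function Test-FirewallServiceEnabled {
    # MpsSvc is the service name of the Windows Firewall service.
    $fw = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    return ($null -ne $fw -and $fw.StartMode -ne 'Disabled')
}

$baselinePath = Join-Path $env:USERPROFILE 'services-baseline.csv'
if (-not (Test-Path $baselinePath)) {
    Export-ServiceBaseline -Path $baselinePath      # first run: take the snapshot
} else {
    Compare-ServiceBaseline -Path $baselinePath | Format-Table -AutoSize
}
if (-not (Test-FirewallServiceEnabled)) {
    Write-Warning 'Windows Firewall service (MpsSvc) is missing or set to Disabled.'
}
```

The first run writes the baseline; later runs list every service whose start mode differs from it, which gives a documented record of what was changed and what to restore.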