GeodSoft

Ten Practical Security Steps
Limit Software

10. Don't install anything you don't expect to use.

For resource-limited staffs, this is easy to honor going forward. Starting with new system installs, don't put anything on the system that's not needed. There is a strong temptation to install everything that comes bundled in the basic price of a system. With disk capacity growing and prices falling faster than those of other computer components, most systems have more disk space than they'll ever need. The reasoning goes that if you put it on with the initial install, it will be there and ready to go if you ever need it, and adding components that were not installed initially is likely to be more difficult.

There is some truth to this, but if you don't need them when the system is installed, most of these "extras" never get used. While they sit unused by the system's owner, they may be just what an intruder needs to gain unauthorized access. Most of the Microsoft web-related security issues have not been with the OS or even the core of IIS. They have been with things like RDS (Remote Data Services), ASP (Active Server Pages), sample scripts and other options that are routinely installed in default or complete installs. While some of these are essential to some Microsoft web servers, most are not needed on most of the servers they are installed on. Combined with lax Microsoft default file permissions, these extras leave the systems they are on wide open to anyone who knows how to exploit the weaknesses. Most reported NT security breaches would not have occurred if unneeded IIS and Option Pack options had not been installed.

ColdFusion has also had several serious bugs in its sample files. The more software installed on a system, the more likely it is to be exposed to a security exploit. The more there is on a system, the harder it is to figure out what's on it and what is and is not needed. Not putting it on in the first place is much easier than later removing what you hope is unneeded software.

Because removing software from a working system can break it, I would not remove unneeded software from an existing system except when a known security bug actually exposes your systems to a real threat. Acting on that exception still requires knowing what is installed: keep an inventory of each system's packages and services, so that when an advisory appears you can tell quickly which systems carry the affected component and whether anything on them actually uses it.
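The inventory check described above, as an added example that is not part of the original GeodSoft article: it compares what a package manager reports as installed against the set of packages the host is supposed to carry, then splits the unexpected packages into those named in a current advisory (remove now) and the rest (leave alone, drop at the next rebuild). The package names, the baseline, the "advisory" list and the inventory text are constructed sample data, and the one-package-per-line "name<TAB>version" input format is an assumption (it matches what `dpkg-query -W -f='${Package}\t${Version}\n'` prints, but any inventory source could be adapted).

```python
"""Audit an installed-package inventory against what a host is expected to run.

Added example; not the article's or any project's own code.  All package
names, the baseline and the advisory list are constructed sample data, and
the "name<TAB>version" line format is an assumption about the inventory tool.
"""
from dataclasses import dataclass

# Constructed sample: what the package manager reported for a web host.
SAMPLE_INVENTORY = (
    "openssh-server\t1:9.2p1\n"
    "nginx\t1.22.1\n"
    "php8.2-fpm\t8.2.7\n"
    "samba\t2:4.17.12\n"
    "cups\t2.4.2\n"
    "tftpd-hpa\t5.2\n"
    "libc6\t2.36\n"
)

# What this host is supposed to be: a web server that is managed over SSH.
EXPECTED_BASELINE = {"openssh-server", "nginx", "php8.2-fpm", "libc6"}

# Constructed stand-in for the package names listed in a security advisory.
ADVISORY_AFFECTED = {"samba", "cups"}


def parse_inventory(text: str) -> dict[str, str]:
    """Parse "name<TAB>version" lines into {name: version}.

    Blank lines are skipped; any other malformed line is an error rather than
    something silently dropped, because a missed package defeats the audit.
    """
    packages: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name<TAB>version', got {line!r}")
        name, version = parts
        packages[name.strip()] = version.strip()
    return packages


@dataclass(frozen=True)
class AuditResult:
    unexpected: frozenset[str]   # installed but not in the baseline
    missing: frozenset[str]      # in the baseline but not installed
    remove_now: frozenset[str]   # unexpected AND named in the advisory
    patch_now: frozenset[str]    # expected AND named in the advisory (patch, don't remove)


def audit(installed: dict[str, str], baseline: set[str], advisory: set[str]) -> AuditResult:
    """Classify the installed set against the baseline and a current advisory."""
    names = set(installed)
    unexpected = names - baseline
    return AuditResult(
        unexpected=frozenset(unexpected),
        missing=frozenset(baseline - names),
        remove_now=frozenset(unexpected & advisory),
        patch_now=frozenset((names & baseline) & advisory),
    )


def report(result: AuditResult, installed: dict[str, str]) -> str:
    """Render the audit as one action line per package, most urgent first."""
    lines = []
    for name in sorted(result.remove_now):
        lines.append(f"REMOVE   {name} {installed[name]}  (unneeded and named in the advisory)")
    for name in sorted(result.patch_now):
        lines.append(f"PATCH    {name} {installed[name]}  (needed and named in the advisory)")
    for name in sorted(result.unexpected - result.remove_now):
        lines.append(f"WATCH    {name} {installed[name]}  (unneeded; leave out of the next build)")
    for name in sorted(result.missing):
        lines.append(f"MISSING  {name}  (expected but not installed)")
    return "\n".join(lines)


if __name__ == "__main__":
    installed = parse_inventory(SAMPLE_INVENTORY)
    print(report(audit(installed, EXPECTED_BASELINE, ADVISORY_AFFECTED), installed))
```

On the sample data the report lists samba and cups as REMOVE, tftpd-hpa as WATCH and nothing as MISSING; on a real host you would feed it the package manager's output and a baseline kept under version control per system role, so that the "WATCH" list becomes the list of options to leave out of the next install.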

Resolve, on future installs and upgrades, to consider all options carefully and to install only those that are expected to be used.


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

 