Why not terminate un-needed services that burn overhead & create attack surfaces?


Bluddyhun

According to the SANS GIAC website, recently the majority of illicit
connection attempts have been aimed at the 'attack surfaces' (as Microsoft
refers to it) created by SMB on port 445 and the old NetBIOS ports 139, 137
etc. Although blocking these connection attempts (say, with a packet
filtering router) is good, most of the "How-to-harden-windows" webpages,
including the one on MS itself I believe, also recommend terminating the
services themselves IF the services are not required. Since my system is a
standalone, home system that never will be part of anybody's
domain//tree//forest//garden//weedpatch, why wouldn't I want to disable
these services, in addition to blocking the connection attempts at the
router? It seems like a win-win proposition, smaller attack surface and
freed-up resources.
 
You can't disable RPC because much of Windows relies on it, even for interprocess
communications within a single computer.

Regarding SMB, I don't know what the side effects would be of disabling the
server and workstation services because it isn't something I normally do.

Steve Riley
(e-mail address removed)
 
On Fri, 31 Dec 2004 13:55:42 -0800, Steve Riley [MSFT]
> You can't disable RPC because much of Windows relies on it, even for interprocess
> communications within a single computer.

Which points to bad design.

XP is NT, and NT was designed to be a network slave (er, "client").
Whereas the poster, like most consumers that Home is for, has a
standalone PC that he'd prefer to air-gap from the Internet.
> Regarding SMB, I don't know what the side effects would be of disabling the
> server and workstation services because it isn't something I normally do.

Me neither. I do use a .REG to kill "admin shares", facilitate Set
statements in RC, and suppress WSH, and those have been OK.

Exactly. But you can't, because MS is fobbing you off with a neutered
network client OS rather than developing a true stand-alone OS.

Firewall's the only way to protect against RPC and similar attacks,
but you can do two things to mitigate the effects of such attacks:

1) Stop RPC service failures from restarting the PC

2) Stop system failures from restarting the PC

These are both worthwhile fixes for dumb-ass MS duhfaults.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 
You brought some interesting points (I'm the original poster of this thread)
> Me neither. I do use a .REG to kill "admin shares", facilitate Set
> statements in RC, and suppress WSH, and those have been OK.

The .reg, is that a registry mod? If so, what is it? I use "script sentry"
which intercepts calls to script interpreters (like wscript host) and
diverts them to notepad, so I can read the script and decide what to do.
It's just amazing how frequently browsers and even other apps encounter (and
would have just gone ahead and run) scripts.


> 1) Stop RPC service failures from restarting the PC
> 2) Stop system failures from restarting the PC

Sounds good, but how do it?



 