How to find and remove unused services (or secure them)

RELATED CONTENT Risk management strategies Enterprise data management: Prevent data loss and insider threats Improving software with the Building Security in Maturity Model (BSIMM) Preventing password fatigue with single sign-on (SSO) authentication Increasing information security awareness in the enterprise How to develop a culture of security in the enterprise Creating and enforcing a clear-desk policy Physical security threats: Don't gift your data away Using unique device identification for bank website security Benefits of ISO 27001 and ISO 27002 certification for your enterprise Cut down on calls to help desk with cybersecurity awareness training Platform and OS Security Management Microsoft issues advisory on new IE security vulnerability Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft blue screen affecting few corporate PCs Microsoft to fix 26 flaws in Windows, Office Thin-client technologies surge thanks to easier security, says Deloitte Microsoft issues critical security update, blocks IE 6 attacks How to use Windows XP Mode in Windows 7 Microsoft to patch single Windows 2000 vulnerability How to prevent memory dump attacks Microsoft gives Internet Explorer a major security overhaul Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

For instance, on Compaq (and now Hewlett-Packard Co.) servers, there's an interesting server and infrastructure management service called Compaq Insight Manager (or, more recently, called HP Systems Insight Manager). This service is sometimes poorly configured, either because manufacturer default credentials remain unchanged, or because busy administrators fail to understand the importance of choosing difficult-to-guess passwords. A Web browser interface to this service, in fact, can often be found on TCP ports 2301 and 2381. Older versions have a default administrator password of "administrator," permitting an unauthorised user to gain control of a server remotely, read or alter the SNMP strings (thus defeating any hardening of SNMP that may have been implemented) and even power down a server.

Another example of a potentially unused service is Internet Information Server (IIS), which is installed by default on many Windows servers. Since it's a huge job to patch every Windows system in a corporate network, an understaffed or overburdened organisation's focus is typically on Internet-facing devices. This leaves unpatched servers (and sometimes workstations) vulnerable to a significant number of IIS vulnerabilities, which provide attackers with administrative access, and thus the ability to install a Trojan or rootkit that can subsequently harvest all the data they want.

In many sites that my firm has tested, it's common to have business systems running on Unix operating systems whilst the majority of in-house staff's technical expertise is on Windows systems. As a result, these Unix systems are sometimes remotely administered by the third parties who supplied the business application. Unfortunately, the third parties are not always motivated to install the latest patches or to harden the operating system configuration. This results in a variety of older services being ripe for exploitation, often on business-critical systems running finance applications.

For these reasons, it's imperative to properly secure or remove unused or unpatched services after they are identified. This need can be addressed by the selective and careful use of one of many commonly available vulnerability scanners. Nessus remains one of the most popular free scanners and provides a good overview of an enterprise's network exposure by highlighting missing patches and out-of-date software, and by listing all the services running on each device. Inexperienced users should ensure they understand how their scanner works and which of its many settings are appropriate for their environment. Occasionally, overzealous administrators have been known to cause system outages and even crashes by running improperly configured vulnerability scanners. Alternatively, an occasional visit by a third party to conduct a vulnerability assessment and penetration test can be a cost-effective alternative, especially where the IT department is already over-stretched or may not have the necessary security skills to interpret a scanner's results accurately.

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.