I’ve heard this phrase bandied about in Linux forums and in the occasional blog post, but it’s something I never considered relative to the security of Windows boxes. There’s an awful lot of research on the subject and it boils down to this: The larger the attack surface, the more insecure the system. Makes sense, but just what is an attack surface? Thanks to a research paper, Measuring a System’s Attack Surface, Pratusya Manadhata and Jeannette M. Wing, CMU Technical Report CMU-CS-04-102, January 2004, we have a concise definition:
A system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.
This means that any applet, any built-in feature, any module, any application, probably contains multiple attack vectors. Moreover, certain applications like Internet Explorer are attack vectors in and of themselves. When I started to look into this, I found that some folks over at the Microsoft Developer Network had put together a discussion along with a handy list of Windows attack vectors:
- Open sockets
- Open RPC endpoints
- Open named pipes
- Services running by default
- Services running as SYSTEM
- Active Web handlers (ASP files, HTR files, and so on)
- Active ISAPI Filters
- Dynamic Web pages (ASP and such)
- Executable virtual directories
- Enabled Accounts
- Enabled Accounts in admin group
- Null Sessions to pipes and shares
- Guest account enabled
- Weak ACLs in the file system
- Weak ACLs in Registry
- Weak ACLs on shares
Bear in mind that any of these can be subject to multiple vulnerabilities and many of them have been connected with specific vulnerabilities. However, the attack vector itself does not necessarily indicate a system vulnerability, per se. Think of these as things an attacker would try to compromise; for example, attempting to logon to a system as Guest. If the Guest account is enabled, that’s a vulnerability; if the Guest account is disabled, it’s merely a vector for attack.
So, how can we use this information in our workaday world? First, realize that the OS itself is the basis of all of the above items. Next, realize that any program, web application, widget, gadget, what have you, is going to utilize one or more of them. Finally, get the concept of “default unnecessary.” Windows comes with many built-in (read default) features, services and applications—many of them completely unnecessary in the enterprise.
We shrink the desktop attack surface by building our desktop image in three stages:
- We clean up the OS by removing ALL unnecessary features, tools, and applications. A good place to start is all the stuff in the Accessories folder. And who ever uses Microsoft Backup, or Character Map, or Tour Windows XP? You get the idea.
- Given a stripped-down image, we next install ONLY those applications and tools that are absolutely necessary for the user to perform her job. Ideally, we avoid mainstream applications and utilities as much as possible and go with those that are not as widely used (security through obscurity) and therefore not as subject to attack. For example, if PDF isn’t used in the enterprise for purposes other than reading manuals, why use Adobe Reader? Foxit Reader or any of the Open Source apps will work.
- Finally, disable all services and uninstall all protocols that aren’t required by the OS or necessary applications. The first things that come to mind here are UPnP and the SSDP Discovery Service and the Net.tcp Port Sharing service.
That will give us a clean desktop setup with a significantly lower attack surface; come to think of it, you should probably go check the servers, too.
If I’ve missed anything, let me know.