Reducing Your Company's Attack Surface

Don't expose your broadside to the enemy

ITPro Today

June 19, 2005

7 Min Read

If your job is to guard your company's network, you'd do well to employ a fundamental naval defense tactic and avoid exposing your network's broadside to the enemy. Attack surface reduction, applied to the virtual world of computers, means removing any functionality that could be attacked. Attack surface reduction can be effective against both automated malware and malicious intruders. Systems can be penetrated through compromised passwords, security misconfigurations, or unpatched components, and in all cases attackers are successful because a service, port, or other feature presented them with a target. When you eliminate unneeded functionality, you eliminate such targets and implement an additional layer in your defense-in-depth strategy. Let's look at some specific ways you can reduce your company network's attack surface.

Batten Down the Network
Start with the network itself. Many small businesses run a simple broadband gateway firewall router, such as is available from vendors such as Netgear (http://www.netgear.com), Linksys (http://www.linksys.com), and D-Link (http://www.d-link.com). Firewalls reduce a network's attack surface by using Network Address Translation (NAT) to present one IP address to the Internet and hiding the internal network's components from view. But don't forget about the attack surface of the firewall itself. Firewall routers have an option that allows remote administration through a Web browser. Although this option offers the convenience of administering your firewall from any Internet-connected machine, if you enable the option, you significantly increase the attack surface of your firewall.

You should avoid opening any ports or other features that accept unnecessary incoming connections. In addition to your firewall, what other components connect your network to the outside world? For example, VPN devices, wireless Access Points (APs), and modem-equipped PCs with direct-dial telephone lines represent attack points that you must defend through preventive and detective controls if you can't eliminate them.

Tighten up Servers and Workstations
You can't stop at the network perimeter. Every server and workstation in your business is a massive target with an attack surface that you can reduce. The first place to start on a Windows computer is with the services that run on the computer. In the past, Microsoft enabled services for ease of use and functionality, which created significantly larger attack surfaces on Windows versions earlier than Windows Server 2003. With Windows 2003, Microsoft has reversed its philosophy and embraced a "secure-by-default" approach. For example, in Windows 2003, Internet Information Services (IIS) is not installed by default for the first time. IIS has been the source of a large number of Windows vulnerabilities because it implements Internet protocols that weren't designed to be secure. Even if you do install IIS on Windows 2003, much of its dynamic content (i.e., .asp, .ipp, and .cgi files) is disabled by default. Many of the exploits and worms that hit IIS over the past few years leveraged vulnerabilities in IIS features that few installations use or need. IIS on Windows 2003 is an excellent example of how to implement attack surface reduction—enable only the bare set of functionality required to support the system's purpose.
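The service review described above, written as an added PowerShell example (not from the article): it compares every auto-start service against a per-role allowlist, reports the strays with the account and binary they run under, and only disables them when you pass -Enforce. The allowlist contents are an assumption; build yours from a known-good baseline for each server role.

```powershell
# Added example: audit auto-start services against an allowlist; report, and optionally disable, the rest.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Hypothetical allowlist: the services this role actually needs.
# Derive it from a baseline for the role, not from whatever happens to be running today.
$Allowed = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
    'RpcSs', 'Schedule', 'W32Time', 'wuauserv', 'WinDefend'
)

# Auto-start services are the persistent attack surface: they run and often listen whether or not anyone needs them.
$Strays = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $Allowed -notcontains $_.Name }

$Report = foreach ($svc in $Strays) {
    [pscustomobject]@{
        Name    = $svc.Name
        Display = $svc.DisplayName
        State   = $svc.State
        Account = $svc.StartName    # LocalSystem services are the costliest if compromised
        Binary  = $svc.PathName
    }
    if ($Enforce) {
        # Stop the service now, then keep it from returning at the next boot.
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
}

$Report | Sort-Object Account, Name | Format-Table -AutoSize
```

Run it in report mode first and review the Account column: anything unexpected running as LocalSystem deserves attention before anything else.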

Workstations have attack surface reduction requirements that go beyond what servers need. Workstations face additional threats because they process interactive content from untrusted sources. Most of this content isn't executable code. Although nonexecutable files were once considered safe because they are strictly passive, attackers have found ways to embed attacks in ostensibly passive file types such as help files or pictures. Attackers use malformed file structures to cause buffer overflows that trick the computer into running arbitrary code that the attacker supplies. Web pages, email, text documents, and applications downloaded from the Internet are processed primarily by workstations rather than servers, and interactive content is the conduit for a constant stream of exploits such as buffer overflows in code that handles various file types, malicious use of file extensions, and cross-frame browser exploits. You can block some forms of this content at the mail and Internet gateways, but you need to consider how you can reduce the attack surface itself—that is, the functionality of a workstation. Such an effort calls for extra care, because you can negatively affect users if you disable necessary functionality.

On workstations, a perhaps more appropriate term than attack surface reduction might be attack surface management because there are times when you simply can't disable certain functionality but must instead implement other compensating controls, such as a responsive, automated patch process and training to help users recognize potentially malicious content. Before taking such steps, however, reduce your attack surface where you can. Disable unneeded file types that can be exploited. Open Windows Explorer, select Tools, Options, then click the File Types tab to see how many different file types are associated with different programs. Most users never need all of these file types. For example, no one uses .pif files anymore, but my Inbox continually receives malicious .pif attachments disguised as other files. For more information about securing file associations, see the Windows IT Security article "Disabling Automatic File Associations for Script Files," December 2002, InstantDoc ID 27074.
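To inventory the associations the File Types tab shows and neutralize the ones a workstation never needs, here is an added PowerShell example (not from the article or the referenced Windows IT Security piece). The extension list is an assumption: .pif comes from the text above, the others are the usual script-file associations. With -Enforce it applies one common mitigation, re-pointing the "open" verb at Notepad so a double-click displays the file rather than running it.

```powershell
# Added example: inventory selected file-type associations and, with -Enforce, re-point "open" at Notepad.
param([switch]$Enforce)

# Assumed review list: .pif from the article, plus classic script-file extensions. Adjust to what users need.
$Review = '.pif', '.scr', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta'

$Hkcr = 'Registry::HKEY_CLASSES_ROOT'

$Report = foreach ($ext in $Review) {
    $extKey = Get-Item -Path "$Hkcr\$ext" -ErrorAction SilentlyContinue
    if (-not $extKey) { continue }                    # extension not associated: nothing to reduce

    $progId = $extKey.GetValue('')                    # default value names the ProgID, e.g. 'VBSFile'
    $cmdKey = "$Hkcr\$progId\shell\open\command"
    $cmdItem = Get-Item -Path $cmdKey -ErrorAction SilentlyContinue
    $command = if ($cmdItem) { $cmdItem.GetValue('') } else { $null }

    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $command }

    if ($Enforce -and $cmdItem) {
        # Notepad shows the content instead of executing it. Verify the result for .pif and .scr:
        # the shell handles some of these types outside the plain "open" verb.
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value 'notepad.exe "%1"'
    }
}

$Report | Format-Table -AutoSize
```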

Rein in IE
Internet Explorer (IE) is another key area that exposes a significant amount of attack surface, given all the technologies that Microsoft has packed into it. Fortunately, you can use IE's security zones to selectively enable or disable many features of the browser according to the type of site you are visiting. You can specify a different security level for each of IE's four security zones: Internet, Trusted sites, Local intranet, and Restricted sites. In addition to configuring the zones themselves, you can use Group Policy to assign DNS domains to each zone. For more information about IE security settings, see the Web-exclusive series "Internet Explorer Security Options," March-June 2001, InstantDoc ID 20468.
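The domain-to-zone assignment described above, as an added PowerShell example (not from the article): it writes the per-user ZoneMap entries IE reads, then prints the resulting map. The domain names are hypothetical; the Group Policy version of the same setting lives under the HKLM Policies hive instead of HKCU.

```powershell
# Added example: assign DNS domains to IE security zones for the current user through the ZoneMap key.
# IE zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Hypothetical assignments: an internal app that needs Trusted-sites features, and a domain you want locked down.
$Assignments = @(
    @{ Domain = 'intranet.example.internal'; Scheme = 'https'; Zone = 2 }
    @{ Domain = 'example.net';               Scheme = '*';     Zone = 4 }
)

function Set-IeZone {
    param([string]$Domain, [string]$Scheme, [int]$Zone)
    # Each domain is a subkey; each scheme is a DWORD value under it holding the zone number.
    $key = Join-Path -Path $ZoneMap -ChildPath $Domain
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}

function Get-IeZoneReport {
    # Host-level entries nest as Domains\example.com\www, so rebuild the name from the full key path.
    Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
        $k = $_
        $name = $k.Name -replace '.*\\Domains\\', ''
        foreach ($scheme in $k.GetValueNames()) {
            [pscustomobject]@{ Domain = $name; Scheme = $scheme; Zone = $k.GetValue($scheme) }
        }
    }
}

foreach ($a in $Assignments) { Set-IeZone @a }
Get-IeZoneReport | Sort-Object Zone, Domain | Format-Table -AutoSize
```

Anything you place in the Restricted sites zone (4) should appear in the report with that number; an entry for a scheme of `*` covers every protocol for that domain.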

Be Careful with Your Authority
An important way to reduce attack surface in Windows is to limit the actions you perform when logged on with Administrator authority. Any time you work with untrusted content—whether Internet pages, email, documents, or downloaded applications—you run the risk of executing malicious code. If you execute malware as an administrator, the impact will be substantial because the malware can leverage your unlimited authority. Therefore, you should avoid working with untrusted content while logged on as an administrator. Instead, create two accounts for yourself—one with Administrator authority and another that is a typical user account. Log on to your workstation and perform typical user activities under your unprivileged account. Use Run as to execute programs that require Administrator authority, or log on to the appropriate server via Remote Desktop to perform administrative tasks. Either method will mitigate the risk of giving malware a chance to exploit your administrative authority.

Easier Patching
A big bonus of limiting your attack surface is a savings in the time you spend patching your systems. If you disable or uninstall a feature, installing patches associated with the feature is less urgent. You might decide to wait for the next cumulative service pack to patch a hole if you're confident that your systems aren't affected by it. Of course, you can't disable everything, so you'll need to keep up with patching those components that come through your attack surface reduction intact. To keep workstations patched, you can install Windows Server Update Services (WSUS) on an existing server and configure your workstations and other servers to obtain Windows updates automatically. WSUS will extend support to Office updates, and products from Independent Software Vendors (ISVs) such as St. Bernard (http://www.stbernard.com) and Shavlik (http://www.shavlik.com) can update other popular, non-Microsoft applications such as WinZip.
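Pointing a client at an internal WSUS server, as an added PowerShell example (not from the article): it sets the same registry values the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" policies write, then asks the Automatic Updates client to re-detect. The server URL, port and install schedule are assumptions.

```powershell
# Added example: configure a client to take Windows updates from an internal WSUS server.
$WsusUrl = 'http://wsus.example.internal:8530'   # hypothetical WSUS server and port

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"
New-Item -Path $AuKey -Force | Out-Null          # creates the parent key as well

# Where to download updates and where to report status (usually the same server).
Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusUrl -Type String

# Automatic Updates behaviour: use the WSUS server above rather than Microsoft's public servers,
# and auto-download and install on a schedule (AUOptions 4) every day at 03:00 local time.
Set-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value 3 -Type DWord   # hour, 0-23

function Get-WsusClientConfig {
    # Read back what the client will actually use, so the change can be verified before a reboot.
    $p  = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path $AuKey
    [pscustomobject]@{
        Server      = $p.WUServer
        UseWsus     = [bool]$au.UseWUServer
        AUOptions   = $au.AUOptions
        InstallTime = $au.ScheduledInstallTime
    }
}

# Make the Automatic Updates client pick up the new policy and check in with the server.
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow

Get-WsusClientConfig
```

Confirm the machine appears in the WSUS console under the expected computer group before relying on it for patch compliance.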

Safe Journey
It takes some up-front work to limit your network's and computers' attack surface, but the effort will provide you a degree of immunity to current and yet-to-be discovered exploits and can eliminate a significant portion of the drudgery of patching. Disable every unneeded service and feature, don't install software you don't really need, and avoid working with untrusted content while logged on with elevated privileges. When you take these steps to avoid presenting your broadside to the enemy, you'll experience smoother, more secure sailing.
