Server Security: Less is More
By Shawn Travers
IT Pro Evangelist, Microsoft Corporation
See other Viewpoint articles.
Anyone who has spent more than a few days working in information security has probably heard the three core tenets of security: availability, confidentiality, and integrity. Heck, these concepts are usually what you learn about first when studying for just about any security certification. While these three concepts will always define the heart of security, I believe the lifeblood of good security is another well-known but often overlooked concept: simplicity.
Assuming all else is constant, as the complexity of a system doubles (defined as the number of security-critical elements), the likelihood of a catastrophic vulnerability increases by a factor of four1. This disproportionate increase in catastrophic vulnerabilities results from the exponential increase in the number of interactions between the various parts of the system. Put another way, interconnected systems tend to break down much more often the larger, or more complex, they get. If we apply this logic to maximizing the security of our server infrastructure, it follows that we should try to do everything we can to maximize simplicity.
Unfortunately, well-intentioned systems administrators today frequently attempt to affect good information security in exactly the opposite way. They introduce highly complex segmentation into the network, add more port rules to the firewall than necessary, change application and operating systems default settings without truly understanding their purpose, and add expensive third-party security applications. We do these things despite the fact that the built-in tools, default implementation, or a simpler solution would often provide better protection. It is often said of cryptographic algorithms that the simplest, most elegant solutions also prove themselves to be the most secure. The same is true of information systems. Find the solution with the cleanest design, and more often than not, it will stand the test of time. Often, the hardest part to engineering a simpler environment is deciding where to start.
There are literally thousands of ways to make our existing datacenters simpler. First, we will examine some of the low hanging fruit, and then we will explore a few ways that Windows Server 2008 delivers a more secure solution.
Security is simple
With the explosion of interconnected devices and systems, as well as an increasingly confusing array of security tools and applications, you might ask yourself, “How can security be simple?” A good start might be to get rid of the servers that aren’t being utilized. I cannot tell you how many datacenters I’ve visited where a high-level administrator has told me, “I don’t know what that server (sometimes referring to an entire rack of servers) is doing. It was here when I got here and no one has touched it since.” If you don’t know what it is, log on and spend a few minutes searching through the installed programs to understand the server’s purpose and determine what group might be responsible for the server. You can also use the log files to ascertain who has been accessing the server from an administrative perspective. Monitor the server over time if necessary to determine its purpose. In many cases, it may be possible to consolidate or eliminate the server altogether, thereby eliminating a potential entry point into your organization.
After that, take a look at eliminating unnecessary security applications. For example, don’t add a third-party firewall to your server when the built-in Windows firewall or IPSec would do the job well. Many bundled security packages include overlapping functionality. Perform a quick analysis of all installed security applications to determine if they may be reduced or eliminated altogether. Then, extend your search to include ALL unnecessary applications. The relatively mundane task of eliminating unnecessary applications on servers can have a huge impact on overall security. Doing so would reduce attack points and eliminate potential footholds for gaining unauthorized access to your network. The positive security impact of ridding the datacenter of superfluous software is greater the longer it has been since the last audit. So, if it has been over a year since you last audited and cleaned your servers, the time is ripe for a spring cleaning. The best way to start cleaning is by inventorying your applications and installed devices with Systems Management Server (SMS) or System Center Configuration Manager 2007 (SCCM) to identify what’s out there and how often it’s being used. But, if you don’t have SMS, don’t let that stop you. Go get the Microsoft Application Compatibility toolkit 5.0 (ACT) to help you2. It’s a free download and provides extensive inventory reports of all your software and devices from across the network. There is a small client side install, a Data Collection Package (DCP), which does the heavy lifting for you. It can be installed on Windows Server 2000 Update Rollup 1 for SP4 or Windows Server 2003 SP1, and you can simply remove it after the inventory is taken. You can then use the resulting inventory reports to make educated decisions about what applications and devices can be safely eliminated. Anything that cannot be justified by a specific and quantifiable business need should be removed for the sake of an easier and more secure environment. Of course, deciding what constitutes a business need may be the most complex part of all, but I’ll leave that for another author. Now, let’s put this “less is more” security plan to the test by examining a few of the improvements to the Windows Server® 2008 operating system.
There are several ways that Windows Server 2008 fits well with the “less is more” premise, beginning with its minimal installation footprint. Specifically, Windows Server 2008 offers a new Server Core installation option. This minimal installation eliminates the traditional server graphical user interface (GUI), seven default services, and other functionality in favor of improved performance, manageability, and security. Greater security is achieved through the smaller attack surface and this can be especially critical when running core under the inherently exposed IIS role, and perhaps to a lesser extent the file server role3. Server Core results in one of those rare win-win situations for IT professionals. We install only the core components and services to maximize security through a narrower attack surface, and, in doing so, we get the added benefit of improved performance and reliability. Further, we continue to benefit in the long-term through fewer change management headaches and lower ongoing management costs because there are fewer updates and security patches to worry about. According to the Microsoft Web site, “Because Server Core installations include only what is required for the designated roles, a Server Core installation will typically require less maintenance and fewer updates.... If a security flaw or vulnerability is discovered in a component that is not installed, a patch is not required.” (http://www.microsoft.com/windowsserver2008/evaluation/overview.mspx)
But Server Core is just aspect of Windows Server 2008 security profile. Take, as another example, the improvements with regard to service hardening. Like many other areas of the operating system, services have been compartmentalized, or modularized. By implementing a simple change to the way tokens are issued, a concept known as “split access tokens,” Microsoft prevents one service from taking over the address space of other services. This way, a security compromise in one area of the operating system cannot impact or endanger other areas. For example, when the Blaster worm spread across the Internet in August 2003, it did so by exploiting a flaw in the DCOM remote procedure call (RPC) service, writing to protected areas in the registry and the file system, and, finally, replicating itself over the network. RPC had no justifiable reason to perform any of these actions, but since the actions were not explicitly denied, RPC was allowed to act with impunity. This type of exploit would be impossible in Windows Server 2008, which explicitly allows only the activities a service needs to do its job. Windows Server 2008 goes further by forcing separate access tokens (ergo, no shared memory usage) that prevents all services, including RPC, from taking over or “borrowing” functionality from any other services – essentially, isolating each service to its own sandbox. In short, Microsoft has simplified the structure and behavior of services, which results directly in improved security for us.
However, let’s not forget that simplicity is not the only factor contributing to the level of security in our systems. While improvements such as fewer security tools, applications, and less access is extremely beneficial, cutting corners on process for the sake of simplicity would be a grave mistake. Process remains one of the most underinvested areas in security. We need to continue to hold ongoing meetings to evaluate network and server security. We need to follow a security guidance process that keeps up with the other changes we make every day. I recommend stealing as much of your process as possible from those who have already blazed that trail. One great way to do that is to grab the Microsoft Operations Framework4. I would suggest sprinkling a bit of creativity in your security testing and planning as well. The attackers are always looking for new and creative ways to infiltrate our networks, and so we can’t be afraid to include creativity in our approach to security controls.
Security can be a benefit for today’s IT professional, but all too often we allow it to become an aggravation. We can make IT security less complex – in fact, we have an obligation to do so, since complexity is counter to good security. We should be spending less and installing fewer tools when it comes to security. That’s not to say we shouldn’t spend time and energy on good security. With the desktop’s wide-ranging roles and lack of physical security, it is on the front lines for attack, and it is pushing security improvements into the datacenter. However, configuration woes persist today. Today, I would argue that a minimally configured workstation sitting on someone’s desk is more secure than a poorly administered, complex server in a million dollar datacenter. Don’t do more than you have to when it comes to server security today. Less is more, and by minimizing complexity and leveraging the built-in security features in Windows Server 2008, you may find that you can eliminate a sizable amount of unnecessary risk.
1 Extracted from notes assembled by Paul Kocher titled “Shades of Gray: Security and Complexity”
3 Read more about server core roles at http://www.microsoft.com/windowsserver2008/servercore.mspx
4 Get more information on the Microsoft Operations Framework at http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/default.mspx