Server and Network Hardening
Software and hardware companies face a choice when they determine the default configurations for their products. They can enable by default all of the services that might be needed, or they can disable all but the essential core functionality. The former makes it easier for the end user to get up and running quickly; the latter makes for a more secure default configuration. Often the choice is made to make things easier for the end user, at the expense of security.

In the process of hardening servers and network gear, I will:
- determine the minimum set of services needed for the device to perform its business function, and disable all the rest
- ensure that the device has the latest manufacturer-issued security patches
- confirm that logging is sufficient to be usable in the event of a security incident
- configure the device to permit only secure management connections
- examine the physical security controls for completeness

The goal of this process is to minimize the attack surface of the servers. Removing or disabling unneeded and unused network services or software packages substantially reduces the risk that one of those unused services could be exploited in an attack.