IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.95 Minimal operating system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Computers in a security-critical environment should be designed so as to
present as few targets for attack as possible. As today's operating systems
provide many network services as standard, a well thought-out server service
(such as an SSL-based Web server) is not sufficient for the operation of a
secure server. It is also necessary to safeguard the operating system, because
otherwise the security functions of the server service could be evaded via a
weak point in the operating system. The characteristic feature of what is
referred to as a minimal operating system is that ideally it does not provide
any form of network service. A potential attacker will therefore be unable to
exploit a weak point in a network service belonging to the operating system.
Even if an attacker does gain access to the computer via a weak point, he will
be further impeded by the minimal system. The fewer programs an attacker
finds on a target computer, the more difficult it is for him to locate and exploit
further weak points on that computer. Furthermore this also greatly facilitates
maintenance of the server, because the patches or service packs for utility
programs no longer have to be loaded if the programs are not there.
The following sections describe the configuration of an operating system
using the example of an Internet server, because in this case the security
requirements imposed on the operating system are generally very high.
An Internet server usually has only one task: making a certain number of
services (such as the readiness to receive e-mails) available to other computers
in a stable manner. The underlying operating system should not provide any
other services. The following procedure should therefore be observed when
installing an Internet server:
1. Basic installation of the operating system
If it is possible to influence which packages are actually installed during
installation, only the necessary packages should be loaded at this stage. It is
not always easy to establish the necessity of certain packages, however, so
at least those packages which are obviously superfluous should not be
loaded.
2. Deactivation of unnecessary programs
When a computer is started up, a large number of programs are launched
automatically. Some of these programs are entirely irrelevant for an
Internet server and should be deactivated. They can be deactivated by
preventing automatic launching (start scripts under Unix, Startup and
Service Manager under Windows NT) and by additionally deleting the
corresponding programs. For security reasons it is recommended to delete
them, because then an attacker will not be able to reactivate the services.
However, it is sometimes very difficult to find and delete all of the files
belonging to a particular service, so if there is any doubt the files should
not be deleted.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000