
IT Baseline Protection Manual - The Information Warfare Site


Safeguard Catalogue - Communications

S 5.72 Deactivation of unnecessary network services

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

To disable any network services on a Unix system which are not actually required, the procedure described below should be adopted.

Under Unix there are two ways of starting network services: via the server service inetd, which is configured in the file /etc/inetd.conf, and via the start-up files, which are held in /etc/rc.d/init.d or /etc/init.d. To disable services which are not required in the /etc/inetd.conf file, the relevant line should be commented out using a #. With a standard installation, generally more services are configured than are actually necessary. Among these, services will often be included which could constitute a risk. Therefore as few services as possible should be enabled, i.e. only those services which are really necessary on the system concerned (see also S 4.95 Minimal operating system and S 4.97 One service per server).

The services which are initiated by the start-up files are referenced via links from the subdirectories /etc/rcX.d and /etc/rc.d/rcX.d, where X stands for the Unix run level in which the start-up file is called. To deactivate the services which are not required, these can be moved to a subdirectory from where they can be reactivated if subsequently needed. This could be achieved, for example, as follows:

cd rc3.d; mkdir .s; mv S85sendmail .s/

The command netstat -a can be used to see which services are currently active.
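The two deactivation steps above, as an added example that is not part of the manual: a small POSIX shell script that comments out an inetd.conf entry, parks an rcX.d start script in a .s subdirectory and writes a log line for the change. The file paths, the log file and the sample configuration are assumptions so that it can be run against a copy rather than a live system.

```shell
#!/bin/sh
# Added example, not part of the Baseline Protection Manual. Implements
# the two deactivation steps of S 5.72 in a way that leaves an audit
# trail: comment out an inetd.conf entry, and park an rcX.d start
# script in a ".s" subdirectory. Paths are parameters so it can be
# run against copies; on a live system it needs root, and inetd must be
# told to re-read its configuration afterwards (not done here).

# disable_inetd_service FILE SERVICE
# Comments out active lines whose first field is SERVICE (plain name,
# no regex metacharacters) and prints how many lines were changed.
disable_inetd_service() {
    file=$1; svc=$2; tmp="$file.$$"
    changed=$(grep -c "^$svc[[:space:]]" "$file" || true)
    sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$tmp" && mv "$tmp" "$file"
    echo "$changed"
}

# list_enabled_inetd FILE
# Prints the service names still active (non-comment, non-blank lines),
# i.e. what remains to be justified under "as few services as possible".
list_enabled_inetd() {
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# park_rc_script RCDIR SCRIPT LOGFILE
# Moves RCDIR/SCRIPT to RCDIR/.s/ (where it can be restored later) and
# appends who/when/what to LOGFILE, covering the "have the changes been
# documented?" control.
park_rc_script() {
    rcdir=$1; script=$2; log=$3
    mkdir -p "$rcdir/.s" && mv "$rcdir/$script" "$rcdir/.s/$script" || return 1
    printf '%s %s parked %s/%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$rcdir" "$script" >> "$log"
}

# Demonstration on a constructed copy in a temporary directory.
demo=$(mktemp -d)
printf '%s\n' \
    'ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd' \
    '#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd' \
    'telnet  stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd' \
    > "$demo/inetd.conf"
mkdir -p "$demo/rc3.d" && : > "$demo/rc3.d/S85sendmail"
disable_inetd_service "$demo/inetd.conf" telnet >/dev/null
park_rc_script "$demo/rc3.d" S85sendmail "$demo/changes.log"
echo "still enabled in inetd.conf:"; list_enabled_inetd "$demo/inetd.conf"
cat "$demo/changes.log"
```

After the edit, confirm the result with netstat -a as the manual recommends; the script only changes the configuration and does not restart or signal any daemon.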

Additional controls:

- Have the changes to the start-up files been documented?
- Who is allowed to add services on a Unix system?
- Is a check performed with netstat -a after every update of application programs and operating system components as to which services are available on the network connection?

IT Baseline Protection Manual: October 2000
