12.5. Installing and Modifying Services
Some of the services you want to provide may
not be provided with your operating system. Others may be provided in
versions that are inappropriate for use in a secure environment or
are missing features you probably want. You will have to choose
servers to provide these services and install them.
Windows NT does not have an equivalent to the Unix TCP wrappers
(which provide global controls that can be enforced on most
services). Instead, you will need to secure every service separately.
You should not assume that services are safe; reputable software
companies often ship unsafe packages, and in many cases, their worst
problems are easy to find and repair.
Install a test copy of the service on a machine that is otherwise
stable and will not change while you are doing the installation. Use
Find to identify all the files that were changed during the
installation, and check to make sure that those files are acceptable.
In particular:
- Make sure that file permissions are as restrictive as possible;
arbitrary users shouldn't be able to write to any executables,
configuration files, or temporary directories. If possible, limit
read and execute permissions as well.
- Verify the permissions on all registry
entries to make sure that arbitrary users can't change them.
Again, you will probably want to limit read permissions as well. In
particular, many services store passwords in registry keys, sometimes
with extremely weak protection. You do not want these keys to be
readable!
- If the program installs a user account, make sure that the password
is set to something other than the program's default. If
possible, change the account name to something other than the
program's default.
- Make sure that all programs are run by users with appropriate
permissions. Do not run services as Administrator unless they need to
be run as Administrator. If you add special user accounts for
services, make sure that they cannot be used as normal login
accounts.
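An added example, not from the book: one way to carry out the file and registry checks above on a current Windows system with PowerShell, using a before-and-after snapshot in place of Find. The search roots, the baseline path, and the registry key `HKLM:\SOFTWARE\ExampleVendor\ExampleService` are assumptions made for illustration.

```powershell
# Added example. Run once with -TakeBaseline before installing the service,
# then again without it after the installation has finished.
param(
    [string[]]$Roots = @($env:ProgramFiles, "$env:SystemRoot\System32"),  # assumed install targets
    [string]$Baseline = "$env:TEMP\pre-install.xml",                      # assumed baseline path
    [string]$ServiceKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleService',  # hypothetical key
    [switch]$TakeBaseline
)

# Well-known SIDs treated as "arbitrary users": Everyone, Users,
# Authenticated Users, INTERACTIVE. SIDs avoid localized group names.
$broad = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-Snapshot {
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTimeUtc
}
if ($TakeBaseline) { Get-Snapshot | Export-Clixml -Path $Baseline; return }

# Files that are new, or whose size or timestamp differs from the baseline.
$changed = Compare-Object (Import-Clixml $Baseline) (Get-Snapshot) `
        -Property FullName, Length, LastWriteTimeUtc |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty FullName -Unique

# Rights that let a principal alter an object. The registry mask also includes
# QueryValues, because keys holding stored passwords should not be readable.
$fileMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$keyMask  = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Find-BroadAccess($Path, $RightsProperty, $Mask) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate($sidType).Value
        $rights = [int]$ace.$RightsProperty
        # 0x50000000 = GENERIC_WRITE | GENERIC_ALL, which some ACEs carry unmapped.
        if ($sid -in $broad -and (($rights -band [int]$Mask) -or ($rights -band 0x50000000))) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference; Rights = $ace.$RightsProperty }
        }
    }
}

foreach ($f in $changed) { Find-BroadAccess $f 'FileSystemRights' $fileMask }
if (Test-Path $ServiceKey) {
    $keys = @($ServiceKey) + @(Get-ChildItem $ServiceKey -Recurse | ForEach-Object PSPath)
    foreach ($k in $keys) { Find-BroadAccess $k 'RegistryRights' $keyMask }
}
```

Each output row is a changed file or a registry key that a broad group can modify (or, for keys, read); an empty result means none of the checked objects grants those rights to the listed groups.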
Note that many services have interesting
interactions with hot fixes and service packs. Services, hot fixes,
and service packs all have a tendency to change system files. You
will need to install them in the correct order to make sure that you
have the most desirable version of the system files. In general, this
means installing the services first and then the hot fixes or service
packs that you need. In a few cases, you may need to install hot
fixes or service packs both before and after you install a service
(for instance, if the service requires a particular service pack, you
will have to install that service pack, install the service, and then
install the service pack you want to run). Extremely rarely, you need
to install the service after the hot fix or service pack (which means
that you will need to reinstall the service if you install a new hot
fix or service pack).