5.10 Remote Information Services Countermeasures

  • There is no reason to run systat, netstat, fingerd, rwhod, or rusersd services in any production environment; these services completely undermine security and offer little benefit.

  • DNS should be accessible over TCP only if inbound DNS zone transfers are offered because standard DNS queries are served over UDP. Diligently check all publicly accessible hosts to ensure that unnecessary DNS services aren't publicly accessible.

  • Most Linux identd packages are vulnerable to public and privately known attacks; therefore, refrain from running identd on mission-critical Linux servers.

  • SNMP services running on both servers and devices should be configured with strong read and write access community strings to minimize brute-force password-grinding risk. Network filtering of SNMP services from the Internet and other untrusted networks ensures further resilience and blocks buffer overflow and other process-manipulation attacks.

  • Ensure that your accessible LDAP and Windows 2000 AD Global Catalog services don't serve sensitive information to anonymous unauthenticated users. If LDAP or Global Catalog services are being run in a high-security environment, ensure that brute-force attacks aren't easily undertaken by logging failed authentication attempts.

  • Always keep your publicly accessible services patched to prevent exploitation of process-manipulation vulnerabilities. Most DNS, SNMP, and LDAP vulnerabilities don't require an authenticated session to be exploited by a remote attacker.
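As an added example that is not from the book, the following Python audit connects to the TCP ports of the services named in this section on a host you administer and reports what answers, separating services that have no production use from those the section allows only under a condition. Port numbers are the standard IANA assignments; the service labels, verdict wording and the `audit`/`tcp_open` function names are my own.

```python
"""Audit one host for the remote information services this section says should
not be publicly reachable. Added example; not from the book. Ports are the
standard IANA assignments; verdict wording is my own."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP services named in the countermeasures above. SNMP (UDP/161), rwhod
# (UDP/513) and rusersd (RPC, dynamic port) are omitted: a plain TCP connect
# cannot tell whether a UDP or RPC service is listening.
SERVICES = {
    "systat": 11,
    "netstat": 15,
    "dns-tcp": 53,
    "finger": 79,
    "identd": 113,
    "ldap": 389,
    "ldaps": 636,
    "ad-global-catalog": 3268,
    "ad-global-catalog-ssl": 3269,
}

# Services that may be exposed under a condition stated in the section;
# any reachable service not listed here has no production use.
LDAP_NOTE = "anonymous binds must not return sensitive data; log failed binds"
CONDITIONAL = {
    "dns-tcp": "only secondary nameservers pulling zone transfers should reach this",
    "ldap": LDAP_NOTE, "ldaps": LDAP_NOTE,
    "ad-global-catalog": LDAP_NOTE, "ad-global-catalog-ssl": LDAP_NOTE,
}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False

def audit(host, services=SERVICES, timeout=2.0):
    """Return [(service, port, verdict)] for every service that accepts a TCP connection."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        reachable = list(pool.map(lambda p: tcp_open(host, p, timeout), services.values()))
    findings = []
    for (name, port), is_open in zip(services.items(), reachable):
        if not is_open:
            continue
        verdict = "REVIEW: " + CONDITIONAL[name] if name in CONDITIONAL else "REMOVE: no production use"
        findings.append((name, port, verdict))
    return findings

if __name__ == "__main__":
    for name, port, verdict in audit(sys.argv[1]):
        print(f"{sys.argv[1]}:{port} ({name}) {verdict}")
```

Run it against each publicly reachable host from an external vantage point, since a filtered port that is open from the LAN still passes the check from inside.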