Confessions of a security pro: I was wrong about host hardening

After years of preaching host hardening, this security expert realizes the practice isn't always beneficial -- and can be harmful

Page 2 of 2

Some may argue Microsoft used to enable IIS on computers that didn't need it, along with SQL through SQL Desktop Edition. It's no longer the case and hasn't been for nearly a decade. The IIS of today is significantly hardened. It isn't installed anywhere by default, and when installed, it runs in a significantly hard-to-exploit default state. The latest versions of SQL haven't been exploited in years. When people ask me how to harden IIS or SQL, I usually reply, "Don't mess things up! The defaults are pretty darn good."

There's another risk in hardening: Most people making changes don't know what they are doing, so disabling a seemingly unneeded service can often have unexpected outcomes. One of my favorites examples is users disabling the Printer Spooler service on Windows domain controllers. Unbeknownst to them, it disabled Active Directory's printer pruning capabilities.

Even worse, in most hardening guides, I see horrible advice. The recommended practices are likely to cause problems and may, in fact, weaken security. I see it all the time, and very popular hardening guides are no exception.

As I mentioned, the latest IPv6 exploit has prompted IT admins to question whether they should disable the service. First, they argue, it's hard to stop, and second, most of the world isn't using it. I tell them no: IPv6 is significantly more secure than IPv4. Companies should be using and enabling it, not disabling it. Unless you're spending significant efforts trying to stop Layer 2 DHCP spoofing attacks, which impact nearly every computer in any company, you shouldn't expend your energies worrying about IPv6 lower layer attacks. Yes, IPv6 attacks will happen, just as they do with DHCP, but they aren't widespread.

I don't want to overgeneralize. Disabling an unneeded service often makes sense in terms of the cost benefit. Maybe even disabling IPv6 plain works for your company. But shouldn't you wait to see if any IPv6 attacks are forming in the wild before you start dedicating time and resources to it? If you're trying to prevent IPv6 hacks, why not direct that time and energy to more likely invasions, such as client-side attacks?

I'm also for anyone who wants to harden their own data security settings, as well as the applications and code they create. That's a no-brainer. What I'm talking about is all the effort spent hardening base OS or popular vendor applications that have already been security-examined and bolstered by the person who created it. If you're going to spend your time hardening your defenses, focus on the applications and areas that vendors haven't already reviewed or are clueless about security.

I'm certainly far from the first person to reach this conclusion. My coworker Aaron Margosis has been writing about it for years. A few years ago, Jesper Johansson and Steve Riley argued the same in their book "Protect Your Windows Network: From Perimeter to Data." I chided them and wrote articles rejecting their "bad" advice. I'm pretty sure I was even partially personally angry with what they were saying.

I was wrong. Sometimes it takes the passage of time to see that the other guys saw something clearer than I could, earlier than I could. Here's hoping that one of my future articles pass along the favor.

This story, "Confessions of a security pro: I was wrong about host hardening," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies