- Install the OS with default settings wherever possible. Scan it with nmap and Nessus during the installation.
- At completion of installation, scan again.
- Install relatively common listening services and scan again.
- Install the latest ‘major patch’, and scan again.
- Finally install all ‘minor patches’ published prior to Jan 1 2007, and scan again.
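The five-stage procedure above is, in effect, an attack-surface baseline taken at each step of a build. The script below is an added example, not code from the original post or from the study it discusses: it parses nmap's grepable output (`-oG`) saved at each stage, keeps only ports nmap reported as `open`, and prints which ports each stage opened or closed. The host address, hostname, stage names and port mix are constructed for illustration; the `-oG` field layout (`port/state/protocol/owner/service/rpc/version`) is nmap's own. ICMP reachability appears on a separate `Status: Up` line rather than in the `Ports:` field, so it is never counted as a port, which matches the convention the chart uses.

```python
"""Diff open ports across successive build-stage nmap scans.

Added example, not part of the original post or the study it discusses.
All scan data below is constructed; only the -oG field layout is nmap's.
"""
import re
from typing import Dict, List, Set, Tuple

PortKey = Tuple[int, str, str]  # (port, protocol, service name)

# Constructed sample nmap -oG output, one capture per build stage.
# The host, hostname and port mix are invented, not the study's figures.
STAGE_SCANS: List[Tuple[str, str]] = [
    ("post-install", (
        "Host: 192.0.2.10 (build-box)\tStatus: Up\n"
        "Host: 192.0.2.10 (build-box)\tPorts: 135/open/tcp//msrpc///, "
        "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\t"
        "Ignored State: closed (997)\n"
    )),
    ("services-installed", (
        "Host: 192.0.2.10 (build-box)\tStatus: Up\n"
        "Host: 192.0.2.10 (build-box)\tPorts: 80/open/tcp//http///, "
        "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
        "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\t"
        "Ignored State: closed (995)\n"
    )),
    ("major-patch", (
        "Host: 192.0.2.10 (build-box)\tStatus: Up\n"
        "Host: 192.0.2.10 (build-box)\tPorts: 80/open/tcp//http///, "
        "135/open/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, "
        "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\t"
        "Ignored State: closed (995)\n"
    )),
    ("minor-patches", (
        "Host: 192.0.2.10 (build-box)\tStatus: Up\n"
        "Host: 192.0.2.10 (build-box)\tPorts: 80/open/tcp//http///, "
        "135/open/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, "
        "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\t"
        "Ignored State: closed (995)\n"
    )),
]

# The Ports: field runs from "Ports: " up to the next tab-separated field.
_PORTS_FIELD = re.compile(r"\tPorts: (?P<ports>[^\t]+)")


def parse_open_ports(grepable: str) -> Set[PortKey]:
    """Return the (port, proto, service) entries nmap reported as open."""
    found: Set[PortKey] = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header/footer comment lines
        match = _PORTS_FIELD.search(line)
        if not match:
            continue  # a "Status: Up" line: ping reachability, not a port
        for entry in match.group("ports").split(", "):
            # -oG port entry: port/state/protocol/owner/service/rpc/version
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; ignore rather than guess
            port, state, proto, _owner, service = fields[:5]
            if state == "open":  # drop closed/filtered entries
                found.add((int(port), proto, service))
    return found


def stage_deltas(stages: List[Tuple[str, str]]) -> List[Dict]:
    """Walk the stages in order and record what each one opened or closed."""
    rows: List[Dict] = []
    previous: Set[PortKey] = set()
    for name, grepable in stages:
        current = parse_open_ports(grepable)
        rows.append({
            "stage": name,
            "open": sorted(current),
            "opened": sorted(current - previous),
            "closed": sorted(previous - current),
        })
        previous = current
    return rows


def format_summary(rows: List[Dict]) -> str:
    """Render the per-stage open-port summary as a plain-text table."""
    lines = [f"{'stage':<20}{'open':>5}  ports"]
    for row in rows:
        names = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in row["open"])
        lines.append(f"{row['stage']:<20}{len(row['open']):>5}  {names}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary_rows = stage_deltas(STAGE_SCANS)
    print(format_summary(summary_rows))
    for row in summary_rows:
        if row["opened"] or row["closed"]:
            print(f"{row['stage']}: opened {row['opened']} closed {row['closed']}")
```

In practice each stage's capture would come from `nmap -oG <file>` run against the build host from a separate scanning box; the script only reads the saved files, so the host being built never has to hold scan tooling. Keeping the per-stage deltas (rather than just the final open-port count) is what lets you attribute a new listener to the specific install or patch step that introduced it.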
I very much encourage you to read the full report, but one thing I sorely missed was a summary chart so I could get a better sense of what all that verbiage really means. So I created one – you see it below.
Some important points about this summary chart:
- I left out the ‘mid-install’ scan info. I’m assuming y’all have the sense not to build your critical machines whilst connected to attack-prone networks.
- The study mentions local vulnerabilities in one or two places, but is primarily concerned with remote vulns. In the ‘vulns’ column I list only those remote-exploitable vulns found by Nessus.
- I’m not 100% sure I have the numbers exactly right. In some places the report was confusingly worded. I think I have preserved the author’s intent and I really hope he’ll let me know if I fumbled the ball.
- I list port names for a reason. It seemed to me that in at least some cases, the choice of services to install in the ‘services installed’ config was a bit arbitrary. I note that some server OSes have a web server enabled and some do not. So I thought this was important to include!
- ICMP is not counted as one of the open ports.
- As best I can tell, no firewall is enabled in any of the tests. In some cases, default firewalls were explicitly shut off.
There’s a lot to be learned here. For now, I’m drawing no conclusions. But I welcome yours, in the comments!
I'm sorry the above image is so small - click it to see at readable size. I tried to use an actual html table, so you'd be able to cut/paste from it, but I'm learning that Blogger likes to mangle html in its own special ways, so for now we'll have to make do with this image.