
Disable Unnecessary Services

Minimize exposure

Use Authentication Everywhere

  • Don't use blank passwords.
  • Don't use weak or default passwords.
  • Be Cyber Safe!!

Disable Network Services

The CIS Benchmarks do a good job of identifying and disabling commonly unused services. However, whoever installs the OS should still check afterwards which services have Internet sockets that are 'listening', using commands like:

  • netstat -an (Windows or Unix)
  • Active Ports (Windows)
  • netstat -an | egrep 'Proto|LISTEN' (Unix)
  • lsof -i -n | egrep 'COMMAND|LISTEN' (Unix)
  • sockstat -4 -l (FreeBSD)
  • netstat -luntp (Linux)

Once you've identified a service, verify its necessity and, if possible, disable it (e.g., remove it from startup). Ideally, workstations should have no sockets listening.
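
To make that review quicker, here is an added example (not part of the original page) that filters `netstat -luntp` output down to listeners bound to non-loopback addresses, which are the ones reachable from the network. It assumes the Linux net-tools column layout; the function names `exposed_listeners` and `sample_netstat` are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: triage `netstat -luntp` (Linux) output by bind address.
# exposed_listeners and sample_netstat are hypothetical names.

# Read netstat -luntp output on stdin; print "proto addr port pid/program"
# for every listener that is NOT bound to a loopback address.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # TCP rows carry a State column; keep only LISTEN.
            # UDP rows leave State blank, so -l already limits them.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            addr = $4; sub(/:[^:]*$/, "", addr)   # strip ":port"
            port = $4; sub(/.*:/, "", port)       # keep text after last ":"
            # Loopback-only sockets are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1") next
            # Assumption: program name has no spaces, so it is the last field.
            print $1, addr, port, $NF
        }'
}

# Constructed sample input, so the example runs offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      990/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      701/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           600/systemd-resolve
EOF
}

sample_netstat | exposed_listeners
# On a live host (root is needed to see every PID/program):
#   netstat -luntp | exposed_listeners
```

Each line it prints is a service to justify, disable, or restrict; an empty result is the workstation ideal described above.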

Windows specific: If the computer will not be joining a domain, sharing files, printers, etc. (i.e., it is a stand-alone workstation), then disable Client for Microsoft Networks and disable File and Printer Sharing for each interface listed under Network Connections.

Restrict Network Services

This is done either in the application's configuration itself or via a filter (tcpwrappers or a firewall).

Look for configuration documentation to see if there is a means of filtering clients. Research. Read.

Some examples:

  • tcpwrappers, iptables, and ipfw
  • Configuring a Windows XP SP2 firewall
  • Enable IPSec
  • --skip-networking flag for MySQL
  • -nolisten tcp flag for X11 (startx)
  • Allow from directive for Apache
  • allow-recursion{ } directive for Bind