S 4.95 Minimal operating system

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Computers in a security-critical environment should be designed so as to present as few targets for attack as possible. As today's operating systems provide many network services as standard, a well thought-out server service (such as an SSL-based Web server) is not sufficient for the operation of a secure server. It is also necessary to safeguard the operating system, because otherwise the security functions of the server service could be evaded via a weak point in the operating system. The characteristic feature of what is referred to as a minimal operating system is that ideally it does not provide any form of network service. A potential attacker will therefore be unable to exploit a weak point in a network service belonging to the operating system. Even if an attacker does gain access to the computer via a weak point, he will be further impeded by the minimal system. The fewer programs an attacker finds on a target computer, the more difficult it is for him to locate and exploit further weak points on that computer. Furthermore this also greatly facilitates maintenance of the server, because the patches or service packs for utility programs no longer have to be loaded if the programs are not there.

The following sections describe the configuration of an operating system using the example of an Internet server, because in this case the security requirements imposed on the operating system are generally very high.

An Internet server usually has only one task: making a certain number of services (such as the readiness to receive e-mails) available to other computers in a stable manner. The underlying operating system should not provide any other services. The following procedure should therefore be observed when installing an Internet server:

1. Basic installation of the operating system

If it is possible to influence which packages are actually installed during installation, only the necessary packages should be loaded at this stage. It is not always easy to establish the necessity of certain packages, however, so at least those packages which are obviously superfluous should not be loaded.

2. Deactivation of unnecessary programs

When a computer is started up, a large number of programs are launched automatically. Some of these programs are entirely irrelevant for an Internet server and should be deactivated. They can be deactivated by preventing automatic launching (start scripts under Unix, Startup and Service Manager under Windows NT) and by additionally deleting the corresponding programs. For security reasons it is recommended to delete them, because then an attacker will not be able to reactivate the services. However, it is sometimes very difficult to find and delete all of the files belonging to a particular service, so if there is any doubt the files should not be deleted.

The network parameters of the Internet server must be set, if this has not already been done at the time of installation. The parameters relevant to the security of the Internet server include the selection of a default gateway and a domain name server. For example, if communication between the Internet server and the Internet takes place via a proxy (see S 2.73 Selecting a suitable firewall), a default gateway is superfluous. Without a default gateway it is not possible to send a direct response from the Internet server onto the Internet, so that if the proxy is bypassed no communication can take place, and therefore also no attack. DNS is often also superfluous for an Internet server and should be avoided if possible, because it allows the establishment of a direct communication channel to the operating system (see S 4.96 ). In addition there are a great many other parameters which have a direct influence on the TCP/IP stack, for example the maximum size of IP packets. These parameters are very heavily dependent on the respective operating system, so at this stage all that can be mentioned is the deactivation of IP forwarding. Other changes could enhance stability when dealing with errored IP packets, for example, or also increase network throughput.

Some essential utility programs provide a large number of other services (this refers in particular to inetd under Unix). The corresponding configuration files must be restricted to those network services that are necessary (see also S 5.16 Survey of network services).

The operating system should be extended with additional security programs, if they are not already part of the operating system. Particularly useful additions include an integrity checking program (see S 4.93 Regular integrity checking) and a software packet filter (already included in Windows NT). Programs to scan for viruses and to evaluate log entries are also worth recommending. If remote administration of the Internet server is required, a security product to cope with this must be installed, for example the Secure Shell daemon (see S 5.64 ), and the security of the system must be checked at regular intervals (see also S 4.26 Regular security checks of Unix systems).

Ideally, a minimal operating system should not provide a single network service, and would therefore not be vulnerable to attack from the outside. Especially in relatively large networks, this approach is not practicable for administration reasons, so remote access is in fact necessary. Under both Unix and Windows NT, the netstat -a command can be used to check whether the Internet server provides such services. The configuration of each of the listed services should be restricted in such a way that only authorised computers are able to access them (for example, remote access to the Internet server should be limited to the network management computer).

As soon as the installation of a minimal operating system is complete, various programs which could be helpful to a potential attacker should be deleted. In particular, any compilers which may be present should be removed, because these could be a valuable tool for an attacker. Besides, another reason why it is not advisable to have compilers on Internet servers is that these computers are production machines, and program development and tests should be carried out on other computers. It is also conceivable to delete all editors, which would make it very much more difficult for an attacker to manipulate configuration files. If the editors are deleted, though, administration is also more complicated. If changes need to be made to configuration files, an editor has to be installed on a case-by-case basis, or alternatively, and this is recommended, the configuration files have to be edited on a different computer and then transferred.

A minimal operating system should of course not be an end in itself. It goes without saying that, for an Internet server, the server service itself still has to be installed. It depends on the particular installation whether this is done at the end of the above list or between points 6 and 7, for example, or even immediately after point 1. It becomes problematical if the installation fails because of the absence of operating system packages, because in that case the missing packages have to be located and reinstalled manually. It would be better if the vendor of the server service specified the operating system dependencies, so that the minimal system could be brought into line with these from the outset.

Even a computer configured with a minimal system is not entirely protected against attacks. The most probable cause of a successful attack is no doubt the server service, but also the minimal system itself is still open to attack, in particular the TCP/IP stack, which has to forward the network packets to the application. Almost all attacks against the TCP/IP stack that have so far come to light, however, have only affected availability, with the computers concerned being caused to crash; this means that infiltration of computers has not yet been observed. In order to reduce even this risk yet further, S 4.98 Restricting communication to a minimum with packet filters should also be implemented.