Identify and Eliminate Unapproved Services
Unapproved or unauthorized services running on a network can create significant security risks. This chapter explains what services are, how they can increase risk, how to audit services in use, and how to shut down those that are unapproved. It also includes guidance on using source ports to trace the initiating process behind a service.
What Are Services?
Definition: Services refer to background processes or programs that run continuously to provide various functionalities on a system or network. These services are essential for enabling applications and ensuring smooth operations within an organization’s network.
Examples of Common Services:
- Web Services (HTTP/HTTPS): Allow web applications to run and communicate.
- File Transfer Services (FTP/SFTP): Facilitate the transfer of files between systems.
- Database Services (SQL Server, MySQL): Manage data storage and retrieval for applications.
- Remote Access Services (RDP, SSH): Provide remote access capabilities for system administration.
How Do Services Increase Risk?
Unapproved or poorly managed services can increase the risk of exploitation:
- Increased Attack Surface: Every active service adds a potential entry point into the network. Unnecessary or insecure services enlarge the network’s overall attack surface.
- Outdated and Unpatched Services: Unmonitored services can become outdated and vulnerable to exploits.
- Misconfigurations: Improper configurations can expose data or grant unauthorized access.
- Hidden Services: Undocumented services can provide covert entry points for attackers to maintain persistence within a network.
Real-World Example: A forgotten test web server running on a non-standard port with default credentials could be exploited for administrative access.
How to Audit the Services in Use
Auditing services helps identify which processes are running and whether they are approved:
Steps for Auditing Services:
- Inventory Services: Use tools like Ridgeback to identify services running across your network, and confirm that network view against each host's own socket table. A scanner only sees ports reachable from where it scans; host firewalls and loopback-only listeners hide the rest.
- Categorize and Evaluate: Classify services as essential, approved but non-essential, or unapproved.
- Check Versions and Updates: Cross-check versions of running services against known vulnerabilities and patch requirements.
- Trace Initiating Processes by Source Port: A listening service is identified by the local port it is bound to; an outbound connection by its ephemeral source port. Either way the port leads to a process ID (PID), and the PID to the executable that opened the socket.
  - On Windows:
    - Run netstat -ano to display listening ports and active connections along with the owning PID.
    - Run tasklist /fi "PID eq <PID>" to identify the process by its PID.
    - For more detail, use PowerShell: Get-NetTCPConnection | Where-Object { $_.State -eq 'Listen' } | Select-Object -Property LocalPort, OwningProcess. Match OwningProcess with the PID reported by tasklist.
  - On Linux:
    - Run ss -tulnp (or netstat -tulnp, from the older net-tools package) to display listening TCP and UDP ports, protocols, and associated PIDs. Run it as root: an unprivileged user gets no process information for sockets owned by other users, so the process column is simply empty.
    - Run ps -p <PID> -o comm,args to get the process name and its full command line.
    - lsof -i :<port_number> can also be used to trace the process using a specific port.
Tools to Use:
- Ridgeback: Provides real-time network insights and helps identify services.
- Network Scanners (e.g., Nmap): Detect open ports and the services behind them.
- Local System Tools: tasklist, ss, and lsof for tracing PIDs and processes.
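The Linux side of the trace above, as an added example that is not Ridgeback's code and not part of the original page: a bash script that parses the text printed by ss -tulnp into protocol, port, PID and process name, compares every listener against an allowlist of process:port pairs, and runs ps on each one that is not approved. The sample ss output and the allowlist are constructed for the example; the function names (parse_ss, audit_listeners, describe_flagged) are the example's own. On a real host the same functions are fed from a live ss -tulnpH (recent iproute2 for the -H header-suppression flag; on older versions use ss -tulnp | tail -n +2).

```bash
#!/usr/bin/env bash
# Added example (not Ridgeback's code): flag listening sockets whose owning process
# is not on an allowlist, working from the text that `ss -tulnp` prints.
# Assumes Linux with iproute2's ss; run as root, otherwise ss leaves the process
# column empty for sockets owned by other users.

# Constructed sample of `ss -tulnpH` output (no header line), embedded so the
# script runs offline. Ports 8089 and 4444 are the planted "unapproved" listeners;
# 4444 carries no process information, as ss shows it to an unprivileged user.
SAMPLE_SS='tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1020,fd=6),("nginx",pid=1021,fd=6))
tcp   LISTEN 0      128           [::]:8089          [::]:*    users:(("python3",pid=4417,fd=3))
udp   UNCONN 0      0     127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=540,fd=12))
tcp   LISTEN 0      50         0.0.0.0:4444      0.0.0.0:*'

# Approved process:port pairs (a constructed policy; derive yours from the
# "essential" and "approved but non-essential" categories of the audit).
ALLOWLIST="sshd:22 nginx:80 systemd-resolve:53"

# Read ss -tulnpH lines on stdin; print "proto port pid name" per socket.
# The local address is field 5; its port is the text after the last colon, which
# also works for IPv6 ("[::]:8089") and scoped addresses ("127.0.0.53%lo:53").
# When ss shows no process (no permission, or a kernel-owned socket), pid and
# name are printed as "-".
parse_ss() {
    awk '{
        n = split($5, addr, ":"); port = addr[n]
        pid = "-"; name = "-"
        if (match($0, /pid=[0-9]+/))        pid  = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /users:\(\("[^"]+"/)) name = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, pid, name
    }'
}

# Read "proto port pid name" lines on stdin and print those not covered by the
# allowlist of name:port pairs given as $1. Exit status 1 when anything was
# flagged, so the function can gate a cron job or a CI check.
audit_listeners() {
    local allow=" $1 " found=0 proto port pid name
    while read -r proto port pid name; do
        case "$allow" in
            *" $name:$port "*) ;;                       # approved
            *) echo "$proto $port $pid $name"; found=1 ;;
        esac
    done
    return "$found"
}

# For each flagged line, show the command line behind the PID (the page's
# `ps -p <PID> -o comm,args` step). "-" means ss could not see the owner.
describe_flagged() {
    local proto port pid name
    while read -r proto port pid name; do
        if [ "$pid" = "-" ]; then
            echo "$proto/$port: owner not visible (rerun as root)"
        else
            ps -p "$pid" -o pid=,comm=,args= || echo "$proto/$port: pid $pid has exited"
        fi
    done
}

# Offline run against the sample; on a live host replace the printf with: ss -tulnpH
printf '%s\n' "$SAMPLE_SS" | parse_ss | audit_listeners "$ALLOWLIST" | describe_flagged
```

The allowlist is keyed on process name plus port rather than port alone, so a different binary squatting on an approved port (a listener named python3 on 80, say) is still flagged. An empty process column on a live system usually means the audit was not run as root; a kernel-owned socket such as an NFS server also shows no process, so check privileges before treating it as hidden.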
How to Shut Down Unapproved Services
Once unapproved services are identified, it’s important to shut them down securely:
Steps to Shut Down Unapproved Services:
- Confirm and Document: Verify the nature of the unapproved service and document its details (name, machine, and process ID).
- Coordinate with Stakeholders: Notify relevant teams before shutting down services that may impact other applications.
- Disable the Service:
  - On Windows: Open services.msc, locate the service, stop it, and set its Startup Type to Disabled. A service with recovery actions configured will be restarted if its process is simply killed, so stop and disable it through the service control manager first.
  - On Linux: Use systemctl stop <service_name> and systemctl disable <service_name> to stop it and prevent it from starting at boot. Killing the PID of a systemd-managed service is not enough on its own: a unit with Restart= configured is started again as soon as its process dies.
- Kill Processes by PID: For a process that is not managed as a service, or as a fallback when the service control commands above do not take effect.
  - On Windows: Use taskkill /PID <PID> /F to forcefully terminate a process.
  - On Linux: Use kill <PID> (SIGTERM, which lets the process clean up) first, and fall back to kill -9 <PID> (SIGKILL, which it cannot catch or ignore) only if it is still running a few seconds later.
- Remove or Secure: Uninstall unapproved services or reconfigure necessary ones with stronger security measures.
- Monitor for Recurrence: Implement continuous monitoring to ensure unapproved services do not reappear.
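The kill step above, as an added example that is not part of the original page or Ridgeback's code: a bash function that sends SIGTERM first, waits up to a timeout for the process to exit, and only then escalates to SIGKILL. It treats a zombie as already dead, because kill -0 keeps succeeding on a zombie until its parent reaps it, which would otherwise make the script escalate needlessly or report a false failure. The helper names (alive, stop_pid) and the default timeout are the example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Ridgeback's code): stop a process by PID the way the page
# describes, SIGTERM first and SIGKILL only if it does not exit. Assumes Linux
# or another Unix with a procps-style `ps -o stat= -p`.
#
# For a systemd-managed service use `systemctl stop` / `systemctl disable`
# instead: a unit with Restart= configured is started again by systemd as soon
# as its process dies, so killing the PID alone only buys a few seconds.

# True while the PID exists and is not a zombie. A zombie has already exited and
# is only waiting to be reaped, but `kill -0` still succeeds on it.
alive() {
    local state
    if command -v ps >/dev/null 2>&1; then
        state=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
        [ -n "$state" ] && [ "${state#Z}" = "$state" ]   # absent or zombie: not alive
    else
        kill -0 "$1" 2>/dev/null                           # fallback without ps
    fi
}

# stop_pid PID [TIMEOUT_SECONDS]
# Returns 0 once the process is gone (or was never there), 1 if it survived
# SIGKILL or the caller lacks permission to signal it.
stop_pid() {
    local pid="$1" timeout="${2:-5}" waited=0
    alive "$pid" || return 0
    kill -TERM "$pid" 2>/dev/null || return 1
    while [ "$waited" -lt "$timeout" ]; do
        alive "$pid" || return 0
        sleep 1
        waited=$((waited + 1))
    done
    echo "pid $pid still running ${timeout}s after SIGTERM; sending SIGKILL" >&2
    kill -KILL "$pid" 2>/dev/null || return 1
    sleep 1
    if alive "$pid"; then
        return 1      # e.g. stuck in uninterruptible I/O (state D); SIGKILL is deferred
    fi
    return 0
}

# Demo against a throwaway child of this script (a constructed stand-in for the
# unapproved process found during the audit).
sleep 60 &
demo_pid=$!
stop_pid "$demo_pid" 3 && echo "pid $demo_pid stopped"
```

A process that survives SIGKILL is not ignoring the signal (SIGKILL cannot be caught); it is blocked in the kernel, typically on I/O, and the signal is delivered when that call returns. Record the PID and command line before stopping anything, since both are gone once the process exits.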
Preventative Measures:
- Network Policies: Establish clear policies outlining approved services and conditions for running them.
- Change Management: Implement a change management process to ensure services are reviewed before deployment.
- Access Controls: Restrict who can install or start services on key systems.
Conclusion
Regularly auditing and eliminating unapproved services is essential for reducing the network’s attack surface and enhancing security. Leveraging tools to trace initiating processes by source port can provide additional insight into the services running in your network. With diligent monitoring, informed action, and comprehensive policies, you can safeguard your network from unauthorized services.