S 4.95 Minimal operating system

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Computers in a security-critical environment should be designed in such a way that they offer the lowest possible number of points of attack. Since today's operating systems provide numerous network services by default, a well designed server service (e.g. an SSL-based web server) is insufficient for operating a secure server. The operating system itself must be secured, since the security functions of the server service may be bypassed using a vulnerability in the operating system. A so-called minimal operating system is characterised by the fact that, ideally, it does not provide any network service at all. Thus, a potential attacker is not able to exploit any vulnerability in a network service of this operating system. Should an attacker nevertheless have gained access to the computer by using a vulnerability, he/she is further hindered by the minimal system. The fewer programs an attacker finds on a target computer, the more difficult it is for him/her to identify and/or use further vulnerabilities in the target computer. Furthermore, this significantly facilitates server maintenance, since patches and/or service packs for service programs that are not present no longer need to be installed.

The configuration of an operating system is described in the following based on an Internet server, since very high security requirements must be placed on the operating system here in general.

An Internet server usually only has one task: providing a certain number of services (e.g. the readiness for receiving email) to other computers in a stable manner. The underlying operating system should not offer any additional service. Therefore, the following approach should be adhered to when installing an Internet server:

1. Basic installation of the operating system

If the set of packs to be installed can be influenced during installation, only the necessary packs should be installed at this point. However, it is not always possible to tell whether a certain pack is needed, so at a minimum the obviously dispensable packs should be left out.

2. Disabling unnecessary programs

When a computer boots, numerous programs are started automatically. Some of these programs are completely dispensable for an Internet server and should be disabled. They can be disabled by preventing their automatic start (start scripts in Unix, auto start and service manager in Windows NT) and additionally by deleting the corresponding programs. For security reasons, deletion is recommended, since an attacker is then unable to re-enable the services. However, it is sometimes very difficult to find and delete all files belonging to a certain service, so in cases of doubt deletion should not be performed.

3. Configuration of the network parameters

Unless this was already done during installation, the network parameters of the Internet server must be configured. Amongst other things, the choice of a default gateway and of a domain name server is relevant to the security of the Internet server. For example, if the Internet server communicates with the Internet via a proxy (see S 2.73 Selecting suitable basic structures for security gateways), a default gateway is dispensable. Without a default gateway, the Internet server cannot respond directly to the Internet, so no communication, and hence no attack, can take place if the proxy is bypassed. DNS is often dispensable for an Internet server and should be avoided as far as possible, since it opens a direct communication channel to the operating system (see S 4.96 Deactivating DNS). Additionally, there are numerous parameters that directly influence the so-called TCP/IP stack, e.g. the maximum IP packet size. These parameters depend strongly on the respective operating system, so only disabling IP forwarding is mentioned here. Further changes may, for example, improve robustness against malformed IP packets or even increase network throughput.

4. Deactivation of unnecessary network services

Some necessary utilities provide numerous additional services (this is particularly applicable to inetd in Unix). The corresponding configuration files must be restricted to the necessary network services (see also S 5.16 Survey of network services).

5. Installation of security programs

The operating system should be complemented by additional security programs unless these are already part of the operating system. Installing an integrity checking program (see S 4.93 Regular integrity checking) and a software packet filter (already included in Windows NT) is particularly advisable. Additionally, virus scanners and programs for evaluating the log entries are recommended. If the Internet server is to be administered remotely, a corresponding security product must be installed, e.g. the Secure Shell daemon (see S 5.64 Secure Shell), and the system's security must be checked regularly (see also S 4.26 Regular security checks of Unix systems).

6. Configuration and control of the network services

Ideally, a minimal operating system does not provide a single network service, making it insusceptible to attacks from outside. Particularly in larger networks, this approach is no longer practicable because of the administrative effort involved, so remote access is necessary. Whether the Internet server provides services can be checked with the netstat -a command on both Windows NT and Unix. Each of the services listed should be restricted in its configuration so that only authorised computers may access it (e.g. remote access to the Internet server must be restricted to the network management computers).

7. Deleting unneeded programs

Once the installation of a minimal operating system is complete, various programs that could be helpful to a potential attacker should be deleted. In particular, any existing compilers must be removed, since they could be a useful aid for an attacker. Furthermore, compilers make no sense on Internet servers, since these computers are production machines and program development and testing should be performed on different computers. Deleting all editors is also conceivable; this would make manipulating configuration files much more difficult for an attacker, but it would also complicate administration. Whenever a configuration file has to be changed, an editor would then have to be re-installed, or, and this is the recommended approach, the configuration files must be edited on a different computer and then copied over.
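The checks from steps 3, 4, 6 and 7 can be turned into a small audit script that an administrator runs after installation and again at each regular security check. The following script is an added example and not part of the IT-Grundschutz catalogue; it assumes a Linux-style Unix host (netstat output format, /proc/sys/net/ipv4/ip_forward, /etc/resolv.conf, /etc/inetd.conf). Every check is written as a function over text input, so it can be fed live command output (see audit_live) or the constructed sample data embedded below; the port numbers, service names and paths in those samples are invented for illustration.

```shell
#!/bin/sh
# Added audit script (not from the IT-Grundschutz catalogue). Each function reads
# command output or a file on stdin, so the same checks run on constructed samples
# and, via audit_live, on the real host.

# --- Step 6: which services does the host offer? (input: `netstat -an` output)
listening_services() {
    # Print "proto local_address" for listening TCP sockets and all bound UDP sockets.
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/ { print $1, $4 }'
}

# Print listeners that are not on the allow-list ("proto port proto port ...").
unexpected_listeners() {
    listening_services | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i < n; i += 2) ok[a[i] " " a[i+1]] = 1 }
        { proto = $1; sub(/6$/, "", proto)              # treat tcp6/udp6 like tcp/udp
          m = split($2, h, ":"); key = proto " " h[m]   # text after the last ":" is the port
          if (!(key in ok)) print key }'
}

# --- Step 3: IP forwarding off, no default gateway, no DNS resolver
ip_forwarding_disabled() { [ "$1" = "0" ]; }     # arg: content of /proc/sys/net/ipv4/ip_forward

has_default_route() {                             # input: `netstat -rn` output; true if a default route exists
    awk 'BEGIN { f = 1 } $1 == "default" || $1 == "0.0.0.0" { f = 0 } END { exit f }'
}

dns_configured() {                                # input: /etc/resolv.conf; true if a nameserver is set
    grep -q '^nameserver'
}

# --- Step 4: services still enabled in inetd.conf (input: file content)
inetd_enabled_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }'
}

# --- Step 7: compilers, build tools or editors left on a production server
leftover_tools() {                                # args: directory, then tool names to look for
    dir=$1; shift
    for tool in "$@"; do
        [ -x "$dir/$tool" ] && echo "$tool"
    done
    return 0
}

# Run all checks on the live host; the argument is the allow-list of expected listeners.
audit_live() {
    echo "== listeners not on the allow-list ($1):"; netstat -an | unexpected_listeners "$1"
    ip_forwarding_disabled "$(cat /proc/sys/net/ipv4/ip_forward)" || echo "!! IP forwarding is enabled"
    netstat -rn | has_default_route && echo "!! a default gateway is configured"
    dns_configured < /etc/resolv.conf && echo "!! a DNS resolver is configured"
    echo "== inetd services:"; [ -f /etc/inetd.conf ] && inetd_enabled_services < /etc/inetd.conf
    echo "== leftover tools in /usr/bin:"; leftover_tools /usr/bin cc gcc g++ make ld as vi
}

# Constructed sample data (not captured from a real system).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0'
SAMPLE_INETD='#ftp    stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd
smtp    stream  tcp  nowait  mail   /usr/sbin/exim  exim -bs
#finger stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd'

# Demonstration on the samples: a mail server is expected to offer only SSH and SMTP,
# so the NTP listener is reported.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "tcp 22 tcp 25"   # -> udp 123
```

On a real host, call audit_live with the allow-list of the services the server is meant to provide (for a mail server reachable by SSH, "tcp 22 tcp 25"); every line it prints with "!!" or under "listeners not on the allow-list" is a deviation from the minimal-system configuration that needs either a justification or a fix. The netstat output format differs on Windows NT, so the parsing functions apply to Unix only.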

A minimal operating system should not be an end in itself, of course. The actual server service must naturally be installed for an Internet server. Whether this is performed at the end of the above mentioned list or between items 6 and 7 or even directly after item 1 depends on the respective installation. Problems arise if the installation fails due to a lack of operating system packs, since the missing packs have to be sought and installed manually. It would be better if the manufacturer of the server service specified the operating system dependencies so that the minimal system can be adapted to these right from the beginning.

Even a computer configured with a minimal system does not offer complete protection against attacks. The most likely cause of a successful attack is certainly the server service, but the minimal system itself also remains susceptible to attack, particularly the TCP/IP stack, which must forward the network packets to the application. However, nearly all attacks against the TCP/IP stack published so far have only affected availability by crashing the affected computers, i.e. no intrusion into computers by this route has been observed yet. In order to minimise this risk further, S 4.98 Restricting communication to a minimum with packet filters should also be implemented.

Review questions: