First principle to understand vulnerability assessment, one can’t exploit the vulnerability if a threat does not exist. So by default the services (ports) which are not required in a system (server) will present an unnecessary threat to be exploited if specific vulnerability exists in a system.
These unnecessary and unattended services are also the prime target of an attacker which they will find in reconnaissance session and ultimately exploit these vulnerabilities to get into a system. Modern networks should be resilient enough to handle the availability and bandwidth of traffic but also the daily barrage of attacks. Information security is a necessary evil to stay in business (cost of doing business) today. Compliance and regulatory fines aside, InfoSec is treated as business enabler in today’s business suite.
Below are five services which must be disabled unless there is a business reason. If you do have to enable one of these services then utilize compensatory controls to minimize the given risk to acceptable level.
1. Finger – the finger is TCP Unix service (port 79) which is utilized to determine who was logged on to system. After that all you have to find what is their password to get into the system and there are plenty of brute force applications out there to do that for you. Same service can be provided from other lookup secure services (like whois) which may minimize the risk in your environment. So make sure this service is disabled on all devices.
2. Telnet – is used for remote device management to get into system, no wonder a gold mine for a hacker. Like FTP, Telnet communicate in clear text, so it is insecure protocol. So it should be replaced with other secure services like SSH (port 22).
3. HTTP – is the most common user friendly web interface today. Because of its commonality the hackers have discovered several methods of exploiting HTTP service. Beside that HTTP is a clear text protocol as well which provides an extra advantage to a hacker. So it should be replaced with other secure services like Https (port 443).
4. NTP – Network Time protocol utilize to synchronize all the time clocks with a remote time server which also use to keep all the logs in sync for forensic or incident handling. If NTP is not required on a system it should be disabled.
5. ICMP – is data link layer protocol which provides information about neighboring network devices. ICMP flood, also known as Ping flood or Smurf attack, is type of Denial of Service attack that sends large amounts of (or just over-sized) ICMP packets to a machine in order to attempt to crash the TCP/IP stack on the machine and cause it to stop responding to TCP/IP requests. Some time it necessary to enable this protocol when troubleshooting, so only enable when necessary otherwise keep it disable.
Please feel free to comment and add more services which you think should be added to this list