No Unnecessary Services Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the No Unnecessary Services requirement.

Requirement

If a network service is not necessary for the intended purpose or operation of the device, that service must not be running.

Background and description of risk

By definition, running a network service on a device provides an avenue for communications with other devices where one did not previously exist. Any service may be subject to software flaws or poor configurations that introduce security vulnerabilities leading to compromise. Therefore, network services unnecessary for the intended purpose or operation of that device should be removed or disabled to reduce the overall risk.

Recommendations

Default Network Services

Most operating system vendors now acknowledge the risk of unnecessary network services, so more recent operating systems are generally configured more securely by default and are preferred. However, every system should still be hardened: a default installation typically enables services that a particular device does not need. Consult the Center for Internet Security (CIS) benchmark for your operating system for specific guidance on which services can and should be disabled. Instructions for obtaining the CIS benchmarks are available from the Center for Internet Security.

User-Installed Software

Besides the operating system, some user-installed applications provide network services to communicate with other devices. In many cases these services are required for the intended operation of the device and are therefore permitted. However, some applications install gratuitous network services that are either not required at all or are configured to listen on all network interfaces when only local (loopback) access is required. For example, some reporting software installs a Microsoft SQL Server instance as an add-on even though its network service is unnecessary for most users. When installing new software, compare the set of listening ports and services before and after the installation, determine which of the additions are necessary and which are gratuitous, and disable or restrict the gratuitous ones.
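A worked example of the before-and-after check described above, added here as an illustration; it is not part of the UC Berkeley guideline. It is written for a Windows host (the NetTCPIP cmdlets require Windows 8 / Server 2012 or later, and an elevated session is needed to resolve owning processes). The snapshot file paths, the allowlisted ports 3389 and 5985, and the service name MSSQL$SQLEXPRESS are assumptions to adapt to your environment. The same approach applies on any platform: record what is listening, install, record again, and account for every difference.

```powershell
# Added example, not part of the UC Berkeley guideline. Assumes a Windows
# host with the NetTCPIP module and an elevated PowerShell session.

function Get-ListenerSnapshot {
    # One object per listening endpoint: TCP sockets in the Listen state and
    # bound UDP endpoints, each mapped to the owning process and to any
    # Windows services hosted in that process (svchost hosts several).
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $svcs = $svcByPid["$($ep.OwningProcess)"]
        $procName = if ($proc) { $proc.ProcessName } else { '(unknown)' }
        $svcNames = if ($svcs) { @($svcs.Name) -join ',' } else { '' }
        [pscustomobject]@{
            Proto        = $ep.Proto
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $ep.OwningProcess
            ProcessName  = $procName
            Services     = $svcNames
        }
    }
}

# Step 1: snapshot before installing the new software (paths are assumptions).
Get-ListenerSnapshot | Export-Clixml -Path "$env:TEMP\listeners-before.xml"

#   ... run the installer here ...

# Step 2: snapshot again and report only the endpoints the install added.
Get-ListenerSnapshot | Export-Clixml -Path "$env:TEMP\listeners-after.xml"

$before = Import-Clixml "$env:TEMP\listeners-before.xml"
$after  = Import-Clixml "$env:TEMP\listeners-after.xml"
Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property Proto, LocalAddress, LocalPort -PassThru |
    Where-Object SideIndicator -eq '=>' |
    Format-Table Proto, LocalAddress, LocalPort, ProcessName, Services -AutoSize

# Step 3: independently of any install, list everything bound to all
# interfaces (reachable from the network) that is not on the allowlist of
# ports this device legitimately needs. The allowlist here (RDP and WinRM
# for remote management) is an assumption; build yours from the device's
# intended purpose and the CIS benchmark for its operating system.
$allowedPorts = 3389, 5985
Get-ListenerSnapshot |
    Where-Object { ($_.LocalAddress -in '0.0.0.0', '::') -and ($_.LocalPort -notin $allowedPorts) } |
    Format-Table Proto, LocalAddress, LocalPort, ProcessName, Services -AutoSize

# Step 4: once a listener is confirmed gratuitous, stop its service and keep
# it from starting again. 'MSSQL$SQLEXPRESS' is the usual instance name for
# a bundled SQL Server Express install and is an assumption here.
Stop-Service -Name 'MSSQL$SQLEXPRESS' -Force
Set-Service  -Name 'MSSQL$SQLEXPRESS' -StartupType Disabled
```

Read the LocalAddress column carefully: an endpoint bound to 127.0.0.1 or ::1 is reachable only from the host itself and is usually acceptable, while one bound to 0.0.0.0 or :: is exposed to the network and is the kind of listener the requirement is about. Where a service is needed locally but was bound to all interfaces, reconfiguring it to bind to the loopback address is often a better fix than disabling it.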

Edge Cases

Services that provide a benefit but are not strictly necessary

Some network services may not be strictly necessary to the intended purpose or operation of the device, but disabling or removing them creates significant barriers to the effective use or management of the device. For example, the “Server” service (the SMB server, which provides file and printer sharing and the administrative shares) is not strictly required for a Microsoft Windows workstation to run, but disabling it will make automated desktop management by IT staff very difficult.

Do not disable or remove a network service if doing so will create a significant barrier to the effective use or management of the device. Instead, configure the host-based firewall, IPsec, or some other mechanism to limit access to the service to the hosts or networks that genuinely need it; this mitigates the risk of exposure to potential vulnerabilities in the service. Contact System and Network Security at security@berkeley.edu if you have questions about the security implications of a service.
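The following is an added example of the restrict-rather-than-disable approach for the Windows “Server” service case above; it is not part of the UC Berkeley guideline. It keeps the service running but allows its SMB port (tcp/445) only from the subnet IT staff manage from. The subnet 10.0.0.0/24 and the rule name are assumptions; run it from an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the UC Berkeley guideline. Keeps the Windows
# "Server" service (LanmanServer, which answers SMB on tcp/445) running for
# IT desktop management but reachable only from the management subnet.
# The subnet below is an assumption; substitute the one your IT staff use.
$mgmtSubnet = '10.0.0.0/24'

# Weak setting: the built-in "File and Printer Sharing" inbound rule for
# tcp/445, once enabled, accepts SMB from any remote address. Disable that
# rule (only the 445 one, so the group's ICMP echo rules are untouched) so
# the scoped rule below is the only path in.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Disable-NetFirewallRule

# Corrected setting: one allow rule for tcp/445, scoped to the management
# subnet and active only on the Domain profile. Windows Firewall evaluates
# block rules before allow rules, so do NOT add a catch-all block for 445
# (it would override this allow); rely on the profile's default inbound
# action, set to Block below, to drop everything that no allow rule matches.
New-NetFirewallRule -DisplayName 'SMB-In from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $mgmtSubnet -Profile Domain -Action Allow | Out-Null

# Make sure unmatched inbound traffic is blocked on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# Verify 1: the new rule carries the expected remote-address scope.
Get-NetFirewallRule -DisplayName 'SMB-In from management subnet' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Verify 2: no other enabled inbound allow rule still opens 445; anything
# listed here with RemoteAddress 'Any' reopens the service to the world.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    }
```

If the management hosts cannot be pinned to a stable address range, the IPsec route the text mentions is to add -Authentication Required to the allow rule and pair it with a connection security rule (New-NetIPsecRule) so that only authenticated machines reach the port, regardless of source address.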