Unnecessary Services Guidelines

All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices (MSSND). The recommendations below are provided as optional guidance to assist with achieving the Passphrase Requirements.

Requirement

Only network services, ports, and protocols necessary for the intended purpose or operation of a device may be running. All others must be disabled or removed. 

Description of risk

Network services are applications on your device that listen for and respond to network traffic. Examples include:

  • Web servers, file share servers, proxy servers, and FTP servers
  • Remote access services such as Remote Desktop Protocol (RDP), VNC, and SSH

Open network services provide additional attack surface for hackers to exploit. Many security breaches are the result of attackers taking advantage of security vulnerabilities in network services such as:

  • Flaws in the network service and supporting application libraries (e.g. client-server or peer-to-peer software components)
  • Flaws in the protocol(s) that the network service utilizes
  • Insecure configurations such as default accounts, improper access controls/permissions, lack of strong encryption in-transit, etc.

These flaws can lead to the device being compromised or to Denial of Service (DoS) attacks rendering the device and/or services unavailable.

Therefore, network services unnecessary for the intended purpose or operation of that device should be removed or disabled to reduce the overall risk.

Recommendations

When is a service necessary?

  • There is a clear University business or educational need for the network service
  • The service is generally appropriate given your role at the University
  • The service does not allow guest or anonymous access to your computer or files

Services must also NOT:

  • Introduce a security risk
  • Interfere with other University resources or the campus network
  • Create an excessive burden on campus infrastructure or resources

Harden Operating Systems

Use a well-known security benchmark such as the CIS (Center for Internet Security) benchmarks to secure your device’s configuration. Each benchmark will have specific information about which network services can and should be disabled by default:

CIS security benchmarks are available to all UC Berkeley campus users:

Microsoft Windows - Security Baselines:

Beware of User-Installed Software

Some applications install gratuitous network services that are either not required or are configured to provide network access when only local access is required. When installing a new application, perform a review after the installation to ensure unnecessary network services were not enabled.

Reduce Attack Surface

Just because a service is deemed necessary for University business or educational purposes doesn’t mean that it needs to be accessible to the world! 

  • Use host-based firewall rules to limit access to services, so that only authorized hosts/networks can connect to those services. 
  • If a network service must be broadly available from the Internet, first consider using the Remote Access VPN  as a solution before enabling Internet access to a service:
    • Configure your host-based firewall to default deny connections to the network service from the Internet.
    • Configure your host-based firewall to permit connections to the network service from the Remote Access VPN address ranges.
    • Then use the Remote Access VPN to connect to the campus network and access your network service.
    • Contact your IT support for assistance.