Define server roles, counterattack zero-day threats

Keeping your system protected against zero-day threats and as hardened as possible may mean making changes to your servers' defined tasks list or using virtual server technology. Brien Posey explains his recommendations for helping you stay clear of these types of attacks in this second installment of our five-part series on countering zero-day threats.

This is the second installment in our series on containing zero-day threats from

Zero-day exploits are an unsettling issue for any administrator who is concerned with security. A zero-day exploit is an exploit against a previously undiscovered and undocumented vulnerability. The problem with zero-day exploits is that you are trying to protect the system against security holes that may or may not even exist. This means that you can't just apply a security patch to prevent the vulnerability from being exploited, because no one except for the hacker who exploits the vulnerability knows about it.

More on zero-day threats
Harden your network services and contain zero-day threats
While you can't usually rely on patching as a mechanism for protecting you from zero-day exploits, there are some things you can do to harden your server and make your system far less susceptible to these types of attacks.

By far the most effective countermeasure against a zero-day exploit is to reduce the attack surface on your systems. Imagine a hacker launching a zero-day exploit against a previously undiscovered security hole in Internet Information Server (IIS). Depending on the nature of the vulnerability, such an attack could be catastrophic if IIS is installed.

That's why it's a good security practice to take a role-based approach in regards to your servers. Try specifically defining the tasks that each server on your network is required to perform. By doing so, you can easily determine which system components are and are not required in order to perform the necessary tasks. For example, if a server is acting solely as a file server, then there is no reason why it would need to run components like IIS or the Print Spooler service.

It is best to configure each server so it performs only a single task. That way, you not only reduce the server's attack surface, but you also make it far easier to determine which system components are required in order for the server to do its job.

Click here for other pieces in the "Containing zero-day threats" series:
Harden your network services and contain zero-day threats

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at

This was last published in November 2006

Dig Deeper on Network intrusion detection and prevention and malware removal

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.