Zero-day exploits are an unsettling issue for any administrator who is concerned with security. A zero-day exploit is an exploit against a previously undiscovered and undocumented vulnerability. The problem with zero-day exploits is that you are trying to protect the system against security holes that may or may not even exist. This means that you can't just apply a security patch to prevent the vulnerability from being exploited, because no one except for the hacker who exploits the vulnerability knows about it.
By far the most effective countermeasure against a zero-day exploit is to reduce the attack surface on your systems. Imagine a hacker launching a zero-day exploit against a previously undiscovered security hole in Internet Information Server (IIS). Depending on the nature of the vulnerability, such an attack could be catastrophic if IIS is installed.
That's why it's a good security practice to take a role-based approach in regards to your servers. Try specifically defining the tasks that each server on your network is required to perform. By doing so, you can easily determine which system components are and are not required in order to perform the necessary tasks. For example, if a server is acting solely as a file server, then there is no reason why it would need to run components like IIS or the Print Spooler service.
It is best to configure each server so it performs only a single task. That way, you not only reduce the server's attack surface, but you also make it far easier to determine which system components are required in order for the server to do its job.
Click here for other pieces in the "Containing zero-day threats" series:
Harden your network services and contain zero-day threats
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.