The fundamentals of this principle are self evident.
- What is the minimum software needed to support the application functionality? (Hint: It's not 'Entire Distribution')
- What are the minimum file system privileges necessary for application functionality? (Hint: It's not 'Everyone/Full Control')
- What are the minimum database privileges necessary for application functionality? (Hint: It's not 'DBA' or 'DBO')
- What are the minimum services that need to be running to support the application functionality? (Hint: You don't need chargen, rsh, rcmd or IPX)
This is extremely valuable for Solaris and Oracle. For both of those, we are able to minimize the installations and defer a significant number of patch cycles simply because the vulnerable feature or package is not installed. If the vulnerable software is not installed, we do not have to consider the vulnerability. It's even on Microsoft's radar. With server 2008, it is finally possible to install a minimized version of the operating system. I dream of the day when my IIS server will not have a GUI browser, and I'll be able to ignore vulnerabilities and patches that infect the pathetically insecure userland software that infests my servers.
So a vendor (Sun) offers to help out with a proof of concept. They delegate the actual install to a VAR. The consultant paid by the VAR (or Sun) shows up and starts to build an 'Entire Installation' server. We insist that 'Entire Installation', which includes software that we will never, ever use on that server, is not appropriate and does not meet our standards. We declare to the consultant that what we need is 'Reduced Networking Core System Support'. The vendor (Sun) provides and supports minimized installation options for the software (Solaris) and we expect the consultant to perform a minimal installation plus the specific packages necessary for supporting the intended application. What's so hard about figuring out a dependency tree and installing the minimum software necessary to resolve the dependencies? The consultant balked.
In this case, fatigued from having to deal with clueless consultants, we said screw it. We'll end up running the proof of concept with an 'Entire Installation', throwing it away and doing the minimal installation later when & if it moves to production. It shouldn't have to be that way though. It's 2009 and I expect consultants to think and act like it's the 21st century.
Why are all my 'vendor' posts also tagged as 'annoying'?