Attackers don't break in; they log in through the front door you left open. In 2022, the Conti ransomware group exploited exposed RDP ports on thousands of Windows servers to deploy ransomware. The attack surface—the sum of all exploitable entry points—determines your initial risk. This lesson teaches you to systematically map and quantify the attack surface of any OS, from listening services and local processes to filesystem and registry entry points.
Every network service that binds to a port is a potential entry point. On a typical Windows Server, you may find SMB (445), RDP (3389), WinRM (5985), and dozens of ephemeral services. Attackers scan these, fingerprint versions, and cross-reference known vulnerabilities. The first step in hardening is discovering what's actually listening—using netstat, ss, or Get-NetTCPConnection—and then disabling or firewalling everything that isn't strictly required.
The netstat output shows the process ID and service name behind each listener. In the example, port 445 (SMB) is bound to the System process, and port 3389 (RDP) to TermService. If RDP isn't needed, it should be disabled or restricted to a jump host.
Equivalent enumeration on Linux, listing every listening TCP socket with the process that owns it:

```shell
# Equivalent enumeration on Linux: list all listening TCP services with PID
sudo ss -tlnp | column -t
# Sample output analysis:
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1024,fd=3))
# LISTEN 0 511 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=890,fd=5))
```

💡 Always bind services to localhost unless external access is required. In the PostgreSQL example, binding to 127.0.0.1 ensures only local processes can connect.
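The triage step after running `ss` is separating loopback-only listeners from those reachable from the network. The following Python script is an added example (not part of this lesson) that parses `ss -tlnp` output and flags every socket bound to a non-loopback address. The sample output embedded in it is constructed; the process names, PIDs and ports are invented, and the `xrdp` and `redis-server` lines are assumptions added to show a wildcard bind and an IPv6 loopback bind.

```python
"""Parse `ss -tlnp` output and flag listeners reachable from other hosts.

Added example, not from the lesson. SAMPLE_SS_OUTPUT is constructed to
resemble real `ss` output; every PID, name and port in it is invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `sudo ss -tlnp` output: a header and four listeners.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1024,fd=3))
LISTEN 0      511    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=890,fd=5))
LISTEN 0      4096   *:3389              *:*               users:(("xrdp",pid=2201,fd=11))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1337,fd=6))
"""

# Addresses that only local processes can reach (IPv4 loopback net, IPv6 ::1).
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Pulls the process name and PID out of the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    @property
    def external(self) -> bool:
        """True when the socket accepts connections from off-host (0.0.0.0, *, [::] ...)."""
        return not self.addr.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header line."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # "Local Address:Port" is field 3; split on the last ':' so IPv6 works.
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        name, pid = (m.group("name"), int(m.group("pid"))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), name, pid))
    return listeners


def external_listeners(output: str) -> list[Listener]:
    """Listeners bound to a non-loopback address: the network-facing attack surface."""
    return [lst for lst in parse_ss(output) if lst.external]


if __name__ == "__main__":
    for lst in external_listeners(SAMPLE_SS_OUTPUT):
        print(f"network-facing: {lst.process} (pid {lst.pid}) on {lst.addr}:{lst.port}")
```

On a real host, feed it `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` instead of the constructed sample; every line it prints is a service to justify, firewall, or rebind to 127.0.0.1.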
Processes running as SYSTEM, root, or with high integrity level expand the local attack surface dramatically. A compromised service running as SYSTEM gives full control. Tools like Process Explorer (Windows) or pspy (Linux) reveal parent-child relationships and privilege levels. Hardening means running services under dedicated, low-privilege accounts, and using techniques like systemd's CapabilityBoundingSet or Windows service SIDs to drop unnecessary capabilities.
Seeing a Python app server running as root is a major red flag. That service should be switched to a dedicated user and restricted with systemd's User=, NoNewPrivileges=yes, and a capability bounding set that removes all unnecessary Linux capabilities.
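To make the "switch it to a dedicated user" fix concrete, the following added example (not the lesson's own tooling) shows a weak systemd unit beside its hardened form and a small linter that reports which of the three directives named above are missing. Both unit files and the `appserver` service account are constructed for the example; the linter reads only the `[Service]` section and treats the directives as simple key/value pairs.

```python
"""Lint a systemd service unit for User=, NoNewPrivileges= and CapabilityBoundingSet=.

Added example, not from the lesson. WEAK_UNIT and HARDENED_UNIT are constructed;
the 'appserver' account and /srv/app path are hypothetical.
"""
from __future__ import annotations

# Constructed 'before': no User= means systemd runs ExecStart as root.
WEAK_UNIT = """\
[Unit]
Description=App server (hypothetical)

[Service]
ExecStart=/usr/bin/python3 /srv/app/server.py
Restart=on-failure
"""

# Constructed 'after': dedicated account, no privilege gain, empty bounding set.
HARDENED_UNIT = """\
[Unit]
Description=App server (hypothetical)

[Service]
ExecStart=/usr/bin/python3 /srv/app/server.py
Restart=on-failure
User=appserver
Group=appserver
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
"""


def parse_service_section(unit_text: str) -> dict[str, str]:
    """Return the [Service] keys as a flat dict (later assignments overwrite earlier ones;
    systemd's list-merging semantics for some keys are deliberately ignored here)."""
    section = None
    settings: dict[str, str] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def privilege_findings(unit_text: str) -> list[str]:
    """List the ways this unit keeps more privilege than a hardened service should."""
    s = parse_service_section(unit_text)
    findings: list[str] = []
    # systemd runs the service as root when User= is absent.
    if s.get("User", "root") == "root":
        findings.append("runs as root (no User= or User=root)")
    if s.get("NoNewPrivileges", "no").lower() not in ("yes", "true", "1", "on"):
        findings.append("NoNewPrivileges= not enabled; setuid/file-capability binaries can regain privilege")
    # An empty CapabilityBoundingSet= assignment drops every capability.
    if "CapabilityBoundingSet" not in s:
        findings.append("no CapabilityBoundingSet=; the full capability set is inherited")
    return findings


if __name__ == "__main__":
    for label, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(label, privilege_findings(unit) or "OK")
```

Run it over `/etc/systemd/system/*.service` with `Path.read_text()` to get a quick inventory of services that still run as root; each finding maps directly to one of the directives in the hardened unit.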
| OS | High-Risk Services | Recommended Action |
|---|---|---|
| Windows | Print Spooler, RDP, SMBv1 | Disable or upgrade to latest, restrict firewall |
| Linux | CUPS, rpcbind, telnet | Remove or mask service, use SSH instead |
| macOS | Screen Sharing, Bluetooth Sharing | Disable in System Preferences if not used |
Writable system directories, world-writable configuration files, and unprotected registry keys are local attack vectors. On Windows, the Run and RunOnce registry keys, service configurations, and scheduled tasks are common persistence locations. On Linux, /etc/cron.*, systemd unit directories, and /etc/ld.so.preload provide similar leverage. Attackers with a foothold escalate by modifying these paths. Hardening requires strict permissions, monitoring with tools like osquery, and immutable flags where feasible.
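A first pass at the "strict permissions" requirement is a permissions audit of exactly the Linux paths listed above. The following Python script is an added example, not from the lesson: it walks a path, reports group- or world-writable entries and unexpected owners, and treats the mere presence of `/etc/ld.so.preload` as worth reviewing. Because it must run offline, `build_demo_tree()` constructs a throwaway `cron.d` directory with one sane and one world-writable drop-in instead of touching the real `/etc`.

```python
"""Audit persistence-relevant paths for loose permissions or unexpected ownership.

Added example, not from the lesson. LINUX_PERSISTENCE_PATHS mirrors the locations
the lesson names; build_demo_tree() creates a constructed tree so the check runs
offline (its file names and cron lines are invented).
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Locations the lesson calls out as leverage points for an attacker with a foothold.
LINUX_PERSISTENCE_PATHS = [
    "/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly", "/etc/crontab",
    "/etc/systemd/system", "/etc/ld.so.preload",
]


def audit_path(path: Path, expected_uid: int = 0) -> list[str]:
    """Findings for one path (recursing into directories, not following symlinks)."""
    if not path.exists():
        return []  # absence is the normal state for e.g. /etc/ld.so.preload
    st = path.lstat()
    findings: list[str] = []
    if path.name == "ld.so.preload":
        findings.append(f"{path}: present; every listed library is injected into all processes")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if path.is_dir() and not path.is_symlink():
        for child in sorted(path.iterdir()):
            findings.extend(audit_path(child, expected_uid))
    return findings


def audit_system(expected_uid: int = 0) -> list[str]:
    """Audit the real persistence paths; root (uid 0) is the expected owner."""
    out: list[str] = []
    for p in LINUX_PERSISTENCE_PATHS:
        out.extend(audit_path(Path(p), expected_uid))
    return out


def build_demo_tree() -> Path:
    """Construct a temporary cron.d with one correct and one world-writable job file."""
    root = Path(tempfile.mkdtemp(prefix="attack-surface-demo-"))
    cron_d = root / "cron.d"
    cron_d.mkdir()
    cron_d.chmod(0o755)  # explicit, so the result does not depend on umask
    good = cron_d / "logrotate"
    good.write_text("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    good.chmod(0o644)
    bad = cron_d / "backup"
    bad.write_text("*/5 * * * * root /opt/backup.sh\n")
    bad.chmod(0o666)  # any local user could rewrite a command cron runs as root
    return root


def demo_findings() -> list[str]:
    """Audit the constructed tree, expecting the current user as owner."""
    return audit_path(build_demo_tree() / "cron.d", os.getuid())


if __name__ == "__main__":
    for f in demo_findings():
        print(f)
```

On a live host call `audit_system()` as root; anything it prints is a path where a low-privilege user could plant a job, unit, or preloaded library, which is the escalation route the paragraph above describes. The immutable flag (`chattr +i`) is a separate, filesystem-level control this script does not check.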
```powershell
# Check Windows Run registry key persistence paths
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
```

⚠️ Attackers frequently abuse the HKCU Run key because writing to it doesn't require admin rights. Regularly audit these keys and apply AppLocker or WDAC to block unauthorized executables.
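Listing the Run keys is only useful if you can tell which entries deserve a closer look. The following Python script is an added example (not from the lesson) of one common triage heuristic: flag any entry whose executable lives in a location a standard user can write to, such as `AppData` or `Temp`, since a legitimately installed product normally starts from `Program Files`. The value names and paths in `SAMPLE_RUN_ENTRIES` are constructed to look like the name/value pairs `Get-ItemProperty` returns; the marker list is an assumption you should extend for your environment.

```python
"""Triage Windows Run-key entries by where their executable lives.

Added example, not from the lesson. SAMPLE_RUN_ENTRIES is constructed;
every value name and path in it is invented.
"""
from __future__ import annotations

import ntpath
import re

# Constructed value-name -> command-line pairs, as read from a Run key.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    "Updater": 'C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe --silent',
    "Helper": 'C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe',
    "VendorTray": 'C:\\Program Files (x86)\\Vendor\\tray.exe',
}

# Path fragments a standard user can write to (assumption: extend per environment).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def command_executable(command: str) -> str:
    """Extract the executable path from a Run value, quoted or bare, with or without args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path runs up to the first '.exe' token, even if it contains spaces.
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def suspicious_run_entries(entries: dict[str, str]) -> dict[str, str]:
    """Entries whose executable sits in a user-writable directory."""
    flagged: dict[str, str] = {}
    for name, cmd in entries.items():
        exe = ntpath.normpath(command_executable(cmd)).lower()
        if any(marker in exe for marker in USER_WRITABLE_MARKERS):
            flagged[name] = exe
    return flagged


if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"review: {name} -> {exe}")
```

To feed it real data, export the key with `Get-ItemProperty ... | ConvertTo-Json` and load the resulting object, dropping the `PS*` metadata properties PowerShell adds. An AppLocker or WDAC policy that only allows execution from `Program Files` and `Windows` turns the same heuristic into an enforced control rather than an audit finding.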