We have a variety of SDKs installed on a production Microsoft Windows 2003 SP2 server and I'd like to know if there is any good reason for them to be there, or if they represent a security risk.

  • Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework 3.5.21022
  • Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 6.1.5288.17011
  • Microsoft Windows SDK .NET Framework Tools 6.1
  • Microsoft Windows SDK .NET Framework Tools 7.1.30514

The server hosts an IIS website with at least one .NET component.

Any help or advice on this matter would be appreciated.

HopelessN00b
  • Are you running applications that use them? That's the usual way that they get there. – Michael Hampton Jul 24 '14 at 20:05
  • @MichaelHampton Well, that's the thing...I'm not sure. The developer, who is now long gone, had a tendency to collect as many "toys" as possible on the servers, and it's hard to tell whether any of them are there for a reason, or are just there because he wanted to play with them. The site is a classic ASP site, but I know it also uses some third-party file uploader that relies on the .NET framework. It's a frustrating situation... – user3271228 Jul 25 '14 at 13:52
  • Dear Gawd. I hope your company no longer allows developers anywhere near production. – Michael Hampton Jul 25 '14 at 14:04

1 Answer

I would hope that those are on your server because it's running some application that requires them... and not because some developer was using your server to develop on.

Having said that, if you're not sure, leave them there.

SDKs generally don't increase your server's attack surface and are not targets for exploits, so the security implications of having them there are minimal to non-existent.

HopelessN00b
  • It's much more common for an application to use the appropriate runtimes, rather than an SDK. Though it's certainly possible and I'm sure it happens. – Michael Hampton Jul 24 '14 at 20:20
  • @MichaelHampton Correct. And I have personally seen "enterprise" software that required an SDK to run, which we had on a server that multiple clients connected to. Like an Access database... no excuse for needing or using it, but plenty of crappy software does anyway. – HopelessN00b Jul 24 '14 at 20:23
  • @HopelessN00b So there are applications that require these SDKs to be present, or there could be...I wasn't sure if they were strictly for development or if a deployed application could have dependencies on them. I'm no .NET expert, but I'm hoping that the framework CLR is the only thing our site actually needs for its .NET aspect. Guess we'll have to schedule some downtime and figure that out on our own...I'm sure we can just reinstall if needed. Good information, though, especially on the relative risk of the SDKs. Thanks also to M.Hampton. – user3271228 Jul 25 '14 at 14:18
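
One way to look for SDK dependencies before scheduling a removal, as an added example that is not part of the original thread: the PowerShell script below lists the installed SDK packages, checks whether any running process (the IIS worker processes included) has a module loaded from an SDK directory, and searches the site's files for SDK paths. The SDK install root and the site root are assumptions; set both parameters to match the server.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
param(
    # Assumption: default SDK install root. Add the "Program Files (x86)"
    # equivalent on a 64-bit server, or any custom install location.
    [string[]]$SdkRoots = @((Join-Path $env:ProgramFiles 'Microsoft SDKs')),
    # Hypothetical site content path; point this at the real IIS site root.
    [string]$SiteRoot = 'C:\Inetpub\wwwroot'
)

# 1. Installed products whose display name mentions an SDK.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SDK*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation |
    Format-Table -AutoSize | Out-String

# 2. Running processes (w3wp.exe included) with a module loaded from an SDK root.
$loaded = foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }  # access denied or exited
    foreach ($m in $modules) {
        foreach ($root in $SdkRoots) {
            if ($m -and $m.FileName -and
                $m.FileName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                New-Object PSObject -Property @{
                    Process = $proc.ProcessName; Id = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

# 3. Site files (config, classic ASP, scripts) that mention an SDK path.
$patterns = $SdkRoots | ForEach-Object { [regex]::Escape($_) }
$referenced = Get-ChildItem -Path $SiteRoot -Recurse -ErrorAction SilentlyContinue `
        -Include *.config, *.asp, *.asa, *.aspx, *.bat, *.cmd, *.vbs |
    Select-String -Pattern $patterns |
    Select-Object Path, LineNumber, Line

if ($loaded)     { 'Modules loaded from SDK directories:'; $loaded | Format-Table -AutoSize | Out-String }
if ($referenced) { 'Site files referencing SDK paths:'; $referenced | Format-List | Out-String }
if (-not $loaded -and -not $referenced) {
    'No loaded SDK modules or SDK path references found in this snapshot.'
}
```

The module check is a snapshot: an SDK tool that is only launched occasionally (from a scheduled task or an upload handler, for example) will not show up unless it is running at that moment, so repeat the check under normal load before treating a clean result as final.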