[ Thanks to Jane Walker for this link.
]
“Recently, a colleague complained to me that X Windows refused
to start following a routine patch upgrade on a production Web
server. I asked why he needed X Windows running on a production Web
server in the first place, especially a server that was allegedly
secured as a bastion host in a perimeter DMZ. The response that ‘it
was installed by default’ seemed inadequate when considering the
security risk posed by running X Windows on a bastion host.“Unnecessary packages on a host bring significant risks. An
attacker can target the capabilities of those unnecessary packages
to subvert or compromise your host, especially since most
distributions automatically start the processes required by the
installed packages (for example, if you have installed Apache, then
the httpd process is automatically started)…”