KFSensor

 

Extreme System Configuration

Windows XP, 2000 and 2003 were far more vulnerable to attack than more recent versions.

The techniques in the extreme section were developed with these older versions of Windows in order to make these systems as secure as possible. Most of these techniques are no longer needed in the latest Windows versions.

Secure configuration

This section describes how to take advantage of Windows' native security features to configure KFSensor for maximum security.

Background

All modern versions of Windows contain restrictions and checks on what applications can do. These prevent an application error from crashing the entire system, and prevent an application from accessing parts of the system it has no need to access. The most dangerous applications, from a security point of view, are those that operate in kernel mode, such as device drivers. KFSensor runs entirely within user mode, as it does not access the computer's hardware directly.

Microsoft Windows NT, 2000, XP and 2003 are able to secure resources from unauthorized access using access control lists.
This includes access to directories, files, the registry and the ability to run a system backup process or debugger.
It is this security system that can be used to secure KFSensor. Windows 98 and Windows Me do not have these features. If you have installed KFSensor on one of these Windows versions then you will not be able to secure it in the manner described.

The Least Privilege Principle

Windows assigns access to resources based on the user's assigned rights, not at the application level. If you are logged on as the administrator then any application that you run will inherit your administrator privileges whether it needs them or not.

The key to good security is to run an application with the least amount of privileges required. This ensures that should an application misbehave then it will be prevented from damaging parts of the system it does not have access to. KFSensor has been designed to operate within a very limited set of privileges to make this possible.

Buffer overflow

An application does not have to contain malicious code for it to present a risk. If an application is susceptible to a buffer overflow attack then such a vulnerability could be used to inject code into the system. If the application is running with administrator access then the entire system can be compromised.

KFSensor contains internal checks to detect the presence of buffer overflows, and dynamic buffers have been used throughout the code to prevent such vulnerabilities. However, it is still advisable to limit the access rights under which KFSensor runs, so that if such a vulnerability is discovered in the future its effects will be limited.

KFSensor design

KFSensor is comprised of two applications: the server and the monitor. The KFSensor monitor contains the user interface and runs with the same security rights as your own account. It is the KFSensor server that listens and responds to connections on the Internet and is therefore the application most at risk. The KFSensor server does not have a user interface and can be run using an account other than your own. This is the key to securing the KFSensor installation.

Configuring KFSensor

Windows contains numerous options to fine-tune the security access rights for a particular user.
The following table describes the basic permissions needed to configure the resources that KFSensor needs access to.

| Type | Item | Server | Monitor |
|---|---|---|---|
| Folder | %KFSensor%\bin | execute | read, execute |
| Folder | %KFSensor%\conf | read | read, write (see note 1) |
| Folder | %KFSensor%\file | read, list folder contents | none |
| Folder | \kfsensor\logs | read, write, list folder contents | read, write |
| Registry | HKEY_LOCAL_MACHINE | read | read, write (see note 2) |
| Registry | HKEY_CURRENT_USER | read, write | read, write |
| Special | Run as service | yes | no |

Notes:
  1. If the account used to run the KFSensor Monitor does not have permission to write to the config file then the program can still be used to monitor the logs and view the settings, but cannot be used to alter the configuration.
  2. Permission to access the local machine part of the registry is needed to configure the log path, register the application and install the system service.

Note:

KFSensor makes use of WinPCap to provide the Network Protocol Analyzer functionality.
The current version of WinPCap requires a higher level of authority than that provided by the "LocalService" account in order to dynamically load its driver.
If you wish to use this feature then the KFSensor service should be run using the default "Local System" account. Ignore the instructions below.

Step by step configuration procedure

The method described here is for a basic secure configuration.

Windows XP and Windows 2003 provide a system account called "LocalService". This account has security limits similar to a normal local machine user.

If you are using an earlier version of Windows then you should create a new local machine user account and use this instead.
The windows in the descriptions below are for Windows XP and Windows 2003; earlier versions of Windows differ slightly.

  1. Log onto the machine with an account that gives you full administration rights to the local machine.

  2. Go into the KFSensor Monitor and install the KFSensor server as a systems service if you have not done this already.
    (This is described in the Running the KFSensor Server section of the manual.)

  3. Stop the KFSensor Server by selecting the "File -> Service -> Stop Service" menu option.

  4. Select the "Settings -> Log Path" menu option.
    This dialog box will show you the directory where KFSensor stores its log files.
    The default location is "C:\kfsensor\logs".

  5. You now need to set access permissions for the logs directory.
    • Go into Windows Explorer and select the directory set as the log path.
      Bring up the Properties dialog box, by selecting the 'File -> Properties' menu item.
    • Select the Security tab.
      This may be hidden in Windows XP. If so then you will have to disable the 'Use simple file sharing' option.
    • Press the Advanced button.
    • In the Advanced Security Settings dialog uncheck the 'Inherit from parent...' option.
    • Select Copy in the pop up window and then press OK.
    • In the 'Groups and user names' listbox select 'Users' and press the Remove button.
    • Press the 'Add' button and enter 'LOCAL SERVICE' and press OK.
    • Select the following permissions for this account: Modify, Read & Execute, List Folder Contents, Read and Write.
    • In the Advanced Security Settings dialog select the 'Replace permissions entries on all child objects...' option and press OK. Say Yes to the message box and OK again on the properties dialog box.
  6. Open the Windows Services management console.
    Its location varies between versions of Windows, but it can usually be found in the Administrative Tools section of the Control Panel.
    Double-click the KFSensor entry to open the KFSensor Properties window and then select the 'Log On' tab.

  7. The default 'log on as' account will be set to the Local System Account.
    This gives KFSensor administrator access which it does not need.
    Select the 'This account' option and enter 'NT AUTHORITY\LocalService' into the account name.
    Leave the password fields blank; they are not needed as this is a system account.
    Press OK to save the changes.
  8. The KFSensor Server can now be started. If it fails to start then the most likely cause will be that it does not have the correct permissions set on the logs directory.
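
Steps 3 and 5 to 8 above can also be applied and checked from an elevated PowerShell prompt; the script below is an added example and is not part of the KFSensor manual. It assumes PowerShell 3.0 or later with icacls.exe available, and the service name 'KFSensor' is a placeholder that should be confirmed with Get-Service. As with the manual steps, it does not apply if the WinPCap-based Network Protocol Analyzer is in use.

```powershell
# Added example, not from the KFSensor manual. Run from an elevated PowerShell prompt.
param(
    [string]$ServiceName = 'KFSensor',         # ASSUMED service name; confirm with Get-Service
    [string]$LogPath     = 'C:\kfsensor\logs'  # default log path shown in step 4
)
$ErrorActionPreference = 'Stop'
$LocalServiceSid = 'S-1-5-19'      # well-known SID of NT AUTHORITY\LOCAL SERVICE
$UsersSid        = 'S-1-5-32-545'  # well-known SID of BUILTIN\Users

function Invoke-Icacls {
    # Stop on the first icacls failure rather than leaving a half-applied ACL unnoticed.
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed (exit code $LASTEXITCODE)" }
}

# Step 3: stop the server before touching its log directory.
Stop-Service -Name $ServiceName

# Step 5: copy inherited entries to explicit ones, remove Users, grant LOCAL SERVICE Modify.
Invoke-Icacls $LogPath '/inheritance:d'
Invoke-Icacls $LogPath '/remove' "*$UsersSid"
Invoke-Icacls $LogPath '/grant' "*${LocalServiceSid}:(OI)(CI)M"
# "Replace permission entries on all child objects": reset existing children to inherit.
if (Get-ChildItem -LiteralPath $LogPath -Force) {
    Invoke-Icacls (Join-Path $LogPath '*') '/reset' '/T'
}

# Steps 6-7: change the log-on account from Local System to LocalService (blank password).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName = 'NT AUTHORITY\LocalService'; StartPassword = ''
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# Step 8: start the server, then report the account and ACL that are now in effect.
Start-Service -Name $ServiceName
$sid   = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -LiteralPath $LogPath).GetAccessRules($true, $true, $sid)
[pscustomobject]@{
    RunsAs            = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
    InheritanceCutOff = (Get-Acl -LiteralPath $LogPath).AreAccessRulesProtected
    UsersEntries      = @($rules | Where-Object { $_.IdentityReference.Value -eq $UsersSid }).Count
    LocalServiceRight = ($rules | Where-Object { $_.IdentityReference.Value -eq $LocalServiceSid } |
                         ForEach-Object { $_.FileSystemRights }) -join '; '
}
```

A correctly applied configuration reports RunsAs as NT AUTHORITY\LocalService, InheritanceCutOff as True, UsersEntries as 0 and a LocalServiceRight that includes Modify.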
