KFSensor

 

Server lock down

A newly installed Windows XP machine is pre-configured to listen on several ports with standard services such as RPC and SMB. A Windows server may be configured to run many more such as IIS and DNS.

An unpatched Windows machine is highly vulnerable to attacks due to the numerous vulnerabilities that have been discovered in these services.

There are three approaches to securing Windows machines.

  1. Install the latest Microsoft service packs and patches
  2. Install a personal firewall
  3. Lock down the machine

Of these the third approach is the most important to get the best out of KFSensor and is the focus of this section of the guide.

Service Packs and Patches

Most Microsoft patches are designed to fix problems in services that should be disabled on a KFSensor machine and are therefore not a priority to install. However, certain patches fix vulnerabilities in low-level components such as the TCP stack, and it is advisable to ensure that these patches are applied.

The latest versions of Windows contain a feature called "Windows Update" that can be configured to automatically download new patches and apply them to Windows.

It is strongly recommended that Windows automatic updates are disabled and Windows Update is configured to manual checking only.

There are several reasons for this.

  1. Difficult to believe but true: Automatic Windows Update causes the Windows machine to listen on ports that may be vulnerable to attack.
  2. Automatic patching may change the configuration of the machine and re-enable services that have been disabled.
  3. Automatic patching may disturb or invalidate a forensic examination of the KFSensor machine.

Personal Firewall

Personal firewalls work best when they are used to block access to vulnerable or poorly configured services.

Provided the system has been patched and locked down it is not essential to run a personal firewall on a KFSensor machine.

If you do run a personal firewall then there are a number of changes to the default configuration that should be made to ensure that KFSensor can work properly.

The goal should be to allow external access to all ports opened by KFSensor and to allow ICMP traffic.

Windows Firewall

The following assumes that you are using the Windows Firewall in XP SP2 in its default configuration.
Other firewalls need similar changes to their configuration.

  1. Go to the Control Panel and select 'Windows Firewall'.
  2. In the General tab of the Windows Firewall dialog, select 'On (recommended)'.
  3. In the Exceptions tab, uncheck all check boxes in the Programs and Services list box. N.B. Remote Assistance may be the only one checked and should definitely be unchecked.
  4. Press the 'Add Program...' button. You will need to use the 'Browse' button, as the KFSensor server will not be listed.
  5. Select C:\Program Files\KeyFocus\KFSensor\bin\kfsnserv.exe, then press 'Open' and 'OK'. kfsnserv.exe should now be listed and ticked in Programs and Services.
  6. In the Advanced tab, press the 'Security Logging Settings...' button. Tick the two Log check boxes and press 'OK'.
  7. Press the 'ICMP Settings...' button. It is advised that all the check boxes in the ICMP Settings dialog be checked.
  8. Enabling all of these options helps an attacker both to find the KFSensor machine on the network and to get the impression that the machine does not have a firewall enabled.
    If not all of these settings can be enabled then the most important is the echo request setting, which should always be enabled.
  9. Press 'OK' twice and the Firewall should be configured to allow KFSensor to work.

Lock down

Locking down a machine involves reconfiguring or disabling services from running, based on the simple and effective principle that if something is turned off it cannot cause trouble.

One of the main tasks of KFSensor is to replace these services with simulated versions that do not suffer from these vulnerabilities and that enable attacks to be detected. If the original services are still running then KFSensor will not be able to replace them in this way.

From within KFSensor it is possible to see which system services are still running. In the Ports view, any port that KFSensor failed to bind to is displayed in blue, which means another process already owns that port.

For a machine dedicated to the use of KFSensor it is advised that all services that listen on ports be disabled. This will enable KFSensor to be most effective, but may mean that other methods of accessing the machine need to be employed. For example, if Windows networking is disabled then an FTP client could be used on the KFSensor machine instead to transfer files to a remote machine.

Finding open ports

There are different ways of finding which ports are open on a machine.
It is recommended that both the KFSensor server and monitor are shut down before performing these actions, so that KFSensor's own listening ports do not clutter the output.

From a DOS prompt use the netstat system command. Type:
  netstat -ano
This lists the open ports along with the PID of the process that owns each one.

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    704
  UDP    0.0.0.0:1026           *:*                                    1112
  UDP    0.0.0.0:1027           *:*                                    976

More advanced and easier to use utilities are TCPView and fport.
These are available free at http://www.sysinternals.com
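As an added example (not part of the KFSensor manual), the following Python script parses the Windows netstat -ano output shown above and reports which of a chosen set of ports are already held by a system process, i.e. the ports KFSensor would fail to bind and show in blue. The set of wanted ports is an assumption for illustration; the sample output is the one printed in this section.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

class Listener(NamedTuple):
    proto: str  # "TCP" or "UDP"
    addr: str   # local address as netstat printed it (0.0.0.0 = all interfaces)
    port: int
    pid: int

# Windows 'netstat -ano' prints a State column for TCP rows only; UDP rows go
# straight from the foreign address ("*:*") to the PID, hence two patterns.
_TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")
_UDP_ROW = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$")

def parse_netstat(output: str) -> List[Listener]:
    """Return every listening socket found in Windows 'netstat -ano' output."""
    found: List[Listener] = []
    for line in output.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            addr, port, state, pid = m.groups()
            if state.upper() == "LISTENING":  # skip ESTABLISHED, TIME_WAIT, ...
                found.append(Listener("TCP", addr, int(port), int(pid)))
            continue
        m = _UDP_ROW.match(line)
        if m:  # any bound UDP socket receives datagrams, so it is a listener
            addr, port, pid = m.groups()
            found.append(Listener("UDP", addr, int(port), int(pid)))
    return found

def bind_conflicts(listeners: List[Listener],
                   wanted: Set[Tuple[str, int]]) -> Dict[Tuple[str, int], int]:
    """Map each (proto, port) KFSensor wants to the PID already holding it: the
    ports the Ports view would show in blue. A socket bound to one interface
    (192.168.1.1:139 below) counts too, since a wildcard bind collides with it."""
    taken = {(l.proto, l.port): l.pid for l in listeners}
    return {key: taken[key] for key in sorted(wanted) if key in taken}

# The sample output shown in this section of the manual, embedded as test input.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    704
  UDP    0.0.0.0:1026           *:*                                    1112
  UDP    0.0.0.0:1027           *:*                                    976
"""
```

Each PID reported can be looked up in Task Manager or TCPView to find the service that must be stopped and disabled before KFSensor can take over that port.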

Closing services

Closing open ports is usually a case of shutting down and disabling the service that has opened the port, but some ports require more work.

To disable a service go to the Windows Control Panel, select 'Administrative Tools', then 'Services'.
Select a service and double-click on it.
Press the 'Stop' button and then change the 'Startup type' to 'Disabled'.

The following details some of the most common services and how to disable them.

Ports: TCP 21, TCP 25, TCP 80, TCP 443, TCP 110
Services: IIS, FTP, SMTP
  These core services may be found running on Windows Server or Windows Professional machines.
  Shut down and disable the following in the services console:
    World Wide Web Publishing Service
    Simple Mail Transport Protocol (SMTP)
    HTTP SSL
    IIS Admin Service

Ports: TCP 139, TCP 445, UDP 137, UDP 138
Services: Windows Networking
  Windows Networking includes NetBIOS, NBT, CIFS and SMB.
  It enables Windows file sharing, printing and other services.
  A full discussion of how to configure this is given in the Windows networking / NetBIOS / SMB / CIFS section of this guide.

Ports: TCP 135, TCP 1025
Services: RPC, DCOM
  Microsoft's RPC service supports a number of other vulnerable services such as Distributed COM.
  It runs over port TCP 135 and is very difficult to disable.
  A full discussion of how to configure this is given in the MS RPC, Port 135, DCOM Buffer Overrun and the Blaster worm section of this guide.

Ports: UDP 500, UDP 4500
Services: IPSec
  The IPSEC service manages Microsoft's implementation of the IKE protocol (Internet Key Exchange).
  Shut down and disable IPSEC Services in the services console.

Ports: TCP 3389
Services: Terminal Server
  Shut down and disable Terminal Services in the services console.

Ports: TCP 53
Services: DNS
  Shut down and disable DNS Server in the services console.

Other Services
It is a good idea to shut down and disable the following services in the services console:
SSDP Discovery Service
Windows Time
Messenger
Remote Registry
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application

