Windows XP, 2000 and 2003 were far more vulnerable to attack than more recent versions.
The techniques in the extreme section were developed with these older versions of Windows in order to make these systems as secure as possible. Most of these techniques are no longer needed in the latest Windows versions.
All modern versions of Windows contain restrictions and checks on what applications can do. These prevent an application error from crashing the entire system or accessing parts of the system they have no need to access. The most dangerous applications, from a security point of view, are those that operate in the kernel mode, such as device drivers. KFSensor runs entirely within user mode as it does not access the computers hardware directly.
Microsoft Windows NT, 2000, XP and 2003 are able to secure resources from unauthorized access using access control lists.
This includes access to directories, files, the registry and the ability to run a system back up process or debugger.
It is this security system that can be used to secure KFSensor. Windows 98 and Windows Me do not have these features. If you have installed KFSensor on one of these Windows versions then you will not be able to secure it in the manner described.
Windows assigns access to resources based on the user's assigned rights, not at the application level. If you are logged on as the administrator then any application that you run will inherit your administrator privileges whether it needs them or not.
The key to good security is to run an application with the least amount of privileges required. This ensures that should an application misbehave then it will be prevented from damaging parts of the system it does not have access to. KFSensor has been designed to operate within a very limited set of privileges to make this possible.
An application does not have to contain malicious code for it to present a risk.
If an application is susceptible to a buffer overflow attack then such a vulnerability could be used to inject code into the
system. If the application is running with administrator access then the entire system can be compromised.
KFSensor contains internal checks to detect the presence of buffer overflows and dynamic buffers have been used throughout the code to prevent such vulnerabilities. However it is still advisable to limit the access rights under which KFSensor runs; to ensure that if such a vulnerability is discovered in the future then its effects will be limited.
KFSensor is comprised of two applications; the server and the monitor. The KFSensor monitor contains the user interface and runs with the same security rights as your own account. It is the KFSensor server that listens and responds to connections on the Internet and is therefore the application most at risk. The KFSensor server does not have a user interface and can be run using an account other than your own. This is the key to securing the KFSensor installation.
Windows contains numerous options to fine tune the security access rights for a particular user.
The following tables describe the basic permissions needed to configure the resources that KFSensor needs access to.
write (see note 1)
list folder contents
list folder contents
write (see note 2)
|Special||Run as service||yes||no|
Note:KFSensor makes use of WinPCap to provide the Network Protocol Analyzer functionality.
The current version of WinPCap requires a higher level of authority than that provided by the "LocalService" account in order to dynamically load its driver.
If you wish to use this feature then KFSensor service should be run using the default "Local System" account. Ignore the instructions below.
The method described here is for a basic secure configuration.
The Windows XP and Windows 2003 provide a systems account called "LocalService". This account has security limits similar to a normal local machine user.
If you are using an earlier version of Windows then you should create a new local machine user account and use this instead.
The windows in the descriptions below are for Windows XP and Windows 2003, earlier versions of Windows differ slightly.
Next: Server Lock Down