A newly installed Windows XP machine is pre-configured to listen on several ports with standard services such as RPC and SMB. A Windows server may be configured to run many more such as IIS and DNS.
An unpatched Windows machine is highly vulnerable to attacks due to the numerous vulnerabilities that have been discovered in these services.
There are three approaches to securing Windows machines.
Of these the third approach is the most important to get the best out of KFSensor and is the focus of this section of the guide.
Most Microsoft patches are designed to fix problems in services that should be disabled on a KFSensor machine and therefore are a not priority to install. However certain patches fix vulnerabilities in low level components such as the TCP stack and it is advisable to ensure that these patches are applied.
The latest versions of Windows contains a feature called "Windows Update" that can be configured to automatically download and update Windows with new patches.
It is strongly recommended that Windows automatic updates are disabled and Windows Update is configured to manual checking only.
There are several reasons for this.
Personal firewalls work best when they are used to block access to vulnerable or poorly configured services.
Provided the system has been patched and locked down it is not essential to run a personal firewall on a KFSensor machine.
If you do run a personal firewall then there are a number of changes to the default configuration that should be made to ensure, that KFSensor can work properly.
The goal should be to allow external access to all ports opened by KFSensor and to allow ICMP traffic.
The following assumes that you are using the Windows Firewall in XP SP2 in its default configuration.
Other firewalls need similar changes to their configuration.
Locking down a machine involves reconfiguring or disabling services from running, based on the simple and effective principle that if something is turned off it cannot cause trouble.
One of the main tasks of KFSensor is to replace these services with simulated versions that do not suffer vulnerabilities and enable attacks to be detected. If the original services are running then KFSensor will not be able to replace them in this way.
From within KFSensor it is possible to see the system services that are still running. In the ports view, a port will be displayed in blue. This indicates that KFSensor failed to bind to that port.
For a machine dedicated to the use of KFSensor it is advised that all services that listen to ports should be disabled. This will enable KFSensor to be most effective, but may mean that other methods of accessing the machine need to be employed. For example if Windows networking is disabled then an FTP client could be used on the KFSensor machine instead to transfer files to a remote machine.
There are different ways of finding which ports are open on a machine.
It is recommended that both the KFSensor server and monitor be shut down, before performing these actions to prevent too much information being shown.
From a DOS prompt use the netstat system command. Type:
This will list the open ports along with the PID of the process that owns them.
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 976
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1160
TCP 192.168.1.1:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:135 *:* 884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 704
UDP 0.0.0.0:1026 *:* 1112
UDP 0.0.0.0:1027 *:* 976
More advanced and easier to use utilities are TCPView and fport.
These are available free at http://www.sysinternals.com
Closing open ports is usually a case of shutting down and disabling the service that has opened port, but some ports require more work.
To disable a service go to the Windows Control Panel, select 'Administrative Tools', then 'Services'.
Select a service and double-click on it.
Select the 'Stop' button and then change the 'Start up type' to 'Disabled'.
The following details some of the most common services and how disable them.
IIS, FTP, SMTPThese core services may be found running on Windows Server or Windows Professional machines.
Shutdown and disable the following in the services console.
World Wide Web Publishing Service
Simple Mail Transport Protocol (SMTP)
IIS Admin Service
Windows NetworkingWindows Networking includes NetBIOS, NBT, CIFS and SMB.
It enables Windows file sharing, printing and other services.
A full discussion on how to configure this is given in the Window networking / NetBIOS / SMB / CIFS section in this guide.
RPC, DCOMMicrosoft's RPC service supports a number of other vulnerable services such as Distributed COM.
It runs over port TCP 135 and is very difficult to disable.
A full discussion on how to configure this is given in the MS RPC, Port 135, DCOM Buffer Overrun and the Blaster worm section in this guide.
IPSecThe IPSEC service manages the Microsoft IKE protocol (Internet Key Exchange) implementation.
Shutdown and disable IPSEC services in the services console.
Terminal ServerShutdown and disable Terminal Services in the services console.
DNSShutdown and disable DNS Server in the services console.
Other ServicesIt is a good idea to shutdown and disable the following services in the services console.
SSDP Discovery Service
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application