Port and File-Blocking Best Practices

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

Does there exist anywhere a list of port- and file-blocking
"best practices" for use with intrusion
detection/prevention apps running on Windows 2000?

I recently purchased McAfee VirusScan Enterprise and am
very pleased with the ease by which I can block ports to
all but trusted/specified apps and also block or log access
to sensitive files and directories. I imagine that other
apps are similarly convenient to set up and use (compared to
the obnoxiously cryptic Event Viewer auditing).

But the sample rules have only whetted my appetite. For
example, changes to various filetypes are logged, including
EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
are restricted to all but iexplore.exe, etc. I know there
are plenty of other file extensions and rules to use with
such apps.

Does a list of "best practices" exist?

Any advice is appreciated.
  1. Archived from groups: microsoft.public.win2000.security

    Each environment is unique and what works for one may break the other. If you
    are rolling out an enterprise solution, it may be worthwhile to include in
    your project plans discovery or pilot phases.

    During this period of a few months for example, gather statistics to learn
    how applications and services utilize the network without interfering with
    day to day business. Once this stage completes, draw up a list of authorized
    apps / ports, etc. and seek management support and approval to roll it out.
    Users must be informed and communicated with; otherwise unpleasant experiences
    may result.

    A point to note - going down to the EXE / DLL / SYS level of control
    would prove to be very challenging unless a strict desktop standard is
    enforced to facilitate this.

    Hope this overview is helpful. Do let us know. Thanks!

    "Dave" wrote:

    > Hi All,
    >
    > Does there exist anywhere a list of port- and file-blocking
    > "best practices" for use with intrusion
    > detection/prevention apps running on Windows 2000?
    >
    > I recently purchased McAfee VirusScan Enterprise and am
    > very pleased with the ease by which I can block ports to
    > all but trusted/specified apps and also block or log access
    > to sensitive files and directories. I imagine that other
    > apps are similarly convenient to set up and use (compared to
    > the obnoxiously cryptic Event Viewer auditing).
    >
    > But the sample rules have only whetted my appetite. For
    > example, changes to various filetypes are logged, including
    > EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
    > are restricted to all but iexplore.exe, etc. I know there
    > are plenty of other file extensions and rules to use with
    > such apps.
    >
    > Does a list of "best practices" exist?
    >
    > Any advice is appreciated.
    >
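The discovery-then-enforce procedure Desmond describes (gather who uses which port during a pilot, draw up the authorised list, then act on anything outside it) can be scripted. The block below is an added example written for this thread; it is not McAfee's log format and not code from any poster. The log line layout, the process names (`sqlapp.exe`, `updater.exe`) and the addresses are all constructed for illustration, and the baseline key is `(direction, protocol, port)` per process, which is the shape of a rule such as "port 80 outbound: iexplore.exe only".

```python
"""Pilot-phase baseline of which process uses which port, then flag deviations.

Added example for this thread, not McAfee's log format and not code from any
poster. The log line layout is constructed for illustration:
    <timestamp> <direction> <proto> <port> <peer> <process>
where direction is "out" (process connected to a remote port) or "in"
(process accepted a connection on a local port).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

Key = Tuple[str, str, int]  # (direction, proto, port)


class ConnEvent(NamedTuple):
    timestamp: str
    direction: str
    proto: str
    port: int
    peer: str
    process: str  # image name, normalised to lower case


def parse_line(line: str) -> ConnEvent:
    """Parse one constructed, whitespace-separated log line."""
    ts, direction, proto, port, peer, process = line.split()
    if direction not in ("in", "out") or proto not in ("tcp", "udp"):
        raise ValueError(f"unexpected field in {line!r}")
    return ConnEvent(ts, direction, proto, int(port), peer, process.lower())


def build_baseline(lines: Iterable[str]) -> Dict[str, Set[Key]]:
    """Discovery phase: record every (direction, proto, port) each process used."""
    baseline: Dict[str, Set[Key]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        baseline[ev.process].add((ev.direction, ev.proto, ev.port))
    return dict(baseline)


def port_allowlist(baseline: Dict[str, Set[Key]]) -> Dict[Key, Set[str]]:
    """Invert the baseline into per-port rules: which processes may use a port.
    This is the shape of a rule such as 'port 80 outbound: iexplore.exe only'."""
    allow: Dict[Key, Set[str]] = defaultdict(set)
    for process, keys in baseline.items():
        for key in keys:
            allow[key].add(process)
    return dict(allow)


def find_deviations(baseline: Dict[str, Set[Key]],
                    lines: Iterable[str]) -> List[Tuple[str, str, Key]]:
    """Enforcement phase: return (verdict, process, key) for each event that
    falls outside the approved baseline. A process never seen in the pilot is
    'unknown-process'; a known process on a port it never used is
    'unauthorised-port'. Events inside the baseline are allowed silently."""
    findings: List[Tuple[str, str, Key]] = []
    for line in lines:
        ev = parse_line(line)
        key: Key = (ev.direction, ev.proto, ev.port)
        if ev.process not in baseline:
            findings.append(("unknown-process", ev.process, key))
        elif key not in baseline[ev.process]:
            findings.append(("unauthorised-port", ev.process, key))
    return findings


# Constructed pilot-phase log for a small server farm like the one in the thread.
PILOT_LOG = [
    "2004-03-01T08:00:01 out tcp 80   203.0.113.10:80   IEXPLORE.EXE",
    "2004-03-01T08:00:05 out tcp 443  203.0.113.10:443  iexplore.exe",
    "2004-03-01T08:01:00 out tcp 25   192.0.2.5:25      outlook.exe",
    "2004-03-01T08:02:00 in  tcp 445  192.0.2.20:1234   system",
    "2004-03-01T08:02:30 out tcp 1433 192.0.2.30:1433   sqlapp.exe",
    "2004-03-02T09:00:00 out tcp 80   203.0.113.11:80   iexplore.exe",
]

# Constructed review-phase log: the second and third events should be flagged.
REVIEW_LOG = [
    "2004-06-01T10:00:00 out tcp 80   198.51.100.7:80   iexplore.exe",
    "2004-06-01T10:00:10 out tcp 80   198.51.100.8:80   updater.exe",
    "2004-06-01T10:00:20 out tcp 6667 198.51.100.9:6667 outlook.exe",
    "2004-06-01T10:00:30 in  tcp 445  192.0.2.21:2345   system",
]

if __name__ == "__main__":
    base = build_baseline(PILOT_LOG)
    for key, procs in sorted(port_allowlist(base).items()):
        print(f"{key[0]:3} {key[1]} {key[2]:>5}: {', '.join(sorted(procs))}")
    for verdict, proc, key in find_deviations(base, REVIEW_LOG):
        print(f"{verdict:18} {proc:14} {key}")
```

The split into "unknown process" and "known process, new port" matters in practice: the first usually means an unapproved install, the second a legitimate application growing a feature or being abused, and they go to different people. A baseline built over too short a pilot will also flag month-end or quarterly jobs, which is the reason Desmond suggests a period of a few months.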
  2. Archived from groups: microsoft.public.win2000.security

    Thank you, Desmond.

    What you recommend is pretty much what I'm doing now. It
    is quite a chore, even for a small and well-standardized
    server farm like my own. We are now into our third week of
    auditing logs to see which apps are using which ports.
    [And, of course, I verify that each app is legit.]

    I want to believe that sufficient others have been down
    this road already. For them, I'd love to peek at their
    policies, especially if they've been honing them over the
    course of years. In particular, I'm thinking of creating
    policies for CIFS/SMB but don't know if it's a good idea.

    As for auditing the OS, I would think there'd be some
    baseline policies (i.e., "best practices") for detecting
    intrusion that would be beneficial to most Windows systems,
    no? Which file extensions should be monitored for
    modification? Deletion? Which files should be monitored
    for reads? CMD.EXE? Others? These would transcend the
    tool used (McAfee, Symantec, etc.) and so I'm thinking that
    such a list of best practices exists somewhere. No?

    Again, thank you for your kind reply.

    Dave

    >-----Original Message-----
    >Each environment is unique and what works for one may break the other. If you
    >are rolling out an enterprise solution, it may be worthwhile to include in
    >your project plans discovery or pilot phases.
    >
    >During this period of a few months for example, gather statistics to learn
    >how applications and services utilize the network without interfering with
    >day to day business. Once this stage completes, draw up a list of authorized
    >apps / ports, etc. and seek management support and approval to roll it out.
    >Users must be informed and communicated with; otherwise unpleasant experiences
    >may result.
    >
    >A point to note - going down to the EXE / DLL / SYS level of control
    >would prove to be very challenging unless a strict desktop standard is
    >enforced to facilitate this.
    >
    >Hope this overview is helpful. Do let us know. Thanks!
    >
    >"Dave" wrote:
    >
    >> Hi All,
    >>
    >> Does there exist anywhere a list of port- and file-blocking
    >> "best practices" for use with intrusion
    >> detection/prevention apps running on Windows 2000?
    >>
    >> I recently purchased McAfee VirusScan Enterprise and am
    >> very pleased with the ease by which I can block ports to
    >> all but trusted/specified apps and also block or log access
    >> to sensitive files and directories. I imagine that other
    >> apps are similarly convenient to set up and use (compared to
    >> the obnoxiously cryptic Event Viewer auditing).
    >>
    >> But the sample rules have only whetted my appetite. For
    >> example, changes to various filetypes are logged, including
    >> EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
    >> are restricted to all but iexplore.exe, etc. I know there
    >> are plenty of other file extensions and rules to use with
    >> such apps.
    >>
    >> Does a list of "best practices" exist?
    >>
    >> Any advice is appreciated.
    >>
    >.
    >
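Dave's questions (which extensions to watch for modification or deletion, which files to watch for reads such as CMD.EXE) describe rules that are independent of the product enforcing them. The block below is an added example of such a tool-agnostic rule set written for this thread; it is not McAfee's rule syntax and not code from any poster. The process names, paths, the `msiexec.exe` exception and the "sensitive" directory are constructed to exercise each branch; the extension list and the CMD.EXE read rule come from the thread.

```python
"""Tool-agnostic file access rules: log or block reads, writes and deletes of
chosen file types and paths, with trusted-process exceptions.

Added example, not McAfee's rule syntax and not code from the thread. Process
names, paths and the 'sensitive' directory below are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class FileEvent:
    process: str   # image name of the process touching the file
    path: str      # full path being accessed
    action: str    # "read", "write" or "delete"


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: Tuple[str, ...]                # fnmatch patterns on the full path
    actions: FrozenSet[str]                  # actions this rule watches
    reaction: str                            # "block" or "log"
    excluded: FrozenSet[str] = frozenset()   # trusted processes the rule ignores


def _matches(rule: Rule, event: FileEvent) -> bool:
    if event.action not in rule.actions or event.process.lower() in rule.excluded:
        return False
    path = event.path.lower()
    # fnmatchcase on lower-cased strings behaves the same on every host;
    # '*' in fnmatch spans path separators, so '*.dll' matches a full path.
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in rule.patterns)


def evaluate(event: FileEvent, rules: Sequence[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reaction) for every rule the event triggers."""
    return [(r.name, r.reaction) for r in rules if _matches(r, event)]


def decide(event: FileEvent, rules: Sequence[Rule]) -> str:
    """Collapse the hits into one verdict: block beats log beats allow."""
    reactions = {reaction for _, reaction in evaluate(event, rules)}
    if "block" in reactions:
        return "block"
    if "log" in reactions:
        return "log"
    return "allow"


RULES = [
    # Modification or deletion of executables (the thread's EXE/DLL/PIF/SCR list),
    # blocked for everything except the installer service (constructed exception).
    Rule("protect-executables", ("*.exe", "*.dll", "*.pif", "*.scr"),
         frozenset({"write", "delete"}), "block", frozenset({"msiexec.exe"})),
    # Reads of the command interpreter are logged, not blocked: administrators
    # need it, but an unexpected process loading it deserves an audit trail.
    Rule("log-shell-reads", (r"*\cmd.exe",), frozenset({"read"}), "log"),
    # Any access to a constructed sensitive directory is logged.
    Rule("log-sensitive-dir", (r"c:\sensitive\*",),
         frozenset({"read", "write", "delete"}), "log"),
]

# Constructed events, one per branch of the rule set.
EVENTS = [
    FileEvent("winword.exe", r"C:\WINNT\System32\kernel32.dll", "write"),
    FileEvent("msiexec.exe", r"C:\Program Files\App\app.exe", "write"),
    FileEvent("explorer.exe", r"C:\WINNT\System32\cmd.exe", "read"),
    FileEvent("notepad.exe", r"C:\Docs\notes.txt", "write"),
    FileEvent("backup.exe", r"C:\Sensitive\payroll.xls", "read"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{decide(ev, RULES):5}  {ev.process:13} {ev.action:6} {ev.path}")
```

The exception list is the part that needs the most care: every process added to it (an installer, an update agent, a backup tool) is a process whose compromise silently defeats the rule, which is Desmond's point that this level of control only works on a strictly standardised desktop where that list stays short and known.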
  3. Archived from groups: microsoft.public.win2000.security

    I can send you a -pretty- complete list of ip-ports related to
    protocols/trojans/etc... Also, I've been using two different programs for
    anti-virus and firewall-protection. Always have; it's the same idea as the
    government 'controlling' herself. I figured that would always turn out
    corrupt. I'm surprised you're contemplating blocking certain filetypes. I just
    remembered that, while using mIRC, I didn't care much about that. Every
    incoming file gets checked anyway by anti-virus. Concerning the OS.... Well,
    in my environment it didn't matter if I blew it all open (IE) or just kept it
    standard. Active Desktop can be tricky and I would never use Netmeeting; it's
    even integrated in iexplore and messenger. Concerning port 80 of iexplore;
    isn't it the initiation of the download only via that port? I always
    thought the upper TCP/UDP ports were used for that; 1080, 8080 ... ? For my
    ftp-server I just used the standard 20 & 21 ports. Only 1 protocol over 2
    ports on a strong NT-based OS.....? Seemed more safe than (e.g.) ports 1020
    & 1021.
  4. Archived from groups: microsoft.public.win2000.security

    Looks like Shems already has a checklist that may just work for you.

    Though not directly related to your question, you may like to review the
    following MS resources. In addition, network monitoring or even a personal
    firewall product (like built-in ICF) can reveal interesting information
    (applications, port, protocols, etc.).

    Do let us know if it helps. Thanks!

    http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

    http://support.microsoft.com/default.aspx?scid=kb;en-us;298804

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329928

    http://support.microsoft.com/kb/281336/EN-US/

    http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod88.asp


    "Dave" wrote:

    > Thank you, Desmond.
    >
    > What you recommend is pretty much what I'm doing now. It
    > is quite a chore, even for a small and well-standardized
    > server farm like my own. We are now into our third week of
    > auditing logs to see which apps are using which ports.
    > [And, of course, I verify that each app is legit.]
    >
    > I want to believe that sufficient others have been down
    > this road already. For them, I'd love to peek at their
    > policies, especially if they've been honing them over the
    > course of years. In particular, I'm thinking of creating
    > policies for CIFS/SMB but don't know if it's a good idea.
    >
    > As for auditing the OS, I would think there'd be some
    > baseline policies (i.e., "best practices") for detecting
    > intrusion that would be beneficial to most Windows systems,
    > no? Which file extensions should be monitored for
    > modification? Deletion? Which files should be monitored
    > for reads? CMD.EXE? Others? These would transcend the
    > tool used (McAfee, Symantec, etc.) and so I'm thinking that
    > such a list of best practices exists somewhere. No?
    >
    > Again, thank you for your kind reply.
    >
    > Dave
    >
    > >-----Original Message-----
    > >Each environment is unique and what works for one may break the other. If you
    > >are rolling out an enterprise solution, it may be worthwhile to include in
    > >your project plans discovery or pilot phases.