Port and File-Blocking Best Practices

March 3, 2005 7:50:46 PM

Archived from groups: microsoft.public.win2000.security

Hi All,

Does there exist anywhere a list of port- and file-blocking
"best practices" for use with intrusion
detection/prevention apps running on Windows 2000?

I recently purchased McAfee VirusScan Enterprise and am
very pleased with the ease by which I can block ports to
all but trusted/specified apps and also block or log access
to sensitive files and directories. I imagine that other
apps are similarly convenient to set up and use (compared to
the obnoxiously cryptic Event Viewer auditing).

But the sample rules have only whetted my appetite. For
example, changes to various filetypes are logged, including
EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
are restricted to all but iexplore.exe, etc. I know there
are plenty of other file extensions and rules to use with
such apps.

Does a list of "best practices" exist?

Any advice is appreciated.
Anonymous
March 4, 2005 4:09:05 AM


Each environment is unique and what works for one may break the other. If you
are rolling out an enterprise solution, it may be worthwhile to include in
your project plans discovery or pilot phases.

During this period of a few months for example, gather statistics to learn
how applications and services utilize the network without interfering with
day to day business. Once this stage completes, draw up a list of authorized
apps / ports, etc. and seek management support and approval to roll it out.
Users must be informed and communicated with; otherwise unpleasant experiences may
result.

A point to note - going down to the EXE / DLL / SYS level of control
would prove to be very challenging unless a strict desktop standard is
enforced to facilitate this.

Hope this overview is helpful. Do let us know. Thanks!

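The discovery-then-allowlist procedure described in the reply above, as an added worked example that is not part of this thread or of any vendor's product: it reads constructed pilot-phase observations of which process used which outbound port (the CSV layout, host names and process names are assumptions), proposes an authorized app/port list from pairs seen on several machines, and leaves single-host oddities for manual review instead of approving them automatically.

```python
import csv
import io

# Constructed sample of pilot-phase observations (one row per sighting of a
# process using a remote port). The column layout is an assumption, not the
# export format of any particular monitoring or firewall product.
PILOT_LOG = """\
host,process,proto,remote_port
srv01,iexplore.exe,tcp,80
srv01,iexplore.exe,tcp,443
srv02,iexplore.exe,tcp,80
srv02,svchost.exe,tcp,445
srv01,svchost.exe,tcp,445
srv03,backup.exe,tcp,10000
srv03,backup.exe,tcp,10000
srv02,unknown.exe,tcp,80
"""

def load_observations(text):
    """Parse the CSV export into (host, process, proto, port) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["host"], r["process"].lower(), r["proto"].lower(), int(r["remote_port"]))
            for r in rows]

def build_baseline(observations):
    """Count on how many distinct hosts each (process, proto, port) pair was seen."""
    hosts = {}
    for host, proc, proto, port in observations:
        hosts.setdefault((proc, proto, port), set()).add(host)
    return {key: len(seen) for key, seen in hosts.items()}

def propose_allowlist(baseline, min_hosts=2):
    """Pairs seen on at least min_hosts machines become the proposed authorized
    list; rarer pairs (a one-off on a single server) go to a review queue so
    that a stray unknown.exe on port 80 is never approved by accident."""
    approved = {k for k, n in baseline.items() if n >= min_hosts}
    review = {k for k, n in baseline.items() if n < min_hosts}
    return approved, review

def check_against_allowlist(observations, approved):
    """After rollout: report every (process, proto, port) that is not authorized."""
    return sorted({(proc, proto, port) for _, proc, proto, port in observations
                   if (proc, proto, port) not in approved})

if __name__ == "__main__":
    obs = load_observations(PILOT_LOG)
    approved, review = propose_allowlist(build_baseline(obs))
    print("approved:", sorted(approved))
    print("needs review:", sorted(review))
    print("unauthorized sightings:", check_against_allowlist(obs, approved))
```

The review queue is where the "verify that each app is legit" step belongs; only what survives that check should be promoted into the approved set before the rules are enforced.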
March 4, 2005 2:07:24 PM


Thank you, Desmond.

What you recommend is pretty much what I'm doing now. It
is quite a chore, even for a small and well-standardized
server farm like my own. We are now into our third week of
auditing logs to see which apps are using which ports.
[And, of course, I verify that each app is legit.]

I want to believe that sufficient others have been down
this road already. For them, I'd love to peek at their
policies, especially if they've been honing them over the
course of years. In particular, I'm thinking of creating
policies for CIFS/SMB but don't know if it's a good idea.

As for auditing the OS, I would think there'd be some
baseline policies (i.e., "best practices") for detecting
intrusion that would be beneficial to most Windows systems,
no? Which file extensions should be monitored for
modification? Deletion? Which files should be monitored
for reads? CMD.EXE? Others? These would transcend the
tool used (McAfee, Symantec, etc.) and so I'm thinking that
such a list of best practices exists somewhere. No?

Again, thank you for your kind reply.

Dave

Anonymous
March 6, 2005 11:05:02 PM


I can send you a -pretty- complete list of ip-ports related to
protocols/trojans/etc... Also, I've been using two different programs for
anti-virus and firewall-protection. Always have; it's the same idea as the
government 'controlling' herself. I figured that would always turn out
corrupt. I'm surprised you're contemplating blocking certain filetypes. I just
remembered that, while using mIRC, I didn't care much about that. Every
incoming file gets checked anyway by anti-virus. Concerning the OS.... Well,
in my environment it didn't matter if I blew it all open (IE) or just kept it
standard. Active Desktop can be tricky and I would never use Netmeeting; it's
even integrated in iexplore and messenger. Concerning port 80 of iexplore;
isn't it the initiation of the download only via that port? I always
thought the upper TCP/UDP ports were used for that; 1080, 8080...? For my
ftp-server I just used the standard 20 & 21 ports. Only 1 protocol over 2
ports on a strong NT-based OS.....? Seemed safer than (e.g.) ports 1020
& 1021.
Anonymous
March 7, 2005 2:05:02 PM


Looks like Shems already has a checklist that may just work for you.

Though not directly related to your question, you may like to review the
following MS resources. In addition, network monitoring or even a personal
firewall product (like built-in ICF) can reveal interesting information
(applications, port, protocols, etc.).

Do let us know if it helps. Thanks!

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

http://support.microsoft.com/default.aspx?scid=kb;en-us;298804

http://support.microsoft.com/default.aspx?scid=kb;en-us;329928

http://support.microsoft.com/kb/281336/EN-US/

http://www.microsoft.com/technet/security/prodtech/wind...

http://msdn.microsoft.com/library/default.asp?url=/libr...
