Port and File-Blocking Best Practices

[Dave]

Hi All,

Does there exist anywhere a list of port- and file-blocking
"best practices" for use with intrusion
detection/prevention apps running on Windows 2000?

I recently purchased McAfee VirusScan Enterprise and am
very pleased with the ease by which I can block ports to
all but trusted/specified apps and also block or log access
to sensitive files and directories. I imagine that other
apps are similarly convenient to setup and use (compared to
the obnoxiously cryptic Event Viewer auditing).

But the sample rules have only whetted my appetite. For
example, changes to various filetypes are logged, including
EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
are restricted to all but iexplore.exe, etc. I know there
are plenty of other file extensions and rules to use with
such apps.

Does a list of "best practices" exist?

Any advice is appreciated.

 

[Guest]

Each environment is unique and what works for one may break the other. If you
are rolling out an enterprise solution, it may be worthwhile to include in
your project plans discovery or pilot phases.

During this period of a few months for example, gather statistics to learn
how applications and services utilize the network without interfering with
day to day business. Once this stage completes, draw up a list of authorized
apps / ports, etc. and seek management support and approval to roll it out.
Users must be informed and communicated otherwise unpleasant experiences may
result.

A point to note - going down to details EXE / DLL / SYS level of control
would prove to be very challenging unless a strict desktop standard is
enforced to facilitate this.

Hope this overview is helpful. Do let us know. Thanks!

 

[Dave]

Thank you, Desmond.

What you recommend is pretty much what I'm doing now. It
is quite a chore, even for a small and well-standardized
server farm like my own. We are now into our third week of
auditing logs to see which apps are using which ports.
[And, of course, I verify that each app is legit.]

I want to believe that sufficient others have been down
this road already. For them, I'd love to peek at their
policies, especially if they've been honing them over the
coarse of years. In particular, I'm thinking of creating
policies for CIFS/SMB but don't know if it's a good idea.

As for auditing the OS, I would think there'd be some
baseline policies (i.e., "best practices") for detecting
intrusion that would be beneficial to most Windows systems,
no? Which file extensions should be monitored for
modification? Deletion? Which files should be monitored
for reads? CMD.EXE? Others? These would transcend the
tool used (McAfee, Symantec, etc.) and so I'm thinking that
such a list of best practices exists somewhere. No?

Again, thank you for your kind reply.

Dave

 

[Guest]

I can send you a -pretty- complete list of ip-ports related to
protocols/trojans/etc... Also, I've been using two different programs for
anti-virus and firewall-protection. Always have; it's the same idea as the
government 'controlling' herself. I figured that would always turn out
corrupt. I'm suprised you're contemplating to block certain filetypes. I just
remembered that, while using mIRC, I didn't care much about that. Every
incomming file gets checked anyway by anti-virus. Concerning the os.... Well,
in my enviroment it didn't matter if I blew it all open (IE) or just kept it
standard. Active Desktop can be tricky and I would never use Netmeeting; it's
even integrated in iexplore and messenger. Concerning port 80 of iexplore;
isn't it the initiation of the download only via that port ? I always
thought the upper TCP/UDP ports we're used for that; 1080, 8080 ... ? For my
ftp-server I just used the standard 20 & 21 ports. Only 1 protocol over 2
ports on a strong NT-based os.....? Seemed more safe than (e.g.) ports 1020
& 1021.

 

[Guest]

Looks like Shems already has a checklist that may just work for you.

Though not directly related to your question, you may like to review the
following MS resources. In addition, network monitoring or even a personal
firewall product (like built-in ICF) can reveal interesting information
(applications, port, protocols, etc.).

Do let us know if it helps. Thanks!

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

http://support.microsoft.com/default.aspx?scid=kb;en-us;298804

http://support.microsoft.com/default.aspx?scid=kb;en-us;329928

http://support.microsoft.com/kb/281336/EN-US/

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod88.asp

Thank you, Desmond.

What you recommend is pretty much what I'm doing now. It
is quite a chore, even for a small and well-standardized
server farm like my own. We are now into our third week of
auditing logs to see which apps are using which ports.
[And, of course, I verify that each app is legit.]

I want to believe that sufficient others have been down
this road already. For them, I'd love to peek at their
policies, especially if they've been honing them over the
coarse of years. In particular, I'm thinking of creating
policies for CIFS/SMB but don't know if it's a good idea.

As for auditing the OS, I would think there'd be some
baseline policies (i.e., "best practices") for detecting
intrusion that would be beneficial to most Windows systems,
no? Which file extensions should be monitored for
modification? Deletion? Which files should be monitored
for reads? CMD.EXE? Others? These would transcend the
tool used (McAfee, Symantec, etc.) and so I'm thinking that
such a list of best practices exists somewhere. No?

Again, thank you for your kind reply.

Dave

-----Original Message-----
Each environment is unique and what works for one may break the other. If you
are rolling out an enterprise solution, it may be worthwhile to include in
your project plans discovery or pilot phases.