Honeypots for Windows
Configure and Manage Windows Honeypots
Book Review

By Dale Farris, Secretary
Golden Triangle PC Club
April 2005

General Overview

Installing a honeypot inside your network as an early warning system can significantly improve your security. Currently, almost every book and resource about honeypots comes from a Unix background, which leaves Windows administrators still grasping for help. But Honeypots for Windows is a forensic journey—helping you set up the physical layer, design your honeypot, and perform malware code analysis.

You’ll discover which Windows ports need to be open on your honeypot to fool those malicious hackers, and you’ll learn about numerous open source tools imported from the Unix world. Install a honeypot on your DMZ or at home and watch the exploits roll in! Your honeypot will capture waves of automated exploits, and you’ll learn how to defend the computer assets under your control.

While there are other books on honeypots, the world of computer security, and honeypots in particular, is largely Unix-based. Most of the literature about firewalls, intrusion detection systems (IDSs), and honeypots was written by Unix gurus. Most of the tools are Unix-based and work only on Unix platforms. Even when the tools are ported to Windows, they may talk about Windows and give a few Windows examples, but most of the text and examples are for Unix-based users. It can be very frustrating when you are not a Unix person, but still want to learn about computer security and use all the cool tools.

The majority of the world's PCs run on one of Microsoft's Windows operating systems. This book was written to fill the large gap for Windows administrators trying to learn about honeypots outside the Unix subculture. The author does not give examples of software and exploits that do not occur in the typical Windows environment. When the book discusses mail servers, it will be referring to Microsoft Exchange, not Sendmail. When the book refers to web servers, it will be talking about Microsoft Internet Information Services (IIS), not Apache. While both of these programs have Windows-based counterparts, these are not the norm in a Windows network. This does not mean that the knowledge and lessons learned in the book cannot be applied to non-Microsoft environments. The opposite is true. You can take anything covered in this book and easily apply it to Unix, Linux, Macintosh, or any other computer environment.

However, this is a honeypot resource that targets the Windows administrator. This means the following:

Honeypot planning and setup will target Windows systems
Security tools will be Windows versions
Hacking examples will be Windows examples
When TCP/IP is discussed, it will be as it applies in Windows
When TCP/IP ports are discussed, these will be ports common in Windows

What Is A Honeypot?

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. A honeypot is intentionally put in harm's way, in order to be compromised, and has no legitimate production value beyond the goals of the honeypot.

Using honeypots is about making a computer network safe. Used as an early warning system, a honeypot is the best tool for detecting malicious code.

Traditional network security defenses do not work. If they did, malware and hackers would be a historical footnote. Virus scanners will miss new code. Firewalls will not stop everything. Intrusion detection systems are too full of false positives, and there will always be one user who insists on opening every e-mail file attachment.

Honeypots can also be a lot of fun to work with, since what could be more enjoyable than hacking the hacker?

Table of Contents

The twelve (12) chapters are organized into three (3) parts, including:

Part One:  Honeypots in General

1) An Introduction to Honeypots
2) A Honeypot Deployment Plan

Part Two:  Windows Honeypots

3) Windows Honeypot Modeling
4) Windows Honeypot Deployment
5) Honeyd Installation
6) Honeyd Configuration
7) Honeyd Service Scripts
8) Other Windows-Based Honeypots

Part Three:  Honeypot Operations

9) Network Traffic Analysis
10) Honeypot Monitoring
11) Honeypot Data Analysis
12) Malware Code Analysis

Target Readers

This book is for administrators with an intermediate understanding of the Windows operating system and computer security. Readers should have experience with the Windows operating system, the Internet, and Windows-based networking; be able to install and troubleshoot network-related software; and have a general understanding of the OSI model. It helps if you are familiar with basic computer security concepts, such as computer worms, buffer overflows, and password cracking. An understanding of Windows security mechanisms will make the book more enjoyable.

A strong understanding of TCP/IP network protocol basics is essential for most honeypot administrators. Although this book will cover the fundamentals needed to understand the material presented, readers should understand the following terms prior to beginning this journey: TCP, UDP, ICMP, stateful, stateless, TCP/IP handshake, packet header, and packet payload.

Even if you are not familiar with the details of these topics, you should still be able to understand every concept discussed in this book. Do not panic if you cannot name all the TCP header flags off the top of your head, or if you do not know the exact meaning of stateful inspection. The book will be of value to people newly interested in computer security and honeypots, as well as to experienced security experts.

Readers without a firm foundation in these fundamentals should consider a quick refresher with a TCP/IP protocol reference.

Book Contents

424 pages; about the author; acknowledgments; introduction; figures; notes; tips; tables; screenshots; detailed index

Author

Roger A. Grimes

About the Author

Roger A. Grimes — (CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CEH, TICSA, Security+, MCT) — is a 17-year Windows security consultant, instructor, and author. This is Mr. Grimes' third book and he has written over 150 articles for magazines like Windows IT Pro, Microsoft Certified Professional, InfoWorld, Network Magazine, Windows & .NET, and Security Administrator. He is a contributing editor for Windows & .NET, and InfoWorld magazines.

Mr. Grimes has presented at Windows Connections, MCP TechMentors, and SANS. He was recently recognized as Most Valuable Professional (MVP) by Microsoft, for Windows Server 2003 security. Grimes also frequently writes for Microsoft, including material for two courses on advanced Windows security and Technet. He has taught security to many of the world's largest and most respected organizations, including Microsoft, VeriSign, the U.S. Navy, various universities, and public school systems. Mr. Grimes spends his time surrounded by the maddening hum of twelve 1U servers in his home office, monitoring his personal honeypots.

ISBN

February 2005 - First Edition
1-59059-335-9

List Price

$39.99

About Apress

Apress is a publishing company devoted to meeting the needs of programming professionals. Apress' unique approach to computer book publishing grew out of conversations between Dan Appleman and Gary Cornell, Apress' founders, who believe that too many programming books are of such low quality that they are a complete waste of time. Computer professionals need quality books that are not just rehashes of documentation.

The "A" in Apress stands for The Author's Press, and their books have "The Expert's Voice." Apress acquires manuscripts of the highest quality by attracting the best authors and technical experts that the world has to offer. Apress makes authors partners in the publishing process, doesn't impose a "house style" on authors, and doesn't make them conform to a series that straitjackets them.

Apress also makes sure that authors are treated equitably. Another key feature of the Apress approach to publishing books is taken from the software industry. Apress treats the technical review process as seriously as the best software companies treat the quality assurance process.

Apress is convinced that the innovations listed above make it possible for them to produce the highest quality books, recruit the highest quality authors, and publish titles that information technology professionals need and want.

The Apress management team ensures that the distribution and fulfillment of Apress titles is second to none, and that the capital is available to move aggressively and take advantage of any publishing opportunities that arise. To accomplish this, Apress has entered into a partnership with Springer-Verlag, one of the world's most respected publishing houses. Springer-Verlag is convinced that Apress will be the publisher of quality trade computer paperbacks in the years to come.

Apress will continue to publish titles of the highest quality, and has compiled a team of authors that reads like a veritable "Who's Who" list of the computing industry. The company founders have published over 200 software titles by leading software professionals, all of whom have "The Expert's Voice."

Publisher Contact

Glenn Munlawin
Product Manager
Apress
2560 Ninth Street, Suite 219
Berkeley, California 94710
510-549-5930 ext. 120
FAX 510-549-5939
glenn@apress.com
www.apress.com