RE: Port and File-Blocking Best Practices
From: Dave (anonymous_at_discussions.microsoft.com)
Date: 03/04/05
- Next message: Steven L Umbach: "Re: Has anyone seen this "Alert"?"
- Previous message: _at_: "Re: Drag and Drop functionality lost after fix 890047"
- In reply to: Desmond Lee: "RE: Port and File-Blocking Best Practices"
- Next in thread: Shems: "RE: Port and File-Blocking Best Practices"
- Reply: Shems: "RE: Port and File-Blocking Best Practices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 4 Mar 2005 11:07:24 -0800
Thank you, Desmond.
What you recommend is pretty much what I'm doing now. It
is quite a chore, even for a small and well-standardized
server farm like my own. We are now into our third week of
auditing logs to see which apps are using which ports.
[And, of course, I verify that each app is legit.]
I want to believe that sufficient others have been down
this road already. For them, I'd love to peek at their
policies, especially if they've been honing them over the
course of years. In particular, I'm thinking of creating
policies for CIFS/SMB but don't know if it's a good idea.
As for auditing the OS, I would think there'd be some
baseline policies (i.e., "best practices") for detecting
intrusion that would be beneficial to most Windows systems,
no? Which file extensions should be monitored for
modification? Deletion? Which files should be monitored
for reads? CMD.EXE? Others? These would transcend the
tool used (McAfee, Symantec, etc.) and so I'm thinking that
such a list of best practices exists somewhere. No?
Again, thank you for your kind reply.
Dave
>-----Original Message-----
>Each environment is unique and what works for one may
>break the other. If you are rolling out an enterprise
>solution, it may be worthwhile to include in your project
>plans discovery or pilot phases.
>
>During this period of a few months for example, gather
>statistics to learn how applications and services utilize
>the network without interfering with day to day business.
>Once this stage completes, draw up a list of authorized
>apps / ports, etc. and seek management support and
>approval to roll it out. Users must be informed and
>communicated otherwise unpleasant experiences may result.
>
>A point to note - going down to details EXE / DLL / SYS
>level of control would prove to be very challenging
>unless a strict desktop standard is enforced to
>facilitate this.
>
>Hope this overview is helpful. Do let us know. Thanks!
>
>"Dave" wrote:
>
>> Hi All,
>>
>> Does there exist anywhere a list of port- and file-blocking
>> "best practices" for use with intrusion
>> detection/prevention apps running on Windows 2000?
>>
>> I recently purchased McAfee VirusScan Enterprise and am
>> very pleased with the ease by which I can block ports to
>> all but trusted/specified apps and also block or log access
>> to sensitive files and directories. I imagine that other
>> apps are similarly convenient to setup and use (compared to
>> the obnoxiously cryptic Event Viewer auditing).
>>
>> But the sample rules have only whetted my appetite. For
>> example, changes to various filetypes are logged, including
>> EXE, DLL, PIF and SCR. Likewise, web downloads (port 80)
>> are restricted to all but iexplore.exe, etc. I know there
>> are plenty of other file extensions and rules to use with
>> such apps.
>>
>> Does a list of "best practices" exist?
>>
>> Any advice is appreciated.
>>
>.
>
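The discovery-then-enforce procedure Desmond outlines (learn which apps use which ports over a pilot window, turn that into an authorized app/port list, then flag anything outside it) as an added example that is not part of the original thread. The log line format (timestamp, process image, direction, remote port) is a hypothetical export format chosen for illustration, and the sample lines are constructed, not captured from a real host.

```python
"""Learn an app/port allow-list from a discovery window, then audit later traffic against it.

Added example, not code from the thread. The input format is a hypothetical
"<timestamp> <process image> <in|out> <remote port>" export; real products
(McAfee VSE, Windows Firewall logs) would need their own parser.
"""
import re
from collections import defaultdict

# Constructed sample data: the discovery (pilot) period.
DISCOVERY_LOG = """
2005-02-14T09:01:12 iexplore.exe out 80
2005-02-14T09:01:15 iexplore.exe out 443
2005-02-14T09:03:40 outlook.exe out 25
2005-02-14T09:03:41 outlook.exe out 110
2005-02-14T10:12:03 system in 445
2005-02-14T10:12:07 system in 139
2005-02-14T11:30:00 iexplore.exe out 80
""".strip().splitlines()

# Constructed sample data: traffic seen after the policy is in force.
ENFORCE_LOG = """
2005-03-04T08:00:01 iexplore.exe out 80
2005-03-04T08:00:05 updater.exe out 80
2005-03-04T08:02:10 outlook.exe out 25
2005-03-04T08:05:33 system in 445
2005-03-04T08:06:00 random.exe out 6667
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(in|out)\s+(\d+)$")


def parse_line(line):
    """Return (timestamp, process, direction, port) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, direction, port = m.groups()
    return ts, proc.lower(), direction, int(port)


def build_baseline(lines, min_count=1):
    """Map each (direction, port) to the set of processes that used it in discovery.

    min_count lets a long pilot window ignore one-off noise: a pair seen fewer
    than min_count times is not written into the policy.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, proc, direction, port = rec
        counts[(proc, direction, port)] += 1
    baseline = defaultdict(set)
    for (proc, direction, port), n in counts.items():
        if n >= min_count:
            baseline[(direction, port)].add(proc)
    return dict(baseline)


def evaluate(lines, baseline):
    """Return (timestamp, process, direction, port, reason) for each out-of-policy connection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proc, direction, port = rec
        allowed = baseline.get((direction, port))
        if allowed is None:
            findings.append((ts, proc, direction, port, "port never seen in discovery"))
        elif proc not in allowed:
            findings.append((ts, proc, direction, port, f"port reserved for {sorted(allowed)}"))
    return findings


def format_policy(baseline):
    """Render the learned baseline as the authorized app/port list to take to management."""
    rows = []
    for direction, port in sorted(baseline):
        apps = ", ".join(sorted(baseline[(direction, port)]))
        rows.append(f"{direction:>3} {port:>5}  {apps}")
    return "\n".join(rows)


if __name__ == "__main__":
    policy = build_baseline(DISCOVERY_LOG)
    print(format_policy(policy))
    for finding in evaluate(ENFORCE_LOG, policy):
        print(finding)
```

Running it prints the learned policy (port 80 reserved for iexplore.exe, 445/139 inbound for system, and so on) and then two findings from the enforcement log: updater.exe reaching port 80, which the baseline reserves for iexplore.exe, and random.exe on a port the pilot never saw. Raising `min_count` is how you keep a single stray connection during the pilot from becoming a permanent allow rule.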