Windows IT Pro
April 2004

Honeypots for Windows

Distract intruders away from your legitimate resources
Sidebar: A Small Consideration

Many virtual honeypots simulate services on well-known ports that would interest an intruder, such as SMTP or FTP. These honeypots go beyond the initial protocol handshake by having the emulated service respond to the intruder. An emulated service that returns only a mimicked banner is called a banner service. For example, an intruder connecting to TCP port 25 (SMTP) might receive a simulated Exchange banner in response. An emulated service that gives minimal output in response to input is called a simple or standard service. For example, probes to FTP port 21 might prompt intruders for their logon name and password, which the honeypot records. If an intruder uses current or old logon information rather than a random guess, the intruder might be an insider or might have successfully compromised the system in the past.

Simulated services, especially those trying to mimic IIS or FTP, often offer greater levels of emulation. Some virtual honeypots provide fake subdirectories, files, and responses. Other virtual honeypots allow service-port probes to be relayed to other computers hosting legitimate software but ensure the intruder is still attacking a nonproduction resource. Generally, the better the service emulation, the more interesting the target becomes to intruders. The longer the intruders stay around, the more information you can collect. However, most virtual honeypots are considered low-interaction, which means they don't offer sophisticated levels of emulation.
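As an added illustration (not code from the article or from any of the reviewed products), here is a minimal low-interaction "simple service" in Python: it listens on loopback, returns a constructed banner styled after the Microsoft FTP Service, prompts for USER and PASS, refuses every logon, records the credentials, and flags attempts that reuse a name from a constructed list of current or old accounts, which is the insider check the text describes. The hostname, account list, and ephemeral port are assumptions.

```python
import socket, socketserver, threading

FTP_BANNER = "220 ftp.example.test Microsoft FTP Service"  # constructed; placeholder host
KNOWN_ACCOUNTS = {"administrator", "jsmith", "backup_svc"}  # constructed current/old accounts
CAPTURED = []  # one dict per logon attempt the honeypot records

def ftp_simple_service(state, line):
    """Emulated logon step: returns (reply, new_state, capture); capture set once USER/PASS seen."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        return "331 Password required for %s." % arg, {"user": arg}, None
    if cmd == "PASS":  # record the pair, then refuse: the honeypot never grants access
        user = state.get("user", "")
        return "530 User %s cannot log in." % user, {}, {"user": user, "password": arg}
    if cmd == "QUIT":
        return "221 Goodbye.", {}, None
    return "530 Please login with USER and PASS.", state, None

def classify_attempt(capture, known_accounts=KNOWN_ACCOUNTS):
    """Flag attempts that use a real (current or old) account name rather than a guess."""
    return "known-account" if capture["user"].lower() in known_accounts else "guess"

class FtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        state = {}
        self.wfile.write((FTP_BANNER + "\r\n").encode())
        for raw in self.rfile:  # one client line at a time
            reply, state, capture = ftp_simple_service(state, raw.decode("latin-1"))
            if capture:
                capture.update(peer=self.client_address[0], verdict=classify_attempt(capture))
                CAPTURED.append(capture)
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break

def start_honeypot(port=0):
    """Bind on loopback (port 0 = ephemeral) and serve in a background thread."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), FtpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, user, password):  # self-test client; returns the honeypot's replies
    with socket.create_connection(("127.0.0.1", port)) as s:
        f = s.makefile("r", encoding="latin-1", newline="")
        replies = [f.readline().strip()]
        for line in ("USER " + user, "PASS " + password, "QUIT"):
            s.sendall((line + "\r\n").encode("latin-1"))
            replies.append(f.readline().strip())
    return replies
```

On a nonproduction host you would bind the real port with start_honeypot(21) and forward CAPTURED entries to whatever alerting the honeypot product offers; the verdict field is what distinguishes a password guesser from someone holding a real account name.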

Selection and Evaluation Criteria
Numerous honeypots are available, so I had to narrow the field. To be included in this review, the honeypot had to run natively on Windows platforms and mimic multiple common Windows ports and services. I didn't consider honeypots that specialize in only one facet of defense (e.g., tarpits, antispam) or have minimal features because they tend to arrive and disappear in a few months and offer limited support.

Four honeypots—Honeyd-WIN32 0.5, KeyFocus's KFSensor, Network Security Software's (NETSEC's) SPECTER 7.0, and VMware (an EMC subsidiary) Workstation 4.0—met all the selection criteria. (Table 1 outlines other notable honeypots that can run in a Windows environment but didn't meet the other selection criteria.) To evaluate the four honeypots, I used the following evaluation criteria:

  • Windows emulation—Emulating a Windows host means offering remote procedure call (RPC) port 135 and NetBIOS ports 137, 138, 139, and 445 at a minimum as well as any other port or service that might be present on a typical Windows computer. For example, a fake Exchange server might offer additional ports 25 (SMTP), 110 (POP3), 113 (Network News Transfer Protocol—NNTP), and 143 (IMAP). An emulated IIS server might offer additional ports 20 and 21 (FTP), 25, 80 (HTTP), and 443 (HTTP Secure—HTTPS). A Windows 2000 Server system might offer additional ports 53 (DNS), 68 (DHCP), 88 (Kerberos), 1433 and 1434 (Microsoft SQL Server), and 3389 (Win2K Server Terminal Services). Honeypots should let users emulate the correct services on these ports. For example, an emulated Web server should return an IIS banner, not Apache, and an emulated SMTP server should return an Exchange banner, not sendmail. Historically, most honeypots have done a poor job of emulating the ports and services typically found in a Microsoft environment.
  • Ease of setup and use—Some honeypots can be installed quickly, whereas others take hours of customization. After you finish the setup process, you want a honeypot that's easy to use yet meets your needs. Items to consider include whether you want a GUI or text-based real-time monitoring interface, whether you need the ability to manage the honeypot remotely, whether the honeypot comes with emulated data or has a mechanism with which to add and update data, and how easily you can recover the honeypot after a compromise.
  • Data capture—All honeypots capture attack activity in real time, with varying levels of detail. The best honeypots capture everything the intruder does, including full network packet decodes, keystrokes, and system-manipulation activity. Other honeypots require you to add tools if you want to capture such detailed information. Another consideration is where the honeypot stores captured data. Does the honeypot write data to only a local text-based log file, or can the honeypot write data to an external database?
  • Alerts and reports—No honeypot is complete without offering a way to alert administrators in real time to unauthorized activity. Honeypots offer a range of alert mechanisms, including broadcast messages, email, and Short Message Service (SMS). Another consideration is the types of reports the honeypot offers.