September 17, 2002 12:00 AM

How to Build a Snort Server

Implement an IDS
Windows IT Pro
InstantDoc ID #26449

Intrusion Detection Systems (IDSs) are an important part of any network. One free, open-source tool for implementing an IDS on networks is Snort. (If you're unfamiliar with IDSs, see Jason Harper, "Protect Your Network from Intrusion" and "Deploy Your Network IDS Effectively," http://www.secadministrator.com, InstantDoc ID 24650 and InstantDoc ID 25013, respectively.) To build a Snort server in a Windows 2000 environment, you need to install and secure Win2K Server, install Snort and its companion files, and test Snort's various modes.

Installing and Securing Win2K Server
To build a Snort server, you first need to secure the server's OS so that the OS doesn't become a victim of intruders' attacks. In IDSs, the OS typically resides outside a firewall's protection, so the OS needs to be both secure and invisible to intruders' probes. (Some administrators use two NICs to dual-home the Snort server, then connect the server to a port-mirrored switch or hub to transmit only. However, I think that having a system that's completely isolated from the main network is best. That way, the system can stand on its own outside a firewall.) Because Microsoft designed Win2K Server to be a platform on which applications run, the default setup creates an environment that maximizes the system's ability to offer services to the rest of the network. The security administrator's ultimate goal is to turn Win2K on the Snort server into an OS that's undetectable by attackers—a stealthy OS.

To create a stealthy OS, you need to start by installing Win2K Server from scratch. Be sure to delete all existing partitions on the hard disk and create new partitions. Also be sure to put a fresh Master Boot Record (MBR) on the hard disk. Both of these precautions are necessary to ensure that the system has no viruses or worms. The easiest way to accomplish both tasks is to use the Win2K Server CD-ROM to boot the system. When the setup program asks you where you'd like to put the system files, you have the option of deleting all the existing partitions and creating new partitions. Creating partitions this way lets you use the disk's entire capacity for one partition. The log directory that Snort creates can get quite large; therefore, bigger is always better in sizing partitions for IDSs. In the rest of the setup program, you can keep the defaults because you'll be disabling all unwanted services after you apply the service packs and patches.

When the setup program finishes, install Service Pack 3 (SP3) and reboot the system. After you reboot, go to the Windows Update site by clicking Start, Windows Update. Click the Product Updates link and install all the suggested updates, including those for Microsoft Internet Explorer (IE).

After you install the updates and reboot, you're ready to remove all unnecessary services through the Control Panel Add/Remove Programs applet. In this applet, click Add/Remove Windows Components and clear the Internet Information Services (IIS) check box. Removing this service closes the biggest hole in your system's armor. Remove other unnecessary services as well. (If you're unsure of which services to remove, check out Windows & .NET Magazine's free guide "Securing your Operating System—Guidelines for Hardening Windows 2000," http://www.itbuynet.com/pdf/0202-security.pdf.) The only Windows components I leave enabled are Accessories and Terminal Services (in Remote Administration mode). Although having Win2K Server Terminal Services violates the goal of having a stealthy system, I decided that being able to administer the system remotely is worth the risk.

Next, you need to secure the local hard disk and registry. To make the job easier, I created a Win2K security template that contains all the settings I want for an IDS. You can download this template from the Code Library at the Security Administrator Web site. If you need a quick tutorial about what templates do and how to use them, see Paula Sharick, "Security Templates Define and Enforce the Rules," http://www.secadministrator.com, InstantDoc ID 23375.

The template disables the services that an IDS doesn't need. For example, the template disables the Routing and Remote Access, Server, Print Spooler, and RunAs services. The result is that the Snort server will be missing some of the functionality you would expect on production servers.

One service that the template doesn't disable is the Remote Procedure Call (RPC) service. Several administrative tools (e.g., Computer Management, Event Viewer) use RPC to obtain information from the OS. If you disable the RPC service, these administrative tools don't work properly. However, if you leave the RPC service running so that you can manage the server, you must restrict access to the system services because the RPC service listens for connections on port 135.

After you apply the template, only ports 135 and 3389 (the port for Terminal Services) will be visible on the network. In addition, both the registry and the hard disk will allow only local Administrators group members and System account members access to crucial functions.

Although leaving ports 135 and 3389 active can alert an intruder to the IDS's existence, it doesn't defeat the purpose of having a secure system. Both ports require authentication before an intruder can access them, and the template makes unauthorized access more difficult three ways:

  • The template requires passwords to be at least 8 characters long and to contain a combination of uppercase and lowercase letters, numbers, and special characters. If you want to decrease the chance of a successful dictionary or brute-force attack on the passwords, you can increase the required length to 10 or more characters.
  • The template sets the account policies to allow five attempts to enter the password and a 30-minute wait time after five incorrect entries. That way, an account will be disabled for 30 minutes after an intruder makes five logon attempts. At best, an intruder could try 10 passwords per account per hour. If your IDS has only one or two active accounts, guessing a password will take a long time.
  • The template removes the Access this computer from the network user right from all groups. The net effect is that even if intruders know the correct password, they can't log on unless they're sitting at the console. Removing this user right doesn't disable Terminal Services because Terminal Services uses the Log on locally user right and the Allow log on to terminal server account property to determine whether an account can log on to the server. In addition, when Terminal Services is in Remote Administration mode, only members of the local Administrators group can log on.
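As an added illustration (this is not the author's downloadable template), the settings described above look like this in a Win2K security template INF file that secedit can apply; the service DACL string is the standard one Microsoft ships in its own templates, and the file names in the comments are assumed.

```ini
; ids.inf (constructed example): hardening settings for a Win2K Snort sensor
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account policies: 8-character complex passwords, lockout after 5 bad
; attempts, 30-minute lockout and 30-minute counter reset (about 10
; guesses per account per hour at most).
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30

; User rights: an empty assignment removes "Access this computer from the
; network" from every group, so a valid password alone cannot be used over
; the wire. Terminal Services still works because it checks "Log on
; locally", here limited to the local Administrators group (S-1-5-32-544).
[Privilege Rights]
SeNetworkLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544

; Services: "name",startup type,DACL. Startup 4 = Disabled. The DACL gives
; Administrators (BA) full control, Authenticated Users (AU) read/query,
; Power Users (PU) start/stop. RpcSs (port 135) and TermService (3389) are
; deliberately NOT listed, so they keep their current startup type.
[Service General Setting]
"RemoteAccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"Spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"seclogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

Apply it at a command prompt with `secedit /configure /db C:\ids.sdb /cfg C:\ids.inf /log C:\ids.log`, then confirm the result with `netstat -an`, which should show only ports 135 and 3389 in the LISTENING state; re-running `secedit /analyze` against the same database later shows whether any setting has drifted.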

Comments
  • asa
    6 years ago
    Apr 25, 2006

    good
