jamesreddy

asked on

Block P2P programs and certain types of files...

Best solutions out there for blocking P2P programs (since they use port 80 these days, blocking port 80 is the only option for firewalls...but then Internet is gone too).  I'd like to hear what everyone else is using.  Naturally I'd prefer freeware...cheapware.  I use an application called TerminatorX now which is pretty effective for blocking these types of programs, but I'm looking for a more centrally controlled application.

Also...best practices out there for blocking downloadable EXE, SCR, and other "at risk" files that can cause viruses and such.  I'm familiar with a lot of it, but I am looking for ideas out there since this changes every year.  I'd love some feedback.  I run a network for a private college and these students keep me busy.  I need to crack down on it with more effective tools.  Was wondering what you all are using.

Thanks in advance!

James
trywaredk

Best method is to log on as guest user - it's builtin

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

Builtin and predefined groups in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/lsm_local_groups.asp

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal

Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za

Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm 

Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view

The Internet Connection Firewall Can Prevent Browsing and File Sharing
http://support.microsoft.com/default.aspx?scid=kb;en-us;298804
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/ 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
CC Proxy is an easy-to-use proxy software
http://www.youngzsoft.net/ccproxy/

BlackICE PC Protection and Firewall
http://blackice.iss.net/product_pc_protection.php
Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html
jamesreddy

ASKER

Ok ok...hold on folks.  We have a firewall, but firewalls do not block Kazaa.  Kazaa uses port 80 now so firewalls will not help.  If you block port 80, it will have no effect.  Adaware is for spyware...not P2P programs (I use the professional version religiously).  The proxy software might be a possibility.  What about ISA Server?  Does ISA have the capability of blocking specific file types from being downloaded?  Logging on as a guest user is out of the question.  My users require more access than guest users can offer.  They require local administrative access for the systems.  The systems are locked down pretty tight...group policy pretty much controls most of what is available to them, but we have laptops that I have less control over and I need a central point to control what they can and can't download.

I'll check into the proxy software...but the rest of these so far are for different problems.
Comparing Microsoft Security and Acceleration (ISA) Server 2000 and Windows Xp Internet Connection Firewall
http://www.microsoft.com/isaserver/techinfo/planning/isaicfcompare.asp
ASKER CERTIFIED SOLUTION
Rich Rumble
You can unpack the tar.gz file with
http://www.ultimatezip.com/
Hey Rich...

You're right about the links thing....your post had much more of what I am looking for.

You're on the money on some of it, however, our school policy states (right in the student handbook) that all data within any computer located on school property is the sole property of the school, so we have a little more flexibility for student-owned laptops.  I create the image for those laptops and then load them to the student's laptops.  What we cannot do is remove local administrator access.  I have played with permissions until I was blue in the face, but SOME programs will not work without having full administrator privileges.  Sure, I was able to get some to work by giving out full access to a certain directory, but many of the programs being used require much more than that...so removing local admin rights is not an option.

Unfortunately, I do realize an application layer firewall would solve my problem, but as I am sure you know....school....budget.....etc, etc.  I nearly had the school biting on a product last year called IPrism, a content filtering appliance, but that died when I brought up the price.

I do have an "agreement" that pops up on every PC and laptop prior to login that has a list of our acceptable use policy that they must click OK to prior to entering a username and password.  It says "By clicking OK, you are acknowledging and agreeing to these terms and conditions of use."  So, legally...I can prosecute or do whatever I need (and have in the past).  Problem is...some people still don't care and I'm trying to force policies on them since they don't.

I did just come up with some alternate ideas...like a program called Webwasher which is a client-side application that is free to educational institutions.  It's an option, but of course, I would always prefer a centrally managed option. I kind of wish someone out there had a halfway decent content filtering list to plug into explorer or something.

We do have Symantec Anti-Virus Corporate.  Viruses have never been a problem.  My problem is that even though I've installed the Windows Installer & disabled registry editing tools, there are still some programs that can be harmful that do not modify the registry nor do they use the Windows Installer.  

This other post from tryware might be an option but I'd still need an option to block certain file types.  If I have to enable it on the local PC, so be it...although I'd prefer something centrally managed....

RICHRUMBLE..."What trywaredk fails to realize"

I don't want to argue with you, because you are a qualified expert  - no doubt about that -  and I agree with you, you are providing explanations, and I was not ...

Some questioners want explanations, some questioners want links to instructions they can use. Maybe JAMESREDDY was using proxy software, or was using another proxy software, but could be inspired by one of my links above. Who knows - I don't - only JAMESREDDY knows?

:o) Keep on with your excellent explanations. All of us can use them, to learn more about windows security.

I'm sorry if I went off... I just cleared through 2 tons of spam this morning... and had a flash back ;) My apologies.

Understood james... I'm not up on AD like I should be... but in NT/2k dayz we used to have a logon script that ran, and it called an exe that would inventory "installed" programs with their version numbers date time etc... and each person that logged in, this batch file made a txt file that contained the list of that information. Then we had a perl script parse that info looking for our "hit-list" and then mailing us when it found programs not suited for our environment. I'm not sure if AD has that ability natively or not... or can use the netlogon scripts anymore... but as you said, not all these programs are "installed" or make changes to the registry. bah!

The iptables link is a step fwd, it has a DROP feature, so that once p2p is detected, all packets bound in or out are dropped when a stream is matched.

Again, we did have the problem you are faced with, but didn't have the policies written up. We were able to "punish" because we were in the corporate environment, and honestly, to do the work they needed to do, all they needed was what we provided on our image. We allowed them to do extra things with their PCs as a privilege. Now if you can't say to them- "My image contains all that you need" then locking them down is probably out of the question. I do like ZoneAlarm for its process locking/blocking features... but it can be quite chatty...and isn't centrally managed.

I'll keep looking... this seems to be a common question, but everyone's needs are different... I too wish that there were a cheap alternative to these situations- there may be... I just need to find it
-rich

Well, for 90% of the students, my image DOES contain all that they need.  In fact...I've given most users a fifty meg network drive and completely denied local access to the C drive.  It's the LAPTOPS...I hate the laptops.  So far, web washer is all that I've found.  Upon downloading it, I discovered it can also act as a server if you use a proxy for Internet users.  We don't, but that can be easily changed.  It's an option anyway.  Just want to see what other ideas were out there.  :)
Ok...how bout this.  Is there a program or method to determine WHAT websites these users are visiting?  Rich, you mentioned having a script that would log all installed applications.  I have a similar script that runs that logs all users who log into a machine, what time they logged on, etc.  What about a script that would monitor all URLs entered into IE.  It's a lousy option, but at LEAST if I knew what they were typing in, I could block it in the Content Advisor.
Yes- IE's history file... permissions can be set on it so that they cannot delete their url history. Now with a different browser... it's going to be a little different... but still most keep a history file. You could have that file copied in your logon script or what have you. What I was doing was a real hack :) I used an exe from a computer game, it told me what I needed to know in a text file, then I copied that txt file off into a dir for each user. There are calls you can make to windows to get this info, I just didn't know them at the time.

Programs like spIE are all over the place: http://www.pcworlddownload.com/internet/monitoring/spIE.htm

Although not free... hackerwacker is a good product that can be centrally managed: http://www.hackerwacker.com/highacad/default.htm
HWAE offers optional central database logging, unlike HWPE...

I use snort for everything I need to monitor on the network, so I'd create a rule that pulled out each IP's visits on port 443 and port 80- that way I don't have to go to IT and tell them, hey install hacker wacker or make a script that copies their URL history... but that's just me :)
-rich
I prefer the radical way:

You could create a GPO which only allows listed programs ("word.exe", "excel.exe", ...) to execute.

When a user tries to open a program ("kazaa.exe") he gets a "forbidden by administrator".

But there's a snag:

If users figure out how to rename "kazaa.exe" to "word.exe" they could run it ...
(but most users never figure it out :-)
Actually Berni...I am considering that option already.  It seems to be viable.  I have a list of about 20 programs that would need to be run by the user, and I could easily do a GPO for it.  Also....my users do not have access to the C drive.  So if I were to specify the full path name of word, they would have to figure out how to copy kazaa.exe into the Program Files directory (which is on the denied C drive), then rename it.

My problem is really the laptops.  Lap PCs are under control.  Your option is one that I already informed the teachers I will be implementing this week.  What I need is a program like Rich is discussing that I can find how to limit users web access.  So far, the Content Advisor is all I've got.  TerminatorX is pretty good as long as I know what I want blocked.  I guess I'll just have to stick to that.  It was only $250.00 for a site license.  It would be better than implementing a Content Advisor policy that would require more typing.

I might have to check out spIE though.  Haven't heard of that one.
RICHRUMBLE..."I just cleared through 2 tons of spam this morning"

SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
JAMESREDDY... "We have a firewall, but firewalls do not block Kazaa."

Some don't, but a PIX firewall does...

Blocking Peer-to-Peer File Sharing Programs with the PIX Firewall
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801e419a.shtml#c4

***quote***
FastTrack is the most popular P2P network around today. P2P file sharing applications such as Kazaa, KazaaLite, Grokster and iMesh all use this network and connect to other hosts using any open TCP/UDP port to search and download files, making filtering them with an access list impossible.

Note: These applications cannot be filtered with a PIX firewall.

To effectively filter these applications, use NBAR on your outside router (or any router between the source host and the Internet connection). NBAR can match specifically on connections made to the FastTrack network and can either be dropped completely or rate-limited.

A sample IOS-router NBAR configuration to drop FastTrack packets appear as shown below:

class-map match-any p2p
   match protocol fasttrack file-transfer *
policy-map block-p2p
   class p2p
      drop
!--- The drop command did not become available
!--- for use until Cisco IOS Software Release 12.2(13)T.
!--- See the Release Notes for more details.

***end of quote***
Did you read that?  "Note: These applications cannot be filtered with a PIX firewall."

We have a PIX firewall 515 series and an external Cisco Router 1600 and an internal Cisco 2500 series router.  The NBAR command is a router based command and only became available a year ago.  Our router is several years old and we do not have a support contract any longer to get the new IOS software.

We have plenty of equipment and if there was any way to use this equipment to get this done, I'd have done it a long time ago.  :)
Note: These applications cannot be filtered with a PIX firewall.

To effectively filter these applications, use NBAR on your outside router
well - I know - you can't, but it's the solution
JAMESREDDY... It says "By clicking OK, you are acknowledging and agreeing to these terms and conditions of use."

Make a logonscript that monitors the use of HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\, and log in on your server.

Then setup a txt-file with the subkeys you can accept

When done, allow only domain admin write permissions to the txt-file, and domain users write permissions to the logfiles, and change your logonscript to delete the rest of the subkeys you don't want.

That doesn't remove the p2p, but logs it, and disturbs the users with the ActiveX dialog.

It could be done with windows scripting host.


Not a bad idea trywaredk.  Might have to check into that as well.
Yes - and you could maybe do a lot more work, and from the subkey of HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units, delete the same subkey in HKCR\CLSID and the corresponding ocx's or dll's

For example, if you find a subkey that you do not allow, like
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000} then find the value of the ocx-file in HKCR\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InprocServer32

But be careful and double-check before deleting in HKCR\CLSID, you could harm the system, because the subkey {D27CDB6E-AE6D-11CF-96B8-444553540000} in this example is the Macromedia Flashplayer.
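The audit half of the logon-script idea in the posts above (compare the Distribution Units subkeys with an approved list and log the rest), as an added Python example that is not code from the thread. It only reports and never deletes keys; the allowlist file format, log layout, host and user names, and every sample entry except the Flash Player CLSID quoted above are constructed assumptions.

```python
import re
import sys

DIST_UNITS = r"SOFTWARE\Microsoft\Code Store Database\Distribution Units"
GUID = re.compile(r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")

# Constructed allowlist file: one subkey per line, '#' starts a comment.
SAMPLE_ALLOWLIST = (
    "# approved ActiveX distribution units\n"
    "d27cdb6e-ae6d-11cf-96b8-444553540000   # Flash Player (CLSID from the thread)\n"
)
# Constructed subkey names standing in for what a laptop might report.
SAMPLE_INSTALLED = [
    "{D27CDB6E-AE6D-11CF-96B8-444553540000}",
    "{11111111-2222-3333-4444-555555555555}",
    "Example Toolbar Control",
]


def normalize(name):
    """GUIDs become upper-case '{...}'; other subkey names are left as-is."""
    name = name.strip()
    match = GUID.match(name)
    return "{%s}" % match.group(1).upper() if match else name


def load_allowlist(text):
    """Parse the approved-subkeys text file into a case-insensitive set."""
    approved = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            approved.add(normalize(entry).upper())
    return approved


def audit(installed, approved, resolve=lambda clsid: None):
    """Return (subkey, file path or None) for every unapproved subkey."""
    findings = []
    for subkey in installed:
        key = normalize(subkey)
        if key.upper() not in approved:  # registry key names ignore case
            findings.append((key, resolve(key)))
    return sorted(findings, key=lambda item: item[0])


def format_log(stamp, host, user, findings):
    """One tab-separated line per finding, ready to append to a server log."""
    return ["%s\t%s\t%s\t%s\t%s" % (stamp, host, user, key, path or "-")
            for key, path in findings]


def enumerate_units():
    """Windows only: list the subkeys under Distribution Units."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DIST_UNITS) as key:
        return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]


def resolve_inproc(clsid):
    """Windows only: file named by HKCR\\CLSID\\<clsid>\\InprocServer32, if any."""
    import winreg
    try:
        return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                 "CLSID\\%s\\InprocServer32" % clsid)
    except OSError:
        return None


if __name__ == "__main__":
    approved = load_allowlist(SAMPLE_ALLOWLIST)
    if sys.platform == "win32":
        found = audit(enumerate_units(), approved, resolve_inproc)
    else:
        found = audit(SAMPLE_INSTALLED, approved)
    print("\n".join(format_log("2004-03-23 10:15", "LAB-LT07", "jjones", found)))
```

Resolving the InprocServer32 path in the log lets the administrator see which file a CLSID belongs to before deciding anything, which is the double-check the post asks for.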
trywaredk thanks for the spam tips- but it's not my place to ask these guys to use filtering on their servers- and I'm on so many distribution lists it's impossible- I have lots of accounts all over- and... frankly I don't want to set the stuff up on my box ;)

Our cisco rep has alluded to us, that p2p blocking and dropping is making its way on to the pix firewalls. Coming soon, to a firewall near you... Probably this summer. I'd get around the registry- all you need is the program files... it doesn't have to be installed correctly to function. That terminatorX program looks to be right up your alley... I wonder if it logs to the local machine, either in the event viewer or to a file when a program is found... if so your scripts can check or copy that...

Anyway... I've been thinking through out the day about this- as well as many many occasions before.
1) You want to monitor when a violation is occurring- and who is doing it.
2) You want to block that violation quickly, and with little foot-work.
3) You want central logging of these events  (is that about right... please add to this if there is more)

Snort- is free, the hardware isn't- but it wouldn't take much to get it up and running- linux can use some very old hardware well. Snort can alert you by a number of ways... email pager sms etc... it also can take care of #3 as it logs all the matches in its database.
2 is a little trickier- especially for your laptops I assume. Your others... AD and the GPO that is discussed above may do the trick- you said you were contemplating that idea already- I don't know much of AD yet. Your laptop users may need an agent on them to "baby-sit" while they aren't on your network, I'm not sure the gpo goes with them or not... sorry- someone will know better than I.

Snort rules are quite easy to write, and even to keep false positives from bogging you down.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)

Write your own for .scr
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Possible Virus-Screen_saver"; flow:to_server,established; content:".scr"; classtype:virus;)

When FP's are encountered- you improve your rules... that .scr rule may trigger some FP's... you could then get more specific and make better or more defined rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Possible W32.MyPower"; flow:to_server,established; content:"ZIP.scr"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mypower@mm.html; classtype:virus;)
It's an undertaking to say the least- and I wouldn't blame you for looking for another solution- however, for the interim it's equipped with some very nice rules and features from the start... thresholding has given me a new respect for snort- Instead of telling me that 22 p2p connections have been for this one host- if I set the threshold to 4 or 5, I'll only see 4 or 5 alerts instead of 22- it will also keep the database smaller. The thresholds can be set per rule, or apply to all at once.

I think you should also pay more attention to the violators- as they are most likely to do it over and over. I maintain that you need a punishment of some type to show them you mean business... but something else occurred to me today.
Say you catch Jimmy Jones with gnutella, you VNC or RemoteDesktop your way on to his pc and remove the program. You can log jimmy's username in a file- and when he logs on to his pc, or even another's, he can receive a "special" message pop-up semi tailored for him.
%username% , Your activities are being monitored more closely this week
since we found you were in violation of school acceptable usage policy. This
policy can be read at :%url to web-site with your policies% . Your probation
will remain in effect until %violation_date + 6% . Further violations will result
in loss of admin-rights or possible disciplinary actions.

Something to that effect, I think you can catch on. I used to use "net send" messages to people I found in violation along with my telephone and email address- so that they could contact me if it wasn't a good time for ME to remove the program, and search for others on their PCs ;)
GL!
-rich
Hehe.  Hear, hear Rich.  And yes...occasionally I use LanGuard to manually go searching for stuff on the network that doesn't belong.  I also keep a log of who logs into what systems.  That way, if I ever see that something has been installed, I can find a creation date for the file (last modified, etc) and track it down to the user who was logged in at the time.  And yes, I have had several students suspended...one expelled for violating policy.  But it's kind of like murderers Rich....they KNOW before they do it it's against the law...they KNOW if they are caught it means prison or death, but they do it anyway.  And even though you catch them, in the end, someone else still got hurt as a result of their actions.  Same thing applies here so I want to put as many preventative measures in place as possible.

You are making me think seriously about snort.  I have the server hardware...that's not a problem.  Will snort run on Windows Server 2003?  Or must I have Linux?  While I'm a big proponent of Linux, I'm not anxious to learn the intricacies of it at the moment.  I've barely got these bloody Macintosh systems down.  Also, my programming skills are minimal.  Snort seems to rely a lot on programming your own variables into it...that might be a problem for me.

What information can you throw at me regarding snort?  Websites to look at?  I'd be interested in giving it a test run...

James
RICHRUMBLE..."I'm on so many distribution lists it's impossible- I have lots of accounts all over- and... frankly I don't want to set the stuff up on my box"

Softscan is only great if it's your own email-server. The issue is, that Softscan is "hiring" your email-domainname, so that anybody who's sending email to you and your users, doesn't send it to you, without knowing it, they send it to Softscan, who stops spam and virus, and only send the rest to your firewall and emailserver. You can logon to Softscan and manage the filtering.

It works great for me, because it stops about 55% of all email to us, but it doesn't work with email accounts owned by other companies like @yahoo.com
RICHRUMBLE..."2) You want to block that violation quickly, and with little foot-work"

To JAMESREDDY... If you want that, you can use this free tool to manipulate the laptops with your script.

PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml


http://www.snort.org/
Snort does run on win32... I haven't tried on 2003, but it does on every other windows iteration- so I don't see why not. Hmm interesting- http://accessories.us.dell.com/sna/ProductDetail.aspx?TabPage=overview&sku=A0277464&c=us&l=en&cs=04&page=external
It's the packet inspecting firewall- or as snort calls it "inline ids"- 5 grand and it still has the same problem I have with snort inline ids... not much throughput... ah well- regular snort has yet to fail us. There is a book coming out maybe next month, Snort 2.1... 2.1 has some great features that are making it harder for its competitors to ignore. If you were going to get a book to "bone-up" on snort... I'd wait for that one, as snort has changed much this year.  But to let you get an idea of snort quickly- http://www.securitydocs.com/41/1  http://www.snort.org/docs/  are great sources.

Writing the rules is not too tough for just some general alerting- and there are 5-10 different ways to trigger the same alert most times... But your typical rule breaks down like this
Example
alert tcp $HOME_NET 25 <> $EXTERNAL_NET any (msg:"Possible Virus-Screen_saver"; flow:to_server,established; content:".scr"; classtype:virus;)
Typically you're most concerned with the "content" portion of the rule- not always, but for our purposes, you are. The < > are saying any direction, if it were <- this rule would look for connections coming from any port on the public side, to port 25 on your internal network. It's pretty simple if you look at it for a few minutes.
Finding the "content" to look for can be tricky, and you can specify it in HEX or in Text, probably other ways also... anyway get out your trusty sniffer, ethereal or whatever... and have a look at what Kazaa is sending as it signs on or as it begins a DL... you do that a few times, then you can see where the similarities are and choose the ones you think are most unique... that way you avoid FP's. You wouldn't want to just use "GET" or "PUT" as your content, unless you had some more to go on... it's really worth a look and to play around with...

snort 2.1 book
http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/qid=1079917057/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/104-9631291-7410352?v=glance&s=books&n=507846

I've got to go... I'll check back tomorrow... i need to get my doc's up on a web page...
-rich
You could always have their logon script delete any of the p2p directories.
A little more about snort...
It comes with some very good rules, right off the bat. For your immediate purposes, you won't need 80% of them... but they are worth looking at, and learning from. You simply comment out rules you don't need- or erase them... they can always be dl'd from the site again, or you exclude them from loading in snort.conf ....

How about this as a possible solution. Process snap-shot logging. Every minute (or whatever interval you decide) this program could take snapshots of the running processes and place them in a txt file. Your logon scripts could DL these to a depository separated how ever you wish, by username, pc name etc...

Now windows has the program available for this, and you could schedule the task ;) Assign permissions to the task and the txt file so that the user's can't touch the stuff. Even if the laptop users were away... you'd be able to see their process activity at various intervals.

oh... man I always forget how useful those resource kits are: ) http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/instaler-o.asp (could put that in startup)
but this is the one I had in mind when I said the above:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/pulist-o.asp  it is easily "batched"- even says so on that page ;)

Again, I realize that is only documenting the issue- not stopping it. For that I guess I'd look at the GPO idea more... and some other program like ZA that can look at a list of processes and act on the new ones. ZA is free, but it is also chatty... and you'd need to password protect it... headaches bah!
It's pretty risky and a nasty hack, so I got to say it;) you could batch rkill.exe "rkill \\servername process.exe" and then schedule it to run... ugly right?

I dunno... I'm running out of ideas. What would be even cooler, is that if you used the pulist.exe and it dumped its txt file at the scheduled time, another scheduled task could parse through looking for key words such as kazaa or napster... then if it found them, could send an email to you, and or do a net send to the local pc with some statement... "Kindly remove %var% as it is strictly forbidden to use or install on SCHOOL PROPERTY, James has been notified, he's the man you know..." something to that effect. I just like the net send- it so freaks the users out... hell I think I'll set that one up, but use my name instead of yours.
GL!!
-rich
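The snapshot-parsing step from the post above (and the earlier "hit-list" script), as an added Python example that is not code from the thread: it reads collected process listings, flags hit-list programs, and groups sightings per user and host. The pulist-style column layout, the host_timestamp.txt file naming, the hit-list terms and all sample rows are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical hit-list of process-name fragments that violate policy.
HIT_LIST = ("kazaa", "napster", "gnutella")

# Constructed snapshots, keyed by an assumed "<host>_<timestamp>.txt" name.
SAMPLE_SNAPSHOTS = {
    "LAB-LT07_20040323-1015.txt": (
        "Process             PID  User\n"
        "Idle                0\n"
        "System              8\n"
        "winlogon.exe        176  NT AUTHORITY\\SYSTEM\n"
        "explorer.exe        1204 CAMPUS\\jjones\n"
        "Kazaa.exe           1560 CAMPUS\\jjones\n"
    ),
    "LAB-LT07_20040323-1020.txt": (
        "Process             PID  User\n"
        "explorer.exe        1204 CAMPUS\\jjones\n"
        "Kazaa.exe           1560 CAMPUS\\jjones\n"
        "napster.exe         1712 CAMPUS\\jjones\n"
    ),
    "LAB-PC12_20040323-1015.txt": (
        "Process             PID  User\n"
        "explorer.exe        980  CAMPUS\\asmith\n"
        "WINWORD.EXE         1100 CAMPUS\\asmith\n"
    ),
}

# Process name, numeric PID, optional account; the header row has no numeric PID.
ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)(?:\s+(?P<user>\S.*))?$")


def parse_snapshot(text):
    """Return (process, pid, user) tuples from one snapshot listing."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append((match["name"], int(match["pid"]), match["user"] or ""))
    return rows


def find_violations(snapshots, hit_list=HIT_LIST):
    """List every hit-list process seen, with host and snapshot time."""
    hits = []
    for filename in sorted(snapshots):
        host, _, stamp = filename.rsplit(".", 1)[0].rpartition("_")
        for name, pid, user in parse_snapshot(snapshots[filename]):
            # Name match only: a renamed binary will not be caught here.
            if any(term in name.lower() for term in hit_list):
                hits.append({"host": host, "when": stamp, "user": user,
                             "process": name, "pid": pid})
    return hits


def summarize(hits):
    """Group hits per (user, host) so repeat sightings stand out."""
    grouped = defaultdict(lambda: {"programs": set(), "snapshots": set()})
    for hit in hits:
        entry = grouped[(hit["user"], hit["host"])]
        entry["programs"].add(hit["process"].lower())
        entry["snapshots"].add(hit["when"])
    return {key: {"programs": sorted(val["programs"]),
                  "snapshots": len(val["snapshots"])}
            for key, val in grouped.items()}


def build_notice(user, host, programs):
    """Text for the e-mail to the administrator (sending is left out)."""
    return "%s on %s is running: %s" % (user, host, ", ".join(programs))


if __name__ == "__main__":
    report = summarize(find_violations(SAMPLE_SNAPSHOTS))
    for (user, host), info in report.items():
        print(build_notice(user, host, info["programs"]),
              "(seen in %d snapshots)" % info["snapshots"])
```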
I'll need some time to test out some of these this week.  I'm going to get started tomorrow or Thursday.  I'll let you know.  Thanks for the extra info.
Well...snort is out.  It won't even start up properly under Windows Server 2003.
That's too bad... It works well on 2k server and XP pro I've setup both... wonder why.  what sort of errors do you get? and what version of snort. if you don't want to pursue troubleshooting snort let me know. I might try and throw it on 2k3 today.
-rich
The first error was about WinPcap, but I downloaded and installed that successfully.  Then I got the following:

"The procedure entry point PacketGetNetInfo could not be located in the dynamic link library packet.dll."

I've gone with an aftermeasure...since preventative measures were seemingly out of the question.  I've discovered a program that can log all activity and upload those logs to a server where I can create a script to go through and search for key words for things that are a no, no.  Things like the IE history file are being uploaded and open programs, and even every key typed in (key logger).  The suggestions were much appreciated, and I will split the points down the middle between you rich, and tryware.

I still may try some more of your suggestions later.  Thanks gentlemen.

James
:o) Glad we could help you - thank you for the points