[ISN] REVIEW: "Honeypots for Windows", Roger A. Grimes

InfoSec News isn at c4i.org
Fri Sep 16 05:04:54 EDT 2005

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKHNPTWN.RVW   20050614

"Honeypots for Windows", Roger A. Grimes, 2005, 1-59059-335-9, U$39.99
%A   Roger A. Grimes roger at banneretcs.com
%C   2560 Ninth Street, Suite 219, Berkeley, CA   94710
%D   2005
%G   1-59059-335-9
%I   Apress
%O   U$39.99 510-549-5930 fax 510-549-5939 info at apress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1590593359/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/1590593359/robsladesin03-20
%O   Audience i+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   392 p.
%T   "Honeypots for Windows"

Now, we all know that honeypots can be fun: turning the tables on the
blackhats, and watching what they are doing for once.  We'll even
acknowledge that the information honeypots provide can be useful,
teaching us the types of approaches and activities that intruders are
likely to undertake.  But Grimes, in the introduction, stresses the
position that honeypots are important security tools used for
protection: that the extensive employment of honeypots will somehow
"put an end" to script kiddies and the myriad attacks we see flying
around the nets.

Part one is about general honeypot concepts.  Chapter one is an
introduction to honeypots, looking at different honeypots and some
common attack types, and has an extremely terse mention of the fact
that there are risks associated with using honeypots.  Components and
simple topologies for honeypots are listed in chapter two.

Part two moves specifically to Windows honeypots.  Chapter two lists
the ports that a Windows computer typically has open, and provides
some (but not much) information on how the major ones work.  A set of
questions to ask yourself about how you want to operate and configure
your honeypot are in chapter three, along with generic advice about
hardening the computer if you use Windows as the native operating
system.  There is a table of services that you might want to turn off. 
There is also an inventory of programs you may wish to remove: it
contains rather dated entries such as edlin.exe, but doesn't mention
items such as tftp.exe.  Chapters five to seven are concerned with the
honeyd program and its Windows port, first in regard to description
and installation, then configuration options, and finally service
scripts.  Other honeypot programs; Back Officer Friendly (BOF),
LaBrea, SPECTER, KFSensor, Patriot Box, and Jackpot; are outlined in
chapter eight, with the commercial entries getting the bulk of the

Part three deals with the operation of honeypots.  Chapter nine has
some basic traffic analysis information, mostly documentation for the
use of the Ethereal packet sniffer and the Snort intrusion detection
system.  A number of tools for monitoring your system are listed in
chapter ten.  Even though the title is "Honeypot Data Analysis," most
of chapter eleven records more monitoring tools.  Grimes reprises some
of his stuff from "Malicious Mobile Code" (cf. BKMLMBCD.RVW), and adds
a catalogue of assembly tools, to talk about analysing such code in
chapter twelve.

As a compilation of utilities, the book will probably be a handy
reference for those who are interested in trying out a honeypot, or
possibly just getting more information from their Windows computer. 
Network administrators who are seriously interested in actually
running a honeypot or reviewing the data thus collected should
probably look into "Know Your Enemy" (cf. BKKNYREN.RVW) or "Honeypots"
(cf. BKHNYPOT.RVW), both by Spitzner.

copyright Robert M. Slade, 2005   BKHNPTWN.RVW   20050614

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
A hundred years from now it won't matter the kind of house I
lived in, what my bank account total was, or the kind of car I
drove.  But the world may be different because I was important in
the life of a child.                                   - Joyce Eyman
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

More information about the ISN mailing list