[Dshield] Windoze Questions...

Laurie Kennedy cblmaint at cblptyltd.com.au
Fri Feb 13 03:25:51 GMT 2004

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Friday, February 13, 2004 12:26 AM
Subject: [Dshield] Windoze Questions...

> As I have said several times before, I am not a Windows expert and we use
> few Windows machines in our shop. Thus, I have a few questions about Windows
> security from a Unix perspective.
> Questions:
>   2) Anyone running SNORT under Windows? Any comparison to how it runs
> under *nix?

I have been running the Windows version of Snort for over a year on a Win
2000 PC. You can load it up as a basic Windows service if you use IDScenter
and something like WinSnort2HTML. The latest RCs for IDScenter even have an
option for running it 'inline'. The setup can be a bit of a pain, but if you
play around a bit with the configuration, you can usually get it operating
successfully. It uses the same rule set as Linux Snort. I don't use the
Linux version of Snort (I like to keep my internal data server clean and
'dumb'), so I cannot offer any comparison. I've also had a look at Nuzzler
Basic Edition from SecurePoint. It is more like a packet sniffer with a
built-in IDS that operates off rules similar to Snort. You have to register
it to get full access to all of the options.

>   4) About the Windows encrypted file system... if someone gets Admin
> privilege on a system using the encrypted file system, can they disclose or
> compromise data that would normally be protected?

Probably, but if the data cannot get out of the local network and past your
hardware firewall, the security breach won't succeed.

>   6) Finally, Windows firewalls... Is Zone Alarm still considered the best
> for Windows? What are the strengths and weaknesses of the firewall built
> into Win/XP?

I use Zone Alarm Pro, and the hardware firewall connects to the Zone Alarm
website before DNS servers are allocated by my ADSL provider. It did not
detect the unauthorised internal program access referred to in my previous
'Unauthorised program access' post, and I don't let anything access the
internet without my intervention (it may seem mindlessly pedantic, but it
works, as CBL hasn't let anything get out, or in for that matter, for quite
a while now).

Most Windows PCs on my network have at least Mailwasher, anti-virus and a
software firewall running in the background, and Ad-aware/full AV scans
every week. The important machines have two different anti-virus programs
running (Vet and RAV) plus ISP-supplied AV and spam filtering. I back up all
of the Windows mail/docs etc. to their home directories on the Linux SMB
server once a week and scan with RAV (Linux) every day (I can go directly to
any machine that has problems and clean it without worrying about the
others). Windows viruses cannot run in Linux, and vice versa. I can
understand why MS purchased RAV, because it does an extremely thorough job
in both Windows and Linux, especially with Windows mail files.

> TIA for all answers!
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214

Laurence N. Kennedy
Competency Based Learning
