Security Tips

On this page are tips for securing your Windows HoneyBOT. These tips are not presented in any particular order, and some may be optional for your individual situation.


Computer Selection

Install HoneyBOT on a dedicated system or virtual machine. Running HoneyBOT on a production system is strongly discouraged.


Patches

You should protect your computer by updating your system with service packs and software patches.


Firewall

A firewall will prevent unsolicited connections from reaching your computer. Your firewall rules will need to be relaxed in order to allow HoneyBOT to accept incoming connections. If you have not disabled Windows services then you should block them at the firewall.


Disable Windows Services

You should disable any Windows services that are not required for the machine to operate as they offer an attacker a possible avenue of attack. HoneyBOT cannot listen on a port that is already in use by a Windows service. Some of the services that you may choose to disable include: Messenger, ClipBook, COM+, FTP Publishing, SMTP, SNMP, TCP/IP NetBIOS Helper, Telnet, WWW Publishing.


Disable SMB (CIFS)

SMB provides name resolution, network browsing and printing services over TCP/IP. To disable SMB, open the Network Connections window, right-click the adapter, select Properties, and uninstall Client For Microsoft Networks and File And Printer Sharing. Note that this may break browsing and sharing files on the local network.


Disable NetBIOS (NBT)

SMB services may also be provided over NetBIOS. To disable NetBIOS, open the Device Manager window, select Show Hidden Devices, expand Non-Plug And Play Drivers and disable NetBios Over Tcpip. Note that this may break browsing and sharing files on the local network.


Disable RPC

It is possible to disable RPC by modifying the registry, but removal will leave your machine unstable.


Take a Baseline

Before starting HoneyBOT, take a baseline of the current listening services. In the following example the only service enabled is RPC. Accordingly, this service is being blocked at the firewall.

C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1128
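
A baseline is most useful when a later capture is compared against it. The Python script below is an added example, not part of HoneyBOT or the original page: it parses saved netstat -ano output and reports listeners that appeared or disappeared since the baseline. The second capture (PID 2040, its ports and the remote address) is constructed for illustration.

```python
# Added example: compare two saved `netstat -ano` captures.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1128
"""

# Constructed capture: what the table might look like with a honeypot running.
CURRENT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1128
  TCP    192.168.1.10:80        203.0.113.5:51544      ESTABLISHED     2040
  UDP    0.0.0.0:69             *:*                                    2040
"""

def parse_listeners(netstat_text):
    """Return a set of (proto, local_address, pid) for listening sockets."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # prompt, banner, column header or blank line
        if fields[0] == "TCP":
            # TCP rows: Proto, Local, Foreign, State, PID
            if len(fields) == 5 and fields[3] == "LISTENING":
                listeners.add(("TCP", fields[1], int(fields[4])))
        elif len(fields) == 4:
            # UDP rows have no State column: Proto, Local, Foreign, PID
            listeners.add(("UDP", fields[1], int(fields[3])))
    return listeners

def port_of(local_address):
    """Extract the port; rpartition also copes with IPv6 forms like [::]:135."""
    return int(local_address.rpartition(":")[2])

def diff_baseline(baseline_text, current_text):
    """Listeners added or removed relative to the baseline, sorted."""
    base, cur = parse_listeners(baseline_text), parse_listeners(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

if __name__ == "__main__":
    for proto, addr, pid in diff_baseline(BASELINE, CURRENT)["added"]:
        print(f"new listener: {proto} port {port_of(addr)} (PID {pid})")
```

Any added listener whose PID does not belong to the honeypot process is worth investigating before the machine is exposed.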


Remote Monitoring

If you are monitoring your honeypot via a remote desktop program, then you should change the default listening port to a random high-numbered port.

