TELECOM Digest OnLine - Sorted: Book Review: "Honeypots for Windows", Roger A. Grimes

Book Review: "Honeypots for Windows", Roger A. Grimes

Rob Slade (
Thu, 18 Aug 2005 10:38:36 -0800


"Honeypots for Windows", Roger A. Grimes, 2005, 1-59059-335-9, U$39.99
%A Roger A. Grimes
%C 2560 Ninth Street, Suite 219, Berkeley, CA 94710
%D 2005
%G 1-59059-335-9
%I Apress
%O U$39.99 510-549-5930 fax 510-549-5939
%O Audience i+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 392 p.
%T "Honeypots for Windows"

Now, we all know that honeypots can be fun: turning the tables on the
blackhats, and watching what they are doing for once. We'll even
acknowledge that the information honeypots provide can be useful,
teaching us the types of approaches and activities that intruders are
likely to undertake. But Grimes, in the introduction, stresses the
position that honeypots are important security tools used for
protection: that the extensive employment of honeypots will somehow
"put an end" to script kiddies and the myriad attacks we see flying
around the nets.

Part one is about general honeypot concepts. Chapter one is an
introduction to honeypots, looking at different honeypots and some
common attack types, and has an extremely terse mention of the fact
that there are risks associated with using honeypots. Components and
simple topologies for honeypots are listed in chapter two.

Part two moves specifically to Windows honeypots. Chapter two lists
the ports that a Windows computer typically has open, and provides
some (but not much) information on how the major ones work. A set of
questions to ask yourself about how you want to operate and configure
your honeypot are in chapter three, along with generic advice about
hardening the computer if you use Windows as the native operating
system. There is a table of services that you might want to turn off.
There is also an inventory of programs you may wish to remove: it
contains rather dated entries such as edlin.exe, but doesn't mention
items such as tftp.exe. Chapters five to seven are concerned with the
honeyd program and its Windows port, first in regard to description
and installation, then configuration options, and finally service
scripts. Other honeypot programs; Back Officer Friendly (BOF),
LaBrea, SPECTER, KFSensor, Patriot Box, and Jackpot; are outlined in
chapter eight, with the commercial entries getting the bulk of the

Part three deals with the operation of honeypots. Chapter nine has
some basic traffic analysis information, mostly documentation for the
use of the Ethereal packet sniffer and the Snort intrusion detection
system. A number of tools for monitoring your system are listed in
chapter ten. Even though the title is "Honeypot Data Analysis," most
of chapter eleven records more monitoring tools. Grimes reprises some
of his stuff from "Malicious Mobile Code" (cf. BKMLMBCD.RVW), and adds
a catalogue of assembly tools, to talk about analysing such code in
chapter twelve.

As a compilation of utilities, the book will probably be a handy
reference for those who are interested in trying out a honeypot, or
possibly just getting more information from their Windows computer.
Network administrators who are seriously interested in actually
running a honeypot or reviewing the data thus collected should
probably look into "Know Your Enemy" (cf. BKKNYREN.RVW) or "Honeypots"
(cf. BKHNYPOT.RVW), both by Spitzner.

copyright Robert M. Slade, 2005 BKHNPTWN.RVW 20050614

====================== (quote inserted randomly by Pegasus Mailer)
In theory, there is no difference between theory and practice,
but, in practice, there is. - Jan L.A. van de Snepscheut or

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: USTelecom dailyLead: "SBC Picks Motorola, S-A For Set-Tops"
Go to Previous message: Dante Chinni: "Journalism's Fear and Loathing of Blogs"
TELECOM Digest: Home Page