Issue 1: Security Configuration

Wireshark starts a Windows service (titled “NPF Service”) which enables network traffic sniffing on the Windows OS it is running on. This service continues to run after the Wireshark software has been shut down. It will continue to run (and can be used to sniff network traffic) until the machine is shut down or rebooted. How would I be able to shut down the NPF service upon exiting Wireshark?

Issue 2: Data Confidentiality

Wireshark exports (.pcap-based Packet Capture files) often contain sensitive information such as routing information, IP addresses, as well as cipher capabilities (found in handshakes for encrypted protocols) and should be protected as much as possible throughout their lifetimes. How can they be securely protected, since they may contain confidential information?

asked 07 Feb '13, 07:48 easye609
edited 07 Feb '13, 07:49
2 Answers:
Issue 1: By stopping it manually from an elevated DOS box (sc stop npf).

Issue 2: By encrypting it with your preferred tool (e.g. those mentioned by @Jasper).

BTW: Honestly, those 'findings' are 'level three' findings that usually go into a report only if nothing serious was found in an audit ;-)) I have seen similar things, as some (not so clever) customers are not happy to hear that there is no serious problem in their environment. They prefer to get a 'result' for the money they spent :-)) Well, obviously they get what they ask for.

Explanation:

Issue 1:
Well, yes. But how hard would it be to simply start Wireshark a second time to capture data?? So, NPF is not the problem. The real problem is that 'something' (malware) or someone (a bad user) would be able to misuse the NPF service. In both cases it's not the NPF service that poses a risk. It's the fact that either of the two (malware, bad user) has access to that system, which is probably due to a bigger security problem in your environment. So, the 'finding' of the auditor implies that it is possible to misuse the NPF service, but he/she does not explain why this would be possible and how to protect against those risks ;-))

Issue 2:
Well, yes. That's the purpose of a network troubleshooting tool and it is absolutely obvious that you need to properly protect that information. Unfortunately the 'auditor' mentioned only things that are totally uncritical.

Come on, that's all 'publicly' available information that needs no protection at all. He/She forgot to mention the more interesting things:

So, please ask your 'auditor' why he/she demands to protect irrelevant information, while he/she did not mention the things that really need protection !??! Or just forward my answer to him/her and ask for a comment :-))

Regards

answered 07 Feb '13, 08:18 Kurt Knochner ♦
edited 07 Feb '13, 16:57
answered 07 Feb '13, 07:52 Jasper ♦♦
Just a thought: you need admin privileges to start/stop the service. That means the script will run with admin privileges as well and then start Wireshark with the same privileges. That would destroy the privilege separation.
Okay, then maybe a three-step process... two batches for starting and stopping the service (or one with a pause key between start and stop). And Wireshark, started by icon as usual.
Hmmm, third party software tends to create more problems than it fixes where I work, unfortunately. Any ideas that may not require third party software?
What do you mean by third party software? A batch script is a system tool. Or do you mean Wireshark?
I was referencing your solution to my second problem.
Though a batch script may also pose issues, since it would have to execute with higher privileges than the user who wants to use Wireshark, since in most cases they do not have admin privileges.
Well, if you're concerned someone is capturing information while not being allowed to, but you need Wireshark installed nonetheless, you need to decide which way to go.
As long as Wireshark is installed, it's either NPF running and a user with non-admin rights can capture, or an admin has to run things anyway.
If you don't want NPF running, an admin has to be there to start and stop it to allow a user to capture when he is supposed to.
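The following PowerShell script is an added example, not code from the original thread or from the Wireshark project. It implements the "three-step" approach discussed in the comments above in the way that keeps privilege separation intact: an administrator runs this script, which starts the NPF service, then waits for the user's own Wireshark session (started from the icon with the user's normal privileges, exactly as in the comment above) to end, and then stops NPF again, which is the scripted equivalent of the `sc stop npf` from the answer. The script deliberately does not launch Wireshark itself, because a process started from the elevated script would inherit admin rights. The service name `npf`, the process name `Wireshark` (for Wireshark.exe), the default install path and the five-minute grace period are assumptions, not facts stated on the page.

```powershell
# Added example (not part of the original thread): elevated half of the
# "three-step" approach. Run this from an elevated PowerShell prompt; the user
# starts Wireshark from its icon as usual and keeps non-admin privileges.
#
# Assumptions (not stated on the page): the service is named 'npf' (the name
# used with `sc stop npf` above), Wireshark's process name is 'Wireshark'
# (Wireshark.exe), and 5 minutes is enough for the user to open Wireshark.

param(
    [string]$ServiceName         = 'npf',
    [string]$ProcessName         = 'Wireshark',
    [int]   $StartupGraceSeconds = 300
)

# Start-Service/Stop-Service on NPF need administrator rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell prompt.'
}

# Make sure the service does not come back on its own at the next boot
# (the WinPcap installer offers to start it automatically; Manual = on demand).
Set-Service -Name $ServiceName -StartupType Manual

if ((Get-Service -Name $ServiceName).Status -ne 'Running') {
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(10))
}
Write-Host "$ServiceName is running; the user can now start Wireshark normally."

try {
    # Wait (bounded) for a Wireshark process to appear ...
    $deadline = (Get-Date).AddSeconds($StartupGraceSeconds)
    while (-not (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) {
            throw "No $ProcessName process started within $StartupGraceSeconds seconds."
        }
        Start-Sleep -Seconds 2
    }
    # ... then for every Wireshark process to exit.
    Get-Process -Name $ProcessName | ForEach-Object { $_.WaitForExit() }
}
finally {
    # Runs on normal exit, on the timeout above and on Ctrl+C, so NPF is never
    # left running after Wireshark has been closed.
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(10))
    Write-Host ("{0} service is now {1}." -f $ServiceName, (Get-Service -Name $ServiceName).Status)
}
```

Before and after a session, `Get-Service npf` (or `sc query npf` from the elevated DOS box mentioned in the answer) shows whether the driver service is actually stopped. The caveat from the comments still applies: while the script holds the service open, any process on that machine with permission to open the NPF device can capture, so this only narrows the window in which capturing is possible; it does not restrict who may capture during it.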