Requirements

  • A server or Virtual Machine running Windows 2016 Server TP5 (the “Server”).
    • 8GB of RAM or more required.
  • Make a note of the public IP address of your Server
  • Create an account at threatstop.com

Installation

Caution:

Copying/pasting the installation script is preferred because Windows 2016 prevents direct execution of downloaded scripts unless security restrictions are relaxed.

  1. Log into your Windows 2016 Server as an Administrator.
  2. Download the Windows Server 2016 Installation Script text file.

  3. Open PowerShell ISE using Run as administrator:
    1. Click on the Start Menu.
    2. Right-click on Windows PowerShell ISE.
    3. From the More menu, select Run as administrator.
    4. Click the New page icon on the toolbar to create a new PowerShell file.
  4. Paste the contents of the text file into the PowerShell window.

  5. Execute the script by clicking the green Run Script arrow on the toolbar. You will be prompted to enter the public IP address of your Server.

    Note:

    The public IP address to use can be determined by visiting: http://www.threatstop.com/cgi-bin/validip.pl

    If necessary, the DNS Server role will be enabled on your server. This step may take a few minutes to complete. A reboot is not required.

  6. Wait a few moments for the installation to complete. The full ThreatSTOP package will be downloaded and extracted to C:\ThreatSTOP, and setup tasks will be performed.

  7. When setup is complete, a message similar to the following will be displayed:

    ThreatSTOP DNS Policy Setup completed at 07/04/2016 23:22:51

About your Installation

The installer creates a new directory located at C:\ThreatSTOP. This directory contains useful files and scripts:

  • ThreatSTOP.ini – this is the configuration file for your ThreatSTOP service. Modify this file when changing the name of your ThreatSTOP policy.
  • Setup.ps1 – re-run this file (as Administrator) after making changes to your ThreatSTOP.ini configuration file.
  • UninstallTS.ps1 – run this script (as Administrator) to remove the ThreatSTOP service. Note that the uninstaller removes all DNS policies and Scheduled Tasks for ThreatSTOP but does not remove the C:\ThreatSTOP directory from your server. You may wish to delete this folder manually after uninstalling. The DNS Server role is not changed or removed when running this script.

Register Your Device at threatstop.com

Adding a device to ThreatSTOP is a straightforward process. To add a device to ThreatSTOP:

  1. Log in at https://www.threatstop.com.
  2. Click on Devices.
  3. If you have an available seat the + Add Device icon will display. Click on this icon to continue.
  4. The Edit Device window pop-up will display.
  5. Enter a Nickname for the device (we recommend a description of the device, or the network name of the device).
  6. Select the Manufacturer of the device. For Windows Server 2016, this should be set to Microsoft.
  7. Set the Model (the type of device being installed). In this case, Windows Server 2016.
  8. Set the IP Type (Static or Dynamic) used by the device. Set this to Static.
  9. The IP Address of the device. The device address to use can be determined by visiting: http://www.threatstop.com/cgi-bin/validip.pl from the Windows 2016 Server.
  10. In the Location dropdown select the country you reside in. This is an optional field.
  11. If your country uses Postal or ZIP Codes enter yours in the Postal Code field. This is an optional field.
  12. Select the DNS firewall policy you wish to run the device under, this will default to a ThreatSTOP provided policy, but a custom policy can be used.
  13. Click Next.
    A message offering help with adding your DNS firewall policy to your device will appear. Clicking here or Rules will take you to this help page. Clicking Done will return you to the ThreatSTOP portal.
  14. Click Done.

Testing your ThreatSTOP installation

Note:

bad.threatstop.com is included in our policies specifically for testing purposes.

A DNS response of Query Refused indicates that your ThreatSTOP DNS policies are working correctly. Open a command window and run a localhost lookup on bad.threatstop.com.

C:\Users\user>nslookup bad.threatstop.com localhost

*** Unknown can't find bad.threatstop.com: Query refused

Customizing Your ThreatSTOP DNS Firewall Policy

Policies combine target lists to define the Fully Qualified Domain Names (FQDNs) to which communications are regulated. Unlike a traditional IP firewall, a DNS Firewall regulates outbound traffic only; it does not regulate inbound traffic. Attempts to contact regulated domains can be adjusted to meet predefined behaviors; by default ThreatSTOP provides four settings (respond with no such domain, drop all communications, don't provide data, or pass data through). Creating a custom DNS firewall policy is covered in ThreatSTOP DNS Firewall. For this guide we will only be setting up a very basic custom DNS firewall policy. Custom block and allow lists are covered in User-Defined Domains and should be set up before proceeding through this setup.

Warning:

Your account will need to be flagged by our Sales team as a DNS Firewall account. To verify that your account has DNS Firewall functionality:

  1. Login to the portal at https://www.threatstop.com
  2. Click on Policies & Lists
  3. Verify that the DNS FW Policy tab is visible. If it is not, please contact our Sales team and let them know.

To set a DNS Firewall Policy:

  1. Click on Policies & Lists towards the top of the window.
  2. Click on the DNS FW Policy tab.
  3. Click on + Add Policy.
    The Create Policy pop-up will appear.
  4. Enter a name for your new policy in the Policy name field.
  5. Type a brief description of your policy in the Description field. This will help you focus on what you are looking to accomplish with your policy.
  6. Determine the type of policy that you would prefer. Standard or Expert. Toggle the usage mode appropriately.
  7. Locate and tick the boxes next to the target lists, and user defined domains you want to Block from communicating with your network.

    Caution:

    If you load only user defined domains, and these do not include bad.threatstop.com the testing method used above will fail.

    Additionally, User-Defined Lists of IP addresses will not work with a Windows Server 2016 DNS firewall out of the box. An additional IP firewall will need to be added, or a BIND server will need to be added and used as the primary resolver.

  8. Once you have your DNS firewall policy defined to your liking click Submit.
    This will add your policy name to the Policy field in the device setup section.

    Note:

    Changes to an established policy will take about 15 minutes to propagate and take effect.

  9. Open the C:\ThreatSTOP\ThreatSTOP.ini file and update the TSZoneName value to your new policy name:

    TSZoneName=<RPZ Zone name retrieved from device settings>

Note:

It is not necessary to run C:\ThreatSTOP\Setup.ps1 if only the policy name has changed. The new policy will be used upon the next scheduled refresh. If you wish to force an immediate refresh, you can run C:\ThreatSTOP\Setup.ps1 (as Administrator).

Using ThreatSTOP and Configuring your Clients

Clients and network devices that you wish to protect will need to be configured to use the private IP address of the Windows Server 2016 TP5 Firewall as their DNS server. Alternatively, you can configure your DHCP server to provide this information to clients automatically.

Caution:

This is not necessarily the IP address established in step nine of Register Your Device at threatstop.com. It is more than likely that you will need to use the private IP address of your Windows 2016 Server, or to configure your Active Directory domain controller to use the Windows 2016 DNS server for DNS.

View the Contents of a Policy

The file C:\ThreatSTOP\Utilities.ps1 contains sample PowerShell commands for viewing your DNS policies and block lists.

Scheduled Tasks

Note:

Scheduled task execution time is randomized by Windows by a few minutes.

Open Windows Task Scheduler to see the three tasks created by ThreatSTOP:

  • ThreatSTOP_policyrefresh – updates your ThreatSTOP DNS policies with current threats.
  • ThreatSTOP_exportDNSlog – exports a log of blocked requests to your export folder (as specified in your ThreatSTOP.ini configuration)
  • ThreatSTOP_uploadDNSlog – uploads your ThreatSTOP logs to the ThreatSTOP portal for analysis and reporting.

Event Viewer

ThreatSTOP logs events in the standard Windows Application Log. Use Event Viewer and look in the Source column for ThreatSTOP to view logged events. For example, every time your DNS policies are updated you will see an entry similar to the following:

Policies updated. Last TS pol: ThreatSTOPblock14

ThreatSTOP DNS policies are created in blocks of 1000. So a message of “Last TS pol: ThreatSTOPblock14” indicates that there are approximately 14,000 block rules in effect.

Troubleshooting Installation

  1. Check the Event Log for error messages.
  2. You may also view C:\Windows\System32\dns to see the ThreatSTOP zone files. The modified date on your current ThreatSTOP policy will update each time your DNS server refreshes its policy.
  3. Use the Utilities.ps1 script to check the contents of your ThreatSTOP policy blocks.
  4. If you encounter PowerShell permissions restrictions, you may need to change the execution policy using Set-ExecutionPolicy.

    Set-ExecutionPolicy RemoteSigned

  5. Contact ThreatSTOP for assistance. We’re happy to help!
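The checks above (the bad.threatstop.com lookup, the three scheduled tasks, the ThreatSTOP entries in the Application log and the zone files under C:\Windows\System32\dns) can be run together from one elevated PowerShell session. The following function is an added example, not part of the ThreatSTOP package or its Utilities.ps1; it assumes the default install path and event source named on this page, and that the zone file names begin with ThreatSTOP.

```powershell
# Added health check for a ThreatSTOP Windows Server 2016 DNS firewall install.
# Not part of the ThreatSTOP package. Assumes the defaults described on this page
# (C:\ThreatSTOP, event source "ThreatSTOP", tasks named "ThreatSTOP_*") and that
# the zone files in C:\Windows\System32\dns are named ThreatSTOP* (an assumption).
function Test-ThreatStopInstall {
    param(
        [string]$TestDomain = 'bad.threatstop.com',  # included in every ThreatSTOP policy for testing
        [string]$Resolver   = '127.0.0.1'            # the DNS server on this host
    )
    $result = [ordered]@{}

    # 1. Package present?
    $result.IniPresent = Test-Path 'C:\ThreatSTOP\ThreatSTOP.ini'

    # 2. Policy test: the firewall must answer "Query refused" for the test name.
    #    2>&1 folds stderr in so the match works wherever nslookup prints the line.
    $lookup = & nslookup $TestDomain $Resolver 2>&1 | Out-String
    $result.TestDomainRefused = [bool]($lookup -match 'Query refused')

    # 3. The three scheduled tasks created by the installer.
    $tasks = @(Get-ScheduledTask -TaskName 'ThreatSTOP_*' -ErrorAction SilentlyContinue)
    $result.TasksFound   = $tasks.Count
    $result.TasksEnabled = @($tasks | Where-Object { $_.State -ne 'Disabled' }).Count

    # 4. Most recent "Policies updated" event from the ThreatSTOP source.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ThreatSTOP' } `
               -MaxEvents 50 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -like '*Last TS pol: ThreatSTOPblock*' } |
           Select-Object -First 1
    $result.LastPolicyUpdate = $null
    $result.ApproxBlockRules = 0
    if ($evt -and $evt.Message -match 'ThreatSTOPblock(\d+)') {
        $result.LastPolicyUpdate = $evt.TimeCreated
        # Policies are created in blocks of 1000 rules, so block N means roughly N*1000 rules.
        $result.ApproxBlockRules = [int]$Matches[1] * 1000
    }

    # 5. Age of the newest zone file; it should move with every policy refresh.
    $zone = Get-ChildItem 'C:\Windows\System32\dns' -Filter 'ThreatSTOP*' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $result.NewestZoneFile = if ($zone) { $zone.Name } else { $null }
    $result.ZoneFileAge    = if ($zone) { (Get-Date) - $zone.LastWriteTime } else { $null }

    [pscustomobject]$result
}

Test-ThreatStopInstall | Format-List
```

A healthy install shows TestDomainRefused True, TasksFound 3, a recent LastPolicyUpdate and a ZoneFileAge under the refresh interval; a False or zero in any field points at the matching troubleshooting step above.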