Saturday, February 23, 2008

Microsoft Protocols Programs

Thanks to Robert Graham for pointing out that Microsoft has started a Protocols Program. The program includes thousands of pages of documentation (in .pdf format, w00t) divided into categories such as the Microsoft Communications Protocol Program (MCPP, for "server software that interoperates with Windows desktop operating systems") and the Microsoft Work Group Server Protocol Program (WSPP, for "server software that interoperates with Microsoft Windows server and desktop operating systems to provide file, print, and user and group administration services").

I am frankly astounded by the number of documents available. Windows_Communication_Protocols.zip and Windows_Server_Protocols.zip are 314 MB total.

I am probably going to follow the recommendations in [MS-DOCO]: Windows Protocols Documentation Roadmap, which outlines what to read and in which order. That means starting with [MS-PROTO]: Windows Protocols Overview and [MS-SYS]: Windows System Overview. Documentation like this is a boon for anyone who develops protocol analyzers, network security inspection systems, or filtering products, and security analysts and reverse engineers will want to read this material too.

7 comments:

Anonymous said...

Hopefully this helps me be able to better analyze SMB sessions... Thanks for the link!

Is there anything you do differently when analyzing attacks involving the SMB protocol?

shadow said...

It's a dream come true for Analysts anywhere! Finally a decent glimpse into the world of MS protocols... Haven't looked at the data yet, but I sure hope that it lives up to the description. Good find Richard!

oledb said...

Isn't this mainly a concession by MS to the EU? It's not like they volunteered this up, they were implicitly forced to.

Richard Bejtlich said...

oledb,

Doesn't matter to me -- I'm just glad to see the docs.

Andrew Yeomans said...

I think it's a good move, and reading the documentation is free, but it looks like you will be nickel-and-dimed for any commercial use of the protocols. See Royalty Report Sample. And that's not to mention your lawyers' fees.
