Version: v1.4.0

Install CrowdSec (Windows)

CrowdSec Installation

You can download the MSI file from the latest GitHub release.

warning

If you previously installed an alpha release of CrowdSec on Windows, you will need to uninstall it first, or you will likely end up with a non-functioning installation.

The MSI file will perform some basic setup:

  • Installation of CrowdSec
  • Download of the Windows collection. This includes the basic parser for the Windows event log, a scenario to detect login brute force and the MMDB files used for geo-IP enrichment.
  • Registering your CrowdSec installation with our Central API.
  • Installation of the Windows service for CrowdSec. The service will start at boot time.

Unlike on Linux, CrowdSec does not yet support automatic configuration at installation time on Windows. If you want to detect anything other than RDP or SMB brute force, you will need to customize your acquisition configuration.

The default configuration will catch brute force attacks against RDP and SMB, or any other kind of remote login that uses Windows authentication.

We currently support the following Windows services:

  • RDP/SMB: Brute force detection
  • IIS: HTTP attacks
  • SQL Server: Brute force detection
  • Windows Firewall: Network scan detection

These directories are created:

  • C:\Program Files\CrowdSec: Contains the crowdsec.exe and cscli.exe executables
  • C:\ProgramData\CrowdSec\config: Contains all the configuration files
  • C:\ProgramData\CrowdSec\log: Contains the various log files of CrowdSec and the bouncers
  • C:\ProgramData\CrowdSec\data: Contains the CrowdSec database (if using SQLite) and the various data files used by the scenarios and parsers
  • C:\ProgramData\CrowdSec\hub: Contains the hub data

Acquisition Configuration

As CrowdSec is not able to auto-detect running services on Windows, you will need to configure the acquisition manually.

SQL Server logs

You will need to install the crowdsecurity/mssql collection.

The collection contains a parser for the SQL Server authentication logs and a scenario to detect brute force.

To install the collection, open an administrator PowerShell prompt and run cscli.exe collections install crowdsecurity/mssql.

You will then need to update the acquisition file located in C:\ProgramData\CrowdSec\config\acquis.yaml and add the following:

---
source: wineventlog
event_channel: Application
event_ids:
  - 18456
event_level: information
labels:
  type: eventlog

Restart the CrowdSec service (using net, sc or the Services app), and CrowdSec will now parse the SQL Server authentication logs.

info

This scenario requires SQL Server to log failed authentication attempts, which it does by default.

IIS Logs

You will need to install the crowdsecurity/iis collection.

The collection contains a parser for the IIS W3C log format (with the default fields) and another collection containing all the basic HTTP scenarios.

To install the collection, open an administrator PowerShell prompt and run cscli.exe collections install crowdsecurity/iis.

If your IIS setup logs to a file, add the following to your acquisition configuration (C:\ProgramData\CrowdSec\config\acquis.yaml):

---
use_time_machine: true
filenames:
  - C:\\inetpub\\logs\\LogFiles\\*\\*.log
labels:
  type: iis

Please note that use_time_machine is very important: by default IIS flushes its logs to the file every minute, or whenever 64 kB of log data is pending.

This means CrowdSec sees a batch of lines at the same time, which can lead to false positives (a minute of ordinary traffic looks like a burst of requests).

The use_time_machine parameter makes CrowdSec use the timestamp present in each line, instead of the time of acquisition, as the date of the event.

If your IIS logs to the Windows event log instead, add the following to your acquisition configuration:

---
source: wineventlog
event_channel: Microsoft-IIS-Logging/Logs
event_ids:
  - 6200
event_level: information
labels:
  type: iis

Restart the CrowdSec service (using net, sc or the Services app). CrowdSec will now parse your IIS access logs.

Windows Firewall

You will need to install the crowdsecurity/windows-firewall collection.

The collection contains a parser for the Windows Firewall logs and a scenario to detect port scans.

To install the collection, open an administrator PowerShell or command prompt and run cscli.exe collections install crowdsecurity/windows-firewall.

You will also need to enable Windows Firewall logging. The official Microsoft documentation is available here.

Update the acquisition configuration in C:\ProgramData\CrowdSec\config\acquis.yaml and add the following:

---
filenames:
  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
labels:
  type: windows-firewall

Restart the CrowdSec service, and CrowdSec will now parse the firewall logs.
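The three procedures above (SQL Server, IIS log files and Windows Firewall) follow the same pattern: install the collection, append a YAML document to acquis.yaml, restart the service. The following PowerShell script is an added example, not part of the CrowdSec documentation or project; it does all three in one idempotent pass and also turns on the firewall logging the windows-firewall parser depends on. It assumes the default paths shown on this page, that the CrowdSec service is registered under the name crowdsec, and that all three services run on the host (drop the entries you do not need).

```powershell
$cscli   = 'C:\Program Files\CrowdSec\cscli.exe'
$acquis  = 'C:\ProgramData\CrowdSec\config\acquis.yaml'
$service = 'crowdsec'   # assumed service name; confirm with Get-Service

# acquis.yaml holds several YAML documents separated by '---'. Per source:
# the hub collection, a string unique to its document (so a re-run never
# appends it twice) and the document itself, with the nesting YAML needs.
$sources = @(
    @{ Collection = 'crowdsecurity/mssql'; Marker = '- 18456'
       Lines = '---', 'source: wineventlog', 'event_channel: Application',
               'event_ids:', '  - 18456', 'event_level: information',
               'labels:', '  type: eventlog' }
    @{ Collection = 'crowdsecurity/iis'; Marker = 'inetpub\\logs'
       Lines = '---', 'use_time_machine: true', 'filenames:',
               '  - C:\\inetpub\\logs\\LogFiles\\*\\*.log',
               'labels:', '  type: iis' }
    @{ Collection = 'crowdsecurity/windows-firewall'; Marker = 'pfirewall.log'
       Lines = '---', 'filenames:',
               '  - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log',
               'labels:', '  type: windows-firewall' }
)

# The firewall parser only sees what Windows writes: log dropped packets on
# every profile, to the same path the acquisition document points at.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

$current = if (Test-Path $acquis) { [string](Get-Content $acquis -Raw) } else { '' }
foreach ($src in $sources) {
    & $cscli collections install $src.Collection
    if ($current.Contains($src.Marker)) { continue }   # already configured
    $doc = "`r`n" + ($src.Lines -join "`r`n") + "`r`n"
    # AppendAllText writes UTF-8 without a BOM, so none lands mid-file
    [System.IO.File]::AppendAllText($acquis, $doc)
    $current += $doc
}

# The mssql scenario needs SQL Server to emit event 18456 on failed logins
# (on by default); warn if this host has never logged one.
if (-not (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 18456 } `
              -MaxEvents 1 -ErrorAction SilentlyContinue)) {
    Write-Warning 'No event 18456 in the Application log yet'
}

Restart-Service -Name $service
& $cscli metrics   # Acquisition Metrics: lines read and parsed per source
```

After the restart, the Acquisition Metrics table from cscli metrics should list each configured source with a growing "lines read" count; a source that stays at zero is not being fed.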

info

Because the Windows Firewall operates in stealth mode by default, not all dropped packets are logged: only those intended for a port on which a service is listening. This means that CrowdSec will not catch every network scan.

Please note that we DO NOT recommend disabling stealth mode.

Other services

Almost all service types supported on Linux should also be supported on Windows, as long as the parser does not expect logs in syslog format (for example, MySQL or Apache will work, but SSH will not).

Windows Firewall Bouncer Installation

Now that you have CrowdSec up and running, it is time to install a bouncer to actually block the IP addresses that are attacking your server.

We will use the Windows Firewall bouncer, which manages a set of Windows Firewall rules to drop traffic from the IP addresses blocked by CrowdSec.

You can download either an MSI (containing only the bouncer) or a setup bundle (containing the bouncer and the .NET 6 runtime) from the GitHub releases: https://github.com/crowdsecurity/cs-windows-firewall-bouncer/releases

warning

The Windows Firewall Bouncer requires the .NET 6 runtime. Install it before running the bouncer or use our setup bundle to install it with the bouncer.

The runtime can be downloaded from Microsoft. Choose the "Console App" download.

warning

If you installed the previous alpha release that was distributed from https://alpha-packages.crowdsec.net/, you must uninstall the previous version first.

When you run the MSI file, the bouncer automatically registers itself with CrowdSec and creates a Windows service that runs at boot and starts the bouncer.

The bouncer works by adding a number of rules to the Windows Firewall (one rule per thousand blocked IPs).

The names of those rules begin with crowdsec-blocklist; you should not update or delete them manually.

They are created automatically when the bouncer starts and deleted when it stops.

Manual configuration

If you install the bouncer before CrowdSec, you will need to perform some manual steps.

First, you will need to create an API key for the bouncer.

To do so, open an administrator PowerShell or command prompt and run cscli.exe bouncers add windows-firewall-bouncer. This will display an API key.

Add this key to the bouncer configuration file located at C:\ProgramData\CrowdSec\bouncers\cs-windows-firewall-bouncer\cs-windows-firewall-bouncer.yaml.

When done, enable the cs-windows-firewall-bouncer service and start it.
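The manual steps above as one PowerShell script, added here as an example and not taken from the CrowdSec project. It assumes the paths and service name given on this page, that this cscli version accepts -o raw on bouncers add (printing only the key), and that the bouncer's YAML stores the key under api_key.

```powershell
$cscli   = 'C:\Program Files\CrowdSec\cscli.exe'
$cfg     = 'C:\ProgramData\CrowdSec\bouncers\cs-windows-firewall-bouncer\cs-windows-firewall-bouncer.yaml'
$service = 'cs-windows-firewall-bouncer'

# Register the bouncer and capture its key. "-o raw" is assumed to print only
# the key; Out-String keeps this robust if cscli ever returns several lines.
$key = (& $cscli bouncers add windows-firewall-bouncer -o raw | Out-String).Trim()
if (-not $key) { throw 'cscli returned no API key (is that bouncer name already registered?)' }

# Replace the api_key line in place (key name assumed from the bouncer's
# default config) and leave every other setting untouched.
$yaml = Get-Content -Path $cfg -Raw
if ($yaml -notmatch '(?m)^api_key:') { throw "no api_key entry found in $cfg" }
$yaml = $yaml -replace '(?m)^api_key:.*$', "api_key: $key"
[System.IO.File]::WriteAllText($cfg, $yaml)   # UTF-8, no BOM

Set-Service  -Name $service -StartupType Automatic
Start-Service -Name $service

# Verification: the bouncer should appear with a recent last pull, and the
# crowdsec-blocklist rules described above should exist shortly afterwards.
& $cscli bouncers list
Get-NetFirewallRule | Where-Object {
    $_.DisplayName -like 'crowdsec-blocklist*' -or $_.Name -like 'crowdsec-blocklist*'
} | Select-Object Name, DisplayName, Enabled
```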