Deploying a specialized honeypot program such as KFSensor, HoneyPoint, or Honeyd offers many advantages (see "Intrusion detection honeypots simplify network security"). Such tools are easy to set up, can mimic a large network from a single host, and keep attackers from carrying out real exploits because they serve up emulated services rather than full ones. But any old computer -- or Cisco router, Ethernet switch, or control system, for that matter -- can serve as a useful early-warning system.
To use an old PC as a honeypot, start by removing any remaining data, user profiles, and applications (unless you want those applications to be part of your honeypot trap). Never leave real credentials or real data on it. I generally recommend that the computer receive the same patching and antimalware policies and software as the other computers in your environment; you want it to blend in. Remember that, unlike an emulated service, a full operating system is a genuinely compromisable host, so isolate it (a dedicated VLAN and restricted outbound access) so that a successful intrusion cannot use it as a pivot into the rest of the network. Then install any software that makes the honeypot attractive to snoops: Web server, SQL Server, FTP, SMTP, NetBIOS file sharing, and so on.
Finally, place the honeypot inside the perimeter, on segments that carry a lot of network traffic -- data centers, busy client segments, server farms, and the like. Traditionally, honeypots were placed in the DMZ or facing the Internet. For a business, honeypots provide the most value as early-warning systems when they are placed inside the protected perimeter. You want to know what malicious item has made it past the hardened exterior and into the soft, chewy center.
You should enable all logging on the honeypot computer, especially auditing of successful and failed logons and host firewall logging of both dropped and allowed connections (logging rather than silently blocking, so that every probe is recorded). You want to catch and alert on any attempted logons, pings, and enumeration activity. You will probably spend a day or two filtering out normal broadcast and exploratory traffic, such as DHCP broadcasts, NetBIOS broadcasts, and push or probe traffic from your antimalware management servers. After all the normal, expected probes are filtered out, you want to alert on every other item. Even the best hackers have to probe and explore an asset to learn how it can be compromised.
When an alert is generated, make sure someone responds and finds out why the source host is trying to touch a fake asset. Unlike your firewall logs, which are full of noise from events that are often legitimate, a properly filtered honeypot is worth its weight in gold: nothing legitimate should ever talk to it. Every connection attempt and probe needs to be explored.
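The filter-then-alert step above, as an added example that is not part of the original article: a small Python triage script that reads a Windows Firewall log (pfirewall.log field order), discards the expected background noise (broadcasts not addressed to the honeypot, DHCP, and a known management server), and summarizes everything else per source, flagging a source that touches several ports as enumeration. The log lines, the honeypot address 10.20.30.77, and the antimalware server 10.0.0.25 are constructed for the example.

```python
"""Triage a honeypot host's firewall log: drop expected noise, alert on everything else.

Added example; the sample log, addresses and threshold are constructed, not real data.
"""
from collections import defaultdict

# Field order of the Windows Firewall log; used when the log carries no #Fields header.
DEFAULT_FIELDS = (
    "date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"
).split()

# Constructed sample: two broadcasts, one management-server push, then one host
# pinging the honeypot and sweeping four ports. Not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:00:01 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2024-05-01 09:00:02 DROP UDP 10.20.30.44 10.20.30.255 137 137 78 - - - - - - - RECEIVE
2024-05-01 09:00:05 ALLOW TCP 10.0.0.25 10.20.30.77 51234 445 0 - 0 0 0 - - - RECEIVE
2024-05-01 09:01:10 DROP ICMP 10.20.30.91 10.20.30.77 - - 60 - - - - 8 0 - RECEIVE
2024-05-01 09:01:11 DROP TCP 10.20.30.91 10.20.30.77 40001 22 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:01:11 DROP TCP 10.20.30.91 10.20.30.77 40002 80 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:01:12 DROP TCP 10.20.30.91 10.20.30.77 40003 1433 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:01:12 ALLOW TCP 10.20.30.91 10.20.30.77 40004 445 0 - 0 0 0 - - - RECEIVE
"""

HONEYPOT_IP = "10.20.30.77"          # constructed honeypot address
EXPECTED_SOURCES = {"10.0.0.25"}     # hypothetical antimalware management server


def parse_log(text):
    """Return one dict per record; a '#Fields:' header overrides the column names."""
    fields = list(DEFAULT_FIELDS)
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-attribute columns
        records.append(dict(zip(fields, values)))
    return records


def is_expected_noise(rec, honeypot_ip, expected_sources):
    """The allowlist you build during the first day or two of tuning."""
    if rec["src-ip"] in expected_sources:
        return True   # management/antimalware servers legitimately touch every host
    if rec["dst-ip"] != honeypot_ip:
        return True   # broadcast/multicast (NetBIOS, DHCP discover) not aimed at us
    if rec["protocol"] == "UDP" and {rec["src-port"], rec["dst-port"]} & {"67", "68"}:
        return True   # unicast DHCP renewals
    return False


def build_alerts(text, honeypot_ip, expected_sources, enum_threshold=3):
    """Summarize every non-noise source: event count, protocols, ports, and
    whether it hit enough distinct ports to look like enumeration."""
    per_src = defaultdict(lambda: {"events": 0, "protocols": set(),
                                   "dst_ports": set(), "allowed": 0})
    for rec in parse_log(text):
        if is_expected_noise(rec, honeypot_ip, expected_sources):
            continue
        s = per_src[rec["src-ip"]]
        s["events"] += 1
        s["protocols"].add(rec["protocol"])
        if rec["dst-port"] != "-":          # ICMP records carry no port
            s["dst_ports"].add(rec["dst-port"])
        if rec["action"] == "ALLOW":        # a completed connection, not just a probe
            s["allowed"] += 1
    for s in per_src.values():
        s["enumeration"] = len(s["dst_ports"]) >= enum_threshold
    return dict(per_src)


if __name__ == "__main__":
    for src, s in build_alerts(SAMPLE_LOG, HONEYPOT_IP, EXPECTED_SOURCES).items():
        print(f"ALERT {src}: {s['events']} events, protocols={sorted(s['protocols'])}, "
              f"ports={sorted(s['dst_ports'], key=int)}, allowed={s['allowed']}, "
              f"enumeration={s['enumeration']}")
```

Everything that survives the allowlist is an alert, not just the enumeration-flagged sources; the flag only tells the responder which ones to look at first. Expand `EXPECTED_SOURCES` and the noise rules only for traffic you have positively identified as benign, never to quiet a source you have not explained.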