How To Avoid Viruses At Windows Install Time?

reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.

Here's a synopsis of my install method:

1. Put the Windows XP CD in the drive;
2. Disconnect the cable modem from the network card;
3. Reboot and install Windows;
4. The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
5. Reboot; Windows runs and all is well;
6. Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
7. Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
8. Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
9. Complete the Norton update and reboot;
10. Launch Windows Update;
11. Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.

That's as far I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1(continual rebooting).

So...how would you do it?"

If you can stand waiting...

[foidulus]

You can get a cd from microsoft(more info here that would have a lot of the updates you are looking for. You could also download it from your linux machine, and then do the whole installation offline.

Re:If you can stand waiting...

[XaviorPenguin]

There is another way. If you go to Autopatcher.com, you can download all of Service Pack 1 and pre-Service Pack 2 updates with all critical and recommended updates. It is a hefty download (300MB +) but it is worth it. It comes with:
-Direct X 9.0b + Updates
-XP Powertoys
-SP1 Critical and Recommended Updates
-Pre SP2 Critical and Recommended Updates
- + More

I use it and it is updated every month. Get it while you can!

Re:If you can stand waiting...

[phorm]

You could also download it from your linux machine, and then do the whole installation offline

Or better yet, use a morphix bootCD. You should be able to download the patches to Welchia et al directly (not using windows update), then reboot w/o the network cable in, patch, reboot, and you should be able to get the other less critical updates without being infected by RPC viruses.

Re:If you can stand waiting...

[LoneIguana]

You can access the windows update catalog here: http://v4.windowsupdate.microsoft.com/catalog/en/d efault.asp There you can get secruity updates for all versions of windows. You actually download them to your computer rather then installing them. You could download them on another computer burn them to a CD, then install before connecting to the internet. The only problem is you need a computer with IE. Maybe get a friend to burn it for you?

Re:If you can stand waiting...

[TPS+Report]

You can (with just a few mouse clicks) automatically create an up-to-date ISO of Windows XP/2000/2003 with XPCreate. It's a really nice utility.

Re:If you can stand waiting...

[zoloto]

DUDE THIS ROCKS!
Actually, what you can do is use Wine or WinEX and install Internet Explorer 5.5 from an old 5.5 installation CD on Linux,... download then burn to CD and you'll be great. I did that just now and i have to say thank you for the link.

It seems that any useful links, MS hides behind a rediculous naming scheme for some odd reason.

Thank you again, if I had MOD points, I'd certianly give them to you.

Re:If you can stand waiting...

[BollocksToThis]

The only problem is you need a computer with IE.

If you go to the Microsoft download center, you can download every patch with (almost?) any browser. I downloaded service pack 1 and every patch after that using nothing but Opera.

It was less convenient than using WindowsUpdate/IE, but it would still have worked on a linux machine. The best part is, when friends give me their computers to reinstall XP, I don't need to spend four hours downloading patches from scratch.

Re:If you can stand waiting...

[Condor7]

Autopatcher.com also has a Lite version and an UltraLite version.

The UltraLite version contains only Critical and Recommended updates, along with IE and Outlook patches, and weighs in at 89MB.

Re:If you can stand waiting...

[flatface]

300mb+? At what point does it stop being just updates and gives out the entire damn OS?

Re:If you can stand waiting...

[jonfelder]

That's not too different from the amount of patches you have to download after a fresh install of linux. Hell, when I loaded Suse 9.1, there were at least 100mb of updates already. If I installed a distro that was as old as XP I could very well see 300mb of updates.

Re:If you can stand waiting...

[ron_ivi]

Slightly exaggerating. Most of that space is all the updates to non-linux (the "GNU/" part of "GNU/Linux") that's part of SUSE.

Linux's updates shouldn't be more than a few megs, considering there are floppy-based distros where the whole distro fits in a meg or two.

Of course if by "Linux" you're counting Wine & MSFT-office-warez & more, you'd have more security updates than a core Linux distro.

Re:If you can stand waiting...

[jonfelder]

You're being awfully pedantic there. Yes, technically the updates to Linux (i.e. the kernel) are small. However, I'm sure if you just patch kernel32.exe or whatever the binaries for the kernel under windows are, the updates would be small too.

A system consisting of just the kernel and a few command line tools would be awfully boring and not a particularly fair comparison.

By "Linux" I'm referring to the kernel itself, along with X and the base applications that come along with gnome or KDE. Installing a distro with the base set of libraries, GUI, window manager, apps, etc that give a reasonable approximation of what you get with windows (no gimp, no koffice, etc) will require a considerable amount of downloading of patches if it's as old as XP.

Re:If you can stand waiting...

[jonfelder]

Sure. But *CAN* you do this?

Absolutely. Just install the hotfixes that pertain to kernel vulnerabilities.

But it's the *RIGHT* thing to do from a security point of view. If you're file-server is running X & Gnome & KDE & Wine & Kazaa, you're *BEGGING* for trouble.

While you can't avoid installing the gui and what not in windows, you can turn off almost all of the running services. Technically, not that I'd advise it, you could avoid running IE, Outlook Express, etc...and forgo patching them in a server environment. Just don't run any apps either.

The hard part about microsoft is that it's really hard to do that, since (as the article pointed out) the default install has everything with all the holes pre-installed and running.

So does a default install of many distros...ones as old as XP even more so.

I'm not a Microsoft advocate, I dislike Microsoft products for multiple reasons, but the size of the patches isn't one of them. All I'm saying is that when comparing a default (normal size) linux distro install to a default windows one, the amount of patches you need to install are similar.

Re:If you can stand waiting...

[ComaVN]

MD5 is weak in the sense that it is possible to create two files with identical hash. It's NOT possible (at the moment) to create another file that has the same hash as an existing one.

So, for this purpose, MD5 is adequate.

You're right about SHA being better though.

Re:If you can stand waiting...

Right click on a Microsoft update, then choose properties, then digital signatures.

I think you'll find they went one better and digitally sign every update with their private key.

Re:If you can stand waiting...

Friends? XP? You got some pretty dumb friends. Why do you Linux people help these losers?

My friends help me, I help my friends. It's not my decision what software they put on their computer, and when their courses dictate software that only runs under Windows, it's not my place to say "forget that, ditch your courses and use a MAN'S operating system".

Basically, I don't tell my friends to fuck off because I quite like having friends. I know how to fix their computer in a tenth the time or cost it would take them, they know how to do the same for my car, or my plumbing, or any of a hundred other things.

SP1 From CD

[The+Snowman]

When I install Windows it is behind a NAT firewall which helps (no open ports from the outside). The first thing I do is install SP1 from CD, next I update from Windows Update.

I recommend downloading SP1 and burning it in Linux, then using that CD to patch up the Windows box before connecting it to the network.

Re:SP1 From CD

[Malc]

The article submitter could just as easily have written "Can a home user install and update Linux without being attacked". It doesn't matter which OS you install, if it's out of date then you're vulnerable. I think the article is almost flamebait!

There are things the submitter could have done, like stopped all services that listen for connections. Ran Windows XP's firewall on their connection. Unbound Microsoft Networking Client from their NIC, etc. They could have booted up in safe mode with network support.

But the solution you offered is probably the best. I recommend to everybody these days that they run behind a cheap NAT box. It doesn't matter which OS you use, keep your computer off the internet! A NAT box is the simplest and not particulary expensive solution, and it'll leave you much safer and require less effort on the vigilance (note: I didn't no vigilance ;)).

We have incompetent IT guys at our place and Sasser is loose on the corporate LAN. We were trying to create a Win2K box but it kept rebooting. We just copied the patch for that over via CDRW, although the submitter could have downloaded everything they needed first from their Linux installation. In carpentry they always say "measure twice, cut once". This person didn't do enough preparation.

Re:SP1 From CD

[hawkeyeMI]

Are you sure your wife's not just a pr0n fiend?

Re:SP1 From CD

[TrixX]

All the linux update tools I know (apt, red-carpet, urpmi) run perfectly with the firewall up and at maximum paranoia level. So I could install, set my firewall to reject all incoming connections, and update; that would leave me vulnerable only to very basic level exploits (like some hypothetical hole in ICMP).

I've not used windows update, but the poster said it asked to lower the firewall, and I think that's a weak point.

Re:SP1 From CD

[msobkow]

I run behind a firewall as well. Last time I did a WinXP install (not that long, unfortunately), I had no problems.

But I don't install or enable any services during an initial installation, just the core OS. I don't do anything but install manufacturer's drivers before installing an anti-virus product.

After the anti-virus is fully updated, then I start dealing with Windows updates.

At no point have I ever had to disable hardware or software firewalls to install Windows updates. I have no idea why they continue to insanely recommend you remove all your security just to download updates -- you don't need to.

In fact, the only time I shut down the antivirus is during a disconnected defrag. And there is no way to disable the hardware firewall.

If you're connecting directly to the net with a Windows box, you're just getting what you deserve. Either hide it behind a hardware firewall, or accept the fact that you're just another spambot-in-waiting.

Easy

[daveschroeder]

Do the installation behind a personal NAT/firewall device.

(Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)

Re:Easy

[Phosphor3k]

OR turn on the windows XP firewall under the advanced tab on your network connection's properties before you plug the network cable in.

Re:Easy

[Josh_Borke]

or install zonealarm. and don't turn off the firewall. I've never had to turn off my firewall when doing any windows update.

I would update windows before updating the firewall, that way you don't have to worry so much about being shutdown while the firewall is down.

my .02

Re:Easy

[Otter]

OR turn on the windows XP firewall under the advanced tab on your network connection's properties before you plug the network cable in.

I've installed Windows once (98, several years ago) and even I know about turning the firewall on. Why?

Because this is at least the fouth freaking article Slashdot has run on this question!!!

(Remember the one that linked to an article about "Installing Windows Safely" and all the posts were "Instead of linking to a large PDF, why not tell people to just turn the firewall off?"?)

Re:Easy

[bcrowell]

Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.
Well, yeah, but c'mon, there are plenty of ways to do it without spending any extra money on hardware or software. Some possibilities:

• Use Lindows as a substitute for Windows.
• Wait for the next version of Windows. MS says they're making security a top priority now, so I'm sure the next version won't have any vulnerabilities.
• Run DOS -- I don't think anybody is writing viruses that can infect it.
• When your machine gets attacked, look at your log files to see where the attack came from, find out who their ISP is, and then send a polite letter by U.S. mail asking them to make their customer stop behaving badly. Repeat until all the bad, naughty machines are gone from the internet.
• Start your own internet. Only people you trust are invited to join it, and nobody is allowed to link it to the bad, old internet.
• Call MS tech support and ask for help.

OK, I admit that last one was a little silly.

Re:Easy

[caffeineboy]

EXCEPT that the stupid XP firewall service is not started when the interface is started. You have your ass in the wind every time the machine boots.

Its easy...

[CyberBill]

Leave the software firewall turned on if you can, if not, get a cheap Linksys Cable/DSL router, it will block all of those viruses.

I have to reinstall most of my family's computers when I go home, I made all of them have routers. :P

-Bill

Firewall

[jpaz]

Keep the firewalling on, no matter what Microsoft says. I've never had an instance where having a firewall turned on kept windowsupdate from working properly.

Re:Firewall

[orin]

This is absolutely correct. You can even use the simple Internet Connection Firewall that is built into Windows XP

Easy

[Masami+Eiri]

We do this all the time where I work.
Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
After installing, install the updates from the CD, then check windows update for anything else.

Probabl redundant at this point, but...

[__aavhli5779]

Yes, a firewall and/or NAT is all you really need. Evidently Norton Internet Security did not live up to its promise, which comes as little surprise to me, I must admit.

I've had success installing Windows XP and upgrading it with only Microsoft's Internet Connection Firewall enabled.

Odd

[The-Bus]

What about a router/firewall?

How do you get these worms? This sounds incredulous...

Re:Odd

[Patoski]

How do you get them? All the RPC Worms which currently inflict unpatched Windows NT based OSes is how. These worms do network sweeps and will find a vulnerable machine anywhere from a few seconds to a few minutes depending on the size of your network.

I recall one particular instance at work where an outside laptop that was infected got plugged into the network (our network has about 2000 various boxes connected to it). Our security team got alerted by our intrusion detection systems was on the way to whack the offending user with a clue stick and unplug the laptop. Too late....

During that time I had just finished ghosting a machine with SP4 integrated into the build. In only a matter of a minute or two the new box I was working on became infected and started doing net sweeps of its own (the whole process of infection was done silently of course). I don't doubt the tales of machines becoming infected in a very short period of time given the rate of infection with RPC based worms because I have seen it. All it takes is one rogue machine to infect other boxes it can talk to.

Re:Odd

[ktakki]

How do you get these worms? This sounds incredulous...

Here's a snippet of the log from my Linksys router:

00:00:26 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
00:00:29 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
00:00:29 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
00:00:32 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
00:00:42 TCP from 68.144.136.248:3225 to XXX.XXX.XXX.XXX:445
00:00:59 TCP from 81.185.113.170:3646 to XXX.XXX.XXX.XXX:445
00:01:36 TCP from 68.144.169.29:2873 to XXX.XXX.XXX.XXX:445
00:01:52 TCP from 4.41.255.6:3139 to XXX.XXX.XXX.XXX:445
00:02:07 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
00:02:08 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
00:02:10 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
00:02:11 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
00:02:19 TCP from 81.218.207.145:4814 to XXX.XXX.XXX.XXX:445
00:02:28 TCP from 80.198.29.151:4015 to XXX.XXX.XXX.XXX:445
00:02:48 TCP from 63.230.237.96:3181 to XXX.XXX.XXX.XXX:445
00:03:00 TCP from 209.50.93.166:4294 to XXX.XXX.XXX.XXX:445
00:03:12 TCP from 24.80.105.49:2350 to XXX.XXX.XXX.XXX:445

The timestamp is hours:minutes:seconds. XXX.XXX.XXX.XXX is my WAN address (redacted), an East Coast Verizon DSL line. Port 445 is probably being targetted by W32.Sasser.

Sixteen attempts in 3 minutes and 12 seconds.

A couple of things are interesting about this log excerpt. First, there are no attempts from the 141.154.* netblock (where my WAN address resides). Second, I usually see a number of different ports listed (139, 1025, 1026, 1080, 3129, 5000), from both viruses and people probing for open proxies. Then again, it's Sunday night. I've noticed that virus traffic is higher during business hours in the US.

k.

Get a router.

Why don't people pay ~30$ for a router with built in firewall? Even if one got only one PC connected to it it's worth it. No worries about worms or hacks.

Firewall

[fremen]

...all firewalls are turned off.

Why don't you try turning the firewall on? It will block the RPC calls that are necessary to infect your machine with the most recent series of worms and allow you to install whatever patches are necessary worry free.

Plus, it just makes your PC safer in general.

Use NAT

[hkb]

Duh.

Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.

If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Worst case scenario

[gwoodrow]

So the WORST case scenario is that you don't actually succeed in getting Windows installed? Man, talk about a win-win situation!

Download the Service pack before install

[borwells]

Download the SP1 Network install before beginning your XP installation. Stick it on a CD or a Samba share and install it prior to connecting to the Internet.

External firewall?

[pilkul]

You say you're a Linux user; why not plug one of your Linux boxes to the 'net, use it as NAT-routing firewall using iptables, and download the updates from behind the firewall? It's always worked for me. Or if you only have one machine, you can buy a cheap NAT router for 50$ nowadays.

This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.

use a nat router firewall

[bstil]

All you need for a home installation is a NAT firewall connected to your cable modem/dsl. As long as your firewall is properly configured and no other computer on your NAT network is infected, you should be okay.

Re:Simple, Get an external Router.

[yamla]

You don't believe you can get infected in 20 minutes? The record at the undergraduate department of Computing Science at the University of Alberta is SIX SECONDS from plugging in an installed, unprotected Windows XP system until the time it is infected.

It is highly unlikely that you could run an unprotected XP system with no firewall and no patches, hooked up via a cable modem or ADSL, for even ten minutes before getting infected.

Autopatcher!

[calebb]

I can't believe nobody's posted this yet!

Autopatcher

AutoPatcher was started in October of 2003. It was started by Jason Kelley and was a simple batch program that would install many updates silently. Upon reaching version 2.65, Jason was contacted by Antonis Kaladis, who offered to help make a VB front-end for the program. And thus, the current incarnation of AutoPatcher was born.

Not only does it install all your Windows updates with just one reboot, it can also (optionally) install many other programs such as the Windows XP Powertoys, IESpell, etc. There's even some registry config options such as increasing the max connections per server (IE) to something greater than 2.

Re:Simple, Get an external Router.

[tomakaan]

If definitely believe him. I've seen it happen all the time. My situation may be unique since I'm on a large college network, but I've seen blaster/welchia/gaobot/sasser infect a machine in a quarter of that time without the proper Windows Updates.

i'm installing right now...

[phrasebook]

I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.

Found at isc.incidents.org:

[BandwidthHog]

Windows XP: Surviving the First Day

but if you can't....

[Mydron]

There are a few guides out there explaining what to do. Most of them involve shutting off windows services (such as file sharing and the windows network client) and using the firewall included with Windows XP before connecting to the internet.

Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day

Re:but if you can't....

[dknj]

This is a pretty poor Ask Slashdot article, IMHO. Here is how I do it within an hour and have nothing to worry about:

1. Unplug network cable
2. Install Windows XP
3. Upon first boot turn on the Windows Firewall and reconnect network cable
4. http://www.windowsupdate.com
5. Wait for patches to download, then remove network cable and reboot after patches have installed
6. Return to http://www.windowsupdate.com and download the remaining patches
7. Reboot (no need to unplug network cable this time) and install a Virus Scanner/Firewall Suite.

This takes an hour and isn't rocket science.

-dk

Re:but if you can't....

[innosent]

Problem is, the Windows Firewall is almost completely useless, and the average computer is probably hit by an attack every 20 minutes, which is far less time than it takes to download all of the patches, especially since the first reboot will only cover SP1, which only eliminates about 5% of the active exploits. The original (I'm told the SP2 version is better) windows firewall does not protect people from any of the attack vectors I've seen coming through my network so far this year. It is a "stateful firewall", it's just that the only state it maintains is an open one. It does not protect the computer from access to system services (most notably RPC), so it cannot protect people for long enough to patch their systems. There are only two methods for a clean install, either install and patch offline from CDs, or install from behind a stateful firewall (either a cheap linksys/dlink/netgear type or your network firewall). All installations we do at work are done initially on the private segment of the network, with packets sent through a NATd portion of the firewall (which by the nature of NAT accomplishes exactly what is needed). Of course, we also drop packets which have no legitimate purpose on our network, and log the supposed legitimate ones, which is probably a bit beyond the requirements for installing XP on granny's computer.

Re:but if you can't....

[dknj]

Except the firewall will block incoming connections. Don't go to other sites which will exploit old IE bugs and install spyware/viruses/etc, go straight to windows update after installing windows. That will patch up to SP1.. there is a known bug with the firewall that will leave the machine vulnerable for a few seconds (enough to get infected) during the boot before SP1 finishes (or it may be another patch that fixes it.. i don't remember), this is why you remove the network cable before you boot the second time. After you patch it completely, you can install your firewall suite and virus scanners (as i stated).

I used to do this on a daily basis, before I switched to a fully automated ris build, and never had an infected machine.

-dk

Re:but if you can't....

[fucksl4shd0t]

How ironic! Wern't Windows 2000 and Windows XP supposed to be the most secure Microsoft OS's ever?

Right. They were.

And I remember a certain Microsoft CEO of a previous era saying something like, "Windows NT is going to be so easy to use, all point 'n click, that you will be able to hire sysadmins off the street."!

Right, and it happened.

I guess I'm not quite understanding your point.

make sure you block all incoming ports

[steve.m]

sasser exploits a vulnerability in lsass.exe, which listens on 445. Some software firewalls leave this open, as it is required for Active Directory logins under some circumstances. If you do that and then go straight to windows update you should be fine.

Re:Simple, Get an external Router.

[Qzukk]

I don't believe you when you say that you get viruses over the 20 minutes that it takes

Aside from the terminology, consider that at the peak of infection, many nimda attacks were being logged EVERY SECOND by logging machines setup for capturing and monitoring attacks. Slammer was scanning 55 million hosts PER SECOND. These things just pick random addresses and spit data out. If you haven't been getting any of these hits then either you're behind a firewall, or you're less random than the rest of the internet.

20 minutes is a long time to go without protection in computer time, especially on today's wild west of an internet.

Agreed though, the questioner should have just gone and gotten a firewall (or used one of his linux machines). I've never seen anything on windows update suggest that I turn off my firewall.

Re:Simple, Get an external Router.

[kevlar]

Actually.... jusdging by my router logs, I can believe it now...

Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:51 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:57 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:21:46 Unrecognized access from 195.250.112.73:35973 to TCP port 443
Sunday, June 20, 2004 20:22:18 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:22:21 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:22:27 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026

Re:Windows XP: Surviving the First Day

[eltoyoboyo]

Excellent article. And this is the number one article on the sans.org reading list. ... Couldn't help noticing number three with its provocative title: Penetration 101.

February?

[wcbarksdale]

Windows Security Update CD: February 2004

Updated Date: April 16, 2004

This CD includes Microsoft critical updates released through October 2003

Well, as long as that's clear.

I don't give a DAMN what Microsoft says.

[grioghar]

" Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."

Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.

Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.

Re:Simple, Get an external Router.

[ScrewMaster]

My firewall logs show that I get worm propagation attempts at a significant rate, sometimes dozens per second (you can hear the drive in my firewall machine chattering when that happens.) Mind you, I'm on Comcast and there's a bunch of machines on my subnet that are infected as hell (I've reported this to Comcast, but the same IPs keep showing up, sometimes with attempts from multiple worms!) but I have no problem believing that this dude got infected in twenty minutes. I'm surprised it took even that long. Last year, my cousin hooked up her Win2K box to her brand, spanking new cable modem. After two or three minutes, a console window popped up and she watched some nut case typing in "SECEDIT" trying to guess her admin password. Things happen FAST nowadays.

Re:RTFQ

[AKnightCowboy]

reallocate was just following the instructions that Microsoft and Symantec gave him/her.

If ANY piece of software ever lists "disable all firewalls" as a part of the instructions, toss it and run away. There's no reason to ever disable a hardware firewall on a properly written piece of software. As for software firewalls, well those are trash so I won't even bother.

Re:Simple, Get an external Router.

Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026

^^ RIGHT THERE! That was 14 minutes! You could have EASILY installed a few critical updates. You just need to install them between attacks, and unplug your network cable before each new attack starts.

How hard is that? What is everyone here complaining about?

Re:RTFQ

[SirCrashALot]

As for software firewalls, well those are trash so I won't even bother.

That depends entirely on what software you are talking about. All a hardware fireall is, is a firewall from a company that realized people won't pay $$ for a piece of software. I.e its a software firewall, just running on some different hardware.

XP software firewall is useless before SP2

[majid]

It is not active during startup or shutdown. This window of vulnerability will be fixed in SP2. That said, I wouldn't trust a "firewall" written by people clueless enough not to enable it before the network stack goes up.

Re:RTFQ

[photon317]

There's really no such thing as a hardware firewall. All hardware firewalls are in fact software firewalls running on a peice of hardware, just like all software firewalls do. Perhaps a better re-statement of your point is to say that you should use a seperate non-windows-based firewall rather than one which is installed locally on the windows machine. Personally I use a Sparc/Linux box for this, but you can have good results just using a netgear nat box or something. NAT is the ultimate home firewall anyways, just dont start routing inbound ports through it to your PC and you're gtg.

If you play a Microsft CD...

[Spoticus]

backwards, you can hear satanic messages. But even worse, if you play it forward, it installs their software!

Thanks, I'll be here all week... try the veal...

OP: The 100% best answer

[Glonoinha]

Go to Best Buy and get a Linksys BEFSR41 router / firewall device.
Plug your computer into the LAN side.
Clone the MAC address of your computer.
Change the password on the router to something other than 'admin'.
Plug in your cablemodem into the WAN side.
Enjoy your new worm/virus/trojan free existance.

How many times do we need to spell it out??

Visa

[gmuslera]

• Windows XP Pro Original - US$ 200
• Follow the Microsoft Instructions - US$ 0
• Apply recommended patches by microsoft using microsoft recommended way - US$ 0
• ...
• Getting worms, viruses, and trojans even after all of this work: priceless

Re:RTFQ

[fataugie]

That depends entirely on what software you are talking about. All a hardware fireall is, is a firewall from a company that realized people won't pay $$ for a piece of software.

You're fucking kidding, right?

So, what you're saying is, a majority of Fortune 500 companies can throw their Cisco PiX firewalls away and just install ZoneAlarm? Think of the money they'll save!

So that's what the second step to profit is...

This is exactly how to do it.

1. Pull machine off net
2. Install box
3. Configure TCP/IP and enable windows firewall
4. Plug in network cable
5. Windows update
6. Repeat windows update

Job done.

Re:This is exactly how to do it.

[phasm42]

Mod parent up. I don't understand why this guy simply didn't use the XP firewall and be done with it. It would've worked better, and he wouldn't have had to install Norton BS. Plus, in step 11 HE TURNS ALL FIREWALLS OFF. Of course he's getting infected. I don't think many people have pointed that out, but he got infected because he turned off the damn firewall like an idiot. Reading MS's line on the subject: here, they say to turn off ANTIVIRUS, not firewall. So he probably turned off all of NISP, not just the AV portion.

We have to get creative here.

[BroncoInCalifornia]

Here are some ideas:

1) Hide behind a NAT router - Install windows disconnected from networks. Find someone with DSL and a NAT router. Intall all the patches from the safety of their home network.

2) Before installing windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. get on the internet and download the patches to the FAT partion. Boot Windows - install patches.

and play an *BSD CD forwards

[hughk]

...and you find it full of daemons!!!!

Sorry, I couldn't help it!

router

[DerWulf]

Pick up a router from SMC ( I can recommend the 7008/4 ABR series). Even if you don't want to setup a home network, this is the best way to go I think. Even with the sygate firewall it could ( in theory) happen that the software silently crashed, leaving the icon still in the system tray until you move the mouse cursor over it. Also I wouldn't rely on Windows Update to keep your computer safe. If your unpatched version can get infected, your updates will not prevent infection when someday an exploit gets releases sooner than the patch. When using a router, all incoming connections will be refused by default since the router itself is only running the administration tool. Add a personal firewall for save measure in case the router gets compromised and you are set to go. Also you can seamlessly add computers to your network, all sharing the same internet connection and printer. As a side note, the Norton firewall has crappy configuration options and its all in baby talk. I didn't like it very much. Zonealarm doesn't work well with edonkey, overnet, emule, also, if you forbid all the notorios windows applications (explorer.exe, alg.exe, svchost.exe) all access to the network, you are in for a very unstable windows expierence. Sygate is still the best of the three.
I bought the router to finally rid me of the personal firewalls tedious configuration ( which btw, you have to do again on each install, with the router it stays with you forever ;)

Not associated with SMC, I just picked up the model mentioned above friday and I am very happy with it.

Enable the built in firewall

[cascadefx]

Enable the built-in firewall in Windows XP before going online. This will resolve a lot of your problems.

Also go into the widnows update site (on another connected computer) and click the update options to the right. There is an option to turn on the catalog view (or something like that... in Linux right now). This will allow you to search for all the updates of a particular Windows platform.

Use this to download the patches and burn them to a CD... Use this CD to patch your system.

Jim