How Secure is Windows Firewall?
Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.
Kerio Personal Firewall is much much better.
Why are windows users so obsessed with "stealth"?
It's annoying on two levels. Firstly, it breaks the requirements of the RFCs, leaving other nodes on the network hanging, waiting to see if a connection is going to succeed or be rejected; waiting for timeouts isn't fun. Secondly, THERE IS ABSOLUTELY NO POINT: it is trivial to find out if there is a node at that address, all sufficiently intelligent scanners can tell if there is a machine there, nmap for example. YES WINDOWS USERS, I'M TALKING TO YOU, get rid of that stealth crap. If there is no machine there, the nearest router will return no such host... if there's no ICMP from the router, we know that there's a Windows user there (of course, we can't determine the operating system of the node, but everyone knows only Windows users do this)...
It's pointless; it's only used because having a "stealth" computer sounds cool on proprietary firewall marketing material (would it be so desirable if it were called "filtered"?). Please turn it off...
It's only meant for basic, basic, basic protection.
With the firewall, and the security center it was using an extra ~20 MB of memory that I need to play Doom3 faster!
If you build it, nerds will come. Soylentnews.org
It's better than nothing.
As long as the firewall is activated prior to any ports being opened on bootup, it's probably better than nothing. That is, at least the 99% of users that don't understand what a firewall is will be safe.
Help! I'm a slashdot refugee.
Windows will always be insecure. I have tried its firewall and it feels very basic. If you want more protection you should buy a Linksys router with a built-in firewall that won't hinder your computer's performance or bug you while you open your e-mail program. With a hardware solution you will not be as vulnerable as if you were using Windows, but there are a few problems.
I've installed SP2 on two machines now. In both cases SP2 had me reboot, and before offering a log-in prompt it presented a screen where I could enable or disable automatic updates. This is an administrative setting, and it should not have presented itself prior to an authenticated login. Sure, it only happens once, but by design it violates secure computing practices.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
While their new XP SP2 firewall is somewhat degraded compared to, say, ZoneAlarm, that's not entirely a bad thing. The new firewall is a step in the right direction, especially being on by default. Not only that, but by not including a "top of the line" firewall in XP, they allow for a market where 3rd parties can still sell firewalls, as opposed to being yet another software industry crushed by Microsoft.
GRC - Shields Up: If you aren't stealthed, the evil boogeyman will get you... and your children!
This really shouldn't be a surprise. I've been running the betas of SP2 for a while and I was amazed that no matter how hard I tried, I could not get the Windows firewall to stay on. Some script kiddie found this out too and pulled a l33t on me. I decided that having a 14 year old mess with my system wasn't worth it and let McAfee take over.
I think there's a reason for this. If M$ put a good firewall and good virus scanner in XP, they would be using their monopoly position to put third-party anti-virus and firewall software companies out of business. They wouldn't be doing this intentionally, but it doesn't matter. That whole incident with IE fucked them over.
If M$ could go back a few years, they would see that not putting IE in the OS would have avoided all the anti-trust problems AND made windows more secure. LOL at M$.
My other car is first.
I honestly wish the person who approved this article had read through flex aka dodgybeta's article; they concluded on the whole that the firewall stood most tests well - indeed to a comparable level in some areas as Zone Alarm. They only recommended (not that one would really follow their recommendations) against it because Microsoft didn't offer any out-bound monitoring. But wait.. the kind of thing that would be sending stuff out is covered by SP2's security center, which prompts users to get AV!
What were the boys expecting? A corporate level firewall for free? This is Microsoft trying to make good very old problems. It's a good attempt for what it is; of course people should go and get a proper solution. There goes 5 minutes I'll never get back.
The problem is that it can be turned off by another application. Reading comprehension -- it's a good thing.
I have ignored software firewalls and have hidden (?) my computers behind a Linksys router.
1 - Am I correct in assuming that this is safer than software firewalls.
2 - My machines are Mandrake 10 mostly. Other than regular updates, is there anything else I should be doing?
To my knowledge, any software firewall can be turned off by the user's account (or the administrator account, which is probably what people will be running as).
I don't see how this is a "goof" on their part, since any software firewall would have this problem.
Perhaps a bit of thinking should go into your submission before you start to bash Microsoft?
-Termina
They're NAT devices, and the "firewall" is just a side effect. If you want a real firewall, buy a real hardware firewall device, or run something like IPCop on an old computer.
If you want to train Firefox not to accept cookies from the usual advertisers, then go to that Flexbeta site. Seems to ask for cookies for every media company on the web.
So if it couldn't be turned off by software that would mean...? that would mean that MS is abusing their monopoly.
The whole point of the firewall is so that bad applications (like the ones that would turn a firewall off) don't get installed in the first place.
And as far as I can tell, all the article is talking about is the fact that it asks you if you want to keep blocking a program or not. And it DOES ask you for every program that uses the LAN/internet/whatever.
And do you honestly think that it's impossible to turn off Zone Alarm and those other ones with an application? I'm willing to bet that it's possible
I have read reports, like the UK ADSL forum, of certain ports still left *open*, as it appears it breaks Windows networking on sub-nets.
What a surprise.
Any windows wall is less secure than a solid wall.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
The article's website is timing out, but can't you 'turn off' Norton, Zonealarm by simply doing a WM_CLOSE or TerminateProcess anyway?
If the program has managed to make its way onto the host machine, then that is when the firewall isn't doing its job.
Nothing costs nothing
If the user can turn it off, another application can turn it off. Basic clue about CS -- it's a good thing.
I have run Windows XP Professional since its release. I run my box 24x7 connected to a 2MBit cable connection. I use the Windows firewall and have auto-updates downloaded automatically. I have an ftp port open using the Microsoft/IIS ftp server. I have a port open for remote desktop. It's been this way for 2+ years. My box has never been hacked into.
So, now some wise asses can ask for my IP address, sure. But my point is that by taking just the most basic precautions, you reduce your chance of being hacked to just about nothing.
The new firewall may not be perfect, but it will further reduce the number of easy targets, which is a giant step forward.
Never, ever lose a file again. Ever.
So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
A NAT device like a linksys router will "protect" you from inbound connections to ports you haven't forwarded, BUT it doesn't restrict outgoing port access (like most non-Microsoft software firewalls do.)
Hardware firewall... sorry but I don't trust anyone... why should I trust MS... in all reality their firewall may be good or bad, but what matters is that EVERY script kiddy on the planet is going to be gunning for every SP2 firewall they can find.. don't just walk away... RUN.
It has nothing to do with whether you can turn it off. It's that the API used to manage the firewall allows other applications to turn it off.
Other applications can turn off ANY software firewall. In fact, other applications can make your computer not turn on anymore... What's your point?
Wait, a commercial firewall developer thinks Microsoft's free firewall isn't up to the challenge? Wow, what a surprise! What if Microsoft had put a full-fledged firewall into SP2? The same companies would be whining about how Microsoft bullied them out of the market.
Well, if this situation were happening in a *nix-based system, it's likely that turning the firewall off would require a root password. So yes, obviously it requires some hook to turn it off, but one would think it's privileged and not available for anything/anyone/any app to abuse.
Microsoft embed their own product that can't be moved, turned off, or otherwise removed so you can't use an alternate product? That's against the law, not even Microsoft would be bold enough to do... THEY DID WHAT?!
As far as I can tell, the firewall in SP2 does a very good job protecting the desktop, which it is designed for.
What? You want to protect more than your desktop(s)? So, get a hardware firewall already!
Any fool can talk, but it takes a wise man to listen.
I think that this firewall is at least a small step in protecting those that are uninformed about these issues. As was pointed out, if the firewall were to be good at what it does, Microsoft would be hit with another lawsuit.
For new installs, however, couldn't Microsoft have a partnership with some antivirus/firewall company to put their software on by default? That way it wouldn't be a microsoft product that is included, however it would have a high rate of protection and not require intervention by uninformed users.
--Information Belongs To The World--
Uh no, welcome to your logical fallacy of the day. The user can turn it off because it comes with a pretty point and clicky window for them to do it with. Applications can turn it off because it comes with a freaking API that lets them do it. The Windows firewall is the kid with a "kick me" sign taped to his back.
Save your time - don't bother. It adds absolutely nothing to the body of knowledge. It reports that it blocks all the ports very adequately. It also reports that it doesn't block outgoing connections from your computer! Really? Well, that has been common knowledge for the last year. Windows Firewall only blocks incoming connections. This doesn't mean it is less than adequate. It does point out that Windows responds when certain standard port connections are attempted. This is a good compromise, but hardly a hole in the firewall - it is not a hole in a firewall to block connections using certain standard ports. And as for stopping the firewall using another Windows command - absolutely no evidence supplied. FUD! Windows Firewall is pretty good.
Hi;
The Windows Firewall is probably adequate if you only have a single computer and are connecting to the internet.
It is not built for networks (ICS traffic bypasses any ICF filters) and so has absolutely no value for perimeter value.
Like most commercial products from Microsoft, supportability in Windows Firewall is more important than security. If you need security over supportability by Microsoft staff, this is not the product for you. But it is not bad for what it does.
It also has no outbound controls, unlike other personal firewalls. This is a slight issue, but I don't think it is major (what about hijacking IE to make the connections?)
LedgerSMB: Open source Accounting/ERP
This whole website is a gigantic troll on the web, what did you expect?
So,
Let's just 'patch' the firewall to not turn off on request by the next remarkable worm or virus.
Just a thought.
And then the dialog box below it says:
"Windows firewall has blocked this program from accepting connections from the internet." So, kind of obvious really. And no demonstration application to back up the claim it blocks sockets from sending.
Nothing costs nothing
Who can honestly and intelligently say a closed source operating system and closed source firewalls of any kinds are 100% safe?
Sorry, but I trust open source security solutions.
"Basic clue about CS -- it's a good thing."
Definitely. And while we're at it, maybe we should send the flexbeta editors a one-line shell script that'll disable the OpenBSD packet filter. I'm sure watching their heads explode would be fun.
What the hell do users expect if they run trojans under admin-accounts... "the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off." Ya think??
My Sig: SEGV
Windoze 9x/ME/2000/XP PC + New high speed cable connection + No firewall + No anti-spyware + No anti-virus + Kazaa = The Killer Combination(TM)!
Seriously folks, get yourself a decent firewall, don't trust Internet Connection Firewall in Windows XP, get anti-virus, get Spybot, and DITCH IE!
The mouse click events can be sent via code, don't be a retard.
Lots of us told lots of people at Microsoft that integrating the MS HTML control in Windows Explorer was a horrible security risk, way back when they first did it. They also knew that it was likely to cause legal problems. They still did it, because they believed the danger of an independent application platform (which is how they saw Netscape and Java) was too high to be risked. Even if they had a certified message from Bill Gates 2004 to Bill Gates 1996 about the risks, they would probably still have done the same thing.
Microsoft doesn't care about any problem that doesn't hurt their bottom line. It's rare that any company does: that's just part of being a limited liability corporation. And in 1996 and 1997, security wasn't an issue, it didn't win sales, so they didn't care.
"Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again."
ANY software firewall can be disabled by an application running under Administrator credentials on the same box. Other software vendors may have more obfuscated hooks into the engine than Microsoft's firewall does, but that doesn't mean it can't be done. After all, when you use the UI to disable a firewall, that UI has to be making some API calls to actually set the internal state on or off.
If you aren't running as Administrator, then programs you run (or are tricked into running) can't disable the XPSP2 built-in firewall.
I just installed a slipstreamed version of XP-SP2 and can't get Norton Antivirus 2002 or 2003 to work, both report the Liveupdate product list is corrupt
Both copies are known to work on XP SP1. I suspect Windows firewall is interfering. Anyone else had this?
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
So, my wireless router handles my wired part too.
It has NAT - am I safe enough? I've never been r00t3d but then I have the g**-d**ned common sense not to open dumb ass attatchments, etc.
I had ZoneAlarm for a while but for the past 2 to 3 years have run without it. I'm loath to add yet another Microsoft service running in the background.
Someone, please, for those too lazy to google this, if I have a NAT box, do I really need to run a firewall as well?
"Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again."
Under Linux, as root I can write a program to shut off any firewall as well. If the firewall is running in a limited account, and users don't have admin privileges, they can't shut down the firewall, and neither can a worm or other program.
I want to cover a few definitions that aren't in the article. If they are using different definitions for these terms, they are going to confuse a lot of people (and may be confused themselves).
For the 'Connect' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. The 'Closed' ports will have sent back an ACK/RST packet.
For the 'SYN' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. At this point, the 'SYN' scan is identical to the 'Connect' scan, so the 'closed' ports should have sent back ACK/RST.
This leads me to believe that either the tester's system was broken, the target system firewall was in a different state during the SYN scan, or there is something really weird going on there.
As for the 'Turning Off' claim, that appears to be when the user or process has admin rights. As with the ludicrous Trend Anti-Virus 'vulnerability' posted to Bugtraq last week, it's unreasonable to expect software to 'defend' against being reconfigured or turned off by an authorised administrator.
I've just realised I'm defending M$ here
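As an added illustration (not code from the thread), here is how the post's definitions map the reply to a SYN probe onto a port state, and how a 'Connect' scan can be cross-checked against a 'SYN' scan, which both open with the same SYN and so should agree on closed vs. stealthed ports; it also covers the ICMP unreachable case an earlier comment mentions. The scan results below are constructed sample data.

```python
# Added example (not from the thread): classify port states from the reply to a
# TCP SYN probe, using the definitions the post gives, and cross-check a
# 'Connect' scan against a 'SYN' scan. Both scans open with a SYN, so a port
# that answered RST/ACK in one run should not go silent in the other.
# The sample scan results below are constructed, not real captures.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class TcpReply:
    """A TCP segment that came back in response to the probe."""
    flags: int


@dataclass(frozen=True)
class IcmpUnreachable:
    """An ICMP type 3 message (e.g. a router reporting no such host)."""
    code: int


Reply = Optional[object]  # TcpReply, IcmpUnreachable, or None for silence


def classify(reply) -> str:
    """Map the reply to one SYN probe onto a port state.

    None             -> 'stealthed'   (dropped by a filter; nothing came back)
    RST (RST/ACK)    -> 'closed'      (host is up, nothing listening)
    SYN/ACK          -> 'open'        (a listener accepted the handshake)
    ICMP unreachable -> 'unreachable' (a router, not the host, answered)
    """
    if reply is None:
        return "stealthed"
    if isinstance(reply, IcmpUnreachable):
        return "unreachable"
    if isinstance(reply, TcpReply):
        if reply.flags & RST:
            return "closed"
        if (reply.flags & SYN) and (reply.flags & ACK):
            return "open"
    return "unexpected"


def summarize(scan: Dict[int, Reply]) -> Dict[int, str]:
    """State of every port in one scan run."""
    return {port: classify(reply) for port, reply in scan.items()}


def inconsistent_ports(connect_scan: Dict[int, Reply],
                       syn_scan: Dict[int, Reply]) -> List[int]:
    """Ports whose state differs between a Connect scan and a SYN scan.

    Both scans begin with a SYN, so the first reply should be identical;
    a disagreement points at the tester's setup or a firewall state change
    between runs rather than at the firewall's own behaviour.
    """
    return sorted(p for p in connect_scan
                  if p in syn_scan
                  and classify(connect_scan[p]) != classify(syn_scan[p]))


# Constructed sample results for a handful of ports
CONNECT_SCAN: Dict[int, Reply] = {
    21: TcpReply(RST | ACK),    # closed
    135: None,                  # stealthed
    445: None,                  # stealthed
    3389: TcpReply(SYN | ACK),  # open (remote desktop listening)
}
SYN_SCAN: Dict[int, Reply] = {
    21: None,                   # went silent: inconsistent with the connect scan
    135: None,
    445: None,
    3389: TcpReply(SYN | ACK),
}

if __name__ == "__main__":
    print("connect:", summarize(CONNECT_SCAN))
    print("syn:    ", summarize(SYN_SCAN))
    print("inconsistent:", inconsistent_ports(CONNECT_SCAN, SYN_SCAN))
```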
In any event, it's obvious this is not a cure-all since it won't block outgoing connections. But it's still a big improvement and ought to immunize XP users against at least one class of attacks. In fact, coupled with a virus (especially an email virus) scanner it ought to wipe out 99.95% of all Windows desktop compromises. That's a pretty damn big step and we should credit MS for taking it, even if it doesn't go quite as far as we'd like.
It doesn't matter whether you're on Linux, on Windows, or on anything else, a firewall has to be outside the control of the objects it's protecting against. For Windows Firewall to protect against local applications, it would have to be running outside the security perimeter around those applications.
I don't care if you're Windows Firewall or Zone Alarm, any settings the user can change an application can also change, because no application that the user runs can have any more rights than the user. Whatever the user interface application does, another application can do as well.
So we all complain that SP2 is taking far too long to come out. Then we complain it's far too complicated to deploy, so we don't install it. Then once we do, we immediately complain it's not good enough.
If it's not good enough, why didn't we all complain during the last 14 or so months when it was still in development.
FWIW, the built in firewall is better than the firewall in my router, in that it can open ports based on program, instead of statically keeping them open. Neither have outbound protection. Since most home users have only the router, if that, I'd say it's a step in the right direction.
Also, keep in mind that adding a full featured ZA-style firewall might risk more anti-trust lawsuits.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
A piece of software on the local machine can disable the firewall? Is this even a flaw?
Any firewall that runs as a user-started service (such as Kerio WinRoute Firewall) can be disabled by other pieces of software. Kerio WinRoute can be disabled simply by typing "net stop winroute" at a Windows command line. I suspect much the same is true of other firewalls - even those that don't run as services could probably be terminated with good ol' taskkill.
If the malicious software is already on your machine disabling the firewall is the least of your worries.
It's incredible how ignorant and misleading this article is.
First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like .NET code), it can do ANYTHING I can do. That includes turning off firewalls.
Software running as a non-admin user CANNOT TURN OFF THE FIREWALL. That's all you can expect.
Second, outgoing protection just makes stupid people feel better. Any programmer with a clue can write software that gets around outgoing firewall protection. It took me about 20 minutes with VB (yeah, VB!!!) to write a proof of concept app that is able to do whatever it wants on the net even with Zonealarm installed.
The only way to reliably restrict outgoing communications is at the borders of the network, not on the machine generating the traffic.
All this FUD makes me sick.
And push out the update yourself.
If you really take away admin privileges from your users, you probably also use MS' push system for installing updates. Using this push system means you can not only push the update and not wait the 50 mins, but also push the pref which turns on auto updates, no matter what the user selects at that screen.
"Inform all the troops that communications have completely broken down." (Unknown)
> Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.
Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.
Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.
The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.
Other firewalls still provided the feature because it figured most malware wouldn't bother to detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would offer zero additional security.
Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.
Contrary to what Flexbeta says, I suggest it's a better idea to first get the new firewall package, disconnect from the internet and then switch the firewall off before installing and initiating the new one.
Switching the firewall off [no matter how weak it is] while connected to the net will open your machine up to all sorts of problems.
they want their "M$" back.
And here is a C# and VB.Net example for these things
Security thru obscusomething!
The reason the market for things like ZoneAlarm exists is because the operating system was faulty in the first place. A firewall should NOT need to be an extra application; it should have been part of the system when it was first conceived. It took me 15 minutes to set up a gateway using iptables that was smart enough to recognize the few services that should potentially be coming from the internet, and which services stay within the local network. Would it be that hard to have coded most Windows services to ignore requests outside of the local subnet by default?
Internet explorer added functionality. It is not the purpose of an operating system to interpret and display ***ML. A firewall removes functionality. By improperly designing the windows system, they created a niche market, which other companies have exploited, just driving the cost of owning a windows pc up that much higher.
What the heck is a 'sig'?
Can any Mac users tell us if the OS X firewall prevents outgoing connections ? Just wondering.
Care to post your IP address?
I didn't use v4 for long before I went back to v2, but I've switched to Sygate Personal Firewall recently as it (Kerio) for some strange reason started to crash. Sygate's FW is nice and all, but its advanced rules configuration system is still somewhat annoying. For some reason it appears to be impossible to create a rule or set an option that blocks any traffic that isn't explicitly allowed *sigh*.
If you can tell me that Kerio v4 has dropped the horrid user interface, I'll probably have a look at it again.
________
Entranced by anime since late summer 2001 and loving it ^_^
All suffer from the same problem: how are you going to detect outgoing traffic if it's coming from the same process? The average user won't suspect a thing when IE suddenly wants outgoing ftp access or something, and since it's easy as fuck to inject code into other process spaces if you already own the damn thing, people with personal firewalls who don't carefully read every single popup are out of luck.
From what I can determine, all the Windows Firewall does is block ports to incoming connections. Why not just have those ports, oh I don't know, off to begin with? Yes, some need to be open in order for local subsystems to function correctly--but isn't that what binding to a particular interface is for?
No comment.
Mod parent up. he's so right.
I have discovered a truly remarkable sig which this 120 chars is too small to contain.
In Linux land most users run apps (esp untrusted ones) as a normal user and not as root. (the obvious exception is lindows which is evil incarnate)
Firewall rules can only be changed as root.
Because of the extensive use of Linux in shell hosting environments, Linux is fairly robust against local exploits. Windows is still terribly weak to local privilege escalation.
Obviously there are ways around (say sabotaging the user's environment and tricking them into giving the software root access), but it actually makes things harder on Linux. It's not worth the bother on Windows.
Not only does windows have greater need for security measures (due to the allure of a large uninformed userbase) but they continue to lag behind.
For example, SP2 has added nx support... which enables non-executable stacks on Windows but only on some CPUs (which have just started coming out).
Compare this to RedHat Fedora. Since FC1 fedora has had exec-shield. Not only does execshield feature non-exec stack, heap, protection buffer zones, libraries mapped with a 0x00 in their address, address space randomization for all parts of the binary, but it even provides all this on old hardware.
Such patches have been available for Linux outside of distros for years. Solaris has even offered non-exec stack for years.
Microsoft is inexcusably behind.
There is outbound connection blocking. It is on by default and asks the user if they want to allow the connection.
For god sakes, what do you expect of them? They are not in this to make slashdotters safer, they know we can defend ourselves just fine. They have a firewall that, while not perfect, is easy enough for the average and new user to use and provides a decent amount of protection. No its not the second coming but I don't think they ever intended it to be. They did what needed to be done and I applaud them for their effort and end product.
MS bashing on here never bothered me until SP2 came out when A LOT of people mainly wrote it off as crap. They did a damn good job this time and a lot of you people should stop bitching about them.
Mac OSX has a firewall supplied which does exactly the same - inbound connections only with an option to open ports for file sharing, remote desktop etc... except NOT enabled by default.
Again, if you're using it for serious stuff you'd add a hardware FW at the network perimeter.
For the most part, if you're a savvy user you already have firewall software or are protected in some other fashion. What SP2 is aimed at is the unwashed masses who just have their Best Buy and Walmart boxes directly connected to the Internet with no protection at all.
If anyone reading Slashdot *needed* SP2 to make their XP system secure you should be ashamed of yourself. =)
So while it's not perfect, it's a situation where anything helps.
This also leaves the door open for other vendors who want to provide better or different firewall solutions. Ditto with not adding AV software.
Remember, unlike Apple and Linux distros MS can't bundle much into their OS unless they want to get dragged back to court...
>There is outbound connection blocking. It is on by default and asks the user if they want to allow the connection.
If an application tries to listen on a port for *incoming* connections, you will be prompted. If an application tries to connect out, you won't. RTFA.
I actually do this when I play UT2004 on one of my old boxes that's still running windows. Of course I also disable the network connection when I do this and restart the firewall when I'm done....
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
A false sense of security. lol. At least it will stop most of the exploits out in the world now. That should cut down some of the background noise.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'm afraid it does not.... there may be an AD setting that prevents it, but with a 2000 Domain server with a fairly default AD configuration and a fresh install of XP (2600) it does pop up....
I just did it tonight and I had to join the domain to access the install file....
the sheep mentality around here is astounding with the famous line "get a hardware firewall" but it's definitely not what you really want if you're to secure your system.
Now for the common man, the belief that you have to have a hardware firewall is perpetuated by companies that make them. They're entirely unneeded, although they are by far the easiest solution for simple protection from the outside world. In fact in the recent light of cisco's magical super duper admin username and password scheme it makes me in general practice, not trust many of these hardware vendors in principle.
Here's my take on it, and by all means if someone would love to correct me, please do. For a single PC on a broadband connection, it can be sufficiently taken care of with a software firewall of your choice. Personally I use a GPL based product and have customised it for displaying certain access information. Disable all services and ports you don't need, then things should be sufficient. Turning your computer off at night when you aren't using it, or disconnecting it from the network physically, is what you could do.
For multiple computers, there are two options I like to exercise. Simple:
Hardware router (WAP optional), then to each system. Each system configured as the above.
Harder:
Server acting as a firewall and NAT box and routing to each PC with the first software firewall mentioned above. You could also go for hardware if you really feel like it, but it's unnecessary.
I will always advocate the purchase of a system based firewall/NAT box over the use of hardware firewall that uses firmware. Always.
MS is a bully because they used illegal extortion tactics to take over the IBM-clone OS market, and then leveraged that monopoly to take over desktop software. MS successfully killed the desktop software market, as well as a number of others, with their bloated, feature-stuffed, buggy, crufty software.
Network security, however, should start with the OS. All other makers of OS's (especially IBM, Sun, and Apple) build powerful network protection into the OS. Only MS gets away with creating a terribly insecure OS and then pasting some inadequate security on top. They're trying to catch up at this point and I appreciate that attempt (the horrid Winluser-spread virii of the last two years were not fun for anyone using the internet). However, as a CONSUMER, rather than a computer security professional (who makes money off MS's failures), I won't pay up for an OS that is not designed with network security in mind if I'm going to use that box to connect.
Is still around 10000000 times better than no firewall.
Putting a firewall _on_ the machine you're trying to protect is like making your girlfriend wear a chastity belt on her foot: If you do it this way, you obviously don't understand the fundamentals of the problem.
If this be true, then 'tis unethical _or_ fraudulent, perhaps both? Sure does seem to be a lot of that going around in the Microsoft OS world, however one chooses to categorize such silliness.
Best go check your girlfriend's foot.
Everything in the Universe sucks: It's the law!
If Microsoft would do a better job testing they would have to send fixes out so fast. I was thinking the main idea of this service pack was security. The firewall is a big issue to me. Do we ever see this problem in Linux? I am beta testing SP2 for my company; this is a big red flag in my mind.
Chris Wulliams, Help Desk Agent, Easter Seals UCP of NC
...I have a Mac. :-)
Microsoft did the right thing by letting the firewall be turned off by another program. Otherwise, people who install SP2 and already have a firewall would be pretty screwed up. Two software firewalls on the same machine is never a good idea.
What really pissed me off was the comment that Zone Alarm people gave that a worm could turn off the firewall. OK....A worm could turn off their product too.
There has also been criticism that the firewall doesn't block outgoing connections. I guarantee you if they did do that, firewall manufacturers and "Type A" slashdot readers would be crying anti-trust.
I steer newbies away from advanced firewalls and towards the Windows one. It is, in my evaluation, the simplest to use and the least likely to interfere with legitimate work. The flip side is, of course, that it is the least secure by default, but that's fine. If the program prevents the user from doing what they want, and they can't figure out how to change it, they'll just stop using it.
For example Kerio, in the default mode, bitches for every incoming or outgoing request and for other things such as applications launching other applications (like game front ends) and apps updating. Well, all these popups are extremely frustrating to normal users since they aren't meaningful. Many get angry and just disable the thing.
Windows Firewall is much less aggressive. It doesn't watch app behaviour, allows outbound, and provides a fairly meaningful inbound request. Most users can handle it. Thus they run WFW, I run Kerio.
I use my computer at home only and don't expect to be a target. Isn't Windows Firewall in conjunction with my NAT router enough protection?
I know SP2 turns it on by default, and the firewall is enhanced, but it seems the basic thing MS is saying is it's there and it's on, which is what makes Windows more safe. That could have been true before SP2, right?
I don't know how well these people know TCP, but the results they report aren't possible as far as I can see. If the NetBIOS ports report closed on a connect scan (i.e. send a reset in response to the SYN, or a reset to the first ACK), they cannot be "stealthed" against a SYN-only scan, since they would get the reset there too.
A common opinion is that the Windows XP firewall is better than nothing, but it's wrong! Worse than a lack of security is to think that the machine is secure when actually it is not. Too many average users will think they are now safe with XP-SP2 and its so-called firewall, and they'll never imagine what can still be done with outbound connections and all the information leaking out. Just install a real firewall and configure it to block everything (inbound and outbound), except the applications you explicitly authorize to access the internet, and let everything else raise an alarm. Even if your machine is "spyware free", you'll be surprised at all the applications/games trying to call home with no good reason. Enough to get rapidly paranoid. Now, why? Why does Microsoft deliberately issue, in a security-oriented service pack, a key component they perfectly well know to be deficient? In XP, they first issued a limited "firewall", but it was turned off by default (contrary to their "everything should be turned on" default rule). After the disastrous consequences we all witnessed these last months, they now reluctantly issue a new firewall with new rules, but still not blocking these outbound connections, and furthermore it can be silently disabled! I don't think that Microsoft developers are incompetent and have all flunked "Computer Security 101"; it looks like Microsoft does not want to prevent some kind of backdoor or some access to user information. ...all conspiracy theories are unleashed.
Sad consequence: nothing will be solved by XP-SP2. It will not stop trojan/worm/virus writers, spies, spammers and evil hackers. It will make their life just a bit more difficult.
Or however people are getting it. There is a link on Windows Update for the SP2 download but it says it is not appropriate for single workstations. So I turned on automatic downloading of updates about a week ago, when SP2 was announced, but still haven't gotten it. I've tried to force it a couple of times but still no go.
What's the secret to getting SP2?
LEARN TO READ. How about trying the fucking program he mentioned, WHICH REQUIRES ADMIN RIGHTS TO RUN, YOU FUCKSMACK. Quit trying to pretend anyone who has seen the problems is stupid and you are just so super fucking smart that you avoided it.
You can check the code of your open source OS and firewall for yourself. Even if you aren't able to do this, you still have the fact that far more people have looked at it, and not seen any hidden trojans or backdoors, which means an open source solution is more trustworthy. It doesn't have to be 100% safe to be better, nothing is perfect, and if being perfect were the only way you would use software, you wouldn't use software. In the future, try not to be such a vagina.
It is laughable that M$ is arrogant enough to market a security product, when they can't provide more than rudimentary security for their OS products. ... but it is like hiring a crack-whore to tutor your kids in math.
Are there actually people out there that would buy a security product from M$?? (I guess so.)
It is insulting, though, that M$ wants windoze users to buy yet another product, to reach a level of security that should come with their OS products out of the fucking box. Frankly, I think that it would go a long way towards their public image (at least with the tech/semi-tech crowd) if they included that firewall functionality in their base products.
Offering a security product like this, when their OS security is so infamously lax, is tantamount to saying "We did a half-assed job on our OS, 'cause we knew we could get you to drop more dime after the fact. Yup. That's right. We know how, we just didn't fucking bother. Ha Ha.".
Find me something that -can't- be turned off by another application, if you know how it works?
That's a really lame complaint. If a program has the proper authorities, or can hack the proper authorities, then of course it can stop the operating of another application.
In Unix, they call it "kill".
How many Windows viruses will auto kill your task-window process whenever they see it come up? I bet lots of them. Same deal.
While delousing Windows boxes, I usually find myself downloading the least popular anti-virus programs I can possibly find to do it, because then I am usually able to get it running on the machine without bringing the whole system down.. any good virus would automatically kill norton, mcafee, and other popular virus scanners..
and even if you can't kill the running process, if you have access to change the configuration files, then you can effectively take it down that way as well..
think about your complaints before you make them!
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
You seem to be forgetting this hasn't been released to the 'public'. Public including system/network administrators who (should!) be getting their regular updates from software update services (soon to become windows update services).
The fact is that this was an OEM release, basically for Dell, HP, and the rest of them. Of course this update is going to be easy to streamline onto installs. Of course it is going to be straightforward to turn the update into an unattended install.
There is no doubt documentation on how to do all this, but lo and behold! This is not a public release.
People should reserve their judgement until the final product (for the intended audience!) comes out.
What does anybody think of BlackICE? I find it pretty good, especially since it can detect malware trying to tunnel through IE or any other legit program. But the "outbound protection" is based on a list of trusted programs, and any unknown or modified programs are stopped. It's not based on detection of *outbound* traffic, but it seems like a good approach. Heck, it could detect and stop viruses and spyware from running as well.
"In America, you can always find a party. In Russia, party always finds you."
You are only as strong as your weakest link.
The Windows Firewall may be secure, but how secure is the underlying windows tcp/ip stack, windows itself, etc..
"Software is like sex: it's better when it's free."
The vast majority of computer users -- Windows, Linux, OS X -- lack the knowledge to correctly configure a firewall. They also lack the will and intent to acquire that knowledge. Almost all computer users don't have the foggiest notion of how IP networks function, and will never acquire that knowledge.
Badmouthing Microsoft for rolling out a less-than-perfect firewall is more than a bit hypocritical when much of it comes in the form of kneejerk ritualistic abuse from open source users who couldn't implement a firewall if it involved anything more complicated than selecting "Yes" during their Linux installation.
Insecurity on the network is, in the end, a human problem. Computers do what they're told. The only effective solution is to go after the behavior and the people who cause the insecurity.
-- Slashdot: When Public Access TV Says "No"
http://www.avast.com/
Free as in beer and updates itself automagically.
Knowledge is power. Knowledge shared is power multiplied.
How about "iptables -F" ?
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
I don't recall the article saying you needed to be logged in as an admin for this to work actually.
Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
That's horrible, horrible logic. I'm suppressing lines of cursing and name calling due to that little line you just spouted, because it is just plain stupid to say that. For one, pretty much any program can do anything it pleases if the user has permission to.
What 90% of people forget is that the great majority of users are running Windows in an administrator's permission set. It's just like someone running their Linux box as root. You run a certain program, you're screwed.
Give me root permissions on your unix machine and I'll write a nice little script, not even a program, to do lots of nice little things to your computer.
The one thing that drove me nuts about setting Joe SixPack, Computer Luser, up on a software based firewall is that it would check with them each time their computer tried making an outbound connection to anything. This happens a lot when the software first gets installed; but a dangerous thing happens.
People get rapidly conditioned to click the yes button, to permit the traffic to pass, because they quickly find out that if they click no, something breaks (i.e. IM Client).
What happens is that users become afraid to click no, for fear of breaking something, which effectively negates the integrity of the firewall.
It appears that MS has integrated it pretty well into windows (duh, would you expect anything else?), to allow dynamic opening and closing of ports without having to confirm each connection with the user.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Every time the topic of firewalls comes up I become interested in setting up an old AMD Athlon 1GHz box I have on the shelf as a firewall for the network, but I'm unsure of the best way to accomplish this.
I'm a Linux Newb, and other than playing around with a Mandrake for a few weeks a couple of years ago I have no experience with it.
What is the easiest/best way to set up an extra PC as a firewall in the network? Can I use the same PC as my network file server? Or should the file server always be separate from the firewall?
Are there any FAQs covering this geared towards a Linux newbie?
I'm using sygate firewall (whenever my laptop runs XP and i'm on an unknown network/directly connected to the net), and it has an option "Block all traffic when the service is not loaded."
:) This would at least stop worms from spreading. And if the worm tried to use a socket without disabling the firewall I'd get a message of the access attempt, asking me if i want to let it go through.
It also has an option "allow initial traffic" so it still picks up on DHCP etc.
Using this feature, anything that tries to deactivate it can delete all my files, but can't access the network
Incidentally, anyone know of any open source firewalls for XP? I'd love to be able to add a few features, i.e. spoofing host unreachable messages from my gateway when I block a host.
But then again, i think raw sockets are disabled in SP2. Unless you do the old ICMP ping.dll method AFAIK.
I tried installing Sygate. I'm running IIS under XPSP2. Can't get the web site to host with Sygate, unless I set security to "Allow All". Anyone else have this problem?
...of VBScript code to turn it off:
---------------------
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE
A customised Linux firewall distribution like Smoothwall, ClarkConnect or eSmith would be by far the easiest way for you. They are generally very easy to set up and require little to no Linux experience.
Under some of these distros, the file server can be the same machine, but it is not recommended. Every service you add on the firewall machine increases the risk of a vulnerability. Most of the time you would be fine, but there is still a risk.
The firewall PC can be very low powered - Pentium 100MHz with a 2GB drive or less. Your file server may want to be much higher spec'd.
If it's not good enough, why didn't we all complain during the last 14 or so months when it was still in development.
There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display in your local planning department on Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now.
The angel in the oatmeal.
Half of this was about Symantec and Mcafee complaining about being pushed out of the market. Along with Cisco and Dlink and everyone else that makes hardware firewalls.
This was the most "market friendly" path. Rather than force a bit of fucking CHANGE on the market, MSFT just toes the line and strives to maintain quota.
Whoot for Christopher Columbus, Joan of Arc, and everyone else that turned the place upside down trying to get people to use a better method.
Windows Firewall?
BWAHAHAHAHAHAHAHA!
You so funny!
Chas - The one, the only.
THANK GOD!!!
I don't think WF is lame. Perhaps this time around, Microsoft decided to provide a better firewall just good enough not to kill other personal firewall products sales.
and here's why. If Microsoft gives you a basic port blocker and says "here. this isn't a network level firewall solution, but it will help a little", then it's not their fault that you were 0wned. It's your fault, because you're on a network that doesn't have proper security precautions. If Microsoft gives you a port blocker/firewall with some serious kung-fu, guarantees you're secure, and someone breaks it... then it's Microsoft's fault, 'cause they said it was secure. MS seems to care about its image with regard to security, anyway, which is an improvement...
of course, pcflank.com didn't find anything to worry about on my computer. then again, my computer's a mac... (no, I don't care about karma, do what ya gotta do)
Karma only matters to me now and zen.
all this is pure bull
1) its good enough for the average user
2) when running on an ADMIN account NO SHIT you can turn off a firewall... O M F G
3) blocking outgoing traffic just makes users press ok - true, NOT a problem DAMNIT
4) we aren't the average user, don't complain it's not good enough
5) whine about it taking so long to be released, whine when it is released cause it's not good ~ NICE JOB
"Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again"
Any 3rd party firewall could easily be turned off by another application as well. It would just have to end the process, and there are about 9 different ways to go about that in Windows.
Hikery.net - The best hiking site ever. Made by yours truly.
Having windows provide a firewall is like having a fox watching the hen house. Wonder how many back doors that windows intentionally put into it. Quite lucrative those back doors when you sell the secrets to spammers. Those fools who think they are safe will never know where the stuff is coming from. The best back door will be so transparent that the user/victim never knows it was there or that he/she/it was exploited for someone's commercial gain.
On a practical standpoint, the ICF ignoring ICS is actually a bigger problem. I have in the past seen malware install additional network interfaces and bridge them through the outbound address. That way, even if you turn it on, ICF does absolutely nothing regarding the bridged interface.....
LedgerSMB: Open source Accounting/ERP
Yeah, on Windows all you need is an Administrator account, which is totally not the same thing as a root account.
A lot of people would do opportunistic nastiness, like sending "I am a gay american" e-mail from your account to all your coworkers, but wouldn't do anything unless the opportunity presents itself. Anything that discourages them is good.
COL = ?
Check out the netfilter/iptables documentation. It does not advise using the REJECT target over DROP in most configuration examples. Most examples given use the DROP target, simply dropping packets without a rejection notification. Note that the DENY target is the same as DROP.
I believe that the correct action would be to use a target of "REJECT".
Note that --reject-with icmp-port-unreachable is the default for the REJECT target, so stating it is superfluous.
http://www.netfilter.org/documentation/index.ht
You are correct, but the bad behavior is encouraged everywhere, not just for Windows users.
If you have a GNU/Linux implementation, I encourage you to use the REJECT --reject-with icmp-port-unreachable target to cover your host ports rather than DROP, unless performance or true security reasons prevent you from doing so. Note that LIMITing your replies is probably a good idea at perhaps 10% of the link total bandwidth, or something reasonable.
Corrections to my comments welcome.
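As an added example (not from any poster in this thread), a small Python model of what a probe sees, and how long a legitimate client hangs, under plain RFC 793 behaviour, DROP and REJECT, with a token bucket standing in for the LIMIT on REJECT replies suggested above; it also covers the earlier point that a SYN scan and a connect scan begin with the same packet and so get the same answer. The connect timeout constant is a constructed placeholder.

```python
"""Model of how a TCP port looks to a prober and to a legitimate client
under the filtering policies debated in the thread. Added example; the
timeout value is a constructed placeholder, not a measured stack default."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Constructed placeholder: real stacks retransmit the SYN for tens of seconds
# to minutes before connect() gives up, the "waiting for timeouts" complaint.
CONNECT_TIMEOUT_S = 75.0


class Policy(Enum):
    OPEN = "open"      # a service is listening
    CLOSED = "closed"  # nothing listening; the stack answers RST (RFC 793)
    DROP = "drop"      # firewall discards silently (iptables DROP / pf block drop)
    REJECT = "reject"  # firewall answers ICMP port unreachable (iptables REJECT default)


@dataclass
class ReplyLimiter:
    """Token bucket standing in for '-m limit --limit RATE --limit-burst BURST'
    on the REJECT rule: with no token left the reply is suppressed, i.e. REJECT
    degrades to DROP for that packet, so a flood cannot turn the host into an
    ICMP amplifier."""
    rate: float   # tokens replenished per second
    burst: int    # bucket capacity
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def host_reply(policy: Policy, segment: str = "SYN",
               limiter: Optional[ReplyLimiter] = None, now: float = 0.0) -> Optional[str]:
    """Wire reply to the first segment of a probe; None means silence."""
    if policy is Policy.DROP:
        return None
    if policy is Policy.REJECT:
        if limiter is not None and not limiter.allow(now):
            return None
        return "ICMP port-unreachable"
    if policy is Policy.CLOSED:
        return "RST"  # RFC 793: any segment to a closed port draws a RST
    # OPEN: a SYN is answered SYN/ACK; a stray ACK with no connection draws a RST
    return "SYN/ACK" if segment == "SYN" else "RST"


def classify(reply: Optional[str]) -> str:
    """Scanner verdict from the first reply. Silence and ICMP unreachable are
    both reported as 'filtered'; only a RST means 'closed'."""
    if reply == "SYN/ACK":
        return "open"
    if reply == "RST":
        return "closed"
    return "filtered"


def syn_scan(policy: Policy) -> str:
    return classify(host_reply(policy, "SYN"))


def connect_scan(policy: Policy) -> str:
    # Same first packet as a SYN scan, so the same first reply; the prober's
    # later ACK/RST adds nothing. A port that RSTs one cannot be silent to the other.
    return classify(host_reply(policy, "SYN"))


def client_wait(policy: Policy) -> float:
    """Seconds an RFC-following client hangs before connect() returns.
    RST and ICMP unreachable fail it at once; silence means retransmitting
    until the timer expires."""
    return CONNECT_TIMEOUT_S if host_reply(policy, "SYN") is None else 0.0


def summary() -> dict:
    """policy -> (syn scan verdict, connect scan verdict, client wait in seconds)."""
    return {p.value: (syn_scan(p), connect_scan(p), client_wait(p)) for p in Policy}


if __name__ == "__main__":
    for name, (syn, conn, wait) in summary().items():
        print(f"{name:7} syn_scan={syn:9} connect_scan={conn:9} client_wait={wait:.0f}s")
```

The table shows the trade-off argued about above: DROP hides nothing from a scanner that was not also hidden by REJECT, but it costs every mistaken legitimate client a full timeout.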
Hysterical.
Ouch.
You are correct, but the bad behavior is encouraged everywhere, not just for Windows users.
I'm an OpenBSD and pf user. I don't see it as bad behaviour, since you should typically only be "breaking standards" on packets you should not be receiving anyway.
If you should not receive a particular packet, then why honour it with a polite reply? It is either a mistaken or malicious packet. Unless of course, it is a legitimate tech who should quickly be able to figure out what is going on and be empowered to fix it. If he is not empowered to fix it, then that is a problem with policy (or lack of) or configuration at a more fine grained level. Certainly not the fault of DROP overall.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
You do realize that most standalone "hardware" firewalls are nothing more than embedded systems running *software* (typically Linux) to actually process the packets?
The only true hardware firewalls are the very expensive core router grade devices (mainly from Cisco and Juniper) with specialized circuits (ASICs) to do pattern matching on packets in realtime. Everything else is just marketing spin.
Regardless, the fact that Windows (unlike, say, Mac OS X) promotes being logged in as admin at all times is a security problem.
Has any real testing been done to "prove" that MS screwed up again? All I can see in the article is that the SP2 firewall blocked all attacks pointed at it, which means it actually achieved full frickin score in that category!
About the part of the firewall not "stealthing" some ports, I suppose that's the equivalent of an iptables DROP rule which is highly controversial anyway. What remains is the point that the firewall doesn't police outbound traffic, a "flaw" that a proper virus scanner will gladly make unnecessary. I mean, what do you expect of Microsoft? Block access to their precious ports 135, 137-139 outbound? I don't think so. What they delivered is a valid attempt at defending from blaster-style creepers.
And BTW, I don't like Microsoft. But neither do I like biased whining.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
Obviously so-called "personal firewalls" suffer from a few problems.
They run on the exact machine they are supposed to protect, often under the same user account (since Windows programs often want to run as Administrator, so lots of people have administrator privileges on their "normal" accounts).
Obviously, they can therefore easily be defeated by trojans.
Then there's a few social problems. Having a car with additional security (big crumple zones, ABS, SIPS, airbag, ...) makes some people feel more secure, hence drive less carefully. The same applies to PFWs, especially with users who aren't that knowledgeable in computer security. Those also suffer from the fact that PFWs are often difficult to understand for them, so user error may also contribute to reducing the security provided.
A big point is, PFWs are not trivial to write and test, and often have to run as superuser. This can actually mean that they introduce new security holes.
Free as in mason.
The statement "Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." is just plain incompetent. I love it when people that have never used Windows, or haven't used it in a ton of years, start telling us Windows users what Microsoft goofed on. Well, last time I checked, I was able to turn off Sygate and ZoneAlarm from other applications too. In addition I know of many programs that can start and stop the Linux firewall and the iptables chain too. Webadmin is one of them, if I remember from the days when I used to play around with Linux.
I'm quite happy with all the hotfixes for SP1... so far.
I don't want the "new" MS firewall just yet, though it's cool to have a firewall icon in the config panel.
I want the newly compiled progis, dlls, etc. from the SP2.
I'm using Kerio Personal Firewall and "cbps.exe". cbps.exe is an easy command-line portscanner progi you can get from www.bluebitter.de.
So what I basically do is portscan myself and look for KERIO to ask me if I want to allow the incoming connection. If you do this the first time, you'll be amazed at how many ports are opened by the XP system. Just click for advanced rule and deny incoming and outgoing for said ports.
Finish.
I'm an OpenBSD and pf user. I don't see it as bad behaviour, since you should typically only be "breaking standards" on packets you should not be receiving anyway.
Good point. Is there an RFC for virus behavior?
+++ATHZ 99:5:80
I hope I'm cool enough to talk about a multibillion dollar corporation's highly considered and thoroughly scrutinized implementations as being 'braindead'.
god, won't i be cool then.
Oh do fuck off, you don't think someone might notice the Start menu opening, the Control Panel starting and something clicking around inside a window when they're not the ones doing it? Even the most simple Windows user would notice something was up.
Good point. Is there an RFC for virus behavior?
; ) That's the thing. Malicious people don't always adhere to RFCs and they are quite happy to break them if it helps their activities. So people who are required to protect networks need to make the most appropriate decisions to do so, which might include breaking standards.
If it mostly only hurts the malicious, then that should be an acceptable and appropriate decision.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Your computer clock is wrong!
Yep this is the advertising banner displayed on their homepage, nice very nice.
consider this: if the majority of users were behind a NAT firewall / router, Blaster & Sasser and the likes would never have been so successful and widespread...
I hope I didn't brain my damage.
well, M$ says it's OK to run multiple PFs, but I was told that it is basically a bad idea because "The conflicts happen as they both need kernel drivers to intercept tcp/ip traffic, and they are fighting over the same resource. One firewall will be the 'big dog', and the other firewall will basically get what the first one allows."
same goes for AV software...
I hope I didn't brain my damage.
When I got my (vastly overpriced) Telstra 2-way satellite internet setup going with Windows XP (no Linux drivers available), I paid for ZoneAlarm, and found it to be totally useless. Because of the high latency of the satellite connection, I open lots of pages in new tabs, so that they could load in the background while I read the main page. This usage pattern made ZoneAlarm barf badly - many of the connections for the pages loading in the background would just time out. At first I thought it was just the 2-way satellite drivers screwing up, but I then disabled Zone Alarm and moved to the standard Windows Internet Connection Firewall, and never saw that problem again. So if you only ever have a couple of TCP connections active, maybe ZoneAlarm will not annoy you to death... but it was a dead loss for my situation.
As for Windows ICF being insecure because it lets programs connect outwards, well, that's the way Red Hat 9's firewall came configured by default, too - any complaints there? I had this satellite access WinXP machine attached to the network 12 hours a day for a *whole year*, with *no windows updates*, and it never got 0wned. (Why did it have no updates for that long? It's a bit embarrassing: I eventually found out you have to apply the WinXP compatibility patch to Adobe Type Manager 4.0 (which installed itself with PageMaker 6.5) before you apply WinXP SP1, otherwise things bork big time.)
In summary: As long as you don't let dingbat relatives or friends run IE or Outlook on your machine, Windows ICF is perfectly serviceable.
OTOH, if you're the kind of person who simply must visit random sites with IE, or use Outlook for email, or use MS Office, or gets suckered into installing Gator's weather update craplets, or you have a burning need to download trojan-filled warez, then you need something much more draconian than the standard WinXP ICF. You also need a for-money antivirus software subscription, which I haven't had a need for either.
(And yes, to deflect the obvious retort, I would notice if my machine was compromised... 12 years of Unix sysadmin duties is not lost on me when I use an XP box.)
-Snorbert, somewhere in the antipodes
Really, that sucks. Windoze users will continue to pollute the internet. They will keep being auto-rooted by email bombs and this new "firewall" will let their zombie box spew. The user will remain clueless.
It does point out that Windows responds when certain standard port connections are attempted.
Windoze and "standard" are two words that don't belong together.
I'm too lazy to read an article about an OS I have no intention of running. Would you tell me which ports are still open and how many known exploits there are for M$ junk that listens to them? Thanks, the exercise will do you some good. It will do me some good if you quit deploying windoze.
Friends don't help friends install M$ junk.
The Linux survival knife comes with a cell phone, fits into a shirt button and costs much less than commercial versions and regular shirt buttons. Yes, the retracting monomolecular sword and fusion powered fire starter might be handy in a pinch, but I've never been out of Linux springer rescue and ambulance range. I have one sewn onto every shirt I own. I pity all those wackos I see who lug around those huge pieces of M$ sharpened steel and think they are secure. Their ignorance is a menace to themselves and others.
Friends don't help friends install M$ junk.
Why does windows give regular Joes root access by default.
This is a legacy problem. Most older software installations (and I don't mean ancient, I mean just a couple of years old) have no idea of administrator access. Newer XP-compatible software is starting to address this problem.
I've experienced this, because when I first got my XP box, I discovered the different privilege levels and thought, "Cool! Microsoft has done something right." And then I wondered exactly what you wondered, which was why they give all users administrator access by default. But I went ahead and set up two accounts for myself, one with root access and one without, and I was off and running with my new machine.
I very quickly realized the answer to the question. You see, legacy programs assume that any user can modify any file in the system folders, like C:\Program Files. This, of course, is untrue if you installed the program as root. You will not believe the hoops I had to jump through to get older software to work. I needed to figure out which files were used by the application and individually open up permissions on them by using "CACLS" (Change Access Control Lists, a command that's not documented in XP Home) at the command prompt.
Of course, there were other options I could have followed: just install the program as myself instead of root - but this has the drawback that if I ever made other user-level accounts, they wouldn't be able to use that program; or I could have just given full access to all files and directories for the entire application - but this defeats the purpose of installing as root in the first place. And I was just being pig-headed about keeping a separate root account and user account. Personally, I feel it was worth the effort. But Joe user wouldn't have had the aptitude to even make the effort.
The other option for Microsoft was to immediately obsolete all legacy software and force everyone to upgrade to XP-compatible applications - but this would not have been palatable at all to the consumer public. They would not have been able to sell XP if they'd done that.
Like I said, newer programs expect you to use an administrator account to install programs, and a user account to do your daily work. If you try to install an XP application as an unprivileged user, it will bring up a dialog that lets you temporarily log in as an administrator just to perform the installation. It's actually very nice.
I'm expecting that when enough time has passed and enough applications have made this switch, Microsoft will do all the user education that will be required (and a LOT of education will be required), and switch the default such that user accounts don't have administrator access any more. I don't work at Microsoft, but I'd be willing to bet that this is their plan.
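The CACLS approach the post describes, opening up only the specific files a legacy program writes to rather than the whole application directory, as an added PowerShell example on a current Windows (not the poster's own commands). The application directory and file names are hypothetical; `Modify` on the named files is the equivalent of `cacls <file> /E /G Users:C`.

```powershell
# Added example (not from the original post). Grants the local Users group
# Modify rights on only the files a legacy application actually writes to,
# instead of opening up the whole directory under C:\Program Files.
# Assumptions: the application lives in $AppDir and writes to the files
# listed in $WritableFiles; both are hypothetical names, adjust as needed.
param(
    [string]$AppDir = 'C:\Program Files\LegacyApp',
    [string[]]$WritableFiles = @('settings.ini', 'highscores.dat')
)

$identity = 'BUILTIN\Users'
$rights   = [System.Security.AccessControl.FileSystemRights]::Modify
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($name in $WritableFiles) {
    $path = Join-Path $AppDir $name
    if (-not (Test-Path $path)) {
        Write-Warning "Skipping $path (not found)"
        continue
    }

    # Read the current DACL, add one Allow ACE for Users, write it back.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted Modify on $path to $identity"
}

# Sanity check: no other file under the directory should be writable by Users,
# otherwise the point of installing as an administrator is lost.
$writeBit = [System.Security.AccessControl.FileSystemRights]::Write
Get-ChildItem -Path $AppDir -Recurse -File |
    Where-Object { $WritableFiles -notcontains $_.Name } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $writable = $acl.Access | Where-Object {
            $_.AccessControlType -eq $allow -and
            $_.IdentityReference -eq $identity -and
            (($_.FileSystemRights -band $writeBit) -ne 0)
        }
        if ($writable) { Write-Warning "$($_.FullName) is writable by $identity" }
    }
```

Run it from an administrator prompt after installing the application; the trailing check is what tells you whether some installer has already handed Users write access to the binaries themselves, which is the situation the post is trying to avoid.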
Accountability on the heads of the powerful.
Power in the hands of the accountable.
Quote from PCWorld:
But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company says its own products are locked down in such a way that third-party applications can't disable firewall protection without uninstalling the software.
What Zone Alarm fails to mention is that a third-party application can easily uninstall ZoneAlarm. A simple call to the msiexec utility is all that is required, and it can be done without the user being made aware.
Anyone remember a certain media player bundled with spyware that uninstalled Ad Aware?
This is a big problem because of the piss-poor privilege separation in Windows. With Linux or Mac OS X, you have to re-enter your password to make system changes, either in a GUI widget or at the command line. There isn't anything like sudo for Windows, so it's a pain in the ass not to run as an administrator (no, "run as" does not count, since it doesn't work in the GUI and it's for an account other than your own). Which means that any program you run is going to have super-user privileges. Which means that the next Internet Explorer trojan could turn off your firewall.
The eyes/brain are good at detecting "motion" at the edge of vision. I don't see every packet, but if all other layers of protection fail, I'll notice when my computer becomes a spam-spewing zombie.
One line blog. I hear that they're called Twitters now.
First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'.
The fault is that Windows has shitty privilege separation. You don't see this problem occurring under Linux, BSD or Mac OS X.
All this FUD makes me sick.
All you Microsoft apologists make me sick.
This is a big problem because of the piss-poor privilege separation in Windows.
Well, perhaps it is. But no other Windows firewall software (e.g. the one they are recommending) solves the problem.
no, "run as" does not count, since it doesn't work in the gui
I'm not sure what you mean by that. When I want to run a GUI application as another user, I create a shortcut to it, check the 'run as different user' box and then execute the shortcut. The only problem I have with MS's "run as" implementation is that it doesn't isolate applications from each other via DDE, so it's impossible to bring up an explorer window as another user (or any other app that checks for its existence in another process before starting up). But there are plenty of alternatives to using explorer -- I'll live.
and its for an account other than your own
I don't understand that, sorry. What do you mean?
Quick question for anyone who might be able to give me an answer here -- how do you set XP up to require a secure attention key sequence at login? I've tried setting the Local Security Policy setting "Interactive logon: Do not require CTRL+ALT+DEL" to "Disabled", but that had no effect; I can still log in by clicking on the user name in the list with the mouse and then typing the password. This is too easy to spoof with a fake login screen for my liking, and I would worry about deploying it on any general access machines.
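A check for the situation the question describes, as an added PowerShell example (not from the poster). It assumes two registry locations: that the "Do not require CTRL+ALT+DEL" policy is stored as the DisableCAD value under Policies\System, and that the XP Welcome screen, which skips the secure attention sequence regardless of that policy, is selected by LogonType = 1 under Winlogon. Both paths are stated here as assumptions; the script only reads them.

```powershell
# Added example (not from the original post). Reports whether an interactive
# logon will actually demand the secure attention sequence (CTRL+ALT+DEL).
# Assumptions: DisableCAD under Policies\System carries the
# "Do not require CTRL+ALT+DEL" policy (0 = require, 1 = do not require,
# missing = OS default), and LogonType under Winlogon selects the XP
# Welcome screen (1) versus the classic logon dialog (0).
function Get-SasRequirement {
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $disableCad = (Get-ItemProperty -Path $policyKey -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
    $logonType  = (Get-ItemProperty -Path $winlogonKey -Name LogonType -ErrorAction SilentlyContinue).LogonType

    $welcome = ($logonType -eq 1)
    # Only count SAS as enforced when the policy explicitly requires it AND
    # the Welcome screen is not in use; a missing DisableCAD means the OS
    # default applies, which differs between Windows versions.
    [pscustomobject]@{
        DisableCAD    = $disableCad
        WelcomeScreen = $welcome
        SasEnforced   = (($disableCad -eq 0) -and -not $welcome)
    }
}

$state = Get-SasRequirement
$state | Format-List
if (-not $state.SasEnforced) {
    Write-Warning 'Logon may not require CTRL+ALT+DEL; a fake logon screen could harvest passwords.'
}
```

If the script reports WelcomeScreen = True, the policy setting alone will not help: the Welcome screen has to be turned off (User Accounts, "Change the way users log on or off") before the classic logon dialog, and with it the CTRL+ALT+DEL requirement, comes back.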
Well, perhaps it is. But no other Windows firewall software (e.g. the one they are recommending) solves the problem.
So they do. That doesn't change the veracity of the article, just means that it would have been a better one if they had talked about privilege separation and how it affects security, rather than only focusing on the firewall.
When I want to run a GUI application as another user, I create a shortcut to it, check the 'run as different user' box and then execute the shortcut.
Sure, that works, but it's a big pain which ensures that the vast majority of users will just run as an administrator rather than having to research, make and keep track of esoteric shortcuts.
I don't understand that, sorry. What do you mean?
I mean that "run as" doesn't work like sudo, in that it allows you to re-enter your own password to gain privileges. With "run as", you have to know the password for an administrator account rather than just your own, which can cause more security problems. If you have one machine with a lot of users, how do you keep track of who makes changes to what if there is just one shared admin account that everyone can log in to? Or are you going to have a separate admin account to go with every user account?
I turned off my antivirus to make Doom3 go faster. And just as I was about to get the amulet of yendor from the Zerg on the secret cow level, I got hit by the Sasser worm. Talk about irony.
I guess this is the last time I get to play Doom3 on my boss's computer....
But I do serious work in Linux and BSD, and am on a secure (i.e. totally isolated) network at work, for very good reasons. My Windoze machine is on line for about 40 hours a week, for other reasons, and has not been compromised once since I loaded ZA, some years ago.
I wonder how many trojans are on your machine, and how much damage it is doing, quite illegally, to other people? I bet you don't even know.
I am sick of the problems caused by filesharers, I just wish you would all go away and play with something else which does not damage other people.
He's full of shit.
And how does nmap make the determination that an IP number is for a non-existing machine or for a machine that returns no values, eh?
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Completely agreed, in that most people run everything in the highest privilege level possible within Windows.
Same thing could potentially happen to any system - just as we already all know, it's a lot more likely to happen to a Windows box. But, if some trojan horse program got into a Unix box, and hacked the proper privileges, then all Hell could be broken loose there as well. (like the Robert Morris Internet Worm)
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Ye gods, am I actually posting "MODE PARENT UP"? Yep.
Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.
The software that came with my Kodak digital camera installed some special software called BackWeb to check for updates to its picture viewing software. BackWeb apparently waits for idle CPU and then checks for updates "when you're not using the computer". It doesn't work so great, as whenever I come back to my machine with a coffee it takes 10 seconds for the display to be refreshed due to BackWeb being CPU bound. It appears that it checks for updates many, many times a day, even though there has NEVER been an update become available since I got the camera last year.
Turn off system monitoring (otherwise it'll warn every time a program calls another) and click the "create rule" button when you permit/deny. It'll never ask you again.
Once again the media has managed to throw the insecurity of Microsoft slightly out of whack. Please keep in mind that the Windows Firewall can only be disabled by another process/application LOCALLY. The command(s) {three lines of VBScript code to be exact} cannot be run from a remote console (including from another user with non-administrative privileges on the same computer). With this in mind, the default notification of "blah blah.exe has turned off the firewall for :port" is more of an assistance than a hassle or security flaw.
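The per-profile firewall state that a local administrator-level process can flip, read back through the same interfaces, as an added PowerShell example (not from the commenter). It assumes the XP SP2-era EnableFirewall registry values under FirewallPolicy\<Profile> and the HNetCfg.FwMgr COM object (the object the VBScript the comment alludes to would use), and the later Get-NetFirewallProfile cmdlet where it exists.

```powershell
# Added example (not from the original comment). Reports whether Windows
# Firewall is on, per profile, from three sources. Assumptions: the
# EnableFirewall values under FirewallPolicy\<Profile> and the HNetCfg.FwMgr
# COM object are the XP SP2-era interfaces (a missing EnableFirewall value
# means the default, enabled); Get-NetFirewallProfile is the modern cmdlet.
function Get-FirewallState {
    $result = @()

    # 1. Registry view (XP SP2 and later; the Public profile is newer).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path $base $profile
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
            $result += [pscustomobject]@{ Source = 'Registry'; Profile = $profile; Enabled = ($value -ne 0) }
        }
    }

    # 2. Legacy COM API: the current profile as the firewall manager sees it.
    try {
        $mgr = New-Object -ComObject HNetCfg.FwMgr
        $enabled = [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
        $result += [pscustomobject]@{ Source = 'HNetCfg.FwMgr'; Profile = 'Current'; Enabled = $enabled }
    } catch {
        Write-Warning "HNetCfg.FwMgr not available: $_"
    }

    # 3. Modern cmdlet, where present (Windows 8 / Server 2012 and later).
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | ForEach-Object {
            $result += [pscustomobject]@{ Source = 'Get-NetFirewallProfile'; Profile = $_.Name; Enabled = [bool]$_.Enabled }
        }
    }
    return $result
}

$state = Get-FirewallState
$state | Format-Table -AutoSize
$off = $state | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning "Firewall disabled for: $(($off | ForEach-Object { $_.Profile }) -join ', ')"
}
```

The caveat the thread keeps circling back to applies here too: this runs at the same privilege as anything else the logged-on user launches, so a process that can turn the firewall off can also lie to, or stop, a check like this. It is an audit aid for the case where you got the notification and want to confirm the state, not a protection.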
The NVidia NForce 2 and 3 chipsets have firewalls built-in to the firmware. Dunno how good they are, but hey, can't be worse than Windows firewall.
To activate the firewall in OS X, you have to do this:
1) Open System Preferences
2) Click Sharing
3) Click the Firewall tab
4) Click the Start button to start the firewall.
Yeah. Pretty difficult. =)
The one non-intuitive part is that it's in the sharing prefs, not in the security prefs, at least as of 10.3.4. I heard that this would change, but I'm not sure if that will happen with Tiger or before.
If you need more control, you can use a shareware app like brickhouse or you can tweak ipfw yourself.
It's not offtopic, dumbass. It's orthogonal.