How Secure is Windows Firewall?
Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.
Kerio Personal Firewall is much much better.
They're NAT devices, and the "firewall" is just a side effect. If you want a real firewall, buy a real hardware firewall device, or run something like IPCop on an old computer.
Granted, I am ultra-paranoid, but I run a combination. I use the hardware firewall to deal with most inbound attacks, and then I also run a software firewall (Kerio for technical users who understand networking, ZoneAlarm for my father) to keep track of what software on my PC is doing. Really good for stuff like that crappy Real Player that constantly wants to phone home. Also keeps track of executable checksums to let me know if a program has been replaced. Sure, it's a bit noisy when setting up the software firewall, but once it was properly configured, I almost never get messages from it that I'm not expecting.
Wolverine
::jafomatic
Uh no, welcome to your logical fallacy of the day. The user can turn it off because it comes with a pretty point and clicky window for them to do it with. Applications can turn it off because it comes with a freaking API that lets them do it. The Windows firewall is the kid with a "kick me" sign taped to his back.
"Basic clue about CS -- it's a good thing."
Definitely. And while we're at it, maybe we should send the flexbeta editors a one-line shell script that'll disable the OpenBSD packet filter. I'm sure watching their heads explode would be fun.
What the hell do users expect if they run trojans under admin-accounts... "the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off." Ya think??
My Sig: SEGV
Windoze 9x/ME/2000/XP PC + New high speed cable connection + No firewall + No anti-spyware + No anti-virus + Kazaa = The Killer Combination(TM)!
Seriously folks, get yourself a decent firewall, don't trust Internet Connection Firewall in Windows XP, get anti-virus, get Spybot, and DITCH IE!
The mouse click events can be sent via code, don't be a retard.
But presumably you had to be admin to actually initiate the install of SP2 itself, so the Security Center setup could just be seen as simply being part of the (post-)install procedure itself.
You are doing what MS is doing: you assume too much. You think because you can't possibly know of any other workflow for a given problem (installing SP2) you can make assumptions about how the user will interact with your software.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Wrong. The security console, by default, will pop up a warning that the firewall is inactive. I've seen this myself when disabling the firewall for even a single connection. The only way to disable the warning is to turn off firewall status monitoring.
I'm fairly sure it doesn't do this on machines that are already on a domain.
... but in what it detects as an enterprise environment, it DOES behave *somewhat* correctly.
I installed xpsp2 on three machines in my lab, and none of them presented that. After the reboot, they came right back to the normal login prompt. First login after that was a bit slow (probably doing behind-the-scenes finishing up) but that was it.
I think that the presumption that feature operates under is that either your machine will be on a domain already, or it'll be home users with less predictable privileges who'll likely just click OK on whatever keeps them from getting back to Kazaa and Solitaire.
Not saying it's the "right" thing to do
It should be noted the issue with SP2's presenting users with that "turn on automatic updates" screen was a legal issue, not a technical one. MS originally wanted to just turn auto updates on, and then present the user with the option of turning them off (via Security Center) at the time of the first admin login. However, turning them on in this manner violated laws "in several countries" where SP2 is being distributed, therefore MS chose to do it this way. I'm not defending MS per se, as it would have made more sense to leave them off and then present the first admin login with the Security Center and a blurb similar to the screen, but I just wanted to point out that a legal issue is at the root of the SP2 install weirdness.
And push out the update yourself.
If you really take away admin privileges from your users, you probably also use MS' push system for installing updates. Using this push system means you can not only push the update and not wait the 50 mins, but also you can push the pref which turns on auto updates, no matter what the user selects at that screen.
v4.10 in beta apparently offers a split simple/advance config, with the advanced config being closer to v2.x.
For God's sake, what do you expect of them? They are not in this to make slashdotters safer, they know we can defend ourselves just fine. They have a firewall that, while not perfect, is easy enough for the average and new user to use and provides a decent amount of protection. No, it's not the second coming, but I don't think they ever intended it to be. They did what needed to be done and I applaud them for their effort and end product.
MS bashing on here never bothered me until SP2 came out when A LOT of people mainly wrote it off as crap. They did a damn good job this time and a lot of you people should stop bitching about them.
"I am certain there will be office techs who have to install SP2 on more than one machine in a day who will leave the machine unattended while they start the install on others. That means that an office drone could see the reboot dialog, click OK, and wind up being presented with a dialog that changes an administrative setting."
Install nearly any type of linux, but let's say Mandrake...
(1) Do all the configuration stuff
(2) Choose the software you want
(3) Get several cups of coffee while it spends an hour and a half copying stuff from CDs (or downloading from the web, or compiling...)
(4) Return to find that it's finished, and is prompting you to set your administrator password
Um, let's see, my IP is stealthed, so you know I'm a Windows user, right? Sorry, I'm not. I'm using OS X with the built-in firewall (ipfw), behind a Netgear router/firewall.
Do not speak unless you can improve on the silence.
I'm afraid it does not.... there may be an AD setting that prevents it, but with a 2000 Domain server with a fairly default AD configuration and a fresh install of XP (2600) it does pop up....
I just did it tonight and I had to join the domain to access the install file....
LEARN TO READ. How about trying the fucking program he mentioned, WHICH REQUIRES ADMIN RIGHTS TO RUN YOU FUCKSMACK. Quit trying to pretend anyone who has seen the problems is stupid and you are just so super fucking smart that you avoided it.
Wrong. Process Explorer tells me that the firewall and security center are hosted in the main svchost process, along with 21 other services. With the SharedAccess (firewall) and wscsvc (Security Center) services stopped, that svchost was using 18,872k of private memory. With both of them running, the process was using 19,108k of private memory, a difference of 236k. The services are implemented in DLLs so they are considered shared memory: the Security Center binary (wscsvc.dll) is 80k and the firewall binary (ipnathlp.dll) is 323k. That's a total 639k of memory used by the firewall and security center on my computer (xpsp2). Hardly 20mb.
I'm curious; how did you come up with the 20mb number?
Yes, Kerio 2.1.5 is the best software firewall for Windows, in my opinion. It is still available for download on the official site, although I can't find any links pointing to it. I used it before getting my new Nvidia nForce3 250GB with a firewall on the actual motherboard.
Definitely avoid Zonealarm, whatever you do. It is more bloated and less effective than most alternatives.
According to Microsoft guidelines, you aren't supposed to let privileged services interact directly with the user at any time, except for error message boxes in some cases. You have to go out of your way to make a service interactive; you can override the setting in the services control snap-in: in service properties in the log on tab, clear the 'Allow service to interact with desktop' checkbox. It will be given its own sandbox to create windows in; the user can't see or interact with them. Like it says in the page, you can set the registry value HKLM\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices to 1 to prevent all services from interacting directly. The 'correct' way to do it is to create a client program that uses IPC to communicate with the service; something that would only be running with a logged-on user.
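As an added example (not from any poster in this thread), the two settings mentioned above can be audited from PowerShell: the NoInteractiveServices value under HKLM\SYSTEM\CurrentControlSet\Control\Windows, and the per-service "interact with desktop" flag, which is bit 0x100 (SERVICE_INTERACTIVE_PROCESS) of each service's Type value in the registry. It assumes a Windows host with the standard registry layout and is read-only; the script changes nothing.

```powershell
# Added example, not from the thread: audit interactive-service settings (read-only).
# Assumes the standard HKLM\SYSTEM\CurrentControlSet layout; run elevated for full results.

function Get-NoInteractiveServicesSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $p = Get-ItemProperty -Path $key -Name 'NoInteractiveServices' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (services may still be marked interactive)' }
    return $p.NoInteractiveServices
}

function Get-InteractiveServices {
    # SERVICE_INTERACTIVE_PROCESS = 0x100 in the Type DWORD; this is the bit that the
    # 'Allow service to interact with desktop' checkbox toggles.
    $interactiveBit = 0x100
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and ($p.Type -band $interactiveBit)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Type      = ('0x{0:X}' -f $p.Type)
                Account   = $p.ObjectName      # LocalSystem here means an interactive SYSTEM service
                ImagePath = $p.ImagePath
            }
        }
    }
}

"NoInteractiveServices = $(Get-NoInteractiveServicesSetting)"
"Services flagged as interactive:"
Get-InteractiveServices | Format-Table -AutoSize
```

Any service listed that runs as LocalSystem is exactly the case the post describes: code at the highest local privilege creating windows on the user's desktop. Such entries are worth reviewing, and setting NoInteractiveServices to 1 makes the flag ineffective across the board.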
...of VBScript code to turn it off:
---------------------
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE
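The same HNetCfg.FwMgr object the posted VBScript writes to can be read from, which is how a defender notices that the firewall has been switched off or punched through by some program. The following is an added example (not code from anyone in this thread): a read-only audit of the current profile, its authorized applications and its globally open ports. It assumes the legacy HNetCfg.FwMgr COM interface is present, which is the case on XP SP2 and, for compatibility, on later Windows versions; it changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the XP SP2 firewall profile via
# the HNetCfg.FwMgr COM object (the same object the posted VBScript uses to disable it).

function Get-LegacyFirewallProfile {
    $fwMgr = New-Object -ComObject HNetCfg.FwMgr
    return $fwMgr.LocalPolicy.CurrentProfile   # INetFwProfile
}

function Get-FirewallAuditReport {
    $fwProfile = Get-LegacyFirewallProfile

    $summary = [pscustomobject]@{
        ProfileType           = if ($fwProfile.Type -eq 0) { 'domain' } else { 'standard' }
        FirewallEnabled       = $fwProfile.FirewallEnabled
        ExceptionsNotAllowed  = $fwProfile.ExceptionsNotAllowed   # True = "Don't allow exceptions"
        NotificationsDisabled = $fwProfile.NotificationsDisabled
    }

    # Programs allowed to accept inbound connections (the "Exceptions" tab).
    $apps = foreach ($a in $fwProfile.AuthorizedApplications) {
        [pscustomobject]@{ Program = $a.ProcessImageFileName; Name = $a.Name; Enabled = $a.Enabled; Scope = $a.Scope }
    }

    # Ports opened for every program, not tied to a particular executable.
    $ports = foreach ($p in $fwProfile.GloballyOpenPorts) {
        $proto = if ($p.Protocol -eq 6) { 'tcp' } elseif ($p.Protocol -eq 17) { 'udp' } else { $p.Protocol }
        [pscustomobject]@{ Port = "$($p.Port)/$proto"; Name = $p.Name; Enabled = $p.Enabled; Scope = $p.Scope }
    }

    return [pscustomobject]@{ Summary = $summary; AuthorizedApplications = $apps; GloballyOpenPorts = $ports }
}

$report = Get-FirewallAuditReport
$report.Summary | Format-List
"Authorized applications:"; $report.AuthorizedApplications | Format-Table -AutoSize
"Globally open ports:";     $report.GloballyOpenPorts      | Format-Table -AutoSize

if (-not $report.Summary.FirewallEnabled) {
    Write-Warning 'Firewall is OFF for the current profile'
}
```

Running this on a schedule and diffing the output against a known-good copy turns the "any application can change it" property into something visible: a new authorized application or a flipped FirewallEnabled shows up as a diff, whether a user clicked it or a script did.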
A customised linux firewall distribution like Smoothwall, ClarkConnect or eSmith would be by far the easiest way for you. They are generally very easy to setup and require little to no linux experience.
Under some of these distros, the file server can be the same machine, but it is not recommended. Every service you add on the firewall machine increases the risk of a vulnerability. Most of the time you would be fine, but there is still a risk.
The firewall PC can be very low powered - Pentium 100MHz with a 2GB drive or less. Your file server may want to be much higher spec'd.
EXCEPT as SYSTEM! Not as Administrator, but SYSTEM!!
There is no difference between System and Administrator from the security point of view. They both have full control over the entire OS.
And the Shift+F10 thing works during the GUI part of windows setup, it's not something specific to this particular dialog.
Ntsd is already installed on all NT based systems, and can even be run without showing any UI.
That's not the point though - it all comes down to the fact that if you run a piece of native code then this code has the same privileges as you do. You have full control over what your processes are doing (you can debug your processes, you can inject arbitrary code into them, hide or change any part of their UI etc). So the malware can do all of this as well.
then any and all of those methods should be considered critical security flaws
Well, that's how native code works - any executable you run has the same rights as you do. Unless you restrict yourself to only running managed code (like .NET or Java) there's nothing you can do about it.
on an interesting note, apparently, my entire system is 'stealthed' (or at least the first 1056 ports of it are) - yay me. Shields Up thinks this is 'very cool'. I'm inclined to agree, since the only firewall I have running is the built-in Windows firewall. This is a fresh, as-yet untweaked version of Windows XP, with only the messenger service turned on, and Shields Up was unable to get any information whatsoever on my machine, excepting a ping reply.
My roommate's computer, which is installed pretty much the same as my own, minus SP2, is reporting all kinds of information - computer name, workgroup, and a ton of open ports - to the ShieldsUp scanner.
I just thought I'd mention that, since the only thing I have installed that could be closing these ports and fixing things up is SP2 and the Firewall.
--Dan
Your statement that there's _nothing_ wrong with security through obscurity (whether it's all you got or not) is a very dangerous statement to stand behind, which is why I suspect you posted as an AC.
I have worked for military, top tier financial and law enforcement entities (I am not the AC poster, BTW). In the military, no matter how high your security clearance is, if you don't "need to know" something to carry out the job at hand, then you will not get to know it. If you do need to know it and have a high enough clearance, then you will get to know it. That is a security through obscurity policy that helps to make a nation safer.
If a military satellite communications system uses some hypothetically perfect authentication and encryption, then would there be any good reason to publish to the World the specifications of the control codes? No, there would be no good reason, so it should not be made public, regardless of the fact that the crypto is supposed to be perfect. "More eyes looking at the code" would not be good enough in this instance.
Obscurity techniques that lead to higher security do get used and should get used, because they usually add a layer of security.
The problem here, is that YOU, along with a lot of others around here, think of "security through obscurity" in the same weak light.
Security through weak obscurity is bad. Relying on it is unforgivable.
As I said in another post, passwords and encryption are obscurity methods that can be strong.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
I also note that a lot of M$ programs seem to want to connect somewhere or other, Bill's firewall will allow them to do so, whether you want them to or not. Then there are the trojans which inevitably slip past virus scanners in the time (hours or days) before the virus scanner is updated (even if you do so scrupulously). A firewall blocking outbound connections will stop almost all of these.
The never-ending email spam is largely coming from PCs which have been trojaned, and have no outbound firewall protection. Yours may be one....
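The outbound filtering the poster asks for is something the XP SP2 firewall does not do (it filters inbound traffic only), but the later Windows Firewall with Advanced Security does. As an added example (not from this thread), the following script sets every profile to block outbound connections by default, allows only a listed set of programs plus DNS and DHCP, and turns on logging of dropped packets so a blocked phone-home attempt leaves a record. It assumes Windows 8 / Server 2012 or later with the NetSecurity module; the program path is a placeholder to be replaced, and the function supports -WhatIf for a dry run.

```powershell
# Added example, not from the thread: outbound default-deny with an allow list.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later). Run elevated.

function Add-OutboundAllowRuleOnce {
    param([string]$DisplayName, [hashtable]$RuleArgs)
    # Idempotent: re-running the script must not pile up duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Allow -Profile Any @RuleArgs | Out-Null
    }
}

function Enable-OutboundAllowList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # PLACEHOLDER paths: replace with the executables that legitimately need the network.
        [string[]]$AllowedPrograms = @('C:\PLACEHOLDER\Path\To\browser.exe'),
        [string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    )
    $profiles = 'Domain', 'Private', 'Public'

    # 1. Log blocked connections first, so the effect of the policy can be reviewed.
    if ($PSCmdlet.ShouldProcess('all profiles', 'log blocked connections')) {
        Set-NetFirewallProfile -Profile $profiles -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 32767
    }

    # 2. Allow rules before the default flips, so connectivity is not cut mid-change.
    if ($PSCmdlet.ShouldProcess('DNS and DHCP', 'create outbound allow rules')) {
        Add-OutboundAllowRuleOnce 'Allow outbound: DNS'  @{ Protocol = 'UDP'; RemotePort = 53 }
        Add-OutboundAllowRuleOnce 'Allow outbound: DHCP' @{ Protocol = 'UDP'; RemotePort = 67 }
    }
    foreach ($exe in $AllowedPrograms) {
        if ($PSCmdlet.ShouldProcess($exe, 'create outbound allow rule')) {
            Add-OutboundAllowRuleOnce "Allow outbound: $exe" @{ Program = $exe }
        }
    }

    # 3. Default-deny outbound: anything not listed above, a trojan included, is dropped.
    if ($PSCmdlet.ShouldProcess('all profiles', 'set default outbound action to Block')) {
        Set-NetFirewallProfile -Profile $profiles -DefaultOutboundAction Block
    }

    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

# Preview first, then apply:
Enable-OutboundAllowList -WhatIf
# Enable-OutboundAllowList -AllowedPrograms 'C:\PLACEHOLDER\Path\To\browser.exe'
```

Expect built-in components (Windows Update, time sync, and so on) to need their own allow rules after the default changes; the pfirewall.log DROP lines show exactly which program and destination were blocked, which is also where an unexpected outbound attempt from a freshly installed binary would appear.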
Grandparent already stated this, the router will return ICMP unreachable. If one comes back, then you know nobody is at that IP. If not, then you know your request was delivered and dropped.