Slashdot Mirror
How Secure is Windows Firewall?
Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.
Why are windows users so obsessed with "stealth"?
It's annoying on two levels, firstly it breaks the requirements of the rfc's leaving other nodes on the network hanging waiting to see of a connection is going to succeed or be rejected, waiting for timeouts isnt fun. secondly, THERE IS ABSOLUTELY NO POINT, it is trivial to find out if there is a node at that address, all sufficiently intelligent scanners can tell if there is a machine there, nmap for example. YES WINDOWS USERS, I'M TALKING TO YOU, get rid of that stealth crap, if there is no machine there the nearest router will return no such host...if there's no icmp from the router, we know that there's a windows user there (of course, we cant determine the operating system of the node, but everyone knows only windows users do this)...
It's pointless, it's only used because having a "stealth" computer sounds cool on proprietory firewall marketing material (would it be so desirable if it were called "filtered"), please turn it off...
As long as the firewall is activated prior to any ports being opened on bootup, it's probably better than nothing. That is, at least the 99% of users that don't understand what a firewall is will be safe.
Help! I'm a slashdot refugee.
Windows will always be insecure. I have tried its firewall and it feels very basic. If you want more protection you should buy a linksys router with a built in firewall that won't hinder your computers performance or bug you while you open your e-mail program. With a hardware solution you will not be as vulnerable as if you were using Windows but there are a few problems.
I've installed SP2 on two machines now. In both cases SP2 had me reboot, and before offering a log-in prompt it presented a screen where I could enable or disable automatic updates. This is an administrative setting, and it should not have presented itself prior to an authenticated login. Sure, it only happens once, but by design it violates secure computing practices.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
While their new XP SP2 firewall is somewhat degraded comared to, say, ZoneAlarm, thats not entirely a bad thing. The new firewall is a step in the right direction, especially being on by default. Not only that, but by not including a "top of the line" firewall in XP, they allow for a market where 3rd parties can still sell firewalls as opposed to being yet another software industry crushed by Microsoft.
I honestly wish the person who approved this article had read through flex aka dodgybeta's article; they concluded on the whole that the firewall stood most tests well - indeed to a comparable level in some areas as Zone Alarm. They only recommended (not that one would really follow their recommendations) against it because Microsoft didn't offer any out-bound monitoring. But wait.. the kind of thing that would be sending stuff out is covered by SP2's security center, which prompts users to get AV!
What were the boys expecting? A corporate level firewall for free? This is Microsoft trying to make good very old problems. It's a good attempt for what it is -of course people should go and get a proper solution. There goes 5 minutes i'll never get back.
The problem is that it can be turned off by another application. Reading comprehension -- it's a good thing.
To my knowlage, any software firewall can be turned off by the users account (or the administrator account, which is probally what people will be running as).
I don't see how this is a "goof" on their part, sinc e any software firewall would have this problem.
Perhaps a bit of thinking should go into your submition before you start to bash Microsoft?
-Termina
The article's website is timing out, but can't you 'turn off' Norton, Zonealarm by simply doing a WM_CLOSE or TerminateProcess anyway?
If the program has managed to make its way onto the host machine, then that is when the firewall isn't doing it's job.
Nothing costs nothing
I have run Windows XP Professional since its release. I run my box 24x7 connected to a 2MBit cable connection. I use the Windows firewall and have auto-updates downloaded automatically. I have an ftp port open using the Microsoft/IIS ftp server. I have a port open for remote desktop. It's been this way for 2+ years.My box has never been hacked into.
So, now some wise asses can ask for my IP address, sure. But my point is that by taking just the most basic precautions, you reduce your chance of being hacked to just about nothing.
The new firewall may not be perfect, but it will further reduce the number of easy targets, which is a giant step forward.
Never, ever lose a file again. Ever.
Wait, a commercial firewall developer thinks Microsoft's free firewall isn't up to the challenge? Wow, what a surprise! What if Microsoft had put a full-fledged firewall into SP2? The same companies would be whining about how Microsoft bullied them out of the market.
Well, if this situation were happening in a *nix-based system, it's likely that turning the firewall off would require a root password. So yes, obviously it requires some hook to turn it off, but one would think it's priviledged and not available for anything/anyone/any app to abuse.
Save your time - don't bother. It adds absolutely nothing to the body of knowledge. It reports that it blocks all the ports very adequately. It also reports that it doesn't block outgoing connections from your computer! Really? Well that has been common knowledge for the last year. Windows Firewall only blocks incoming connections. This doesn't mean it is less than adequate. It does point out that Windows responds when certain standard port connections are attempted. This is a good compromise, but hardly a hole in the firewall - it is not a hole in a firewall to block connections using certain standard ports. And as for stopping the firewall using another Windows command - absolutely no evidence supplied. FUD!. Windows Firewall is pretty good.
Hi;
The Windows Firewall is probably adequate if you only have a single computer and are connecting to the internet.
It is not built for network (ICS traffic bypasses any ICF filters) and so has absolutely no value for perimeter value.
Like most commercial products from Microsoft, supportability in Windows Firewall is more important than security. If you need security over supportability by Microsoft staff, this is not the product for you. But it is not bad for what it does.
It also has no outbound controls, unlike other personal firewalls. This is a slight issue, but I don't think it is major (what about hijacking IE to make the connections?)
LedgerSMB: Open source Accounting/ERP
It's not "LOL at M$", it's "LOL at millions of XP users". Microsoft isn't suffering (I hear they make good bank off their OS), it's the end user who has to put up with poor security.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
Lots of us told lots of people at Microsoft that integrating the MS HTML control in WIndows Explorer was a horrible security risk, way back when they first did it. They also knew that it was likely to cause legal probelms. They still did it, because they believed the danger of an independent application platform (which is how they saw Netscape and Java) was too high to be risked. Even if they had a certified message from Bill Gates 2004 to Bill Gates 1996 about the risks, they would probably still have done the same thing.
Microsoft doesn't care about any problem that doesn't hurt their bottom line. It's rare that any company does: that's just part of being a limited liability corporation. And in 1996 and 1997, security wasn't an issue, it didn't win sales, so they didn't care.
"Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again."
ANY software firewall can be disabled by an application running under Administrator credentials on the same box. Other software vendors may have more obfuscated hooks into the engine than Microsoft's firewall does, but that doesn't mean it can't be done. After all, when you use the UI to disable a firewall, that UI has to be making some API calls to actually set the internal state on or off.
If you aren't running as Administrator, then programs you run (or are tricked into running) can't disable the XPSP2 built-in firewall.
I use ZoneAlarm but it isn't about getting hacked; it's stopping all the crap trying to access the net e.g. Microsoft Intellipoint - no my mouse drivers are not such a fucking priority that I want you checking the web every time I boot.
In any event, it's obvious this is not a cure-all since it won't block outgoing connections. But it's still a big improvement and ought to immunize XP users against at least one class of attacks. In fact, coupled with a virus (especially an email virus) scanner it ought to wipe out 99.95% of all Windows desktop compromises. That's a pretty damn big step and we should credit MS for taking it, even if it doesn't go quite as far as we'd like.
It doesn't matter whether you're on Linux, on Windows, or on anything else, a firewall has to be outside the control of the objects it's protecting against. For Windows Firewall to protect against local applications, it would have to be running outside the security permiter around those applications.
I don't care if you're Windows Firewall or Zone Alarm, any settings the user can change an application can also change, because no application that the user runs can have any more rights than the user. Whatever the user interface application does, another application can do as well.
I agree that if you have to use Windows, you should use TPF. But, make no mistake, you have no way of really knowing for sure that TPF is actually seeing *all* of the connections. Your best setup is to use TPF on Windows, but also have a separate hardware firewall anyway.
You are being MICROattacked, from various angles, in a SOFT manner.
So we all complain that SP2 is taking far too long to come out. Then we complain it's far too complicated to deploy, so we don't install it. Then once we do, we immediately complain it's not good enough.
If it's not good enough, why didn't we all complain during the last 14 or so months when it was still in development.
FWIW, the built in firewall is better than the firewall in my router, in that it can open ports based on program, instead of statically keeping them open. Neither have outbound protection. Since most home users have only the router, if that, I'd say it's a step in the right direction.
Also, keep in mind that adding a full featured ZA-style firewall might risk more anti-trust lawsuits.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
It's incredible how ignorant and misleading this article is.
.NET code), it can do ANYTHING I can do. That includes turning off firewalls.
First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like
Software running as a non-admin user CANNOT TURN OFF THE FIREWALL. That's all you can expect.
Second, outgoing protection just makes stupid people feel better. Any programmer with a clue can write software that gets around outgoing firewall protection. It took me about 20 minutes with VB (yeah, VB!!!) to write a proof of concept app that is able to do whatever it wants on the net even with Zonealarm installed.
The only way to reliably restrict outgoing communications is at the borders of the network, not on the machine generating the traffic.
All this FUD makes me sick.
> Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.
Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.
Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.
The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.
Other firewalls still provided the feature because it figured most malware wouldn't bother detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would be offer zero additional security.
Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.
Contrary to what Flexbeta says, I suggest it's a better idea to first get the new firewall package, disconnect from the internet and then switch the firewall off before installing and initiating the new one.
Switching the firewall off [no matter how weak it is] while connected to the net will open your machine up to all sorts of problems.
I didn't use v4 for long before I went back to v2, but I've switched to Sygate Personal Firewall recently as it (Kerio) for some strange reason started to crash. Sygate's FW is nice and all, but its advanced rules configuration system is still somewhat annoying. For some reason it appers to be impossible to create a rule or set an option that blocks any traffic that isn't explicitly allowed *sigh*.
If you can tell me that Kerio v4 has dropped the horrid user interface, I'll probably have a look at it again.
________
Entranced by anime since late summer 2001 and loving it ^_^
In Linux land most users run apps (esp untrusted ones) as a normal user and not as root. (the obvious exception is lindows which is evil incarnate)
Firewall rules can only be changed as root.
Because of the extensive use of Linux in shell hosting enviroments Linux is fairly robust against local exploits. Windows is still terribly weak to local privlage escilation.
Obviously there are ways around (say sabotaging the users enviroment and tricking them into giving the software root access), but it actually makes things harder on Linux. It's not worth the bother on windows.
Not only does windows have greater need for security measures (due to the allure of a large uninformed userbase) but they continue to lag behind.
For example, SP2 has added nx support... which enables non-executable stacks on Windows but only on some CPUs (which have just started coming out).
Compare this to RedHat Fedora. Since FC1 fedora has had exec-shield. Not only does execshield feature non-exec stack, heap, protection buffer zones, libraries mapped with a 0x00 in their address, address space randomization for all parts of the binary, but it even provides all this on old hardware.
Such patches have been available for Linux outside of distros for years. Solaris has even offered non-exec stack for years.
Microsoft is inexcusably behind.
When will people learn that the contents of your computer may be irrelevant to many viruses and hacks? If the goal of the virus writer is to hijack your machine in order to use it as a spam relay or zombie, you don't have to have anything interesting on your computer at all...the virus will conveniently come with its own interesting stuff to install on your machine!
Is still around 10000000 times better than no firewall.
By using the native System Preferences panel? No, it sure doesn't. But you can write your own firewall rules and load them from the command line or use a 3rd party GUI to configure them. Of course these rules would apply to all programs. To block outgoing connections on a per application basis, you'd have to use Little Snitch
It's not a matter if there's anything good on it, fact is, your box can be used as a platform to do other attacks on other hosts, all without you knowing about it.
When the guys in dark sunglasses and earpeices break down your door because your computer was involved in a break-in to a government computer, you'll wish you had that firewall, gunky or not.
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
Every Microsoft Conf. that I have attended in the last 8 mos has stressed that with the Firewall installed and turned on in a windows XP machine. They strongly recommend running another Firewall appliance in additon to this. Such as ISA or a Hardware solution. Or both. The firewall is designed to supliment your other security measures not replace them. The reason file sharing ports are enabled is because of complaints microsoft had recieved of the firewall breaking netbios.
Find me something that -can't- be turned off by another application, if you know how it works?
That's a really lame complaint. If a program has the proper authorities, or can hack the proper authorities, then of course it can stop the operating of another application.
In Unix, they call it "kill".
How many Windows viruses will auto kill your task-window process whenever they see it come up? I bet lots of them. Same deal.
While delousing Windows boxes, I usually find myself downloading the least popular anti-virus programs I can possibly find to do it, because then I am usually able to get it running on the machine without bringing the whole system down.. any good virus would automatically kill norton, mcafee, and other popular virus scanners..
and even if you can't kill the running process, if you have access to change the configuration files, then you can effectively take it down that way as well..
think about your complaints before you make them!
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
That's horrible, horrible logic. I'm supressing lines of cursing and name calling due to that little line you just spouted because it is just plain stupid to say that. For one, pretty much any program can do anything it pleases if the user has permission to.
What 90% of people forget is that the great majority of users are running windows in an administrator's permission set. It's just like someone running their linux box as root. You run a certian program, you're screwed.
Give me root permissions on your unix machine and I'll write a nice little script, not even a program, to do lots of nice little things to your computer.
The one thing that drove me nuts about setting Joe SixPack, Computer Luser, up on a software based firewall is that it would check with them each time their computer tried making an outbound connection to anything. This happens a lot when the software first gets installed; but a dangerous thing happens.
People get rapidly conditioned to click the yes button, to permit the traffic to pass, because they quickly find out that if they click no, something breaks (i.e. IM Client).
What happens is that users become afraid to click no, for fear of breaking something - which effectivly negates the integrity of the firewall.
It appears that MS has integrated it pretty well into windows (duh, would you expect anything else?), to allow dynamic opening and closing of ports without having to confirm each connection with the user.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Windows? Blech :)
The government which is strong enough to protect you from everything is strong enough to take everything from you.
and here's why. If Microsoft gives you a basic port blocker and says "here. this isn't a network level firewall solution, but it will help a little", then it's not their fault that you were 0wned. It's your fault, because you're on a network that doesn't have proper security precautions. If Microsoft gives you a port blocker/firewall with some serious kung-fu, guarantees you're secure, and someone breaks it... then it's Microsoft's fault, 'cause they said it was secure. MS seems to care about its image with regard to security, anyway, which is an improvement...
of course, pcflank.com didn't find anything to worry about on my computer. then again, my computer's a mac... (no, I don't care about karma, do what ya gotta do)
Karma only matters to me now and zen.
Obviously so-called "personal firewalls" suffer from a few problems.
...) makes some people feel more secure, hence drive less careful. The same applies to PFWs, especially with users who aren't that knowledgeable in computer security. Those also suffer from the fact that PFWs are often difficult to understand for them, so user error may also contribute to reduce the security provided.
They run on the exact machine they are supposed to protect, often under the same user account (since Windows programs often want to run as Administrator, so lots of people have administrator privileges on their "normal" accounts).
Obviously, they can therefore easily be defeated by trojans.
Then there's a few social problems. Having a car with additional security (big crumple zones, ABS, SIPS, airbag,
A big point is, PFWs are not trivial to write and test, and often have to run as superuser. This can actually mean that they introduce new security holes.
Free as in mason.