Slashdot Mirror


How Secure is Windows Firewall?

Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.

30 of 620 comments

  1. MS shot themselves in the foot with IE by jrockway · · Score: 4, Interesting

    I think there's a reason for this. If M$ put a good firewall and good virus scanner in XP, they would be using their monopoly position to put third-party anti-virus and firewall software companies out of business. They wouldn't be doing this intentionally, but it doesn't matter. That whole incident with IE fucked them over.

    If M$ could go back a few years, they would see that not putting IE in the OS would have avoided all the anti-trust problems AND made windows more secure. LOL at M$.

    --
    My other car is first.
    1. Re:MS shot themselves in the foot with IE by demachina · · Score: 2, Interesting

      Yes but they would have risked Netscape or someone else taking over the client side of interaction with the Internet and increasingly most applications since most applications are moving to a web and browser basis. Netscape had declared its intent to make its client platform independent. It could easily over time have made it irrelevant what your underlying OS was, destroyed Microsoft's monopoly and their stock price.

      Microsoft did exactly what they knew they had to do to head off the gravest threat they faced to their monopoly in the '90s. I wager they have zero regrets. Besides which, the price they've paid in antitrust penalties has been insignificant in both dollars and scrutiny, versus what they won. The Bush administration, being the huge fans of big business they are, gutted the U.S. antitrust decision. The EU appears to be mostly trying to pocket a big paycheck at the expense of the U.S. and maybe wage a futile war on media players. Japan's response remains to be seen. I wager if any foreign government attempts action that is too harsh on Microsoft the Bush administration will endeavor to bribe or intimidate them as necessary to adjust their attitude.

      I'm willing to bet you Microsoft will in fact destroy the third party security software market just like they did browsers and they won't get a whimper of complaint from governments. You see, since 9/11 the fear of cyber terrorist attacks and hacker attacks in general will trump antitrust concerns in a heartbeat. Everyone will say Microsoft HAS to bundle security software to make everyone "safe". The 3rd party vendors, their shareholders and employees will just be unfortunate casualties of the drive to make everyone "safe". Besides, I imagine all the best employees will get job offers from Microsoft anyway. The 3rd party security software shareholders will eventually be screwed and Microsoft's will benefit again, but everyone is used to that by now.

      --
      @de_machina
  2. No outbound blocking by dj245 · · Score: 5, Interesting
    The reason there is no outbound blocking is because XP Firewall is for the average user. Not the average Slashdot user. The average user can't determine whether Claria should be given internet rights or not. We know better.

    So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    1. Re:No outbound blocking by Beryllium+Sphere(tm) · · Score: 2, Interesting

      >The reason there is no outbound blocking is because XP Firewall is for the average user.

      Also because Microsoft's take on security is that once malware is installed it's Game Over. They've got a point. Your computer is the wrong turf on which to fight intruders unless you have a mandatory access control system.

    2. Re:No outbound blocking by Anonymous Coward · · Score: 1, Interesting

      No outbound blocking is just one mistake.

      Download or receive it as spam (insert some malware). Check.
      Execute malware (hell, IE can be told to autoexecute it, or even Outlook Express). Check.
      Malware installs itself, opens a port on the firewall, all this without the user getting something as simple as: Hey dude, this leet warez is trying to open a port. Wanna let it? Yes/No?

      Thanks to "user friendly" garbage, Microsoft once again compromised on security.

  3. Re:SP2 is a security hole in itself. by Monoman · · Score: 3, Interesting

    I ran into a similar flaw with Tiny Firewall (or was it Zone Alarm?).

    The FW app would pop up automatically to ask the user if they wanted to allow certain traffic the first time it occurred. The problem I found was that there didn't have to be a user logged in.

    This was on a co-worker's machine and so of course while he was out of the office I tried to access his machine. When the FW app prompted with the pop-up, I just told it to always allow my host access to his machine. :-)

    Two problems I figured:

    1. The app should have never prompted when the user was not actively using the system.
    2. The OS should not allow input when there isn't anyone logged in.

    --
    Keep the Classic Slashdot.
  4. Re:Home routers aren't really firewalls by techno-vampire · · Score: 2, Interesting

    A router that does port filtering like the Linksys does is more than "just" a NAT device. Not only does it do filtering, my ADSL modem does it, and I use ZA because port filtering in and of itself isn't enough.

    --
    Good, inexpensive web hosting
  5. Re:SP2 is a security hole in itself. by ChrisKnight · · Score: 4, Interesting

    Yes, I was there, but how difficult would it have been to make the final dialog box before reboot state that the machine needed to reboot, and be logged into the Administrator account to finish the install?

    I am certain there will be office techs who have to install SP2 on more than one machine in a day who will leave the machine unattended while they start the install on others. That means that an office drone could see the reboot dialog, click OK, and wind up being presented with a dialog that changes an administrative setting.

    They took the easy path. The easy path is rarely the secure path. You can't assume that the admin will be there for the reboot unless you inform the admin it is necessary.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  6. I question their results.. by datajack · · Score: 4, Interesting
    I've never used Windows Firewall (or XP for that matter), but their port scanning results look inconsistent to me. There should not be such a difference between the TCP Connect scan and the TCP SYN scan.

    I want to cover a few definitions that aren't in the article. If they are using different definitions for these terms, they are going to confuse a lot of people (and may be confused themselves).

    1. 'Stealthed' port - yeuch, I don't like that name, but I assume that is where a probe to a port elicits no response from the remote host
    2. 'Closed' port - where the host returns the correct 'not available' response. In the case of TCP, this is a packet with the ACK and RST flags set.
    3. 'Connect Scan' - A port scan that performs the full three-phase TCP connection handshake. Usually only performed when you don't have rights to perform a SYN scan.
    4. 'SYN Scan' - A port scan that only sends the initial SYN packet of the TCP handshake and bases its result on the response.

    For the 'Connect' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. The 'Closed' ports will have sent back an ACK/RST packet.

    For the 'SYN' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. At this point, the 'SYN' scan is identical to the 'Connect' scan, so the 'closed' ports should have sent back ACK/RST.
    This leads me to believe that either the tester's system was broken, the target system firewall was in a different state during the SYN scan, or there is something really weird going on there.

    As for the 'Turning Off' claim, that appears to be when the user or process has admin rights. As with the ludicrous Trend Anti-Virus 'vulnerability' posted to Bugtraq last week, it's unreasonable to expect software to 'defend' against being reconfigured or turned off by an authorised administrator.


    I've just realised I'm defending M$ here :o
    /me runs & hides
  7. Re:Ports still open? by Yakman · · Score: 2, Interesting

    Actually I was surprised by the Windows Firewall, it wouldn't let my laptop on my wireless subnet connect to my desktop on my wired subnet because by default the SMB ports are restricted to "local subnet only". I had to put in a custom filter that covered both my subnets to let me connect.

  8. Re:SP2 is a security hole in itself. by hillg3 · · Score: 2, Interesting

    It only pops it up if the computer is NOT a member of a domain. If your computer is part of a domain you will NOT see this popup.

  9. Re:Yes, well... by moosesocks · · Score: 1, Interesting

    The fact is that Windows XP requires you to be an administrator to do just about anything.

    This is easily given away by the fact that about 50% of the educational software we use in our schools requires admin rights to run.

    That's right. Kid Pix requires Administrator-level rights or it simply will not run.

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  10. Re:Ignorant and Misleading by siliconjunkie · · Score: 2, Interesting

    Parent sums it up well.

    First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like .NET code), it can do ANYTHING I can do. That includes turning off firewalls.

    Yep. Exactly. Maybe someday it will become standard practice to have Windows set up users at install time as restricted users. I run as restricted at all times, and with the exception of a few items, I simply use "run as" to do any admin chores that are necessary. I don't see why MS couldn't just provide an easier way to "suroot" from a restricted account and be done with 1/2 of the crap that afflicts Windows users who don't know better than to not run as Admin (give it a flash tutorial and a colorful GUI and I think MANY folks out there would get it).

    Second, outgoing protection just makes stupid people feel better.

    Stated harshly (hopefully that won't earn poster a "flamebait", because even though it's harsh, it's true). If you are running a firewall for incoming connections (and yes, Windows Firewall does this job WELL), use A/V and AntiSpyware software, and are reasonably intelligent about installing programs, you don't NEED outgoing protection.

    As far as I'm concerned, why should I waste system resources on outgoing protection that I DON'T NEED? That's why I use the Windows Firewall (and have since it became standard on XP)....and surprise! My machine is spyware,trojan and virus free.

  11. Re:It's Microsoft! by demachina · · Score: 2, Interesting

    Well actually no it won't. They won't dominate the firewall market because they have a deeply felt interest in security, if that's what you meant by changing. They will come to dominate it because it is one area where consumers are still spending billions of dollars that aren't going into Microsoft's pocket. This service pack is just the first step. It's designed to put Symantec, McAfee etc. off guard by putting their toe in the water in the security software market but without being really threatening. Once they dive all the way in they will turn into Jaws.

    I assure you this is already causing massive confusion with people that have a 3rd party firewall now. Will installing this screw it up, how do I turn off Microsoft's, should you turn off the firewall you already have. Should you just not update to SP2 at all. What happens if both are running. It's way too complicated for most users, just like replacing IE with Netscape was. Within a few years all but the most tech savvy will stop buying 3rd party security software and assume Microsoft's is good enough and of course it's free, built in, no hassle, just like IE was.

    What does Microsoft get out of it. Well, they gain control of another large piece of the software market. Go to Walmart and see what's on the shelves: Microsoft XP and Office, 3rd party security software, tax software and games. They will in a couple of years cross off all that 3rd party security software. They can increase the price of Windows and it's still a net win for consumers who are paying less than they do now for Windows and 3rd party security software.

    Security is also great since they can follow in Symantec's footsteps and charge annual fees for update services and get some steady software services revenue that they probably very much want so they can ensure stable revenue as they saturate the OS and office markets, face competition from Linux and still need to grow their revenues to keep the sharks on Wall Street happy.

    --
    @de_machina
  12. Re:Zone Alarm? Blech by halowolf · · Score: 3, Interesting
    I've been hunting around for a replacement to ZoneAlarm Pro recently after the complete balls-up that was made of upgrading from 4.5 to 5.x. (ZAPro's true vector service would crash, stopping all network activity on my box. It would then take about 10-20 minutes to shut my PC down gracefully to recover).

    Anyway I've been looking through suggestions in these comments to see what comes up most often and trying it out. I have used Kerio before but didn't really like it but I might give Sygate Personal Firewall a go. I don't give much of a crap about privacy features in firewalls anymore as Mozilla basically does most of what I require privacy wise.

  13. Market Comparison: OS X Internet Firewall by CdBee · · Score: 4, Interesting

    Mac OSX has a firewall supplied which does exactly the same - inbound connections only with an option to open ports for file sharing, remote desktop etc... except NOT enabled by default.
    Again, if you're using it for serious stuff you'd add a hardware FW at the network perimeter.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  14. Sort of Missing the Point... by Blic · · Score: 4, Interesting

    For the most part, if you're a savvy user you already have firewall software or are protected in some other fashion. What SP2 is aimed at is the unwashed masses who just have their Best Buy and Walmart boxes directly connected to the Internet with no protection at all.

    If anyone reading Slashdot *needed* SP2 to make their XP system secure you should be ashamed of yourself. =)

    So while it's not perfect, it's a situation where anything helps.

    This also leaves the door open for other vendors who want to provide better or different firewall solutions. Ditto with not adding AV software.

    Remember, unlike Apple and Linux distros MS can't bundle much into their OS unless they want to get dragged back to court...

  15. Re:Stop bitching about 3rd party vendors by ForThePeople · · Score: 3, Interesting

    A firewall should NOT need to be an extra application, it should have been part of the system when it was first conceived.

    How about: a firewall should not be implemented in software on the same PC it's protecting.

    But it sure is cheaper and easier than buying a hardware firewall or buying/setting up a dedicated software firewall.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
  16. Re:SP2 is a security hole in itself. by Anonymous Coward · · Score: 3, Interesting

    Want to know a **REALLY** interesting trick about that screen, now that you mention it?

    Press SHIFT+F10 at that screen. You get a full CMD console...

    EXCEPT as SYSTEM! Not as Administrator, but SYSTEM!!

    Ummm, owned?

  17. Microsoft did the right thing by gexen · · Score: 2, Interesting

    Microsoft did the right thing by letting the firewall be turned off by another program. Otherwise, people who install SP2 and already have a firewall would be pretty screwed up. Two software firewalls on the same machine is never a good idea.

    What really pissed me off was the comment that Zone Alarm people gave that a worm could turn off the firewall. OK....A worm could turn off their product too.

    There has also been criticism that the firewall doesn't block outgoing connections. I guarantee you if they did do that, firewall manufacturers and "Type A" slashdot readers would be crying anti-trust.

  18. Closed on connect, but "stealthed"? by RZG · · Score: 2, Interesting

    I don't know how well these people know TCP, but the results they report aren't possible as far as I can see. If the NetBIOS ports report closed on a connect scan (i.e. send a reset in response to the SYN, or a reset to the first ACK), they cannot be "stealthed" against a SYN-only scan, since they would get the reset there too.
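    The point made in this comment and in datajack's comment 6 above (that a connect scan and a SYN scan send the same first SYN and therefore see the same first reply) can be checked with a small model. This is an added example, not code from the Flexbeta article or from either commenter: the Target class is a constructed stand-in for the scanned host plus its firewall, and the port numbers and states are made up for the demonstration.

```python
"""
Added example (not from the article or any commenter): why a TCP connect scan
and a SYN scan must agree on a port's state. Target is a constructed stand-in
for the scanned host and its firewall; ports and states are invented.
"""
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793 layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# 20-byte header: sport, dport, seq, ack, offset+flags, window, checksum, urgent
HEADER_FMT = "!HHIIHHHH"


def build_tcp_header(sport, dport, seq, ack, flags):
    """Minimal TCP header with no options; checksum left zero (never on the wire)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits = 0
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, offset_flags, 8192, 0, 0)


def parse_tcp_header(header):
    if len(header) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, offset_flags, _w, _c, _u = struct.unpack(HEADER_FMT, header[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": offset_flags & 0x1FF}


class Target:
    """Scanned host plus firewall. port_state maps port -> 'open' | 'closed' | 'stealthed'."""

    def __init__(self, port_state):
        self.port_state = port_state
        self.received = []  # every segment that reached the target, for inspection

    def deliver(self, segment):
        seg = parse_tcp_header(segment)
        self.received.append(seg)
        state = self.port_state.get(seg["dport"], "stealthed")
        if state == "stealthed":
            return None  # firewall drops silently: no reply of any kind
        is_syn = bool(seg["flags"] & SYN) and not seg["flags"] & ACK
        if is_syn and state == "closed":
            # no listener: the stack answers RST/ACK (RFC 793) and the firewall lets it out
            return build_tcp_header(seg["dport"], seg["sport"], 0, seg["seq"] + 1, RST | ACK)
        if is_syn and state == "open":
            return build_tcp_header(seg["dport"], seg["sport"], 1000, seg["seq"] + 1, SYN | ACK)
        return None  # ACK/RST/FIN follow-ups get no reply in this model


def classify_reply(reply):
    """Verdict from the reply to the first SYN; nmap calls 'stealthed' 'filtered'."""
    if reply is None:
        return "stealthed"
    flags = parse_tcp_header(reply)["flags"]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def syn_scan(target, port, sport=40000):
    reply = target.deliver(build_tcp_header(sport, port, 100, 0, SYN))
    verdict = classify_reply(reply)
    if verdict == "open":
        # half-open: tear the embryonic connection down instead of completing it
        target.deliver(build_tcp_header(sport, port, 101, 0, RST))
    return verdict


def connect_scan(target, port, sport=40001):
    # identical first probe, so the verdict comes from the same reply as the SYN scan
    reply = target.deliver(build_tcp_header(sport, port, 100, 0, SYN))
    verdict = classify_reply(reply)
    if verdict == "open":
        r = parse_tcp_header(reply)
        target.deliver(build_tcp_header(sport, port, 101, r["seq"] + 1, ACK))  # handshake done
        target.deliver(build_tcp_header(sport, port, 101, r["seq"] + 1, FIN | ACK))
    return verdict


def scan_both(target, ports):
    return {p: (connect_scan(target, p), syn_scan(target, p)) for p in ports}


if __name__ == "__main__":
    t = Target({80: "open", 139: "closed", 445: "stealthed"})
    for port, (c, s) in scan_both(t, [80, 139, 445]).items():
        print(f"port {port}: connect={c} syn={s}")
```

    The only place the two scans differ is what happens after an open port answers SYN/ACK; for a closed port (RST/ACK back) or a stealthed port (nothing back) the verdict is fixed by the first reply, so a result table showing a port closed to one scan and stealthed to the other means the target, or the tool, changed between runs.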

  19. Insecurity: A People Problem Tech Won't Solve by reallocate · · Score: 4, Interesting

    The vast majority of computer users -- Windows, Linux, OS X -- lack the knowledge to correctly configure a firewall. They also lack the will and intent to acquire that knowledge. Almost all computer users don't have the foggiest notion of how IP networks function, and will never acquire that knowledge.

    Badmouthing Microsoft for rolling out a less-than-perfect firewall is more than a bit hypocritical when much of it comes in the form of kneejerk ritualistic abuse from open source users who couldn't implement a firewall if it involved anything more complicated than selecting "Yes" during their Linux installation.

    Insecurity on the network is, in the end, a human problem. Computers do what they're told. The only effective solution is to go after the behavior and the people who cause the insecurity.

    --
    -- Slashdot: When Public Access TV Says "No"
  20. Re:Of course. by Anonymous Coward · · Score: 1, Interesting

    I don't recall the article saying you needed to be logged in as an admin for this to work actually.

  21. Change by Anonymous Coward · · Score: 1, Interesting

    Half of this was about Symantec and McAfee complaining about being pushed out of the market. Along with Cisco and D-Link and everyone else that makes hardware firewalls.

    This was the most "market friendly" path. Rather than force a bit of fucking CHANGE on the market, MSFT just toes the line and strives to maintain quota.

    Whoot for Christopher Columbus, Joan of Arc, and everyone else that turned the place upside down trying to get people to use a better method.

  22. Re:Zone Alarm? Blech by whoever57 · · Score: 2, Interesting
    Maybe Kerio is better than Zone Alarm.

    Microsoft has shown very often that it is king of good enough. Microsoft does not strive to be the best, just good enough to stop the majority of people from searching out and installing alternatives. Microsoft does not strive to satisfy the average /. reader.

    --
    The real "Libtards" are the Libertarians!
  23. god damn bull by opweirdisntit · · Score: 1, Interesting

    all this is pure bull
    1) it's good enough for the average user
    2) when running on an ADMIN account NO SHIT you can turn off a firewall...O M F G
    3) blocking outgoing traffic just makes users press ok - true, NOT a problem DAMNIT
    4) we aren't the average user, don't complain it's not good enough
    5) whine about it taking so long to be released, whine when it is released because it's not good ~ NICE JOB

  24. Not saying MS is great but... by McBeer · · Score: 2, Interesting

    "Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again"

    Any 3rd party firewall could easily be turned off by another application as well. It would just have to end the process and there are about 9 different ways to go about that in Windows.

    --
    Hikery.net - The best hiking site ever. Made by yours truly.
  25. Re:Riiight... by bigberk · · Score: 2, Interesting
    FWIW, the built in firewall is better than the firewall in my router, in that it can open ports based on program, instead of statically keeping them open
    I still prefer keeping the firewall to an independent, stripped down system (definitely not on the same host I'm trying to protect). Linux 2.4 and later, with netfilter (iptables) do support opening up ports dynamically based on program access.
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Simply, default action is to drop packets. But if the packet is part of an established or related connection (i.e. ftp, irc) then the packet is permitted. With iptables you should never just "open up" a range of userland ports, this is an improper firewalling method.
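    A toy model of the two iptables rules quoted in this comment, extended with the scoped exceptions Yakman describes in comment 7 (SMB restricted to "local subnet only", then a custom scope covering two subnets). This is an added example, not netfilter code and not from the article or either commenter: the StatefulFilter class is a simplified stand-in for conntrack plus the INPUT chain, the addresses, subnets and SMB port list are constructed for the demonstration, and RELATED (which needs a protocol helper such as the FTP one) is not modelled.

```python
"""
Added example (not netfilter code, not from the article or any commenter): a
model of '-P INPUT DROP' plus '--state ESTABLISHED,RELATED -j ACCEPT', with
scoped exceptions like Windows Firewall's "local subnet only". Addresses,
subnets and the SMB port list are constructed; RELATED is not modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class AllowRule:
    proto: str
    ports: frozenset
    scope: tuple  # ip_network objects the rule accepts sources from

    def matches(self, pkt):
        if pkt.proto != self.proto or pkt.dport not in self.ports:
            return False
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.scope)


class StatefulFilter:
    def __init__(self, rules=()):
        self.rules = list(rules)
        # conntrack entries: (proto, local_ip, local_port, remote_ip, remote_port)
        self.conntrack = set()

    def outbound(self, pkt):
        # OUTPUT chain left at ACCEPT; conntrack records the flow so the
        # reply matches --state ESTABLISHED on the way back in
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt):
        # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"
        # explicit, scoped exceptions come next (the Windows "Exceptions" tab)
        for rule in self.rules:
            if rule.matches(pkt):
                return "ACCEPT"
        return "DROP"  # -P INPUT DROP: anything unsolicited is dropped silently


SMB_TCP = frozenset({139, 445})
SMB_UDP = frozenset({137, 138})


def smb_rules(scope_cidrs):
    nets = tuple(ipaddress.ip_network(c) for c in scope_cidrs)
    return [AllowRule("tcp", SMB_TCP, nets), AllowRule("udp", SMB_UDP, nets)]


def run_scenario(scope_cidrs):
    """Desktop 192.168.1.10 on the wired subnet, laptop on 192.168.2.0/24 (constructed)."""
    fw = StatefulFilter(smb_rules(scope_cidrs))
    me = "192.168.1.10"
    v = {}
    v["wired_smb"] = fw.inbound(Packet("192.168.1.20", me, "tcp", 49152, 445))
    v["wifi_smb"] = fw.inbound(Packet("192.168.2.5", me, "tcp", 49153, 445))
    v["inet_smb"] = fw.inbound(Packet("203.0.113.7", me, "tcp", 49154, 445))
    # the desktop opens a web connection; the server's reply matches conntrack
    fw.outbound(Packet(me, "198.51.100.1", "tcp", 51000, 80))
    v["web_reply"] = fw.inbound(Packet("198.51.100.1", me, "tcp", 80, 51000))
    # the same server poking an unrelated port: no state, no rule, dropped
    v["web_probe"] = fw.inbound(Packet("198.51.100.1", me, "tcp", 80, 1234))
    return v


if __name__ == "__main__":
    print("local subnet only:", run_scenario(["192.168.1.0/24"]))
    print("both subnets:     ", run_scenario(["192.168.1.0/24", "192.168.2.0/24"]))
```

    With the default scope the laptop on the wireless subnet is dropped at port 445 exactly as Yakman saw; widening the scope to both RFC 1918 subnets admits it while the Internet host is still dropped, and in both cases the web server's reply gets in only because the desktop opened that flow first.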
  26. Re:Stealth? *ARGGGH* by Kiryat+Malachi · · Score: 3, Interesting

    Honestly, Windows users who are using Windows firewall with 'stealth' mode aren't running anything where they're going to have "users". The only people attempting to reach them are crackers and skiddies.

    As to netops, again, we're not talking core net routers. We're talking leaf nodes, and I'd note that the networks generally diagnose through the physical layer (talking to the cable/DSL modem) and not through the computer.

    For *users*, this is actually a valid thing to do. It's basically a tarpit trap - anything that makes an attacker's mass attacks slow down can't really be viewed as bad if it doesn't interfere with the majority of legit uses.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  27. Re:Better than nothing? by Atzanteol · · Score: 2, Interesting

    I see everybody has conveniently ignored the PUTTING IT IN YOUR WALLET bit.

    But on slashdot an entire well spoken argument will be completely ignored if there is a single error somewhere in the middle...

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin