Slashdot Mirror


How Secure is Windows Firewall?

Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.

12 of 620 comments

  1. MS shot themselves in the foot with IE by jrockway · · Score: 4, Interesting

    I think there's a reason for this. If M$ put a good firewall and good virus scanner in XP, they would be using their monopoly position to put third-party anti-virus and firewall software companies out of business. They wouldn't be doing this intentionally, but it doesn't matter. That whole incident with IE fucked them over.

    If M$ could go back a few years, they would see that not putting IE in the OS would have avoided all the anti-trust problems AND made windows more secure. LOL at M$.

    --
    My other car is first.
  2. No outbound blocking by dj245 · · Score: 5, Interesting

    The reason there is no outbound blocking is because XP Firewall is for the average user. Not the average Slashdot user. The average user can't determine whether Claria should be given internet rights or not. We know better.

    So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. Re:SP2 is a security hole in itself. by Monoman · · Score: 3, Interesting

    I ran into a similar flaw with Tiny Firewall (or was it Zone Alarm?).

    The FW app would pop-up automatically to ask the user if they wanted to allow certain traffic the first time it occurred. The problem I found was that there didn't have to be a user logged in.

    This was on a co-worker's machine and so of course while he was out of the office I tried to access his machine. When the FW app prompted with the pop-up, I just told it to always allow my host access to his machine. :-)

    Two problems I figured:

    1. The app should have never prompted when the user was not actively using the system.
    2. The OS should not allow input when there isn't anyone logged in.

    --
    Keep the Classic Slashdot.
  4. Re:SP2 is a security hole in itself. by ChrisKnight · · Score: 4, Interesting

    Yes, I was there, but how difficult would it have been to make the final dialog box before reboot state that the machine needed to reboot, and be logged into the Administrator account to finish the install?

    I am certain there will be office techs who have to install SP2 on more than one machine in a day who will leave the machine unattended while they start the install on others. That means that an office drone could see the reboot dialog, click OK, and wind up being presented with a dialog that changes an administrative setting.

    They took the easy path. The easy path is rarely the secure path. You can't assume that the admin will be there for the reboot unless you inform the admin it is necessary.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
  5. I question their results.. by datajack · · Score: 4, Interesting

    I've never used Windows Firewall (or XP for that matter), but their port scanning results look inconsistent to me. There should not be such a difference between the TCP Connect scan and the TCP SYN scan.

    I want to cover a few definitions that aren't in the article. If they are using different definitions for these terms, they are going to confuse a lot of people (and may be confused themselves).

    1. 'Stealthed' port - yeuch, I don't like that name, but I assume that is where a probe to a port elicits no response from the remote host
    2. 'Closed' port - where the host returns the correct 'not available' response. In the case of TCP, this is a packet with the ACK and RST flags set.
    3. 'Connect Scan' - A port-scan that performs the full three-phase TCP connection handshake. Usually only performed when you don't have rights to perform a SYN scan.
    4. 'SYN Scan' - A port scan that only sends the initial SYN packet of the TCP handshake and bases its result on the response.

    For the 'Connect' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. The 'Closed' ports will have sent back an ACK/RST packet.

    For the 'SYN' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. At this point, the 'SYN' scan is identical to the 'Connect' scan, so the 'closed' ports should have sent back ACK/RST.
    This leads me to believe that either the tester's system was broken, the target system firewall was in a different state during the SYN scan, or there is something really weird going on there.

    As for the 'Turning Off' claim, that appears to be when the user or process has admin rights. As with the ludicrous Trend Anti-Virus 'vulnerability' posted to Bugtraq last week, it's unreasonable to expect software to 'defend' against being reconfigured or turned off by an authorised administrator.


    I've just realised I'm defending M$ here :o
    /me runs & hides
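Added example, not part of datajack's comment or the Flexbeta tests: a small Python model of the two scan types using the definitions above, against a constructed target whose firewall either answers or silently drops the first SYN. It shows why the per-port verdict must come out the same for both scans, since the connect scan only differs after a SYN/ACK has already been received.

```python
from enum import Enum


class Policy(Enum):
    OPEN = "open"      # service listening: SYN is answered with SYN/ACK
    CLOSED = "closed"  # nothing listening: SYN is answered with RST/ACK
    DROP = "drop"      # firewall silently discards the probe (the 'stealthed' case)


# Constructed target (assumption, not a real host): the firewall drops
# everything except two open ports and one closed port.
TARGET = {22: Policy.DROP, 80: Policy.OPEN, 135: Policy.CLOSED, 139: Policy.DROP, 443: Policy.OPEN}


def reply_to_syn(port):
    """The target's answer to the initial SYN; None models 'no response at all'."""
    policy = TARGET.get(port, Policy.DROP)
    return {Policy.OPEN: "SYN/ACK", Policy.CLOSED: "RST/ACK", Policy.DROP: None}[policy]


def classify(reply):
    """Map the first reply onto the terms defined in the comment."""
    if reply is None:
        return "stealthed"
    return "closed" if reply == "RST/ACK" else "open"


def syn_scan(ports):
    """Half-open scan: send SYN, judge from the reply, never finish the handshake."""
    log, results = [], {}
    for p in ports:
        log.append((p, "SYN"))
        results[p] = classify(reply_to_syn(p))
    return results, log


def connect_scan(ports):
    """Full connect scan: identical SYN and identical reply; only an open port gets
    the extra ACK (third handshake step) and a teardown afterwards."""
    log, results = [], {}
    for p in ports:
        log.append((p, "SYN"))
        reply = reply_to_syn(p)
        results[p] = classify(reply)
        if reply == "SYN/ACK":
            log.extend([(p, "ACK"), (p, "RST")])  # complete, then close the connection
    return results, log


def scans_agree(ports):
    """The comment's point: the verdict per port is the same for both scan types."""
    return syn_scan(ports)[0] == connect_scan(ports)[0]
```

The packet logs differ only on open ports (three packets instead of one), so a test that reports different 'stealthed' or 'closed' counts for the two scans points at the tester or at a target whose firewall state changed between runs.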
  6. Re:Zone Alarm? Blech by halowolf · · Score: 3, Interesting

    I've been hunting around for a replacement to ZoneAlarm Pro recently after the complete balls-up that came from upgrading from 4.5 to 5.x. (ZAPro's true vector service would crash, stopping all network activity on my box. It would then take about 10-20 minutes to shut my PC down gracefully to recover).

    Anyway I've been looking through suggestions in these comments to see what comes up most often and trying it out. I have used Kerio before but didn't really like it but I might give Sygate Personal Firewall a go. I don't give much of a crap about privacy features in firewalls anymore as Mozilla basically does most of what I require privacy wise.

  7. Market Comparison: OS X Internet Firewall by CdBee · · Score: 4, Interesting

    Mac OSX has a firewall supplied which does exactly the same - inbound connections only with an option to open ports for file sharing, remote desktop etc... except NOT enabled by default.
    Again, if you're using it for serious stuff you'd add a hardware FW at the network perimeter.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  8. Sort of Missing the Point... by Blic · · Score: 4, Interesting

    For the most part, if you're a savvy user you already have firewall software or are protected in some other fashion. What SP2 is aimed at is the unwashed masses who just have their Best Buy and Walmart boxes directly connected to the Internet with no protection at all.

    If anyone reading Slashdot *needed* SP2 to make their XP system secure you should be ashamed of yourself. =)

    So while it's not perfect, it's a situation where anything helps.

    This also leaves the door open for other vendors who want to provide better or different firewall solutions. Ditto with not adding AV software.

    Remember, unlike Apple and Linux distros MS can't bundle much into their OS unless they want to get dragged back to court...

  9. Re:Stop bitching about 3rd party vendors by ForThePeople · · Score: 3, Interesting

    A firewall should NOT need to be an extra application, it should have been part of the system when it was first conceived.

    How about: a firewall should not be implemented in software on the same PC it's protecting.

    But it sure is cheaper and easier than buying a hardware firewall or buying/setting up a dedicated software firewall.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
  10. Re:SP2 is a security hole in itself. by Anonymous Coward · · Score: 3, Interesting

    Want to know a **REALLY** interesting trick about that screen, now that you mention it?

    Press SHIFT+F10 at that screen. You get a full CMD console...

    EXCEPT as SYSTEM! Not as Administrator, but SYSTEM!!

    Ummm, owned?

  11. Insecurity: A People Problem Tech Won't Solve by reallocate · · Score: 4, Interesting

    The vast majority of computer users -- Windows, Linux, OS X -- lack the knowledge to correctly configure a firewall. They also lack the will and intent to acquire that knowledge. Almost all computer users don't have the foggiest notion of how IP networks function, and will never acquire that knowledge.

    Badmouthing Microsoft for rolling out a less-than-perfect firewall is more than a bit hypocritical when much of it comes in the form of kneejerk ritualistic abuse from open source users who couldn't implement a firewall if it involved anything more complicated than selecting "Yes" during their Linux installation.

    Insecurity on the network is, in the end, a human problem. Computers do what they're told. The only effective solution is to go after the behavior and the people who cause the insecurity.

    --
    -- Slashdot: When Public Access TV Says "No"
  12. Re:Stealth? *ARGGGH* by Kiryat+Malachi · · Score: 3, Interesting

    Honestly, Windows users who are using Windows firewall with 'stealth' mode aren't running anything where they're going to have "users". The only people attempting to reach them are crackers and skiddies.

    As to netops, again, we're not talking core net routers. We're talking leaf nodes, and I'd note that the networks generally diagnose through the physical layer (talking to the cable/DSL modem) and not through the computer.

    For *users*, this is actually a valid thing to do. It's basically a tarpit trap - anything that makes an attacker's mass attacks slow down can't really be viewed as bad if it doesn't interfere with the majority of legit uses.

    --
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)