Slashdot Mirror
How Secure is Windows Firewall?
Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.
Kerio Personal Firewall is much much better.
Why are windows users so obsessed with "stealth"?
It's annoying on two levels, firstly it breaks the requirements of the rfc's leaving other nodes on the network hanging waiting to see of a connection is going to succeed or be rejected, waiting for timeouts isnt fun. secondly, THERE IS ABSOLUTELY NO POINT, it is trivial to find out if there is a node at that address, all sufficiently intelligent scanners can tell if there is a machine there, nmap for example. YES WINDOWS USERS, I'M TALKING TO YOU, get rid of that stealth crap, if there is no machine there the nearest router will return no such host...if there's no icmp from the router, we know that there's a windows user there (of course, we cant determine the operating system of the node, but everyone knows only windows users do this)...
It's pointless, it's only used because having a "stealth" computer sounds cool on proprietory firewall marketing material (would it be so desirable if it were called "filtered"), please turn it off...
With the firewall, and the security center it was using an extra ~20 MB of memory that I need to play Doom3 faster!
If you build it, nerds will come. Soylentnews.org
I've installed SP2 on two machines now. In both cases SP2 had me reboot, and before offering a log-in prompt it presented a screen where I could enable or disable automatic updates. This is an administrative setting, and it should not have presented itself prior to an authenticated login. Sure, it only happens once, but by design it violates secure computing practices.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
While their new XP SP2 firewall is somewhat degraded comared to, say, ZoneAlarm, thats not entirely a bad thing. The new firewall is a step in the right direction, especially being on by default. Not only that, but by not including a "top of the line" firewall in XP, they allow for a market where 3rd parties can still sell firewalls as opposed to being yet another software industry crushed by Microsoft.
I think there's a reason for this. If M$ put a good firewall and good virus scanner in XP, they would be using their monopoly position to put third-party anti-virus and firewall software companies out of business. They wouldn't be doing this intentionally, but it doesn't matter. That whole incident with IE fucked them over.
If M$ could go back a few years, they would see that not putting IE in the OS would have avoided all the anti-trust problems AND made windows more secure. LOL at M$.
My other car is first.
I have run Windows XP Professional since its release. I run my box 24x7 connected to a 2MBit cable connection. I use the Windows firewall and have auto-updates downloaded automatically. I have an ftp port open using the Microsoft/IIS ftp server. I have a port open for remote desktop. It's been this way for 2+ years.My box has never been hacked into.
So, now some wise asses can ask for my IP address, sure. But my point is that by taking just the most basic precautions, you reduce your chance of being hacked to just about nothing.
The new firewall may not be perfect, but it will further reduce the number of easy targets, which is a giant step forward.
Never, ever lose a file again. Ever.
So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Granted, I am ultra-paranoid, but I run a combination. I use the hardware firewall to deal with most inbound attacks, and then I also run a software firewall (Kerio for technical users who understand networking, ZoneAlarm for my father) to keep track of what software on my PC is doing. Really good for stuff like that crappy Real Player that constantly wants to phone home. Also keeps track of executable checksums to let me know if a program has been replaced. Sure, its a bit noisy when setting up the software firewall, but once it was properly configured, I almost never get messages from it that I'm not expecting.
Wait, a commercial firewall developer thinks Microsoft's free firewall isn't up to the challenge? Wow, what a surprise! What if Microsoft had put a full-fledged firewall into SP2? The same companies would be whining about how Microsoft bullied them out of the market.
Save your time - don't bother. It adds absolutely nothing to the body of knowledge. It reports that it blocks all the ports very adequately. It also reports that it doesn't block outgoing connections from your computer! Really? Well that has been common knowledge for the last year. Windows Firewall only blocks incoming connections. This doesn't mean it is less than adequate. It does point out that Windows responds when certain standard port connections are attempted. This is a good compromise, but hardly a hole in the firewall - it is not a hole in a firewall to block connections using certain standard ports. And as for stopping the firewall using another Windows command - absolutely no evidence supplied. FUD!. Windows Firewall is pretty good.
Hi;
The Windows Firewall is probably adequate if you only have a single computer and are connecting to the internet.
It is not built for network (ICS traffic bypasses any ICF filters) and so has absolutely no value for perimeter value.
Like most commercial products from Microsoft, supportability in Windows Firewall is more important than security. If you need security over supportability by Microsoft staff, this is not the product for you. But it is not bad for what it does.
It also has no outbound controls, unlike other personal firewalls. This is a slight issue, but I don't think it is major (what about hijacking IE to make the connections?)
LedgerSMB: Open source Accounting/ERP
"Basic clue about CS -- it's a good thing."
Definitely. And while we're at it, maybe we should send the flexbeta editors a one-line shell script that'll disable the OpenBSD packet filter. I'm sure watching their heads explode would be fun.
What the hell do users expect if they run trojans under admin-accounts... "the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off." Ya think??
My Sig: SEGV
I want to cover a few definitaions that aren't in the article. If they are using different definitions for these terms, they are going to confuse a lot of people (and may be confused themselves).
For the 'Connect' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. The 'Closed' ports will have sent back an ACK/RST packet.
For the 'SYN' scan, the tester will have sent a 'SYN' packet to the port being tested. The 'Stealthed' ports will have sent back no response at all. At this point, the 'SYN' scan is identical to the 'Connect' scan, so the 'closed' ports should have sent back ACK/RST.
This leads me to believe that either the testers system was broken, the target system firewall was in a different state during the SYN scan, or there is something really weird going on there.
As for the 'Turning Off' claim, that appears to be when the user or process has admin rights. As with the ludicrous Trend Anti-Virus 'vulnerability' posted to Bugtraq last week, it's unreasonable to expect software to 'defend' against being reconfigured or turned off by an authorised administrator.
I've just realised I'm defending M$ here
In any event, it's obvious this is not a cure-all since it won't block outgoing connections. But it's still a big improvement and ought to immunize XP users against at least one class of attacks. In fact, coupled with a virus (especially an email virus) scanner it ought to wipe out 99.95% of all Windows desktop compromises. That's a pretty damn big step and we should credit MS for taking it, even if it doesn't go quite as far as we'd like.
It doesn't matter whether you're on Linux, on Windows, or on anything else, a firewall has to be outside the control of the objects it's protecting against. For Windows Firewall to protect against local applications, it would have to be running outside the security permiter around those applications.
I don't care if you're Windows Firewall or Zone Alarm, any settings the user can change an application can also change, because no application that the user runs can have any more rights than the user. Whatever the user interface application does, another application can do as well.
Wrong. The security console, by default, will pop up a warning that the firewall is inactive. I've seen this myself when diabling the firewall for even a single connection. The only way to disable the warning is to turn off firewall status monitoring.
It's incredible how ignorant and misleading this article is.
.NET code), it can do ANYTHING I can do. That includes turning off firewalls.
First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! Zonealarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like
Software running as a non-admin user CANNOT TURN OFF THE FIREWALL. That's all you can expect.
Second, outgoing protection just makes stupid people feel better. Any programmer with a clue can write software that gets around outgoing firewall protection. It took me about 20 minutes with VB (yeah, VB!!!) to write a proof of concept app that is able to do whatever it wants on the net even with Zonealarm installed.
The only way to reliably restrict outgoing communications is at the borders of the network, not on the machine generating the traffic.
All this FUD makes me sick.
Like the advice wilderness survival instructors have about knives. What's the best survival knife? The absolute best? It's the one you have with you. All the others are useless.
Being installed by default is a "feature" more important in real life than any other.
(Yes, I'd run something else in addition).
> Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.
Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.
Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.
The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.
Other firewalls still provided the feature because it figured most malware wouldn't bother detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would be offer zero additional security.
Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.
Contrary to what Flexbeta says, I suggest it's a better idea to first get the new firewall package, disconnect from the internet and then switch the firewall off before installing and initiating the new one.
Switching the firewall off [no matter how weak it is] while connected to the net will open your machine up to all sorts of problems.
For god sakes, what do you expect of them? They are not in this to make slashdotters safer, they know we can defend ourselves just fine. They have a firewall that, while not perfect, is easy enough for the average and new user to use and provides a decent amount of protection. No its not the second coming but I don't think they ever intended it to be. They did what needed to be done and I applaud them for their effort and end product.
MS bashing on here never bothered me until SP2 came out when A LOT of people mainly wrote it off as crap. They did a damn good job this time and a lot of you people should stop bitching about them.
Mac OSX has a firewall supplied which does exactly the same - inbound connections only with an option to open ports for file sharing, remote desktop etc... except NOT enabled by default.
Again, if you're using it for serious stuff you'd add a hardware FW at the network perimeter.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
For the most part, if you're a savvy user you already have firewall software or are protected in some other fashion. What SP2 is aimed at is the unwashed masses who just have their Best Buy and Walmart boxes directly connected to the Internet with no protection at all.
If anyone reading Slashdot *needed* SP2 to make their XP system secure you should be ashamed of yourself. =)
So while it's not perfect, it's a situation where anything helps.
This also leaves the door open for other vendors who want to provide better or different firewall solutions. Ditto with not adding AV software.
Remember, unlike Apple and Linux distros MS can't bundle much into their OS unless they want to get dragged back to court...
Heh, I was just about to reply saying the same thing. Just because Microsoft offers an API to turn off or disable the firewall doesn't mean it's any less secure than just doing what you described. In fact, doing what you described is far easier (or stopping/disabling the service, etc).
Saying it's a bad idea for the reason stated in the write-up is just plain ignorant.
All I know about Bush is I had a good job when Clinton was president.
Is still around 10000000 times better than no firewall.
and the 'doesnt block outbound traffic' flaw everyone's going on about is similarly a good thing, as the PCworld article said:
Microsoft's user testing showed that asking users to approve every application trying to communicate with the Internet tends to backfire.
"If you flood the user with messages like that, they say 'yes' all the time," he says.
Just like making passwords minimum 25 character length won't improve security as people will just write them down. This is good enough for the majority.
Find me something that -can't- be turned off by another application, if you know how it works?
That's a really lame complaint. If a program has the proper authorities, or can hack the proper authorities, then of course it can stop the operating of another application.
In Unix, they call it "kill".
How many Windows viruses will auto kill your task-window process whenever they see it come up? I bet lots of them. Same deal.
While delousing Windows boxes, I usually find myself downloading the least popular anti-virus programs I can possibly find to do it, because then I am usually able to get it running on the machine without bringing the whole system down.. any good virus would automatically kill norton, mcafee, and other popular virus scanners..
and even if you can't kill the running process, if you have access to change the configuration files, then you can effectively take it down that way as well..
think about your complaints before you make them!
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
The vast majority of computer users -- Windows, Linux, OS X -- lack the knowledge to correctly configure a firewall. They also lack the will and intent to acquire that knowledge. Almost all computer users don't have the foggiest notion of how IP networks function, and will never acquire that knowledge.
Badmouthing Microsoft for rolling out a less-than-perfect firewall is more than a bit hypocritical when much of it comes in the form of kneejerk ritualistic abuse from open source users who couldn't implement a firewall if it involved anything more complicated than selected "Yes" during their Linux installation.
Insecurity on the network is, in the end, a human problem. Computers do what they're told. The only effective solution is to go after the behavior and the people who cause the insecurity.
-- Slashdot: When Public Access TV Says "No"
on an interesting note, apparantly, my entire system is 'stealthed' (or at least the first 1056 ports of it are) - yay me. Shields Up thinks this is 'very cool'. I'm inclined to agree, since the only firewall I have running is the built-in Windows firewall. This is a fresh, as-of-yet untweaked version of Windows XP, with only the messenger service turned on, and Shields Up was unable to get any information whatsoever on my machine, excepting a ping reply.
My roommate's computer, which is installed pretty much the same as my own, minus SP2, is reporting all kinds of information - computer name, workgroup, and a ton of open ports - to the ShieldsUp scanner.
I just thought I'd mention that, since the only thing I have installed that could be closing these ports and fixing things up is SP2 and the Firewall.
--Dan