Slashdot Mirror


Estimating the Time-To-Own of an Unpatched Windows PC

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
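
Both figures in the summary (the ISC's "about 4 minutes" and the German honeypot group's 16-hour average) are survival times: the interval from a sensor going online to the first successful exploit against it. The following Python is added here as an illustration and is not code from the ISC, from honeyblog.org, or from any honeypot project. It computes per-sensor survival time from a constructed event log whose format, sensor names, timestamps and DEPLOY/PROBE/EXPLOIT event kinds are all assumptions for the example, then reports mean, median, and how many sensors were never exploited during the observation (a censored measurement, not a safe host). With only a few sensors one slow exploit drags the mean far above the median, which is one reason a 4-minute figure and a 16-hour figure can both be honest.

```python
"""Survival-time ("time-to-own") computation from honeypot event logs.

Added example, not part of the Slashdot story or the ISC/honeyblog posts it
cites. Log format, sensor names and all events below are constructed.
"""
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log. Assumed format: "<ISO timestamp> <sensor> <kind> [detail]"
# DEPLOY  = sensor brought online with the vulnerable service(s) exposed
# PROBE   = connection attempt that did not trigger an emulated vulnerability
# EXPLOIT = emulated vulnerability triggered, i.e. the moment a real
#           unpatched host would have been owned
SAMPLE_LOG = """\
2008-07-13T10:00:00 sensor-a DEPLOY
2008-07-13T10:01:30 sensor-a PROBE tcp/445
2008-07-13T10:03:55 sensor-a EXPLOIT tcp/135 dcom
2008-07-13T10:05:10 sensor-a EXPLOIT tcp/445 lsass
2008-07-13T10:00:00 sensor-b DEPLOY
2008-07-13T10:09:00 sensor-b PROBE tcp/22
2008-07-14T02:00:00 sensor-b EXPLOIT tcp/445 lsass
2008-07-13T10:00:00 sensor-c DEPLOY
2008-07-13T12:00:00 sensor-c PROBE tcp/80
2008-07-13T10:00:00 sensor-d DEPLOY
2008-07-13T10:07:00 sensor-d EXPLOIT tcp/135 dcom
"""


class Event(NamedTuple):
    ts: datetime
    sensor: str
    kind: str      # DEPLOY, PROBE or EXPLOIT
    detail: str    # free text such as "tcp/445 lsass"


def parse_log(text: str) -> List[Event]:
    """Parse one event per non-empty line; malformed lines raise ValueError."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<ts> <sensor> <kind> [detail]'")
        ts, sensor, kind = parts[:3]
        if kind not in ("DEPLOY", "PROBE", "EXPLOIT"):
            raise ValueError(f"line {lineno}: unknown event kind {kind!r}")
        detail = parts[3] if len(parts) == 4 else ""
        events.append(Event(datetime.fromisoformat(ts), sensor, kind, detail))
    return events


def survival_times(events: List[Event]) -> Dict[str, Optional[float]]:
    """Seconds from DEPLOY to the first EXPLOIT, per sensor.

    A sensor that was deployed but never exploited maps to None: its survival
    time is censored (at least as long as the observation window), not zero
    and not infinite.
    """
    deployed: Dict[str, datetime] = {}
    first_exploit: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):      # events may arrive unordered
        if ev.kind == "DEPLOY":
            deployed.setdefault(ev.sensor, ev.ts)
        elif ev.kind == "EXPLOIT":
            if ev.sensor not in deployed:
                raise ValueError(f"{ev.sensor}: EXPLOIT before DEPLOY")
            first_exploit.setdefault(ev.sensor, ev.ts)  # only the first one counts
    return {
        s: ((first_exploit[s] - deployed[s]).total_seconds() if s in first_exploit else None)
        for s in deployed
    }


def summarize(times: Dict[str, Optional[float]]) -> Dict[str, Optional[float]]:
    """Mean and median over exploited sensors, plus how many were censored."""
    owned = [t for t in times.values() if t is not None]
    return {
        "sensors": len(times),
        "censored": len(times) - len(owned),
        "mean_s": mean(owned) if owned else None,
        "median_s": median(owned) if owned else None,
    }


if __name__ == "__main__":
    t = survival_times(parse_log(SAMPLE_LOG))
    for sensor, secs in sorted(t.items()):
        print(f"{sensor}: {'never exploited (censored)' if secs is None else f'{secs / 60:.1f} min'}")
    print(summarize(t))
```

On the constructed data the median is 7 minutes while the mean is over 5 hours, because sensor-b survived 16 hours; a report that quotes only one of the two numbers, or that silently drops the censored sensor-c, describes the same measurement very differently.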

94 of 424 comments

  1. How is this measured by Lord Lode · · Score: 5, Insightful

    I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?

    1. Re:How is this measured by Spad · · Score: 4, Informative

      I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.

    2. Re:How is this measured by JimboFBX · · Score: 5, Insightful

      The fact your firewall was disabled shows you already did some interaction.

    3. Re:How is this measured by BazilBBrush · · Score: 2, Funny

      How is this statistic measured?

      How long is a piece of string?

      Pretty short in this case...

    4. Re:How is this measured by Alpha Whisky · · Score: 4, Funny

      I'd mod you funny if I had modpoints. I think he probably meant no router/firewall, Microsoft's toy firewall enabled by default in SP2 is about as effective protection as a wet paper bag would be against a rocket propelled grenade. Or for the Slashdot crowd who only understand car analogies, as good a protection as a Ford Pinto crashed into by an express train.

      --
      it's = it is

      its = belonging to it

    5. Re:How is this measured by Gumbercules!! · · Score: 5, Interesting

      I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

      That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....

    6. Re:How is this measured by Opportunist · · Score: 3, Informative

      I did exactly the same kind of "research" (for a documentation about online threats for our local TV network), here is what I did.

      I installed XP SP1 (bear with me, it was the pre-Vista days), the way you got it delivered on a CD. I did nothing else (XP SP1 came without the firewall preinstalled). I turned on a network monitor to document and show what happens. Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

      Time to infection through the RPC hole was less than 2 minutes.

      I did essentially NOTHING to facilitate it (besides, well, not having the machine patched at least to SP2), I just let the machine sit there, connected to the internet.

      In a nutshell, if you're using XP and have one of those SP1 install discs, download SP3 before you kick the system in the gutter, put the service pack on a USB stick or external drive and install it before you connect that machine anywhere.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:How is this measured by BillyGee · · Score: 2, Funny

      FUD much? I think if one gave you a default install XP SP2 to play with remotely, you'd get frustrated oh in about 30 minutes, shrug and go back to WoW.

    8. Re:How is this measured by Mistlefoot · · Score: 5, Informative

      Absolutely. SP2 firewall is enabled by default.

      And from the article: "This older guide was written based on Windows XP pre SP2. One of its main features was step by step instructions on how to enable the Windows XP firewall."

      XP SP2 was released in August of 2004. Why are we talking about 4 year old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.

      Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.

    9. Re:How is this measured by erlando · · Score: 3, Insightful

      Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.

      It could be that there is a lot of pre-SP2 install-disks out there. In the likely event of needing a reinstall you are faced with having to put a pre-SP2 XP on the net to retrieve SP2.

      --
      Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
    10. Re:How is this measured by Mistlefoot · · Score: 2, Insightful

      Actually, Thorsten at http://honeyblog.org/archives/193-Survival-of-the-Fittest.html answers that. He states

      "Yonah, if you read the blog posting things should be more clear: "For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations."

      Thus we did not use native machines, but low-interaction honeypots that emulate different kinds of exploits. You can find more information about these tools at http://nepenthes.mwcollect.org and http://amunhoney.sf.net - hope this helps to understand the results a bit better."

      Nowhere on any of the pages is there any indication that these are Windows exploits, nor was a Windows machine used in this study. According to https://sourceforge.net/projects/amunhoney/ Amun requires Linux.

      Although I've no doubt any unpatched OS has vulnerabilities (hence the patches), could KDawson please point us to the article discussing "Estimating the Time-To-Own of an Unpatched Windows PC", because this article (and none of the links) even mentions Windows.

    11. Re:How is this measured by Anonymous Coward · · Score: 3, Informative

      The best thing to do would be to download and burn an offline SP3 updater on a good PC, and install that before connecting to the net.

      Sadly this is not very well known especially amongst those who need it the most, and MS doesn't go out their way to make it very clear either. So geeks, do your duty and inform those who you suspect could use it.

    12. Re:How is this measured by anomnomnomymous · · Score: 2, Informative

      Don't know if they still give those out, but I have this (free) SP2-update on CD, which I ordered from the MS-site.

      --
      When you shoot a mime, do you use a silencer?
    13. Re:How is this measured by CastrTroy · · Score: 5, Informative

      Because the last OS put out previous to Vista was Windows XP. That's why we are talking about such old software. It's only 1 version behind current. The biggest problem, is that there's a lot of people who have XP discs with no service pack incorporated. When you reinstall from these discs, and try to connect to the internet to download SP2, your computer is owned before you can even download the service pack. That's a major problem.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    14. Re:How is this measured by Gumbercules!! · · Score: 5, Informative

      I know it was pwned because during the installation I got an angry phone call from the Cisco Comms boys, who wanted to know why one of our servers was suddenly flooding the network with traffic matching the signature of the Code Red worm.

      Once the installation finished (now with the cable unplugged), sure enough, the box was infected with Code Red. No doubt because IIS installs by default (set to on) and my leaving the cable in allowed it to get infected.

      I was then embarrassingly the reason for a new policy stating all installations must be done with the network cable unplugged.

    15. Re:How is this measured by Stellian · · Score: 3, Interesting

      Oh please. This is why I love Slashdot. I'm as big of a MS hater as the next guy, but those who ignore MS's progress from the Blaster days are just spewing FUD. A default Windows SP2 installation, with non-executable buffers (DEP) left enabled for core Windows services, running on supporting hardware will not get owned by just sitting on an infected network. I challenge any Slashdotter who thinks otherwise to prove it. Of course, when people start browsing porn sites with the default browser things get tricky, but that's no longer a remote, automated attack.
      TFA counts *ALL* forms of attack. Even scans for obscure webserver or game vulnerabilities, Blaster type scans and ssh brute force attempts. I fail to see how these "attacks" can have any impact on a computer running a fresh install of a recent version of Windows like XP SP2, SP3 or Vista.
      You can argue about security track-record all you like, and talk about why Windows is not secure by design, and how it should not be used for life support systems and ATMs, and I would agree. But this is getting ridiculous.

    16. Re:How is this measured by PopeRatzo · · Score: 4, Funny

      but who has access to two computers at home?

      Everybody who would be reading this article?

      --
      You are welcome on my lawn.
    17. Re:How is this measured by drsmithy · · Score: 2, Insightful

      Is it a problem if you need 4 minutes to install all windows patches and updates?

      It's not a problem at all if you just turn on the firewall that comes with every version of XP, or in pretty much every consumer-level cable/ADSL modem/router.

      It would be interesting to see how long default, unpatched installs of OSes like RH7 and Solaris 8 last as well.

      These sorts of articles are just flamebait. Pretty much any version of Windows XP acquired since 2004 has SP2 integrated, and thus the firewall enabled by default. The vast majority of consumers sit behind NAT routers (at the very least) and firewalls (also common). A completely exposed Windows XP box - much like a completely exposed box running any OS - is a rarity, today.

    18. Re:How is this measured by drsmithy · · Score: 2, Informative

      I don't play WoW. I do, however, run Zonealarm. Now, a fresh Zonealarm install will tell you that loads of Windows services are asking to open ports on to the big bad internet. All of these are open by default on the Mickey Mouse Microsoft firewall, because "they're Microsoft services and none of them could possibly be a security risk".

      No, they're not. A default Windows XP SP2 install doesn't even respond to pings.

    19. Re:How is this measured by drsmithy · · Score: 2, Insightful

      Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

      The average DSL user, at least, is sitting behind a device which at the very least does NAT and probably has a firewall enabled as well.

      It's been some time since I had a cable connection and modem, but I'd be surprised if they weren't the same, these days.

    20. Re:How is this measured by phoenixwade · · Score: 2, Funny

      if everyone was computer savvy like most of us here then there would be hardly any need for The Geek Squad, and others.

      Are you sure there is a need for geek squad? People can steal porn off of computers without professional help....

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    21. Re:How is this measured by Anonymous Brave Guy · · Score: 2, Insightful

      That, and it was on pretty much every magazine cover DVD for months.

      And how many people really don't have access to at least an SP2 DVD anyway? If the average lifetime of a PC is, say, somewhere in the 3–5 year range, then almost all PCs in use today would have come with such a disk.

      This entire article is (-1, Troll). It's like asking the average time to crack an Ubuntu box if you install it with a direct, unfirewalled connection to the Internet, disable all the security settings, and post the root password in your Slashdot sig.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    22. Re:How is this measured by jamesh · · Score: 2, Interesting

      I made a monumental screwup and broke the firewall (iptables on a Linux machine) in such a way that there was no filtering to one of our /24 IP addresses. The IP address belonged to a Windows server running an unpatched version of MSSQL, and Blaster was at its peak. It took no less than 10 seconds from the time I activated the updated (broken) firewall rules to me scratching my head wondering why the router appeared completely dead.

      Blaster had infected the machine within about 10 seconds and the traffic had killed the router (well... not killed, it came back to life when I pulled the plug on the infected machine).

      Fortunately Blaster was memory resident only so there was no lasting damage.

      Of course one infection doesn't prove anything, looking through the firewall logs at the time the average blaster packet per IP address was a few minutes so I think I was just unlucky to have been owned that quickly.

    23. Re:How is this measured by ThatTallGuy · · Score: 2, Insightful

      I'm one of those people who doesn't use a KVM switch. VNC is better because it works on virtual machines as well as physical ones. :D

    24. Re:How is this measured by mysticgoat · · Score: 2, Interesting

      XP SP2 was released in August of 2004. Why are we talking about 4 year old software?

      For people like me, TFA was highly relevant.

      I'm now using Linux (Ubuntu) for more than 95% of my work. But I still have WinXP on dual boot since I've got a couple of image processing workflows in PaintShop Pro that I haven't developed Linux equivalents for as yet, and since my 8 color Canon i9900 only achieves its full potential (13"x17" photorealistic posters) when I use the proprietary Windows driver.

      I have not had to do a re-install of WinXP for more than 5 years. Back then, I re-installed from the original disks, got on the internet, and spent hours downloading and installing patches (and weeks reloading software and tweaking configurations). Had I not read TFA, I would have been using the same approach if WinXP crapped out on me today. I probably would not have noticed that WinXP had gotten pwned in the first few minutes, since I have done 0 none nada Windows installs in the last 5 years. I'm letting that skill set rust away.

      Now I know that the next time WinXP craps out, I need to use Ubuntu to gather up the latest SP and patches and prepare an update disk, then disconnect the network cable before doing the WinXP reinstall.

      So what should I keep in mind as I go scrounging for the latest WinXP SP, etc, from Ubuntu? Remember that I might not need to do this for a couple of years or so (prolly not until the HD that has the WinXP partition dies). Will I run afoul of Genuine Windows Advantage?

      BTW, Ubuntu is a pretty slick platform for 3D modeling. I'm getting reasonably fast renders with a 1.6 MHZ CPU and 1 GB of ram. Much better than what I was getting with WinXP. Some of this would be improvements in Blender, but I'm pretty sure most of the improvement is from the lower overhead of the OS.

    25. Re:How is this measured by ozmanjusri · · Score: 4, Funny

      those who ignore MS's progress from the Blaster days are just spewing FUD.

      Exactly.

      Everybody's long since upgraded to the Storm worm.

      --
      "I've got more toys than Teruhisa Kitahara."
  2. Offline updates by Fallen Andy · · Score: 5, Informative

    For XP/Office/Vista, you owe it to yourself to use the Heise offline updates.

    Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).

    Andy

  3. Re:Doesn't make sense by thona · · Score: 4, Informative

    That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They just scan IP address ranges for computers to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction.

  4. Re:Doesn't make sense by kitgerrits · · Score: 4, Informative

    No, this type of infection is sent to random computers all over the Internet.
    If one computer on the same IP range as you is infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the hard drive.

    Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface.
    You'll be surprised at the stuff you get without asking.

    --
    "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
  5. Re:Um, what version? by Anonymous Coward · · Score: 4, Funny

    Would be interesting to compare with Vista.

    They tried. They ran into some obscure bug with Vista that prevents it from accessing the internet while the machine is powered on.

  6. Typical /. Hypocrisy! by Anonymous Coward · · Score: 5, Funny

    I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.

    1. Re:Typical /. Hypocrisy! by pbhj · · Score: 4, Funny

      Now it turns out that Windows is very fast.

      Kinda like a high priced callgirl...and just as expensive to purchase.

      But you only get to use windows for a couple of hours before you get a virus ... oh, wait ...

  7. Re:Honeynet by jd · · Score: 3, Insightful

    The fact that another Slashdot reader queried my insistence Windows 7 should have better host and network security is proof that there is still rampant ignorance on the subject. The fact that the time-to-pwn has not fallen over the past four years despite "security fixes" and security engines that inconvenience users and break applications is proof that the security methods employed by Microsoft are a failure. The fact that there is virtually nothing mainstream in the Windows world that compares with even the pittance of auditing offered by SARA and TARA is proof that there is no desire to fix this.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. College Network by Anonymous Coward · · Score: 2, Interesting

    I think the Time to Infection on a college network is like... 45 seconds.

  9. Re:Baloney by SurturZ · · Score: 4, Funny

    Fools, don't you know that all you have to do is make sure you scan any flopp

    Buy Viagra Cheap at http://myipaddres/viaga

  10. Re:I have to call BS by Anonymous Coward · · Score: 5, Funny

    I never patch my windows unless its a service pack and I run just fine... Always have my Antivirus running and Windows defender with a router with built-in firewall... No complaints for the 7 years since I built my pc....

    Indeed, your computer is a valued member of our botnet.

  11. That's why you slipstream by Toreo asesino · · Score: 3, Informative

    You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.

    Otherwise, there's WSUS (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).

    (Not that I disagree XP was horribly insecure when it came out)

    --
    throw new NoSignatureException();
  12. Improved odds in XP/2003 SP2 and Vista/2008 by FuegoFuerte · · Score: 5, Interesting

    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").

  13. Re:Doesn't make sense by MadMidnightBomber · · Score: 2, Insightful

    Exactly. It used to be a real problem, and at my uni in 2003 or so, I'd insist everyone built their servers and patched them offline. Some didn't listen to me and got owned during install.

    These days, you turn on the firewall on XP SP2 or 2003 and don't have the problem. (As the OP said, just don't browse the web while you're doing a server install.)

    cheers,

    --
    "It doesn't cost enough, and it makes too much sense."
  14. Based on a.. diary post? by ulash · · Score: 3, Insightful

    The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.

    - (As pointed out already by numerous posters) Which version of Windows are they using?
    - What activity are they using the computer for?
    - Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
    - How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?

    The "piece" raises more questions than the answers it provides.

  15. Re:Baloney by Exitar · · Score: 5, Funny

    Haha, no problem for me with my Linux dis

    Buy Viagra Cheap at http://myipaddres/viaga

  16. Re:I have to call BS by CrackedButter · · Score: 2, Interesting

    I never patch my Mac unless its a point release and I run just fine... never used antivirus or any other program to shield me from the net... no complaints for the 5 year since I owned Mac's.

  17. Re:Um, what version? by IntlHarvester · · Score: 3, Informative

    XP SP2 comes with a firewall on by default. Vista comes with a firewall on by default.

    This only seems interesting if you're installing from your vintage 2001 XP disk.

    --
    Business. Numbers. Money. People. Computer World.
  18. Re:Doesn't make sense by sowth · · Score: 4, Informative

    I'm going to jump in, because I don't think anyone explained this.

    Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like filesharing works: it has a server program which will reply when someone else on the lan broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.

    There could also be vulnerabilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.

    This is in addition to getting infected by visiting a hostile site with an insecure browser.

    I may not have explained this very well, but hopefully you get the idea.

  19. Re:What? by able1234au · · Score: 2, Informative

    How do you know you don't have a virus unless you scan your computer? Even then, if you have a rootkit successfully installed it might be possible for the rootkit to avoid the AV software.

  20. Re:Honeynet by EvanED · · Score: 2, Insightful

    The fact that the time-to-pwn has not fallen over the past four years...

    Pray tell what has happened to the base Windows installation over the past four years? Those security fixes you mention aren't counted in this time, so you can't claim that they aren't contributing to overall security. From the article (sort of) it sounds like this is still the time for XP and not Vista (though since neither the summary nor either linked article actually says, or anything, I'm not sure). So why, exactly, should we have expected the time to decrease?

  21. And these techs tell you... by www.sorehands.com · · Score: 3, Insightful

    These tech people from Comcast or SBC tell you to plug your machine directly. Maybe they work for the people who run botnets?

    A spit on them. They seem to be as incompetent as the 'Geek Squad'

  22. 7 months and counting by petes_PoV · · Score: 3, Informative

    At the end of last year (just before Christmas) I reconfigured an old laptop with W2k/SP4 for use receiving weather satellite pix and acting as a weather station. Since it only has a 150MHz processor and 96MB memory I decided not to include any anti-virus or spam filtering on the box itself. It does sit behind my Netgear DG834GT, which only lets through selected ports - mainly for the benefit of the other machines I run.

    While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted its disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.

    My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  23. Re:Honeynet by neokushan · · Score: 3, Insightful

    How can you say this shows no improvement over the last 4 years when the test subject was an UNPATCHED version of Windows?
    The article wasn't even particularly clear if it was good ol' Vanilla XP or XP SP2 or whatever.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  24. Re:Um, what version? by EvanED · · Score: 3, Informative

    Which is exactly my point. We know those machines get pwned quickly, so why is this news? The /. summary presents it as if it's a current measurement of a current OS and not one that was superseded almost four years ago? (Assuming they are using a pre-SP2 install. Which, since the site doesn't give any actual information, I don't know.)

  25. Re:Baloney by Anonymous Coward · · Score: 2, Funny

    Well, once again, me and my Mac have been proven to be superi

    Buy Viagra Cheap at http://myipaddres/viaga

  26. Re:Honeynet by willyhill · · Score: 3, Insightful

    One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?

    Especially since a $20 Linksys router solves my problems, assuming I'm unable to slipstream service packs or errata or whatever?

    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install? Do I not have to go online to download the errata for that one as well? Or even the new version?

    Even with the larger number of exploits for Windows vs Linux, that doesn't mean there are no exploits for Linux. So I have 20 minutes to download my patches, instead of 5? And that's some sort of median, right? Wow, that sure sounds a lot safer. I hope I make it.

    This "metric" is like measuring how deep a machete can cut into your leg, or how much chlorine bleach you can chug before doubling over. Useful? Sure. Should you try it? Nope. With *any* operating system. Not even with any of the *BSDs, which I tend to trust a hell of a lot more than most Linux distros nowadays.

    Looks like a slow news night for Slashdot, as usual.

    --
    The twitter monologues. Click on my homepage and be amazed.
  27. Re:Time-to-0wn with dumb NAT firewall by totally bogus dude · · Score: 4, Informative

    You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).

    All up, the chances of anything getting through are pretty much negligible.

    The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.

    This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.

    Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.
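
The behaviour this comment describes, as an added example that is not part of the original post and not any router's firmware: a small Python model of an outbound-only NAT with a connection-tracking table. It reproduces the outcomes the comment lists (an unsolicited probe is dropped, a reply to a tracked flow is delivered, a packet from some other host that guesses a public port is dropped) and the UPnP caveat, where a program inside opens a listening port that unsolicited traffic then reaches. All addresses (RFC 5737 test ranges), ports and the UPnP mapping are constructed for the example. The table does endpoint-dependent matching, which is an assumption about the router; a full-cone NAT would skip the remote-endpoint check and case (c) would be easier than the comment suggests.

```python
"""Toy stateful NAT / connection-tracking model.

Added example, not taken from the comment above or from any real router.
Addresses, ports and the UPnP mapping are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Outbound-only NAT: inside hosts create state, outside hosts cannot."""

    def __init__(self, public_ip: str, lan_prefix: str = "192.168.1.") -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self._next_pub_port = 40000
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.conntrack: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, public_port) -> (inside_ip, inside_port); set by UPnP or by hand
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """What a UPnP AddPortMapping request (or a manual rule) does: a hole
        that needs no prior outbound traffic from the inside host."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source and record the flow."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound() expects a packet from the LAN side")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.conntrack.items():
            if (proto, *entry) == flow:          # existing flow: reuse its mapping
                break
        else:                                    # new flow: allocate a public port
            pub_port = self._next_pub_port
            self._next_pub_port += 1
            self.conntrack[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only if the packet answers a tracked flow
        or hits an explicit forward. Everything else is dropped (None)."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.conntrack:
            in_ip, in_port, r_ip, r_port = self.conntrack[key]
            # Endpoint-dependent check (assumption): a host that merely guessed
            # the public port does not match the recorded remote endpoint.
            if (pkt.src_ip, pkt.src_port) == (r_ip, r_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        if key in self.forwards:
            in_ip, in_port = self.forwards[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None                              # unsolicited: dropped


def run_scenario() -> Dict[str, Optional[Packet]]:
    """Four constructed packets against one router; returns what reached the LAN."""
    nat = NatRouter(public_ip="203.0.113.7")
    pc = "192.168.1.10"
    results: Dict[str, Optional[Packet]] = {}
    # 1. A worm scanning the ISP netblock probes the public IP on tcp/135 (RPC).
    results["worm_scan_135"] = nat.inbound(Packet("tcp", "198.51.100.23", 3391, nat.public_ip, 135))
    # 2. The PC fetches a service pack: outbound request, then the server's reply.
    req = nat.outbound(Packet("tcp", pc, 51515, "192.0.2.80", 80))
    results["server_reply"] = nat.inbound(Packet("tcp", "192.0.2.80", 80, nat.public_ip, req.src_port))
    # 3. Another host spoofs a "reply" at the same public port (the comment's case c).
    results["spoofed_reply"] = nat.inbound(Packet("tcp", "198.51.100.23", 80, nat.public_ip, req.src_port))
    # 4. A program on the PC maps tcp/6881 via UPnP; unsolicited traffic now gets in.
    nat.add_forward("tcp", 6881, pc, 6881)
    results["after_upnp_6881"] = nat.inbound(Packet("tcp", "198.51.100.23", 4444, nat.public_ip, 6881))
    return results


if __name__ == "__main__":
    for name, delivered in run_scenario().items():
        print(f"{name:16} -> {'delivered to ' + delivered.dst_ip if delivered else 'dropped'}")
```

The model has no timeouts, no port-overload handling and no ALGs (FTP, SIP), which are exactly where real connection-tracking bugs of the kind the comment's case (b) mentions tend to live; the point it makes is only that without an entry or an explicit forward, an inbound packet has nowhere to go.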

  28. ha! by thatskinnyguy · · Score: 3, Interesting

    4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!

    --
    The game.
  29. Re:Honeynet by ozmanjusri · · Score: 3, Insightful

    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?

    Can you still buy Redhat 8?

    --
    "I've got more toys than Teruhisa Kitahara."
  30. Any OS will get owned post-install by ptashek · · Score: 3, Informative

    It took about 2 minutes the last time I remember this was *accidentally* tested on our /16 network (XP SP2, way down in mid-2006). But this is not a Windows problem per se. Any other OS, in a post-install state, will eventually get compromised. It's just a matter of time. Solution: build + patch + secure offline, then deploy.

  31. Re:... and if you leave your car key in the igniti by Opportunist · · Score: 4, Insightful

    I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.

    The problem is, with the internet, space means nothing. You essentially automatically live in all the worst cities at once; they're all right in front of your doorstep.

    That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.

    Don't feel special, though. They camp in front of everyone else's door at the same time.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  32. Re:Doesn't make sense by Opportunist · · Score: 2, Insightful

    What's cooking here is worms. Those pesky little things that don't wait for you to click on an infected program but use security holes in your RPC to infect you. XP pre-SP2 was notorious for such a security hole, and my firewall logs tell me that such machines are still widely in use on the internet.

    As I stated above, it took less than 2 minutes with SP1 in 2004. I should repeat that test, I wonder if it changed in the past 4 years.

    Bottom line of it all, a router for 20 bucks can already solve that problem if it's configured to drop any incoming packets (which it is by default). An expense of 20 bucks is all that keeps Joe Average from defeating about 99% of today's worms. I know of a few POCs that can actually find ways around this, but so far I'm not aware of any widespread use of any of those.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  33. What does "prior to install" count as? by Cramer · · Score: 2, Informative

    I recall a former boss's computer getting compromised during the installation. It was either NT4 or 2000 server. I'm not sure his disk (most likely an MSDN disk) had any service packs on it. (this was late '03.) It was beyond the firewall, naked on a Bellsouth DSL line.

    I also recall a friend (sysadmin) had his linux (redhat 6.2 maybe) machine compromised within a day of installing it. I don't know if it was within 4min or 16hrs; the next day we noticed it was scanning the network. That was a "naked" workstation on an ISP's core network -- no firewall of any kind. That was 7-8 years ago, and we still kid him about it.

    The T1 at the office was seeing about 100 probes per minute years ago when I cared enough to log all that shit. The DS3 was seeing just as much crap the instant it was turned on a few months ago. (seeing how the morons set up that router (cisco), I wouldn't be surprised if people have broken into it -- with no logging turned on, how would anyone know?!?)

  34. Re:Um, what version? by Computershack · · Score: 5, Insightful

    Which is exactly my point. We know those machines get pwned quickly, so why is this news?

    Because it's about Windows and in the current trend, you don't have to bother on /. with little annoyances like facts and the truth if it's to do with Microsoft - any old shite will do if it is trying to make Microsoft look bad.

    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  35. Re:Baloney by Exitar · · Score: 2, Funny

    Hey, are you hitting on me?!?

  36. It just means your aquarium populates faster now.. by vittal · · Score: 2, Funny
  37. Re:wholesale jewelry by bloodninja · · Score: 3, Funny

    Slashdot the spammers!

    --
    Lock the wife and the dog in the boot of the car.
    Return one hour later.
    Who's happy to see you?
  38. Re:Honeynet by bloodninja · · Score: 5, Funny

    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?

    Can you still buy Redhat 8?

    Can you still buy Windows XP?

    --
    Lock the wife and the dog in the boot of the car.
    Return one hour later.
    Who's happy to see you?
  39. Re:Doesn't make sense by bloodninja · · Score: 2, Funny

    As the OP said, just don't browse the web while you're doing a server install.

    Yeah, let's see YOU install Gentoo without browsing the web.

    --
    Lock the wife and the dog in the boot of the car.
    Return one hour later.
    Who's happy to see you?
  40. Re:another nonsense MS bashing piece by Opportunist · · Score: 3, Interesting

    Considering that the average Linux distro from 5 (or rather, if you want to make a real comparison since they're obviously using XP SP1 to "prove" their point, 7 years) already came with an iptables/ipchains firewall built in and rather few, if any, remotely accessible services running if you don't want them to run (they ask you if you want to have SSH running and yes, should you enable a 7 year old version of SSH then you're vulnerable), I'd think XP would still lose.

    The problem is that even if you KNOW that the RPC is a deadly remote exploit vector in XP, you CANNOT turn it off during install. With Linux, at least I have the option to avoid enabling SSH or other services that I know are no longer safe.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  41. Re:Honeynet by ydrol · · Score: 2, Informative

    But it has SP2 (look at picture).

  42. Re:Doesn't make sense by Stooshie · · Score: 2, Informative

    ... So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? ...

    Yes! Install a firewall and just watch the log file. Your machine is probably scanned around once every 20 seconds by some botnet or other.

    --
    America, Home of the Brave. ... .and the Squaw.
  43. Re:Honeynet by hairyfeet · · Score: 2, Informative

    Considering that one of their "security" links is referencing XP SP1, I would say the data was pretty old. I know we used to hook XP SP2 machines straight in my last shop and after patches always did an online scan and I can't remember the scan ever finding anything. If they want to be taken seriously on the subject, they should list specific service pack, PC specs, and connection used. Then their data would be easily replicable if someone disputed their findings.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  44. How about a VM on NAT in a firewalled host machine by naz404 · · Score: 2, Interesting

    Will this be pwned the same way?

    Say, run an unpatched Win98, Win2k or WinXP VM (VirtualBox or VirtualPC) inside a host box with its own personal firewall.

    Will the firewall protect the VM, or will it be pwned just as fast because it's running on NAT and it's probably just the host VM software that's being monitored by the firewall?

  45. Re:Honeynet by neokushan · · Score: 4, Insightful

    Exactly. Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.
    I'm not even sure what it is they're trying to prove - that Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?

    This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when Windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?
    Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  46. Funny thing is that Zone Alarm has had vulns by George_Ou · · Score: 5, Informative

    Funny thing is that Zone Alarm has had some serious remote exploit vulnerabilities where if you hadn't installed a 3rd party FW into your Windows XP computer, you'd be safe. Here's an example of one http://secunia.com/advisories/10921/. Windows XP, Vista, Server 2003 and 2008 Firewall has been rock solid and secure. You're simply talking out of your ass and you're giving the typical knee jerk reaction against Microsoft products. You do not have a single example of where Windows XP SP2 firewall is vulnerable to a remote exploit and there isn't a single example of hackers getting through it if all ports are closed.

    1. Re:Funny thing is that Zone Alarm has had vulns by KGIII · · Score: 5, Informative

      To add to this I have helped write both the Outpost Personal Firewall and Kaspersky's Anti-Virus application. As the NDA is up I can admit to the latter. Simply put, you're full of shit. (Not the parent but the grandparent. George is right on.) The reality is that if one doesn't try to pretend they are smarter than the system then the Windows firewall works really well at INBOUND protection. Let me state this another way... If you have a clean system AND don't go screwing with the system's settings the Windows firewall will do just fine at getting you online safely. If your OS installation media predates this then you should really look at slipstreaming or a newer OS. Windows firewall sucks at outbound protection, a lot... As for inbound? It is fine and I will happily toss an image and an IP address up to those who disagree [no carrier] (Just kidding of course, it really DOES do the job of inbound protection. Safe hex and JUST the Windows firewall behind a NAT enabled router has served me well for a long time though outside of that I simply use Outpost.)

      --
      "So long and thanks for all the fish."
    2. Re:Funny thing is that Zone Alarm has had vulns by sm62704 · · Score: 2, Insightful

      If you have a clean system AND don't go screwing with the system's settings the Windows firewall will do just fine at getting you online safely

      I'm confused then. If what you say is so, and Microsoft's firewall is rock solid, then how could an unpatched Windows installation be pwned in less than four minutes as the summary says? I guess I need to RTFA (grumble mumble).

      How hard would it be for Microsoft to add a patch CD to the box, or when patches are released to ship patch CDs to retail outlets like Best Buy and Circuit City for their existing stock? AOL used to send me coasters every damned week, why can't Microsoft?

      I spent over a hundred dollars for XP, is it too much to ask for a quality product? My car is six years old, but if a defect crops up they'll do a recall and fix it on their dime. Why can't Microsoft?

      More confusing, why isn't everybody demanding this instead of making excuses for Microsoft? Apple ships millions of computers quarterly, why don't they have these security problems? Are there any Apple or 'nix viruses (not trojans) in the wild?

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    3. Re:Funny thing is that Zone Alarm has had vulns by rabbit994 · · Score: 3, Informative

      Article isn't clear but they didn't say what version of Windows they put on Internet. If you install slipstreamed XP SP2 or greater, the firewall would be on by default and I imagine time to owned would be much higher than 4 minutes. If you put XP no SP on internet, yea, owned in 4 minutes. Server 2003 SP2 R2 locks down all incoming connections till you say go ahead and open them up after install to let you have time to patch.

      As for shipping with patches, they do. All the new Dells at work have been coming with XP SP3 on reinstall CD and there are directions on how to create your own slipstream install CDs. Try googling "XP Slipstream". Ditto for Windows 2003 Server.

      Lastly, they do continue to fix it. Windows Update still has patches for XP as needed. The rate of required patches has slowed down but that's a good thing. They haven't had OMG WE MUST PATCH NOW patch in a while.

       

    4. Re:Funny thing is that Zone Alarm has had vulns by ColaMan · · Score: 3, Funny

      How hard would it be for Microsoft to add a patch CD to the box, or when patches are released to ship patch CDs..... to people that ask nicely for them?

      It seems that it's not that hard, seeing that they already do.

      Your homework for today is to find the link at Microsoft's site that lets you get a copy of the SP3 security update CD mailed to you, and post it below. Extra points if you can write a script that goes through your local phone book and orders a CD for each person.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    5. Re:Funny thing is that Zone Alarm has had vulns by Sancho · · Score: 2, Informative

      From the first bit of the first article:

      The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. ...
      With the help of honeypots, we can measure the survival time. For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations. The average time it takes to download the first binary is an estimation of the survival time: The honeypots emulate known vulnerabilities and are thus exploited by different kinds of autonomous spreading malware - similar to an unpatched system.

      Honestly, this is FUD. They weren't putting a live Windows system on the net, they were putting a honeypot and counting any attack traffic. Default Windows defensive measures (such as the firewall) wouldn't count in this experiment, nor would new OS releases. An unpatched SP2 is a lot more secure, even with the firewall off, than an unpatched SP0.

      How hard would it be for Microsoft to add a patch CD to the box, or when patches are released to ship patch CDs to retail outlets like Best Buy and Circuit City for their existing stock? AOL used to send me coasters every damned week, why can't Microsoft?

      You can request CDs with patches, but I don't know if that includes the whole OS. Microsoft does ship out SP2 to vendors, now, and vendors can slipstream their own patches. Also, if you do a network install, you can slipstream whatever you want.
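      The two definitions quoted above measure different things, which is the point of the "FUD" objection: a sensor report is any unsolicited probe hitting a target address, whereas the honeypot figure is the time until emulated vulnerabilities are actually exploited and a binary arrives. The following is an added example (not code from the thread, from the ISC, or from nepenthes/amun) that computes both figures over constructed timestamps so the difference is visible:

```python
"""Two ways of estimating "survival time" from the definitions quoted in
the thread.  Added example with constructed data; it is not the ISC's or
any honeypot project's code.

Method 1 follows "the average time between reports for an average target
IP address": per target, average the gaps between successive reports,
then average across targets.
Method 2 follows the honeypot definition: average time from deployment to
the first downloaded binary.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import List, Optional, Tuple

# Constructed sensor reports: (target IP, time an unsolicited probe hit it).
REPORTS: List[Tuple[str, datetime]] = [
    ("198.51.100.10", datetime(2008, 7, 14, 0, 0)),
    ("198.51.100.10", datetime(2008, 7, 14, 0, 4)),
    ("198.51.100.11", datetime(2008, 7, 14, 0, 0)),
    ("198.51.100.10", datetime(2008, 7, 14, 0, 8)),
    ("198.51.100.11", datetime(2008, 7, 14, 0, 10)),
    ("198.51.100.10", datetime(2008, 7, 14, 0, 12)),
]

# Constructed honeypot deployments: (deployed at, first malware binary received at).
HONEYPOT_RUNS: List[Tuple[datetime, datetime]] = [
    (datetime(2008, 7, 14, 0, 0), datetime(2008, 7, 14, 4, 0)),
    (datetime(2008, 7, 14, 0, 0), datetime(2008, 7, 14, 14, 0)),
    (datetime(2008, 7, 14, 0, 0), datetime(2008, 7, 15, 6, 0)),
]


def survival_from_reports(reports: List[Tuple[str, datetime]]) -> Optional[float]:
    """Seconds between probes for an average target; None if no target has two reports."""
    by_target = defaultdict(list)
    for ip, when in reports:
        by_target[ip].append(when)
    per_target = []
    for times in by_target.values():
        times.sort()
        if len(times) < 2:
            continue  # a single report yields no inter-report gap
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        per_target.append(mean(gaps))
    return mean(per_target) if per_target else None


def survival_from_honeypots(runs: List[Tuple[datetime, datetime]]) -> float:
    """Seconds from deployment until the first binary is pushed to the honeypot."""
    return mean((first - deployed).total_seconds() for deployed, first in runs)


if __name__ == "__main__":
    probe_gap = survival_from_reports(REPORTS)
    exploit_time = survival_from_honeypots(HONEYPOT_RUNS)
    print(f"mean gap between probes:      {probe_gap / 60:.1f} minutes")
    print(f"mean time to first binary:    {exploit_time / 3600:.1f} hours")
```

With the constructed data the first metric comes out at 7 minutes and the second at 16 hours, the same order-of-magnitude gap the summary reports between the two research groups; a probe only becomes an infection when the target actually runs the service the probe is aimed at, which is why a host with the inbound firewall on is counted by the first method but not by the second.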

    6. Re:Funny thing is that Zone Alarm has had vulns by buswolley · · Score: 3, Interesting

      I'm not quite a newb or anything. But, how do you know if you've been owned? Standard anti-virus checks? Something more difficult to detect?

      --

      A Good Troll is better than a Bad Human.

  47. Best thing to do is have a router with NAT enabled by George_Ou · · Score: 2, Informative

    Best thing to do is have a $20 router with NAT enabled by default. It allows you to share your Internet connection with NAT, automatically log in to your PPPoE account, give you a DHCP server, and give you a safe environment with all inbound ports blocked by default. Most Broadband services come bundled with a router/modem in a single device anyways and it's been a non-issue at least for AT&T DSL users since NAT is enabled by default. A lot of cable providers are also sending out routers with new service.

    I do agree with you that downloading an offline SP3 installer is a good thing though I would suggest that using nLite to slipstream it into a new ISO and CD is the best way to go.

  48. Re:I have to call BS by Raineer · · Score: 3, Insightful

    I never patch my windows unless it's a service pack and I run just fine... Always have my Antivirus running and Windows defender with a router with built-in firewall... No complaints for the 7 years since I built my pc....

    Would you even know if your PC was a Botnet client?

  49. Re:Doesn't make sense by ThePhilips · · Score: 2, Informative

    Wasn't measuring recently.

    In worst times, I had seen one exploit attempt per 10 seconds on average. Since I have seen this all from pov of Linux router/firewall for sub-C net with 30 IPs, the logs were pretty messy and I had to do special script to clean syslog.

    Right now my friend was setting up for himself firewall too and was seeing about 1 exploit attempt per 1-2 minutes.

    That's Windows side.

    On Linux side this isn't much prettier. In past some botnets from South Korea were dumbly scanning whole net trying to probe well known services (ssh, rsh, telnet, mysql, etc) as root with well known passwords. I had something like 20-30 "auth failed" per minute in my syslog. Right now still some botnets try to scan *nix systems with weak passwords continuously. It is not as bad as it was with attack from SK, still I'm not leaving SSH running on port 22 anymore (just in case).

    --
    All hope abandon ye who enter here.
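    Both the "scanned once every 20 seconds" figure in comment 42 and the "one exploit attempt per 10 seconds" and "20-30 auth failed per minute" figures in comment 49 come from reading a firewall or sshd log and dividing. The following is an added example (not the poster's cleanup script) of doing that over syslog: it parses constructed netfilter LOG lines and sshd failures, then reports the mean gap between probes and the noisiest sources and ports. The router name, addresses and timestamps are made up, and the "DROP-IN: " prefix is assumed to come from an iptables rule of the form `iptables -A INPUT -i eth0 -j LOG --log-prefix "DROP-IN: "`.

```python
"""Count unsolicited inbound probes in syslog and turn them into a rate.

Added example with constructed log lines; the host, addresses and
times are invented and the "DROP-IN: " prefix is an assumed LOG rule prefix.
"""
import re
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple

SAMPLE_SYSLOG = """\
Jul 14 10:00:03 router kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=4422 DPT=135
Jul 14 10:00:21 router kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=4423 DPT=135
Jul 14 10:00:40 router kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=1337 DPT=445
Jul 14 10:01:05 router sshd[2311]: Failed password for root from 192.0.2.99 port 51022 ssh2
Jul 14 10:01:09 router sshd[2313]: Failed password for invalid user admin from 192.0.2.99 port 51030 ssh2
Jul 14 10:01:58 router kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=4424 DPT=135
Jul 14 10:02:30 router cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog: "Mon DD HH:MM:SS host message" with no year.
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<rest>.*)$")
NETFILTER_DROP = re.compile(r"DROP-IN: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)")


class Event(NamedTuple):
    when: datetime
    kind: str      # "firewall_drop" or "ssh_auth_fail"
    src: str
    dport: int


def parse_events(text: str, year: int = 2008) -> List[Event]:
    """Extract probe events; syslog carries no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        nf = NETFILTER_DROP.search(m["rest"])
        if nf:
            events.append(Event(when, "firewall_drop", nf["src"], int(nf["dpt"])))
            continue
        sf = SSHD_FAIL.search(m["rest"])
        if sf:
            events.append(Event(when, "ssh_auth_fail", sf["src"], 22))
    return events


def summarize(events: List[Event]) -> dict:
    """Rate figures plus the noisiest sources and the most-probed ports."""
    if len(events) < 2:
        return {"count": len(events)}
    events = sorted(events, key=lambda e: e.when)
    span = (events[-1].when - events[0].when).total_seconds()
    return {
        "count": len(events),
        "span_seconds": span,
        "mean_gap_seconds": span / (len(events) - 1),
        "per_minute": len(events) * 60 / span if span else float("inf"),
        "by_kind": Counter(e.kind for e in events),
        "top_sources": Counter(e.src for e in events).most_common(3),
        "top_ports": Counter(e.dport for e in events if e.kind == "firewall_drop").most_common(3),
    }


if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_SYSLOG))
    print(f"{stats['count']} probes, one every {stats['mean_gap_seconds']:.0f}s on average")
    print("sources:", stats["top_sources"], "ports:", stats["top_ports"])
```

The cron line is skipped because it matches neither pattern, which is the "cleaning" step the comment mentions; on a real router the LOG line also carries MAC=, LEN= and other fields, which the regexes tolerate because they only anchor on SRC= and DPT=.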
  50. You can't lay all this at Microsoft by tjstork · · Score: 3, Insightful

    If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-.

    It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks.

    Five minutes to be attacked? The internet is LOST.

    --
    This is my sig.
  51. Re:How about a VM on NAT in a firewalled host mach by EvanED · · Score: 2, Informative

    It'd be behind a NAT, so you'd basically be safe. (Of course you're never completely safe, but you have to pound hard to get through a NAT that doesn't have ports opened administratively.) The fact that it's VMWare providing the NAT doesn't matter; you'd see the same if you were to plug in a cable modem router.

  52. Ever tried that with Red Hat 7.3 by Britz · · Score: 3, Interesting

    There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3
    So I would be interested in the time it takes for that one to be infected.

    Do they even give patches for that any more?

    I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the OS.

  53. Re:Honeynet by tepples · · Score: 2, Insightful

    Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.

    No, it's more like saying that a car is likely to be stolen before the locksmith has a chance to install locks.

  54. Re:Honeynet by tinkerghost · · Score: 2, Interesting

    This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when Windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?

    Why would you bother? A live CD can only be infected upon creation. After that, any infection is automatically removed when the computer is shut down & the ramdisk is closed.

    As for using an old disk for installs, the big advantage is that most Linux install CDs assume you know what you're doing & have a minimum of exposure - letting you install/start the services you need. From my experience, MS turns most of the stuff on, presumably on the theory you're too stupid to do it yourself if you should ever want to.

  55. Re:Um, what version? by ozmanjusri · · Score: 2, Interesting
    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

    Yes they did.

    And you're seriously trying to compare a bug in a largely obsolete parser generator that only runs on one version of BSD, with an entire OS that's so poorly written that it can't even last 5 minutes without being pwned?

    You evangelists are getting desperate. No wonder Microsoft is having to spend +$300 million to try to persuade MVPs not to abandon ship...

    The time of worry is over.

    Lol...

    --
    "I've got more toys than Teruhisa Kitahara."
  56. Re:How about a VM on NAT in a firewalled host mach by Creepy+Crawler · · Score: 4, Insightful

    Not true at all. It's a common misconception that NAT protects anything at all. Why so?

    NAT uses translation routing based upon multiple inside computers to one outside address. The key here is the NAT device does NOT reconstruct packets if they are heavily fragmented. Even upper end Ciscos and Junipers are vulnerable to fragment based attacks.

    The key is you construct an IP-IP tunnel to target victim, try to guess the internal IP addressing scheme, and then use a program called Fragrouter to properly "make mal-fragmented packets". Once you do this, it will hop over damn near every router.

    I think there's a setting in IPF that forces reconstruction before passing packets. That's the only defense, along with a proactive filtering in both directions.

    --
  57. "What is Service Pack 3?" by westlake · · Score: 2, Informative
    Sadly this is not very well known especially amongst those who need it the most, and MS doesn't go out their way to make it very clear either.
    .

    I don't think it gets much easier than this:

    What Is Service Pack 3?

    Read the XP SP3 white paper.
    Steps to take before you install SP3
    Download SP3 from Windows Update
    Order SP3 on CD-ROM
    Download and deploy SP3 to multiple computers [Network Installation for the IT Professional]
    Free [basic] unlimited installation and compatibility support
    ---your choice of e-mail, online chat, or toll-free telephone.
    TTY/TDO service for the hearing-impaired

  58. Make Them Default Closed Except to Microsoft.com by Doc+Ruby · · Score: 2, Interesting

    If Microsoft set every fresh Windows install to connect to only Microsoft.com on the Internet until either Microsoft.com, or the console, or some other specific named/numbered host said that Windows is "safely* patched", then this race condition would not be a problem. They could allow the "patch lock" on network access to be released by the installing operator at the console, or that operator could set a pointer to some other machines allowed access, or Microsoft.com's patch servers could send a list of servers. All other network access would be locked out until someone authorized said the machine was ready to connect to the general network/Internet access.

    Such a revision should take a couple of Microsoft programmers a week or so to implement and test. Of course, if Windows were OSS, then anyone in the Microsoft developer community could patch Windows to work right. And anyone could inspect that patch to ensure that it worked right, before trusting it not to be just another security hole.

    But of course, Microsoft is so far from anything approaching real openness or modern security practices that its fundamental insecurity in an Internet environment is one of its basic features. Its most prized feature on the hundreds of millions of machines compromised worldwide, many the first time they're connected to the Internet, among the bad guys out there who love Microsoft's closed and counterproductive "security" practices even more than Microsoft loves them.

    (* OK, Windows is never "safely patched", but it's a start.)

    --
    make install -not war

  59. Re:What about NAT? by Buelldozer · · Score: 2, Interesting

    That's what you think...until the day you reboot and say "Why is my machine loading an mIRC client at startup?"

    I've got a Windows 2003 SBS machine on the bench right now, only even that question wasn't sufficient for the inhouse IT staff to realize they had a problem!

    Personally installed blinders can be a powerful thing.

  60. negative value...? by modul8 · · Score: 2, Interesting

    Hey all...

    During the blaster/codered days, I witnessed a win2000 (yeah, slightly off topic, I know) workstation fall victim DURING THE INSTALL (prior to install completing / prior to the first real boot into OS). This occurred shortly after the network configuration etc screen that is displayed after TZ / regional configuration...

    reminds me of some multiplayer-game respawn location exploitism (don't remember which game[s])

  61. Re:How about a VM on NAT in a firewalled host mach by Creepy+Crawler · · Score: 2, Informative

    There really isn't any "manual" you can learn about this kind of stuff. However, we all have the toolkit to test and investigate with it at our homes.

    1. Search fragrouter in google first. All hits on front page are on topic. Get it and compile cleanly. I prefer Debian, but works for all Linux.

    2. Go buy a router from any ol box store. I prefer the WRT54G ones that can be modded to run either DD-WRT or OpenWRT.

    3. Get some test machines up and running, including a separate machine running DHCP on the "Internet" side of the router. You'll want to fake an internet connection with this, so tell the router to pull DHCP from the "Internet" box. The Internet Box is your attacking machine. You will want to set up NAT if it's not already.

    4. Set up fragrouter and proper routing utils on the attacking box ("Internet" machine). You can use your real network as the attacked network, as you won't cause damage. fragrouter has something like 14 options of bad routing. You can use this in conjunction with other routing daemons and others that exploit active services already existing on the el'cheapo router.

    5. Since you have inside knowledge about your network, you can easily guess the subnet mask and IP addressing scheme and "hack through" the NAT.

    I've done precisely that on many routers, including mid-range ciscos. And as I said before, the only machines that are immune from fragmenting attacks are ones that piece back together packets before they are passed on to the internal network. OpenBSD, FreeBSD, and Linux can do this reliably ONLY with a large amount of ram and fast CPU.

    Good Luck.

    --
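    Comments 56 and 61 both name the same defence: a device that pieces fragments back together before forwarding them, rather than passing each fragment through on its own. Only the first fragment of a datagram carries the transport header, so a filter that judges fragments one at a time has nothing to match later fragments against, and overlapping fragments let a later one rewrite what an earlier one said. The following is an added example (not fragrouter, not IPF, and not any router vendor's code) of that reassemble-before-forwarding check: it parses IPv4 headers, verifies the header checksum, buffers fragments per datagram, discards the whole datagram on any byte overlap, and releases it only once it is contiguous. Addresses, IDs and payloads are constructed.

```python
"""Strict IPv4 fragment reassembly with overlap rejection.

Added example, not code from the thread or from any firewall product.
Packets are built with build_fragment() from constructed values so the
block runs offline; parse_ipv4() and StrictReassembler are the parts a
filtering device would apply to real traffic before forwarding.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/offset, ttl, proto, cksum, src, dst
MORE_FRAGMENTS = 0x2000
OFFSET_MASK = 0x1FFF


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident: int, offset_bytes: int, more: bool, payload: bytes,
                   src: str = "203.0.113.9", dst: str = "192.168.1.20", proto: int = 17) -> bytes:
    """Construct one fragment of a UDP datagram (addresses are constructed sample values)."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (MORE_FRAGMENTS if more else 0) | (offset_bytes // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields reassembly needs; reject anything that is not a valid IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "key": (src, dst, ident, proto),           # what identifies one datagram's fragments
        "offset": (flags_off & OFFSET_MASK) * 8,
        "more": bool(flags_off & MORE_FRAGMENTS),
        "payload": pkt[ihl:total_len],
    }


class StrictReassembler:
    """Hold fragments per datagram; any byte overlap discards the datagram;
    the reassembled payload is released only when contiguous from offset 0."""

    def __init__(self) -> None:
        self.pending: Dict[tuple, dict] = {}

    def feed(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        frag = parse_ipv4(pkt)
        if frag["offset"] == 0 and not frag["more"]:
            return ("pass", frag["payload"])       # not fragmented at all
        state = self.pending.setdefault(frag["key"], {"chunks": {}, "total": None})
        start, end = frag["offset"], frag["offset"] + len(frag["payload"])
        for off, data in state["chunks"].items():
            if start < off + len(data) and off < end:
                del self.pending[frag["key"]]      # overlap: refuse the whole datagram
                return ("drop", b"overlapping fragment")
        state["chunks"][start] = frag["payload"]
        if not frag["more"]:
            state["total"] = end                   # last fragment fixes the datagram length
        if state["total"] is None:
            return ("hold", None)
        pos = 0
        for off in sorted(state["chunks"]):
            if off != pos:
                return ("hold", None)              # gap: still waiting for a fragment
            pos = off + len(state["chunks"][off])
        if pos != state["total"]:
            return ("hold", None)
        data = b"".join(state["chunks"][o] for o in sorted(state["chunks"]))
        del self.pending[frag["key"]]
        return ("pass", data)


def run_scenarios() -> dict:
    """Three constructed cases: in-order, out-of-order, and an overlapping rewrite."""
    r = StrictReassembler()
    a = build_fragment(0x1234, 0, True, b"AAAAAAAA")
    b = build_fragment(0x1234, 8, False, b"BBBBB")
    in_order = (r.feed(a), r.feed(b))
    out_of_order = (r.feed(b), r.feed(a))
    c1 = build_fragment(0x5678, 0, True, b"CCCCCCCC")
    c2 = build_fragment(0x5678, 8, True, b"DDDDDDDD")
    c3 = build_fragment(0x5678, 8, False, b"EEEEEE")   # overlaps bytes 8..14 already supplied by c2
    overlap = (r.feed(c1), r.feed(c2), r.feed(c3))
    return {"in_order": in_order, "out_of_order": out_of_order, "overlap": overlap}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

A filter built this way needs memory per in-flight datagram and a timeout to discard datagrams that never complete, which is the resource cost comment 61 alludes to; the trade is that the port rules are applied to a whole datagram the device has actually seen, not to one fragment's claim about it.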
  62. Exploring The Windows Firewall by westlake · · Score: 2, Informative
    Windows firewall sucks at outbound protection, a lot
    .

    This is what Microsoft's Steve Riley had to say about outbound protection:

    There's an important axiom of security that you must understand: protection belongs on the asset you want to protect, not on the thing you're trying to protect against. The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that's already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can't. Outbound protection is security theater--it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn't exist in the Windows XP firewall and why it doesn't exist in the Windows Vista(TM) firewall.

    Earlier, I said that the typical form of outbound protection in client firewalls is just security theater. However, one form of outbound control is very useful: administratively controlling certain types of traffic that you know you don't want to permit. The Windows Vista firewall already does this for service restrictions. The firewall allows a service to communicate only on the ports it says it needs and blocks anything else that the service attempts to do. You can build on this by writing additional rules that allow or block specific traffic to match your organization's security policy. Exploring The Windows Firewall

    In one page, Riley covers quite a bit of ground.