Can't Disable Firewall on XP Home Ed.

[Ken]

I'm trying to load Norton Internet Security 2004. I'm
supposed to disable XP's firewall. I'm the computer's
admin. I have an AOL dial-up connection. I right clicked
on the dial-up icon in Network Connections then clicked
properties and get no response. I also highlighted the
icon then clicked "Change settings of this connection"
and get no response. what else can I try?

 

[Carey Frisch [MVP]]

America Online installs its own connection settings that override
the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows XP's
built-in firewall.
--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

----------------------------------------------------------------------------------


| I'm trying to load Norton Internet Security 2004. I'm
| supposed to disable XP's firewall. I'm the computer's
| admin. I have an AOL dial-up connection. I right clicked
| on the dial-up icon in Network Connections then clicked
| properties and get no response. I also highlighted the
| icon then clicked "Change settings of this connection"
| and get no response. what else can I try?

 

[Bruce Chambers]

Greetings --

You don't need to worry about disabling ICF. If you're using AOL,
you could _not_ have enabled WinXP's built-in firewall - AOL
deliberately made doing so impossible.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[cquirke (MVP Win9x)]

On Fri, 9 Apr 2004 10:28:38 -0600, "Bruce Chambers"

You don't need to worry about disabling ICF. If you're using AOL,
you could _not_ have enabled WinXP's built-in firewall - AOL
deliberately made doing so impossible.

Ouch! Does AOL's sware include a replacement firewall?

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

 

[Bruce Chambers]

Greetings --

No, not that I've ever heard of. AOL claims that their users are
"protected" by their (AOL's) network, which does isolate AOL users
from the real Internet. Unfortunately, AOL's "protection" has proven
to be about as good as their tech support.

Fortunately, in the up-coming WinXP SP2, the Windows Firewall
(renamed from ICF) can be enabled independently of 3rd-party
connectoid applets, so AOL, MSN, NetZero users (and the users of any
other OCP/ISP that requires proprietary dialers) will finally have
some built-in protection.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[Bob Harris]

If you want a firewall, try the free verison of Zone Alarm. it seems to
work with AOL.

To safely test your PC's vunerabilities to assorted attacks, now and after
any firewall is installed, go to the "shield's up" website. No, it is not a
Star Trek site, but one that tests for open ports and other common holes:

http://grc.com/x/ne.dll?rh1dkyd2

 

[Bruce Chambers]

Greetings --

Actually, better sites for testing a firewall are:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

Gibson's Shields Up! checks only a very few of the more than
65,000 ports available, and even skips one of the ones exploited by
messenger service spam.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[cquirke (MVP Win9x)]

On Sat, 10 Apr 2004 11:49:41 -0600, "Bruce Chambers"

Greetings --

Hi!

(in answer to "does AOL offer a firewall to replace the one in XP that
AOL disables or can't work with?")

No, not that I've ever heard of. AOL claims that their users are
"protected" by their (AOL's) network, which does isolate AOL users
from the real Internet. Unfortunately, AOL's "protection" has proven
to be about as good as their tech support.

Friends don't let friends AOL, I guess. I had one client on AOL here
(you can imagine, it's rare in Africa) and the software was pretty
horrible - VERY autocratic, no chance to back out, etc.

For example, you'd go online to get mail (using the proprietary email
app, natch) and the sware would announce "downloading update - you
will not be charged for the extra time". Not charged by AOL, that is;
too bad if your telco bills per second for calls to your ISP. No
indication how long you have to hang around waiting to disconnect the
line, either... it's like you're a passenger on your own PC.

I know it's fashionable to bash AOL - I learned as much from watching
posts even before I saw it - but the reality was quite a shock.

Fortunately, in the up-coming WinXP SP2, the Windows Firewall
(renamed from ICF) can be enabled independently of 3rd-party
connectoid applets, so AOL, MSN, NetZero users (and the users of any
other OCP/ISP that requires proprietary dialers) will finally have
some built-in protection.

That's good. Should it be off if one uses a 3rd-party firewall? If
so, does it start up and stay on until 3rd-party firewall kicks in?

It's always sad to find problems after a big SP is closed, but one
nasty I've recently become aware of is XP's command line interpreter's
running raw code within .ext-spoofed files, e.g....

Copy Arbitrary.exe ReadMe.txt
Del Arbitrary.exe
ReadMe.txt

....runs the raw code in the ".txt" file; very nasty. If they fix
that, please to sanity-check .pif and NOT run raw code in these too?

-------------------- ----- ---- --- -- - - - -

Trsut me, I won't make a mistake!

 

[Bruce Chambers]

Greetings --

(in answer to "does AOL offer a firewall to replace the one in XP
that
AOL disables or can't work with?")


Friends don't let friends AOL, I guess. I had one client on AOL
here
(you can imagine, it's rare in Africa) and the software was pretty
horrible - VERY autocratic, no chance to back out, etc.

For example, you'd go online to get mail (using the proprietary
email
app, natch) and the sware would announce "downloading update - you
will not be charged for the extra time". Not charged by AOL, that
is;
too bad if your telco bills per second for calls to your ISP. No
indication how long you have to hang around waiting to disconnect
the
line, either... it's like you're a passenger on your own PC.

Too true. You're lucky not to have to deal with AOL very often.
Sadly, the only practical way I've ever found to _completely_ remove
AOL from an operating system is to format the hard drive and perform a
clean installation. It takes a lot less time than manually
removing/replacing all of the Windows system files that AOL replaces
with their own versions and the hundreds of registry entries.

That's good. Should it be off if one uses a 3rd-party firewall? If
so, does it start up and stay on until 3rd-party firewall kicks in?

In general, Microsoft recommends running only one software
firewall at a time. If you're going to use a 3rd-party solution, I'd
recommend disabling the built-in firewall. It's not automated,
though. You'll have to manually enable and/or disable the built-in
Windows Firewall, as the situation warrants.

Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[cquirke (MVP Win9x)]

"cquirke (MVP Win9x)" <[email protected]>

Too true. You're lucky not to have to deal with AOL very often.

Amen - along with the wrath of Thor (lightning-destroyed modems and
PCs are a fact of life inland, but rare in Cape Town)

Sadly, the only practical way I've ever found to _completely_ remove
AOL from an operating system is to format the hard drive and perform a
clean installation. It takes a lot less time than manually
removing/replacing all of the Windows system files that AOL replaces
with their own versions and the hundreds of registry entries.

That's nasty. The time equation may differ for me, given I spend a
lot of time setting up the system from scratch. OTOH Winsock-level
hassles are the one DUN failure situation where I can't guarantee a
clean fix (http://users.iafrica.com/c/cq/cquirke/dundebug.htm refers)

I remember the very first incarnation of the SFP concept, dating all
the way back to the original Win95. Before that, Winsock and TCP/IP
were things that had to be added by the ISP or proprietary online
service, and were; typically, this was the 16-bit Trumpet Winsock.

Win95 defended its own Winsock by auto-replacing these files when it
found them to be changed on each startup, using backup copies stored
in the SYSBCKUP directory that Win98 later used for RB*.cab

In general, Microsoft recommends running only one software
firewall at a time. If you're going to use a 3rd-party solution, I'd
recommend disabling the built-in firewall. It's not automated,
though. You'll have to manually enable and/or disable the built-in
Windows Firewall, as the situation warrants.

Yes, but I was thinking specifically about the window of vulnerability
between onset of networking and the startup of the 3rd-party firewall.

AFAIK from reading docs on the topic, SP2 addresses this by having
XP's firewall in place and active from the moment networking starts;
the firewall starts with restrictive initial settings, then once
everything's up and running it adjusts to the user's chosen settings.

Where the user's settings are to disable the firewall, does the
firewall then exit? Or if disabled, does it not startup in the first
place, thus leaving the PC at risk until the 3rd-party gets going?

I can think of one problem with the former (malware-safer) approach,
namely that the built-in firewall effect may tangle the 3rd-party
firewall's initialization. This isn't a new issue; one often sees
Zone Alarm dialogs to the effect that it's trying to init the
TrueVector engine, when other startup fleas are calling home etc.

Presumably this happens to other firewalls that don't show a
(non-)progress indication?

-------------------- ----- ---- --- -- - - - -

"If I'd known it was harmless, I'd have
killed it myself" (PKD)

 

[Bruce Chambers]

Greetings --

I understand and concur with your concerns, but I'm afraid I can't
answer your questions. Uncertainly in this area is one reason I
usually recommend that anyone with an always-on, broadband Internet
connection use a router with NAT between their PC and the cable/DSL
modem.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[cquirke (MVP Win9x)]

On Fri, 16 Apr 2004 10:25:20 -0600, "Bruce Chambers"

Greetings --
Hi!

I understand and concur with your concerns, but I'm afraid I can't
answer your questions. Uncertainly in this area is one reason I
usually recommend that anyone with an always-on, broadband Internet
connection use a router with NAT between their PC and the cable/DSL
modem.

That's what I'm recommending too - typically it's a 4-port router with
the ADSL built in (the one I "do") or a 1-hole router/ADSL that needs
an extra hub or switch to connect other PCs (the one the telco sells,
for a bit more money than the one I "do").

But that begs the question: Does the router do as much to protect the
LAN as not having F&PS bound to TCP/IP? What, if any, additional
safety does the router offer beyond NAT, and is the NAT offered by ICS
as effective from a safety perspective?

I think a stand-alone router would be safer than a Windows ICS host,
as the Windows ICS host would be more infectable.

Context...

....is quite different to what I replied about, and perhaps we should
wait until SP2 is released before we can delve into how it works.

-------------------- ----- ---- --- -- - - - -

Tip Of The Day:
To disable the 'Tip of the Day' feature...