firewall not warning me?

djc

what am I missing here? I have an xp pro sp2 machine with the firewall
turned on and only the remote assistance exception active. The check box IS
checked to "Display a notification when windows firewall blocks a program".
However I can port scan this box using very 'loud' methods and it does not
notify me at all? I tried to connect to it via several ways and although all
failed, as they should have, I was never notified?

what am I missing?

1) is the 'notify' feature not for inbound traffic? maybe only outbound?
2) Does the xp sp2 firewall even block any outbound traffic?

any input would be greatly appreciated. Thanks.
 
Guest

that feature only warns of out-bound connections and silently blocks
unauthorized inbound. What do you want for free?!:) There is no active
intrusion detection feature.
 
djc

ok. good to know. Thank you.

rich said:
that feature only warns of out-bound connections and silently blocks
unauthorized inbound. What do you want for free?!:) There is no active
intrusion detection feature.
 
Steve Riley [MSFT]

that feature only warns of out-bound connections

No, it does not. The Windows firewall allows all outbound connections without
any prompts. We have found in some pretty extensive testing that outbound
protection is not a security feature. Users will always answer "yes" and
pay no attention to what the firewall is asking. Furthermore, it's trivial
for a trojan to simply wait for an authorized outbound connection and ride
atop it.

Windows Firewall will raise a dialog when a program on your PC wants to *listen*
on a port for incoming connections. When it sees this happen, the firewall
will ask if you want to let this program accept incoming connections.

Steve Riley
(e-mail address removed)
 
Bruce Chambers

Steve Riley [MSFT] wrote:

We have found in some pretty extensive testing that
outbound protection is not a security feature.


You can't possibly be serious! That has got to be one of the stupidest
ideas I've ever heard.


Users will always answer
"yes" and pay no attention to what the firewall is asking.


Not so. Only the most foolish and/or uninformed of users (I'll grant
that there are a great many of them, though) would do this. Witness the
number of people who post to these newsgroups asking if they should
allow various applications to transmit.


Furthermore,
it's trivial for a trojan to simply wait for an authorized outbound
connection and ride atop it.


So Microsoft's official position is that it's impossible to secure a
computer, so there's no point in trying? I don't believe this.



--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Steve Riley [MSFT]

We have found in some pretty extensive testing that outbound

You can't possibly be serious! That has got to be one of the
stupidest ideas I've ever heard.

There is a difference between a security mitigation and policy enforcement.
Policy enforcement -- preventing traffic -- is better handled elsewhere,
with ACLs or SRPs.

Not so. Only the most foolish and/or uninformed of users (I'll grant
that there are a great many of them, though) would do this. Witness
the number of people who post to these newsgroups asking if they
should allow various applications to transmit.

The number of people who post to this newsgroup is an extremely small subset
of the total number of people on the planet who use Windows -- indeed it's
even smaller than our user sample size. Do you seriously believe I would
make this up? The vast majority of people will behave exactly as I've described.
When the choice is between watching DancingPigs.exe or being secure, people
will choose the dancing pigs every time.

So Microsoft's official position is that it's impossible to secure a
computer, so there's no point in trying? I don't believe this.

Neither I nor Microsoft have ever made such an assertion. Outbound blocking
on a firewall is not a security feature because it is easy for users or trojans
to bypass. The lack of outbound protection on a firewall does not mean that
we don't care about securing a computer -- on the contrary, it means we care
about the *right* way to secure a computer, and in our view there are more
appropriate ways of preventing malware from wreaking havoc.


Steve Riley
(e-mail address removed)
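
Added example, not part of the original thread: since inbound probes are dropped without any prompt, the place to see them is the firewall's dropped-packet log (Security Logging on the Advanced tab, written to %windir%\pfirewall.log by default). The Python script below parses that log format and reports sources whose dropped packets hit many distinct ports. The sample entries, the field list in the header and the 10-port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the pfirewall.log layout (field list assumed); not real traffic.
HEADER = ("#Version: 1.5\n#Software: Microsoft Windows Firewall\n#Time Format: Local\n"
          "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info\n")
SCAN = "".join(  # one source probing many TCP ports within a few seconds
    f"2005-03-01 10:15:{i:02d} DROP TCP 192.0.2.50 192.0.2.10 4{i:04d} {port} 48 S 1001 0 1024 - - -\n"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]))
NOISE = ("2005-03-01 10:16:02 DROP UDP 198.51.100.7 192.0.2.10 1026 1434 404 - - - - - - -\n"
         "2005-03-01 10:16:09 OPEN TCP 192.0.2.10 203.0.113.9 1045 80 - - - - - - - -\n")
SAMPLE_LOG = HEADER + SCAN + NOISE


def parse(log_text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated entries
                yield dict(zip(fields, values))


def find_scanners(log_text, min_ports=10):
    """Return {src-ip: sorted dropped dst ports} for sources reaching min_ports."""
    ports = defaultdict(set)
    for entry in parse(log_text):
        if (entry["action"] == "DROP" and entry["protocol"] in ("TCP", "UDP")
                and entry["dst-port"].isdigit()):
            ports[entry["src-ip"]].add(int(entry["dst-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, dropped in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dropped)} distinct ports dropped: {dropped}")
```
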
 
