firewall on budget?

Leythos

> ok. I see. Makes sense now you mention using NAT Routers connected to
> it. so you didn't mean no NAT in the system. just no NAT in the
> firewall appliance thing.

And I can't keep going around in circles with you.

NAT does not have to be used anywhere in the networks, you could have
all computers on a PUBLIC IP and still be protected by a firewall set up
in Drop-In mode.

So, I could be assigned a c-block, have my firewall set up in Drop-In
mode, and all my PCs could use public IPs assigned to each of them,
and no private addresses at all.

> indeed.. Though when I said about 'no nat' I meant, examples of no NAT
> anywhere.
>
> I haven't seen a DSL user with such a device. - maybe a PCI DSL modem
> - maybe, I can't remember, though I suspect that they, or that one I
> had, gave a private ip too actually.

If your device is in Bridge Mode it will give the user a public IP at
their LAN network connection, if not, many provide a private IP address
at their LAN connection.

> Even the router/modems with one LAN port, tend to do NAT! (with the
> DHCP server, handing out its 1 ip, to the NIC/NI of the device/comp
> connected)

Why are you going in circles? DSL Modems often have two modes, one of
them is Bridge mode and it provides a PUBLIC IP to the user's device
connected to it - the other mode provides a Private IP to the user's
device.

> I thought you had seen such examples and wondered if you could link me
> to them. or name them?

Thought? I see them all the time, I don't write down their part numbers.
Yahoo DSL is one that provides routers that do Bridge or NAT mode, so do
several other DSL services I see. Most of the Cable providers don't do
NAT.

> By the way, what is an example of make/model of such a firewall
> appliance that can do so-called routing amongst its physical ports all
> of whom have the same ip?

Pick ANY major vendor of firewalls - WatchGuard is one I like to use a
lot.

> can that firewall appliance sort of routing thing be used in a system
> with no NAT at all? If the physical ports have ips then I think not.
> 'cos that'd be the only ip available on each physical port's subnet

Yes, it can. If I assign X.x.x.x/24 to the WAN port, it's assigned as
available to all jacks - so that means I can assign the public IPs to
the devices on the LAN and then set up rules to allow traffic to them -
no NAT needed.

> you mentioned about ISPs making NAT mandatory.
> But, when it comes to DSL, who doesn't?

Every DSL provider we have seen allows users to set their device for
Bridge Mode giving them a public ip at their device - all of them
started with a private IP at their device.

> Your firewall appliance thing is designed for a NAT situation, as you
> said, NAT routers are connected to it.

No, the firewall is designed to work in a network, NAT has nothing to do
with this.

> ok, you have a different way of thinking to me. I'd think of 'the
> router/modem' as the user's hardware too, and they can see its public
> ip by going to www.whatismyip.com !

And we're talking about the IP that the user gets from the ISP's device
- they either get a Private IP or a Public IP, for their connection.

I'm not sure I can keep going around in circles with you on this.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
jameshanley39

> And I can't keep going around in circles with you.
>
> NAT does not have to be used anywhere in the networks, you could have
> all computers on a PUBLIC IP and still be protected by a firewall set up
> in Drop-In mode.
>
> So, I could be assigned a c-block, have my firewall set up in Drop-In
> mode, and all my PCs could use public IPs assigned to each of them,
> and no private addresses at all.
>
> If your device is in Bridge Mode it will give the user a public IP at
> their LAN network connection, if not, many provide a private IP address
> at their LAN connection.
>
> Why are you going in circles? DSL Modems often have two modes, one of
> them is Bridge mode and it provides a PUBLIC IP to the user's device
> connected to it - the other mode provides a Private IP to the user's
> device.
>
> Thought? I see them all the time, I don't write down their part numbers.
> Yahoo DSL is one that provides routers that do Bridge or NAT mode, so do
> several other DSL services I see. Most of the Cable providers don't do
> NAT.
>
> Pick ANY major vendor of firewalls - WatchGuard is one I like to use a
> lot.
>
> Yes, it can. If I assign X.x.x.x/24 to the WAN port, it's assigned as
> available to all jacks - so that means I can assign the public IPs to
> the devices on the LAN and then set up rules to allow traffic to them -
> no NAT needed.
>
> Every DSL provider we have seen allows users to set their device for
> Bridge Mode giving them a public ip at their device - all of them
> started with a private IP at their device.
>
> No, the firewall is designed to work in a network, NAT has nothing to do
> with this.
>
> And we're talking about the IP that the user gets from the ISP's device
> - they either get a Private IP or a Public IP, for their connection.

I wasn't disagreeing with you there. Or questioning you there. Maybe I
should've prefaced my sentence saying so!

> I'm not sure I can keep going around in circles with you on this.

you might think you're going round in circles with me, but actually
you've answered most of it.

One of your answers, I don't disagree with but you misunderstood me.
The following paragraph from "When" to "NAT)" is what I meant. So you
may want to reconsider the answer to that one.
When I asked if your firewall appliance can be used without any NAT
anywhere, i.e. without even NAT routers connected, I meant in a
situation where only one public ip is provided by the ISP. (your
answer addressed only when the isp provides many ips e.g. a block of
ips, and I agree it could be used with that without NAT)

By the way, the following/last paragraph starting from "what" and
ending in "sense": there's no disagreement with anything you said over
there!! so no need to 'worry' about the following paragraph or
anything after it!

What you said about the bridge mode and the comp getting the public
ip was news to me (i.e. I don't disagree, I learnt something). I tried
it some years ago but couldn't get a net connection. I thought it was
disabling the modem. But I guess not. Now I know why..
http://www.dslreports.com/faq/11340
"This modem can also be configured in bridge mode. In bridge mode, the
modem does not perform authentication. You need to configure your
operating system to connect for you (through Access Manager, RASPPPoE,
or Windows XP), or use a broadband router to perform the
authentication duties."
So, it's a bit like [setting up] a usb dsl modem in that sense
 
J

jameshanley39

Not work around issues. Workarounds to the issue.









Post SP2 this is becoming much less of a problem. The biggest problem
still is malware spread through websites, e-mail and file sharing.
Your suggestion won't seriously protect us from the "ignorant masses".-

I don't see reason why you need to disagree. It reminds me of 2
people having a discussion about what should be done to deal with the
drug problem. Do you bomb the drug fields or do you work with people
and get them off their addiction. You do both. I told that to those 2
guys and one of them agreed with me, and the other didin't disagree. I
don't want to keep to that analogy.

Looking at the real thing.
I see, one doesn't need NAT for security, if he doesn't get the
software firewall on his computer compromised. A tall order.

You speak of workarounds to the issue of the firewall getting taken
down when in admin mode.
workarounds that you don't mention (wise given that leythos knows them
anyway and the detail is a side point to the disagreement, but a bit
selfish not to mention them, given that it's a public newsgroup and
others can benefit)

I know of 2 workarounds
1)Work in Admin mode (many techies do), and through 'run as', browse
in a guest account.
2)Work in Guest mode, and if you want to make an administrative
change, log in as administrator. Or, if it's something like double
clicking the clock and seeing the time, then go into admin and give
yourself the right. Or if you want to install a program whose
installation needs admin access to install it, then let the
installation program 'run as' admin.

but there are issues with the workarounds.

For '1'
If working in admin mode and doing runas to browse in a guest account.
How do you quickly get the browser open? I'd like something as quick
as start..run..iexplore, and and an icon too. Is that possible? If so
then I may be converted.

For '2'
If working in Guest mode and you want to make an administrative
change, you have to log off!!!! What a hassle!! I don't want to close
my programs. and even if somehow there's a way to get windows to keep
them open, i'd have to save everything and wait around for a while.
I seriously doubt you have a way around that, you're not Q from star
trek tng.
Or do you have a way?

note-
NAT also has its inconveniences, doing port forwarding, but that
inconvenience is not as often. And anyhow, it's necessary if one needs
many ips.. I don't see you arguing not to use NAT...
 
Ansgar -59cobalt- Wiechers

In comp.security.firewalls [email protected] said:
> You speak of workarounds to the issue of the firewall getting taken
> down when in admin mode.
> workarounds that you don't mention (wise given that leythos knows them
> anyway and the detail is a side point to the disagreement, but a bit
> selfish not to mention them, given that it's a public newsgroup and
> others can benefit)
>
> I know of 2 workarounds
> 1) Work in Admin mode (many techies do), and through 'run as', browse
> in a guest account.
> 2) Work in Guest mode, and if you want to make an administrative
> change, log in as administrator. Or, if it's something like double
> clicking the clock and seeing the time, then go into admin and give
> yourself the right. Or if you want to install a program whose
> installation needs admin access to install it, then let the
> installation program 'run as' admin.
>
> but there are issues with the workarounds.
>
> For '1'
> If working in admin mode and doing runas to browse in a guest account.
> How do you quickly get the browser open? I'd like something as quick
> as start..run..iexplore, and an icon too. Is that possible? If so
> then I may be converted.
>
> For '2'
> If working in Guest mode and you want to make an administrative
> change, you have to log off!!!! What a hassle!! I don't want to close
> my programs. and even if somehow there's a way to get windows to keep
> them open, I'd have to save everything and wait around for a while.
> I seriously doubt you have a way around that, you're not Q from star
> trek tng.
> Or do you have a way?

Work as a normal user (not guest). Adjust the rights for programs that
need to be run by users but won't run as a normal user [1]. Replace
programs where this isn't possible.

For administrative tasks use runas or log in as an administrative user.
The latter is the preferred method, because the former may allow for
shatter attacks against the programs started with admin privileges.

[1] http://www.planetcobalt.net/sdb/submission.shtml

cu
59cobalt
 
jameshanley39

>> You speak of workarounds to the issue of the firewall getting taken
>> down when in admin mode.
>> workarounds that you don't mention (wise given that leythos knows them
>> anyway and the detail is a side point to the disagreement, but a bit
>> selfish not to mention them, given that it's a public newsgroup and
>> others can benefit)
>> I know of 2 workarounds
>> 1) Work in Admin mode (many techies do), and through 'run as', browse
>> in a guest account.
>> 2) Work in Guest mode, and if you want to make an administrative
>> change, log in as administrator. Or, if it's something like double
>> clicking the clock and seeing the time, then go into admin and give
>> yourself the right. Or if you want to install a program whose
>> installation needs admin access to install it, then let the
>> installation program 'run as' admin.
>> but there are issues with the workarounds.
>> For '1'
>> If working in admin mode and doing runas to browse in a guest account.
>> How do you quickly get the browser open? I'd like something as quick
>> as start..run..iexplore, and an icon too. Is that possible? If so
>> then I may be converted.
>> For '2'
>> If working in Guest mode and you want to make an administrative
>> change, you have to log off!!!! What a hassle!! I don't want to close
>> my programs. and even if somehow there's a way to get windows to keep
>> them open, I'd have to save everything and wait around for a while.
>> I seriously doubt you have a way around that, you're not Q from star
>> trek tng.
>> Or do you have a way?
>
> Work as a normal user (not guest). Adjust the rights for programs that
> need to be run by users but won't run as a normal user [1]. Replace
> programs where this isn't possible.
>
> For administrative tasks use runas or log in as an administrative user.
> The latter is the preferred method, because the former may allow for
> shatter attacks against the programs started with admin privileges.
>
> [1] http://www.planetcobalt.net/sdb/submission.shtml

Your reference currently only brings up or redirects to a welcome page.
I don't see what article has the relevant info.

For what I called running as guest,
I had in mind limited user account or non-admin account... But it's
quite a nuisance. For reasons mentioned. Maybe ok for an end user
that doesn't need administrative rights very often. Or for a techie
using the family machine (not commonly experimenting on it putting
servers on or amending the firewall settings, installing other
programs)

An obvious nuisance is you can't get the date up by double clicking
the clock. That can be sorted out. Under 'local security policy'.

You can't write a little file like c:\a.txt, ok, that can be sorted..
you can create a folder on c:\, so can do c:\a\a.txt or c:\crp\a.txt

Installing a program, getting an error, then doing the run as, can be
a nuisance. If I was installing many programs, trying loads out, over
a few days, and I wanted to browse the internet and do other things.
It'd be too much hassle doing so from a limited account. It's a good
reason why a techie's computer may most practically be best off
running as administrator all the time.

My experience is that you can't burn a CD from a limited account. I
tried with a few different pieces of software. nero, cdburnerxp, and
prob another one. I guess maybe your reference would work for that.

Logging off and on is a hassle in time, and especially more so if it
means closing your programs. Is a bit off-putting too. If you're busy
with all these windows up.
Furthermore, if one had a P2P app it means they'd end up far away in
the queue.. In annoyance that'd be fairly high on the richter scale
Or if they were logging IRC chat, that'd stop..

I prefer the other option, of browsing as limited - less hassle.
Still, that has similar issues related to launching the browser, as
mentioned.
 
Ansgar -59cobalt- Wiechers

>> Work as a normal user (not guest). Adjust the rights for programs that
>> need to be run by users but won't run as a normal user [1]. Replace
>> programs where this isn't possible.
>>
>> For administrative tasks use runas or log in as an administrative user.
>> The latter is the preferred method, because the former may allow for
>> shatter attacks against the programs started with admin privileges.
>>
>> [1] http://www.planetcobalt.net/sdb/submission.shtml
>
> Your reference currently only brings up or redirects to a welcome page.
> I don't see what article has the relevant info.

The URL worked with Mozilla, but apparently not with other browsers.
Fixed.

> For what I called running as guest, I had in mind limited user account
> or non-admin account...

Guest is something completely different from LUA. Don't confuse the two.

> But it's quite a nuisance. For reasons mentioned. Maybe ok for an
> end user that doesn't need administrative rights very often. Or for a
> techie using the family machine (not commonly experimenting on it
> putting servers on or amending the firewall settings, installing other
> programs)

Once a box is set up properly, people do not need administrative rights
very often. BTDT.

> An obvious nuisance is you can't get the date up by double clicking
> the clock. That can be sorted out. Under 'local security policy'.

Exactly.

> You can't write a little file like c:\a.txt, ok, that can be sorted..
> you can create a folder on c:\, so can do c:\a\a.txt or c:\crp\a.txt

Ummm... normal users are not supposed to create files in C:\. Users have
full write access in their %USERPROFILE%, which is the place where they
are supposed to create their files (preferably either in the "My
Documents" subfolder or %TEMP%).

Besides, I don't see any reason at all why non-administrative users
should be allowed to create anything (be it files or folders) in C:\ in
the first place. Which is why I restrict limited users to read-only
access to C:\ on all systems I set up.

> Installing a program, getting an error, then doing the run as, can be
> a nuisance. If I was installing many programs, trying loads out, over
> a few days, and I wanted to browse the internet and do other things.
> It'd be too much hassle doing so from a limited account. It's a good
> reason why a techie's computer may most practically be best off
> running as administrator all the time.

I've been doing exactly what you call "too much hassle" for years now,
without any problems. If you need to grow progress bars while doing
other work as a limited user, you just start your preferred file manager
via runas and run all setups from there. Problem solved.

> My experience is that you can't burn a CD from a limited account. I
> tried with a few different pieces of software. nero, cdburnerxp, and
> prob another one. I guess maybe your reference would work for that.

Install Nero Burn Rights and put the users that should be able to burn
CDs into the group "Nero" (works for other burning software too). Or use
a different program. Deep Burner for instance works just fine as a
limited user here.

> Logging off and on is a hassle in time, and especially more so if it
> means closing your programs. Is a bit off-putting too. If you're busy
> with all these windows up.

Then use runas. It's only the second best option, but an option
nonetheless.

> Furthermore, if one had a P2P app it means they'd end up far away in
> the queue..

I'm running a BitTorrent client on this Win2k box as a limited user
without any problems. Your point being? It's not like somebody's forcing
you to use crappy P2P software.

cu
59cobalt
 
Straight Talk

> I don't see reason why you need to disagree.

I disagree to a false claim that NAT devices would be some kind of
"silver bullet" to protect the rest of us from the ignorant masses.

> It reminds me of 2 people having a discussion about what should be
> done to deal with the drug problem. Do you bomb the drug fields or do
> you work with people and get them off their addiction. You do both.
> I told that to those 2 guys and one of them agreed with me, and the other
> didn't disagree. I don't want to keep to that analogy.

Difference is, Leythos is promoting a solution that doesn't work. NAT
does not provide protection from the ignorant masses. Period.

> You speak of workarounds to the issue of the firewall getting taken
> down when in admin mode.

No.

<snip>
 
Leythos

> I disagree to a false claim that NAT devices would be some kind of
> "silver bullet" to protect the rest of us from the ignorant masses.

And yet they are, clearly, a great way to protect people from
compromised machines.

> Difference is, Leythos is promoting a solution that doesn't work. NAT
> does not provide protection from the ignorant masses. Period.

Yes, it clearly does. If the infected machine can't reach another
infected machine then it's protected.

You just don't seem to understand how networking works.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Straight Talk

> And yet they are, clearly, a great way to protect people from
> compromised machines.

But this wasn't what you were advocating. You were advocating
installing NAT on the ignorant masses' machines to protect the so
called rest of us.

> Yes, it clearly does. If the infected machine can't reach another
> infected machine then it's protected.

It's protected against certain threats just like if a simple packet
filter like the WF is installed.

Still, NAT doesn't protect "the rest of us" from being DDoS'ed into
oblivion by "the ignorant masses" behind NAT devices.

> You just don't seem to understand how networking works.

Oh yes, let's get personal...

What I do understand is that you are very good at constantly twisting
the topic a little bit.
 
Leythos

> But this wasn't what you were advocating. You were advocating
> installing NAT on the ignorant masses' machines to protect the so
> called rest of us.

And I still say that, even above, you just seem to be missing the
technology and how it works.

> It's protected against certain threats just like if a simple packet
> filter like the WF is installed.

No, the NAT appliance is not anywhere near as easy to compromise as the
Windows firewall is, and it's not subject to applications making holes
(exceptions) in it.

> Still, NAT doesn't protect "the rest of us" from being DDoS'ed into
> oblivion by "the ignorant masses" behind NAT devices.

LOL - and DDOS is such a minor part of what the ignorant masses impact
us with. But you appear to have missed the point again, even if my NAT
device is being DDOS'd, I can still work behind my NAT device, still
print to my network printer, still get work done, I just have an issue
with internet traffic, but it never impacts my local network.

> Oh yes, let's get personal...
>
> What I do understand is that you are very good at constantly twisting
> the topic a little bit.

LOL, really, me twisting? You've got to be kidding, you're twisting like
Chilly does.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Straight Talk

> And I still say that, even above, you just seem to be missing the
> technology and how it works.

Not much of an argument.

> No, the NAT appliance is not anywhere near as easy to compromise as the
> Windows firewall is, and it's not subject to applications making holes
> (exceptions) in it.

That's true. But when it comes to the chance of "the ignorant masses"
getting compromised, it doesn't make much of a difference.

> LOL - and DDOS is such a minor part of what the ignorant masses impact
> us with.

Just one example. Being spammed by bot nets from ignorant masses
behind NAT devices is another. Having your domain abused by bot nets
spreading spam or malware from ignorant masses behind NAT devices is
yet another.

> But you appear to have missed the point again, even if my NAT
> device is being DDOS'd, I can still work behind my NAT device, still
> print to my network printer, still get work done, I just have an issue
> with internet traffic, but it never impacts my local network.

It seems like you're the one having a problem focusing on a topic.

> LOL, really, me twisting? You've got to be kidding, you're twisting like
> Chilly does.

You seem to be running out of arguments.
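The behaviour argued over in this exchange, and in Leythos's earlier description of Drop-In mode (public addresses on the LAN, rules to admit traffic, no translation), can be made concrete with a small model. This is an added example, not code from anyone in the thread: a toy connection-tracking firewall run once in NAT mode and once in Drop-In mode, with constructed documentation-range addresses, showing that unsolicited inbound packets are dropped in both modes, that an explicit allow rule admits inbound traffic to a public-addressed host in Drop-In mode, and that neither mode stops outbound traffic from a compromised LAN host.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addresses from the IETF documentation ranges.
INTERNET_HOST = "192.0.2.50"   # an ordinary host out on the Internet
VICTIM = "192.0.2.99"          # a third party that a compromised LAN host sends traffic to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    """Connection-tracking firewall in front of a LAN.

    nat_ip set  -> NAT mode: private LAN, sources rewritten to one public IP.
    nat_ip None -> Drop-In mode: LAN hosts keep public IPs, nothing is rewritten.
    In both modes the same rule decides what is let in.
    """
    lan: frozenset
    nat_ip: Optional[str] = None
    allow_in: frozenset = frozenset()          # explicit (dst, dport) inbound allows
    flows: dict = field(default_factory=dict)  # wire 4-tuple -> (inside host, port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends a packet. Remember the flow so the reply can return;
        in NAT mode rewrite the source. Outbound is forwarded in both modes."""
        if pkt.src not in self.lan:
            raise ValueError("outbound packets must originate on the LAN")
        if self.nat_ip is None:
            wire = pkt
        else:
            wire = Packet(self.nat_ip, self.next_port, pkt.dst, pkt.dport)
            self.next_port += 1
        self.flows[(wire.src, wire.sport, wire.dst, wire.dport)] = (pkt.src, pkt.sport)
        return wire

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the Internet. It is delivered only if it answers
        a flow the inside opened, or matches an explicit allow rule."""
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            host, port = self.flows[reverse]
            return Packet(pkt.src, pkt.sport, host, port)  # un-translate if NATed
        if pkt.dst in self.lan and (pkt.dst, pkt.dport) in self.allow_in:
            return pkt
        return None  # unsolicited: dropped, with or without NAT


def run_scenario(mode: str) -> dict:
    """Run the same four events through a NAT-mode or a Drop-In-mode firewall."""
    if mode == "nat":
        workstation, server, infected = "192.168.1.10", "192.168.1.11", "192.168.1.20"
        fw = Firewall(lan=frozenset({workstation, server, infected}),
                      nat_ip="198.51.100.1")        # no port forwards configured
    elif mode == "dropin":
        workstation, server, infected = "203.0.113.10", "203.0.113.11", "203.0.113.20"
        fw = Firewall(lan=frozenset({workstation, server, infected}),
                      allow_in=frozenset({(server, 443)}))  # rule admitting https to the server
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # 1. The workstation browses out and the reply must find its way back.
    wire = fw.outbound(Packet(workstation, 51000, INTERNET_HOST, 80))
    reply = fw.inbound(Packet(INTERNET_HOST, 80, wire.src, wire.sport))
    # 2. An unsolicited probe at the workstation (in NAT mode, at the public IP).
    probe = fw.inbound(Packet(INTERNET_HOST, 4444, fw.nat_ip or workstation, 445))
    # 3. An unsolicited https request for the server.
    https = fw.inbound(Packet(INTERNET_HOST, 5555, fw.nat_ip or server, 443))
    # 4. A compromised LAN host sends traffic to a third party.
    abuse = fw.outbound(Packet(infected, 6000, VICTIM, 80))

    return {
        "reply_delivered_to_workstation": reply is not None and reply.dst == workstation,
        "unsolicited_probe_dropped": probe is None,
        "inbound_https_reaches_server": https is not None and https.dst == server,
        "outbound_from_infected_host_forwarded": abuse.dst == VICTIM,
    }


if __name__ == "__main__":
    for mode in ("nat", "dropin"):
        print(mode, run_scenario(mode))
```

The two result dictionaries differ only in the https line: the NAT box has no forward configured, while the Drop-In rule admits the request to the server's own public address.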
 
J

jameshanley39

[I tried sending this in google, a few times today and yesterday.
Google groups is playig up. Now trying using Forte free agent 3.3 , I
hope the message text wraps right and appears in the right place in
the tree. I haven't used this for a while]

You speak of workarounds to the issue of the firewall getting taken
down when in admin mode.
Workarounds that you don't mention (wise, given that Leythos knows them
anyway and the detail is a side point to the disagreement, but a bit
selfish not to mention them, given that it's a public newsgroup and
others can benefit).
I know of 2 workarounds:
1) Work in Admin mode (many techies do), and through 'run as', browse
in a guest account.
2) Work in Guest mode, and if you want to make an administrative
change, log in as administrator. Or, if it's something like double
clicking the clock and seeing the time, then go into admin and give
yourself the right. Or if you want to install a program whose
installation needs admin access to install it, then let the
installation program 'run as' admin.
But there are issues with the workarounds.
For '1'
If working in admin mode and doing runas to browse in a guest account,
how do you quickly get the browser open? I'd like something as quick
as start..run..iexplore, and an icon too. Is that possible? If so
then I may be converted.
For '2'
If working in Guest mode and you want to make an administrative
change, you have to log off!!!! What a hassle!! I don't want to close
my programs. And even if somehow there's a way to get Windows to keep
them open, I'd have to save everything and wait around for a while.
I seriously doubt you have a way around that, you're not Q from Star
Trek TNG.
Or do you have a way?

Work as a normal user (not guest). Adjust the rights for programs that
need to be run by users but won't run as a normal user [1]. Replace
programs where this isn't possible.

For administrative tasks use runas or log in as an administrative user.
The latter is the preferred method, because the former may allow for
shatter attacks against the programs started with admin privileges.

[1]http://www.planetcobalt.net/sdb/submission.shtml

Your reference currently only brings up or redirects to a welcome page.
I don't see which article has the relevant info.

For what I called running as guest,
I had in mind a limited user account or non-admin account... But it's
quite a nuisance, for the reasons mentioned. Maybe OK for an end user
that doesn't need administrative rights very often. Or for a techie
using the family machine (not commonly experimenting on it, putting
servers on or amending the firewall settings, installing other
programs).

An obvious nuisance is you can't get the date up by double clicking
the clock. That can be sorted out. Under 'local security policy'.

You can't write a little file like c:\a.txt; OK, that can be sorted..
you can create a folder on c:\, so can do c:\a\a.txt or c:\crp\a.txt

Installing a program, getting an error, then doing the run as, can be
a nuisance. If I was installing many programs, trying loads out over
a few days, and I wanted to browse the internet and do other things,
it'd be too much hassle doing so from a limited account. It's a good
reason why a techie's computer may most practically be best off
running as administrator all the time.

My experience is that you can't burn a CD from a limited account. I
tried with a few different pieces of software: Nero, CDBurnerXP, and
prob another one. I guess maybe your reference would work for that.

Logging off and on is a hassle in time, and especially more so if it
means closing your programs. It's a bit off-putting too if you're busy
with all these windows up.
Furthermore, if one had a P2P app it means they'd end up far away in
the queue.. In annoyance that'd be fairly high on the Richter scale.
Or if they were logging IRC chat, that'd stop..

I prefer the other option, of browsing as limited - less hassle.
Still, that has similar issues related to launching the browser, as
mentioned.
 

jameshanley39

<snip>

Something went wrong here..

My reply to Ansgar only went to
microsoft.public.windowsxp.security_admin, not to
comp.security.firewalls. I think 'cos Ansgar added a 'follow-up'
field, and it seems what that did was cause my reply to only go there,
and not to the newsgroup where I read the message and clicked
reply (comp.security.firewalls). I was only looking in csf so didn't
see them. I hadn't encountered that before; it's true of not just
Google's web interface, but Forte or any news reader client. Was news
to me.

This explains my duplicate posts in that Windows XP security
newsgroup.

Sorry.
 

jameshanley39

Work as a normal user (not guest). Adjust the rights for programs that
need to be run by users but won't run as a normal user [1]. Replace
programs where this isn't possible.
For administrative tasks use runas or log in as an administrative user.
The latter is the preferred method, because the former may allow for
shatter attacks against the programs started with admin privileges.
[1]http://www.planetcobalt.net/sdb/submission.shtml
Your reference currently only brings up or redirects to a welcome page.
I don't see which article has the relevant info.

The URL worked with Mozilla, but apparently not with other browsers.
Fixed.

Thanks, I'll look at that info.
Guest is something completely different from LUA. Don't confuse the two.

OK.


Once a box is set up properly, people do not need administrative rights
very often. BTDT.

End users in a company don't; at home, some want it at their own
risk, and call a cheap geek if it goes wrong.

But techie users may well need it.

What do you do? Suppose you browse frequently, do admin operations
sometimes during the day, and install programs often. Are you logging
off and on often for the admin operations?

Are you spending extra time to load up your browser, right-clicking an
icon and typing a password? Just to start your browser.
Then if you close it, you have to do it again!!!


Ummm... normal users are not supposed to create files in C:\. Users have
full write access in their %USERPROFILE%, which is the place where they
are supposed to create their files (preferably either in the "My
Documents" subfolder or %TEMP%).

*End users*. But a techie user may well want to put a txt file on c:\,
for the benefit of it being a short, easy path. Easy to get to from the
command line.

What do you do?

For your computer.

Besides, I don't see any reason at all why non-administrative users
should be allowed to create anything (be it files or folders) in C:\ in
the first place. Which is why I restrict limited users to read-only
access to C:\ on all systems I set up.

What about you, a techie user?

I can do notepad c:\a.txt
and even a LUA account allows c:\a\a.txt
Do you type
notepad c:\document...bloody long path..\

or a load of percentages to type an environment variable?!! Don't you
ever want to type things with a brush of the hand?

<slightly unnecessary and eccentric elaboration>
notepad, easy.
cd \, easy. Even easier on a UK keyboard, to do cd\
%userprofile%\desktop. Even the %s are an issue. That's not nice to
type often. You have to look where the number is.. People tend to
touchtype with the keypad.. Typing shift + one of those top numbers
isn't so smooth.
All you want to do is create a file on the comp. Your comp!!

At the moment I'm in a room and some idiot turned the lights out. I
can still type, but % are even more of a nuisance than usual 'cos I
can't see the numbers. I'd have to get out of my chair to turn the
lights on. Anyhow, besides that, one should be able to touchtype
something so simple. Those top numbers aren't so accessible without
looking beforehand.. To create a file on the computer I shouldn't have
to squint, or even look, at the keyboard.

I've been doing exactly what you call "too much hassle" for years now,
without any problems. If you need to grow progress bars while doing
other work as a limited user, you just start your preferred file manager
via runas and run all setups from there. Problem solved.

So you're doing runas once, but then you need your file manager's
window open all the time.

Here's a big issue. Windows XP only has Windows Explorer preinstalled
as a file manager. Doing runas on that has issues.

(Probably linked to the fact that in the ctrl-alt-delete world, it's a
shell one can end and restart, and once the Windows shell has started,
explorer.exe is a file manager! Well, if you double click the icon.)

A workaround I briefly read of that I hadn't tried is to do runas on
IE, and use the address bar to access local files (though I read
something about that not working with IE7).
A workaround I use on the rare occasions that I use a LUA is to do
runas on cmd.exe (typing a long runas command to bring up a command
prompt with administrative privileges).
And apparently there's a fix that can be done on a per-account basis,
to allow you to do runas on explorer.exe:

http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1251819,00.html

If you use a 3rd party file manager and get around it that way, you
have to install that + do so for all your end users.

Install Nero Burn Rights and put the users that should be able to burn
CDs into the group "Nero" (works for other burning software too). Or use
a different program. Deep Burner for instance works just fine as a
limited user here.

Such a trivial thing, and Nero needs special treatment. Doesn't cover
other CD burners though. At least that hassle is a one-off, OK.
Though for the rare times I burn a CD, I can deal with runas.

Then use runas. It's only the second best option, but an option
nonetheless.

That doesn't apply here.
Runas works for installing or running programs that need
administrative privileges to install or run respectively.

But it doesn't let you make administrative amendments, e.g. to the
Windows firewall, or adding/deleting users, resetting a password.

If doing admin tasks many times a day, at any time, it's a hassle to
close all your programs and go to administrative mode to do them, then
go back as LUA to browse the web. And what if you want to do an
admin task and browse the web to check something?

I'm running a BitTorrent client on this Win2k box as a limited user
without any problems. Your point being? It's not like somebody's forcing
you to use crappy P2P software.

BitTorrent does not supersede P2P in any way. It has its issues.

For a start, there's playing the game of searching for torrents. It
may take searching on a few websites to find what you want, and those
websites go down often and you have to be 'in the loop' as to what the
current good torrent search sites are.

They are also different communities; different programs are available.
Even from one P2P app to another. One may be good for music, another
for various genres of short video clips, another for (big) movies.. I
found an old program AA - Autodesk Animator - on Kazaa. Kazaa made it
easy to share files. Yet the first BitTorrent client (the standard
one), I didn't use it much but I recall it being messy to share the
files you downloaded; I think you had to keep windows open, one per
file.. Maybe a good client like uTorrent improves that. But all these
things have issues. P2P is good. For programs, vid clips, movies,
anything.

If you can tell me a way to find torrents that doesn't involve
googling myself into a new seat in hell, I'd like to know. One website
with all the torrents, a website that doesn't go down. I still doubt
it'll have the array of files that P2P apps do..
 

jameshanley39

I disagree to a false claim that NAT devices would be some kind of
"silver bullet" to protect the rest of us from the ignorant masses.


Difference is, Leythos is promoting a solution that doesn't work. NAT
does not provide protection from the ignorant masses. Period.

Whatever Leythos was saying in response to you is as good as lost,
since your posts will vanish from archives, and we won't see the
discussion in the future.

So, without quoting from that discussion, I'll try to keep any
discussion I have with you self-contained within my posts.

NAT Routers do block incoming.
The Win XP Firewall does too.

They would have different vulnerabilities. The vulnerabilities of the
Win XP FW - or any PFW / software firewalls - have been discussed.
Many users have theirs taken down when they go to a website!

There's no doubt that NAT Routers block incoming, and they don't fall
for the old website thing - a website exploiting a commonly used browser
you run, and running malicious code on your system!

Here's a technical question though..
Even if you're in a LUA account, can't a site run some malicious code?
The code is a bit more limited in what it can access (certain
directories and registry parts are no-go areas), but still it can do
quite a bit. (Just as many programs can do what they need in a non-
admin account.)
 

jameshanley39

Not much of an argument.

That's true. But when it comes to the chance of "the ignorant masses"
getting compromised, it doesn't make much of a difference.

Just one example. Being spammed by bot nets from ignorant masses
behind NAT devices is another. Having your domain abused by bot nets
spreading spam or malware from ignorant masses behind NAT devices is
yet another.

Out of interest, what do you mean by bot net?

Is it a malicious server / trojan that receives a command, and then
could cause trouble to other machines, maybe acting as a client
sending spam mail through a mail server that lets anybody in?

If it is indeed a server that receives a command, then a NAT router
would prevent it from receiving an incoming connection.

I see that if it's a malicious client program, then a NAT router wouldn't
stop that.

There are a lot of malicious server programs around though, e.g. malicious
SMTP servers. Other comps then connect to the compromised one and send
spam through it. The user at the compromised machine then gets
contacted by his ISP saying 'stop it or you'll get DCed/disconnected'.
A NAT router stops those other users getting attacked, and in the
process, stops that poor user from getting an email threat from his
ISP.
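The distinction drawn in this post (a listening malicious server behind NAT is unreachable, a malicious client behind NAT still gets out) as an added illustration that is not part of the thread: a toy NAT state table in Python. All addresses are constructed documentation-range examples and the `NatRouter`/`Packet` names are hypothetical.

```python
# Added illustration, not from the thread: a toy NAT state table showing why
# unsolicited inbound connections to a LAN host are dropped while a LAN host
# that reaches out (a bot acting as a client) is still mapped through.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # public port -> (lan_ip, lan_port, remote_ip, remote_port); constructed model
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet):
        """LAN host sends to the internet: reuse or allocate a public port."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return ("forwarded", pub_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        return ("forwarded", pub_port)

    def inbound(self, pkt: Packet):
        """Internet host sends to the public IP: only replies to LAN-initiated flows pass."""
        entry = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or entry is None:
            return ("dropped", None)            # unsolicited: no LAN host asked for it
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (remote_ip, remote_port) != (pkt.src, pkt.sport):
            return ("dropped", None)            # not the peer of that flow
        return ("forwarded", (lan_ip, lan_port))

def demo():
    nat = NatRouter("203.0.113.5")
    # 1) unsolicited connection to port 25 on the public IP: no entry, dropped
    r1 = nat.inbound(Packet("198.51.100.7", 4444, "203.0.113.5", 25))
    # 2) LAN client connects out to a remote SMTP server: allowed, port 40000
    r2 = nat.outbound(Packet("192.168.1.10", 5555, "198.51.100.7", 25))
    # 3) reply from that server to the mapped port: forwarded to the LAN host
    r3 = nat.inbound(Packet("198.51.100.7", 25, "203.0.113.5", 40000))
    return r1, r2, r3
```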
 

Leythos

You seem to be running out of arguments.

And you seem to be trolling by picking a small item and saying that it
invalidates everything else.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 

Straight Talk

Here's a technical question though..
Even if you're in a LUA account, can't a site run some malicious code?
The code is a bit more limited in what it can access (certain
directories and registry parts are no-go areas), but still it can do
quite a bit. (Just as many programs can do what they need in a non-
admin account.)

It sure can. What you seem to be missing is that I made my LUA point
in response to Leythos claiming that any program could poke holes
(open servers) in the WF. As a limited user you cannot do that, my
point being that the fault is not in the WF but in users running with
admin rights.
 