how good is the XP firewall

RoS

I've happily been running Zone Alarm as the firewall, Grisoft's AVG as my
virus scanner, Ad-Aware and Spy-Bot for other nasties on my Win ME setup.

The last three presumably should be installed on a new XP machine? But does
the XP SP2 firewall do as good a job as Zone-Alarm? Quite a few articles
suggest that Microsoft offer 'cut-down' versions of 3rd party apps of this
nature. If one has something like Partition Magic, is it preferable to use
it?

RoS
 
Plato

RoS said:
nature. If one has something like Partition Magic, is it preferable to use
it?

You don't need Partition Magic to set up XP computers or add new hard
drives.
 
Don Varnau

Hi,
The XP firewall only monitors/blocks incoming traffic. It's certainly *much*
better than no firewall, but it can be useful to monitor/control outgoing
traffic. It's nice to know which programs are "phoning home."

Don
[MS MVP- IE/OE]
 
Michael Stevens

RoS said:
I've happily been running Zone Alarm as the firewall, Grisoft's AVG
as my virus scanner, Ad-Aware and Spy-Bot for other nasties on my Win
ME setup.

The last three presumably should be installed on a new XP machine?
But does the XP SP2 firewall do as good a job as Zone-Alarm? Quite a
few articles suggest that Microsoft offer 'cut-down' versions of 3rd
party apps of this nature. If one has something like Partition
Magic, is it preferable to use it?

RoS

XP firewall is intended to protect users from exploits that exist with the
initial internet connection after setup and users that do not want to
purchase, or have not purchased a third party firewall. As with all non-OS
additions included with Windows XP or any previous Windows, they are basic
applications that have the limitations a basic application would have. The
XP firewall blocks incoming traffic only.
--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
 
Canopus

RoS said:
I've happily been running Zone Alarm as the firewall, Grisoft's AVG as my
virus scanner, Ad-Aware and Spy-Bot for other nasties on my Win ME setup.

The last three presumably should be installed on a new XP machine? But does
the XP SP2 firewall do as good a job as Zone-Alarm? Quite a few articles
suggest that Microsoft offer 'cut-down' versions of 3rd party apps of this
nature. If one has something like Partition Magic, is it preferable to use
it?

RoS

As has been pointed out the XP firewall can block incoming traffic only. It
does so by only allowing incoming traffic that has been initiated by your PC
which means if you get a Trojan, keyboard logger or other mass mail virus on
your PC the XP firewall will not stop them from turning your PC into a
zombie and sending out loads of spam, info etc. So saying, I am running the
XP firewall and Zone Alarm together without any conflicts although I
probably don't need the XP one any more.

Rob
 
R. McCarty

The XP Firewall may have one advantage to other 3rd Party firewall
programs. During XP's boot up there is a "Small" time during Network
initialization that the PC is exposed.

Excerpt from a MS Document on XP Firewall
In earlier versions of Windows, there was a small window of time between
the network starting and the firewall becoming active, leaving your
computer vulnerable for that brief period of time. In Service Pack 2,
during startup and shutdown, the firewall driver uses a rule called a
boot-time filter to help prevent attacks during those brief periods. Once
Windows Firewall is up and running, it loads your custom firewall settings
and removes the boot-time filters. This makes your computer less vulnerable
to attacks during startup and shutdown operations.

I've never checked to see if Zone Alarm and other 3rd party firewalls
have provisions to protect the system during these times, but it would
be worth knowing.
 
DevilsPGD

In message <[email protected]> "Canopus"
As has been pointed out the XP firewall can block incoming traffic only. It
does so by only allowing incoming traffic that has been initiated by your PC
which means if you get a Trojan, keyboard logger or other mass mail virus on
your PC the XP firewall will not stop them from turning your PC into a
zombie and sending out loads of spam, info etc. So saying, I am running the
XP firewall and Zone Alarm together without any conflicts although I
probably don't need the XP one any more.

It's worth noting that if you are running XP using an administrator
account, any malware you install on your system can bypass your firewall
to connect out anyway.
 
Frank Saunders, MS-MVP

DevilsPGD said:
In message <[email protected]> "Canopus"


It's worth noting that if you are running XP using an administrator
account, any malware you install on your system can bypass your firewall
to connect out anyway.

No matter what the firewall.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/
 
Guest

RoS said:
The last three presumably should be installed on a new XP machine? But does
the XP SP2 firewall do as good a job as Zone-Alarm? Quite a few articles
suggest that Microsoft offer 'cut-down' versions of 3rd party apps of this
nature.

In my opinion, based on extensive personal experience as well as regularly
reading firewall-related posts on these newsgroups, is that the Windows
firewall is better than third party firewalls -- better from the standpoint
of overall performance, reliability, and even security. If you feel like you
need to depend on a third party firewall to prevent crudware already on your
machine from phoning home, then you already don't know what you really need
to know about security in the first place. Knowledge is power. Learn what
crudware actually is, how some POS attempts to install it on your machine,
and how to avoid downloading and installing crudware in the first place, and
then implement what you have learned. One of the things you'll learn is that
all you need is an up-to-date Windows XP system with SP2 set to default
settings, any good standalone antivirus program, and a good antispyware
program that runs in real time (I use Microsoft Antispyware -- it's the best
one of many that I have tried).

Think of it this way. If your computer is already secure enough, installing
a third party firewall is redundant and unnecessary -- it would be like
adding a few more burglar alarms to Fort Knox. If it is insecure, installing
a third party firewall will, at best, help you minimize any resulting damage.
You are, therefore, much better off devoting your time, energy, and money to
making your system secure than making an insecure system slightly less
insecure.

Even more generally, a good rule of thumb about XP is that the less you mess
with how it was designed to run, the better it will operate. It is currently
designed to run with the Windows firewall, working in conjunction with an
antivirus program that the user must install separately. It is a good
design. Don't mess with it.

Ken
 
Rock

R. McCarty said:
The XP Firewall may have one advantage to other 3rd Party firewall
programs. During XP's boot up there is a "Small" time during Network
initialization that the PC is exposed.

Excerpt from a MS Document on XP Firewall
In earlier versions of Windows, there was a small window of time between
the network starting and the firewall becoming active, leaving your
computer vulnerable for that brief period of time. In Service Pack 2,
during startup and shutdown, the firewall driver uses a rule called a
boot-time filter to help prevent attacks during those brief periods. Once
Windows Firewall is up and running, it loads your custom firewall settings
and removes the boot-time filters. This makes your computer less vulnerable
to attacks during startup and shutdown operations.

I've never checked to see if Zone Alarm and other 3rd party firewalls
have provisions to protect the system during these times, but it would
be worth knowing.

The Sygate firewall has a setting to block all traffic when the firewall
service is not loaded including during shutdown and boot up.
 
R. McCarty

Thanks Rock, I'll have to check with Zone Alarm's forum and see if
the same protection exists in their product.
 
Ken Blake

> In my opinion, based on extensive personal experience as well as
> regularly reading firewall-related posts on these newsgroups, is that
> the Windows firewall is better than third party firewalls -- better
> from the standpoint of overall performance, reliability, and even
> security.


You certainly have a right to that opinion, but I wanted to point
out that most of us here disagree with you completely.

Not only that, but Microsoft also disagrees with you. Read
http://www.microsoft.com/athome/security/protect/firewall.mspx
which includes the following:

"Q. Should I use a non-Microsoft personal firewall instead
of the built-in Internet Connection Firewall?
A. If you already have a non-Microsoft firewall on your
computer, you should continue to use it. If you do not have a
firewall, then you have a choice. If you want a simple firewall
that is very easy to configure, then you should use the Windows
XP Internet Connection Firewall. If you want more advanced
control over the traffic that passes through your computer and
you also want to block outgoing traffic (that is the traffic from
your computer out to the Internet) then choose a personal
firewall from another company."


> Think of it this way. If your computer is already secure enough,
> installing a third party firewall is redundant and unnecessary

Yes, but what does "secure enough" mean? The problem is that you
never really know. I have a lock on my front door, and no burglar
has ever broken in. Does that mean I am "secure enough"? How do I
know that tomorrow a more skilled burglar won't come along and
pick my lock?

So if I were given the opportunity to easily install a better lock,
and one that cost me nothing, I would take it. It may protect me
against that better burglar, or he may never come along and it
may not. But I don't care. There's no downside to enhancing my
security for free, whether or not it turns out that it's
necessary.
 
Husky

> and how to avoid downloading and installing crudware in the first place, and
> then implement what you have learned. One of the things you'll learn is that
> all you need is an up-to-date Windows XP system with SP2 set to default
> settings, any good standalone antivirus program, and a good antispyware
> program that runs in real time (I use Microsoft Antispyware -- it's the best
> one of many that I have tried).

Having a good program watching for your 'crudware' is just a stop gap measure.
You need to be able to identify WHEN you've been compromised. All the backup
virus software, firewalls, adware removers, popup killers etc. don't mean
diddly if something gets past them. And something WILL get past them. That's
when you need to know when something's wrong and go after it the best you can.
You might have to run several different NEW virus scanners or adware programs
'cause not all of them are equal. Trend might find 98%. Then you might need
McAfee, Norton or any others to find what's causing trouble.
Something calling itself desktop xxxx made it to my system ages ago. Trend had
no idea what it was, Adaware didn't. I had to search the web for desktop xxx to
find someone else that had been hit by it and find out how to dump it.
I never found it in time. I just did a reformat and reinstall of the OS. Just
reinstalling the OS and rollbacks was doing nothing.

That right there is the only guaranteed solution to a virus.

> Think of it this way. If your computer is already secure enough, installing
> a third party firewall is redundant and unnecessary -- it would be like
> adding a few more burglar alarms to Fort Knox. If it is insecure, installing
> a third party firewall will, at best, help you minimize any resulting damage.

More eyes open, better chance of survival, but adding software isn't the same
comparison. Identical software will wind up fighting each other for resources,
and cause more trouble than it solves.
IIRC The XP OS specifically says ONLY use 1. If you have a 3rd party either
disable that one or XP's but don't run both.
 
Guest

> You certainly have a right to that opinion, but I wanted to point
> out that most of us here disagree with you completely.

Sure. I don't deny it. Usually when I give this speech, I throw in the
caveat that many people, including people like you whose opinions I greatly
respect, disagree with me. This time I simply forgot to do it.

> Not only that, but Microsoft also disagrees with you. Read
> http://www.microsoft.com/athome/security/protect/firewall.mspx
> which includes the following:
>
> "Q. Should I use a non-Microsoft personal firewall instead
> of the built-in Internet Connection Firewall?
> A. If you already have a non-Microsoft firewall on your
> computer, you should continue to use it. If you do not have a
> firewall, then you have a choice. If you want a simple firewall
> that is very easy to configure, then you should use the Windows
> XP Internet Connection Firewall. If you want more advanced
> control over the traffic that passes through your computer and
> you also want to block outgoing traffic (that is the traffic from
> your computer out to the Internet) then choose a personal
> firewall from another company."

I could respond, in hypertechnical fashion, that this blurb refers to ICF,
not the (much improved) Windows firewall. But despite the first sentence, it
is unclear to me what it is really saying because the user always has the
choice to uninstall the third party firewall -- which then puts him in the
same position as the person who must choose between one or the other (which
is what the rest of the blurb addresses).

Why would Microsoft do this? My guess is that there are separate problems
that are likely to come up if the user uninstalls a third party firewall that
don't exist if the firewall was never installed in the first place. I have
experienced some of these problems myself, especially with Zone Alarm
(admittedly a very popular choice, but one that, for some reason, always
seems to constipate my system), and we can read about the problems others
have experienced right here in these newsgroups. So of course it would make
sense for Microsoft to advise a person who is already using a third party
firewall to keep using it and thereby avoid these types of problems.

But leaving all this aside, I completely agree with the rest of what
Microsoft wrote, even if you substitute the (improved) Windows Firewall for
ICF. However, I have no desire or need to monitor outgoing communications or
otherwise take "more advanced control" (or what I would call using additional
bells and whistles). I use other software and related security measures to
keep crudware off my system in the first place, and otherwise I don't want
anything obstructing legitimate outbound communications even long enough to
bother me to make decisions on which legitimate communications I should block
when the answer will almost always be "none." I would rather have the
simpler firewall that is much easier to configure -- and which has never
caused me a single problem or security breach going all the way back to the
day Microsoft introduced XP in 2001. I agree that others may prefer the
"more advanced" features. I'm simply not one of them.

I can never know with 100 percent certainty. I also don't know with 100
percent certainty that I won't be killed in an automobile accident the next
time I drive to work, but this uncertainty will not stop me from ever again
driving to work. I do know with pretty much 100 percent certainty when
something is wrong with my computer or with someone else's computer,
including the signs of crudware. I don't need a third party firewall to tell
me that something is wrong.

> I have a lock on my front door, and no burglar
> has ever broken in. Does that mean I am "secure enough"? How do I
> know that tomorrow a more skilled burglar won't come along and
> pick my lock?

Well, I can also increase the number of locks on the door, install an
electric fence, get some guard dogs, booby-trap my front yard, etc. But at
some point the law of diminishing returns kicks in. The locks and electric
fence cost money, the guard dogs need to be fed and then they mess up your
yard, booby traps can also injure young children, etc., etc.

> So if I were given the opportunity to easily install a better lock,
> and one that cost me nothing, I would take it. It may protect me
> against that better burglar, or he may never come along and it
> may not. But I don't care. There's no downside to enhancing my
> security for free, whether or not it turns out that it's
> necessary.

Even with the best of third party firewalls, there is some downside. There
may be compatibility issues (especially as Microsoft continues to update
Windows), they may sometimes make mistakes in deciding which outbound
communications to block, there is a small hit on resources and memory, these
programs have to be maintained and updated from time to time, etc.

Ken
 
Husky

> But leaving all this aside, I completely agree with the rest of what
> Microsoft wrote, even if you substitute the (improved) Windows Firewall for
> ICF. However, I have no desire or need to monitor outgoing communications or
> otherwise take "more advanced control" (or what I would call using additional
> bells and whistles). I use other software and related security measures to

Ask yourself what is outgoing? Normally once the burglar's entered, he TAKES
the stuff OUT.
Your passwords, social security number, home address, children's ages, anything
personal you've stuck on a drive could be included in the OUTGOING that you
don't feel a need to monitor.

You sound like one of those commercials now, Nostradamus didn't predict Trojans
or computer virus, so I'm protected. I want my machine to make a sound like a
Yeti, AAAOOOOOOWWWWWWW!!!

> keep crudware off my system in the first place, and otherwise I don't want
> anything obstructing legitimate outbound communications even long enough to
> bother me to make decisions on which legitimate communications I should block
> when the answer will almost always be "none." I would rather have the
> simpler firewall that is much easier to configure -- and which has never
> caused me a single problem or security breach going all the way back to the
> day Microsoft introduced XP in 2001. I agree that others may prefer the
> "more advanced" features. I'm simply not one of them.

You've been lucky so far. I see on average at least 5 attempts daily to
compromise my computer. The kiddie scripts are still out there. And if they can
turn your machine into a slave for forwarding their spam [you'll never know if
they do], or even better, turning your machine into a source for pirate ware.
You could benefit from www.dshield.org and help others. It'd increase your web
paranoia, but it'd make you think about how much traffic you want to ignore.

> I can never know with 100 percent certainty. I also don't know with 100
> percent certainty that I won't be killed in an automobile accident the next
> time I drive to work, but this uncertainty will not stop me from ever again
> driving to work. I do know with pretty much 100 percent certainty when
> something is wrong with my computer or with someone else's computer,
> including the signs of crudware. I don't need a third party firewall to tell
> me that something is wrong.

But you still keep your seat belts and other safety devices [brakes] in working
order. If one starts to fail, and a weak firewall you can almost guarantee will
fail, you wouldn't stay with it. M$ has already said it's not the best out
there.
You can't stop the burglar, but you can make it hard enough to give you the
breathing space to call 911. IOW: You don't post signs on your roof that you
leave your doors unlocked and aren't home between the hours of xx and xx.

If some kiddy script can identify you as an easy mark, they'll be back until
they get thru.

Check your security with XP at this site

http://grc.com/intro.htm look for the Shields up page and then tell us just how
secure you feel. Or go to Norton, they have something similar but it may take
hours for results. GRC can tell you in minutes how vulnerable and where you
aren't secure. It's sobering when they can tell you more about you than you
know about you just by visiting their web site.

And for all you know the link I'm giving you above isn't sending you off to a
malicious java script that won't have any problem dropping its load on you.
It isn't, but you don't know that unless you've been to GRC.com b4.

I would say take a look at the counter I use, it grabs everything but blood
type and mothers maiden name.

That's way more info than a visit to a web site needs to know. But the
technology exists to scan your entire machine and send it to Osama Bin Laden.

> Well, I can also increase the number of locks on the door, install an
> electric fence, get some guard dogs, booby-trap my front yard, etc. But at

Guard dogs and booby trapping your front yard, and you can kiss your freedom
goodbye. It's ILLEGAL. And if you do catch a burglar in one, he'll own you, if
he survives; if not, his relatives will own you.
 
Bruce Chambers

RoS said:
I've happily been running Zone Alarm as the firewall, Grisoft's AVG as my
virus scanner, Ad-Aware and Spy-Bot for other nasties on my Win ME setup.

The last three presumably should be installed on a new XP machine? But does
the XP SP2 firewall do as good a job as Zone-Alarm? Quite a few articles
suggest that Microsoft offer 'cut-down' versions of 3rd party apps of this
nature. If one has something like Partition Magic, is it preferable to use
it?

RoS


WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is protect you from any Trojans or spyware that you (or someone
else using your computer) might download and install inadvertently.
It doesn't monitor out-going traffic at all, other than to check for
IP-spoofing, much less block (or even ask you about) the bad or the
questionable out-going signals. It assumes that any application you
have on your hard drive is there because you want it there, and
therefore has your "permission" to access the Internet. Further,
because the Windows Firewall is a "stateful" firewall, it will also
assume that any incoming traffic that's a direct response to a
Trojan's or spyware's out-going signal is also authorized.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even the commercially
available Symantec's Norton Personal Firewall is superior by far,
although it does take a heavier toll of system performance than do
ZoneAlarm or Sygate.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Leythos

> WinXP's built-in firewall is adequate at stopping incoming attacks,
> and hiding your ports from probes.

Bruce, while I respect your technical skills, I completely disagree with
the above. Sure, on a virgin system, with no users, it will block inbound
connections, except those configured in the exception list, but the same
is not true on a system that's in heavy use.

Most applications can now create exceptions for their own use, many
applications do it, and users have no clue. If you move a machine from a
private network where file sharing is permitted as an exception then hang
it directly on a public network, the exception is still there for file
sharing.

The SP2 Firewall is a joke, in fact, it's so much a joke that I disable
the Windows Firewall service on every machine we manage just so people
can't mistakenly think they are protected.

I've never installed a firewall that was "Adequate", I've installed ones
that work, without question, without being able to be compromised by the
users. Heck, even NAT/PAT boxes sold as pseudo firewalls are more
protection than SP2 firewall.

Hope you don't take this personally, it was not intended as an attack.
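
Added example, not part of any poster's message and not Windows Firewall code: a toy Python model of the behaviour the posts above describe, where an inbound-only stateful filter drops unsolicited inbound packets but admits replies to any flow the PC opened and anything addressed to a port on the exception list. The class names, program names and packet list are hypothetical, and the addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected PC
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int
    program: str = ""   # local program that sent it (outbound only)

    @property
    def flow(self):
        # A reply belongs to the same flow as the packet that opened it.
        return (self.proto, self.local_port, self.remote_ip, self.remote_port)


class InboundOnlyFirewall:
    """Stateful filter with no outbound policy (the model the thread describes)."""

    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)   # (proto, local_port) opened to anyone
        self.flows = set()                  # flows opened from this PC

    def allow_outbound(self, pkt):
        return True                         # every local program is trusted

    def check(self, pkt):
        if pkt.direction == "out":
            if not self.allow_outbound(pkt):
                return "DROP", "program not approved for outbound"
            self.flows.add(pkt.flow)
            return "ALLOW", "outbound flow recorded"
        if pkt.flow in self.flows:
            return "ALLOW", "reply to a flow this PC initiated"
        if (pkt.proto, pkt.local_port) in self.exceptions:
            # The rule does not look at where the packet comes from.
            return "ALLOW", "port is on the exception list"
        return "DROP", "unsolicited inbound"


class OutboundAwareFirewall(InboundOnlyFirewall):
    """Same filter plus a per-program outbound allow list."""

    def __init__(self, exceptions=(), approved_programs=()):
        super().__init__(exceptions)
        self.approved = set(approved_programs)

    def allow_outbound(self, pkt):
        return pkt.program in self.approved


# Constructed sample traffic (addresses from RFC 5737 documentation ranges).
SAMPLE_TRAFFIC = [
    Packet("in", "tcp", 3389, "203.0.113.5", 40000),                 # probe
    Packet("out", "tcp", 1050, "198.51.100.7", 80, "browser.exe"),   # browsing
    Packet("in", "tcp", 1050, "198.51.100.7", 80),                   # its reply
    Packet("out", "tcp", 1051, "198.51.100.99", 25, "unknown.exe"),  # unapproved sender
    Packet("in", "tcp", 1051, "198.51.100.99", 25),                  # its reply
    Packet("in", "tcp", 445, "203.0.113.9", 41000),                  # file-sharing port
]


def run(firewall, traffic=SAMPLE_TRAFFIC):
    """Return the verdict for each packet, in order."""
    return [firewall.check(pkt)[0] for pkt in traffic]


if __name__ == "__main__":
    file_sharing = {("tcp", 445)}   # exception left over from a private network
    basic = InboundOnlyFirewall(file_sharing)
    strict = OutboundAwareFirewall(file_sharing, {"browser.exe"})
    for pkt, a, b in zip(SAMPLE_TRAFFIC, run(basic), run(strict)):
        print(f"{pkt.direction:3} {pkt.remote_ip:>14}:{pkt.remote_port:<5} "
              f"inbound-only={a:5} outbound-aware={b}")
```

In both models the last packet is allowed: a port exception admits unsolicited traffic from any address until the exception itself is removed.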
 
Guest

Husky, ask yourself this... will a reformat stop a *BOOT* VIRUS?? or will it
only stop viruses that are on your hard drive? use your head

one program that i use that seems to be much better than Zone Alarm is Kerio
Personal Firewall. it's a great program, tells you *everything* that goes on
in your system, such as which programs are starting which programs, whether
you want to start such-and-such program or not, as well as whether you want
such-and-such program to accept connections or send a connection to the
internet.

if you *really* want a solution for viruses, get Linux. it's another OS
(operating system) that's MUCH better than anything windoze has ever been
able to come up with. it's designed after Unix, which is THE most stable OS
*ever* made. best part is, it's too hard to get into, and windoze viruses
don't work on it. even better than that, is that it's FREE. it's shareware,
but it falls nowhere close to categories that include any file-sharing
programs such as Kazaa. there are many distributions of Linux, only a few of
which you have to pay for, like Red Hat, but it's also the most customizable
OS out there. check out Linux.com for some of the various distributions.
Like Ken said, "You are, therefore, much better off devoting your time,
energy, and money to making your system secure than making an insecure system
slightly less insecure." if you Really want to make your system secure, for
one, don't use Internet Explorer. use something like Mozilla, Opera, or
Netscape. another thing you can do is keep an eye on programs that are
installed on your computer (My Computer --> Control Panel --> Add/Remove
Programs), and also keep an eye on what tasks are running (Start --> Run -->
taskmgr.exe). if you REALLY want your computer to be secure, disconnect it
from the internet.

Ken, just so you know... windoze ITSELF is insecure... even the xpsp2
firewall sucks, it doesn't stop everything, and many of the things it doesn't
stop can be damaging to your computer. also, if you want to access an ftp
server, you always have to disable the firewall before you can do so. using
something like Kerio saves you from having to continuously open the firewall
settings, disabling it, and then enabling it again, because all you get is a
program-generated popup asking if you want to allow the outgoing connection
once, or if you want to allow it all the time.

Now, what happens if you want it to run the way that YOU want it to run,
rather than the way the people who wrote the OS want it to run? i'll tell
you, it messes up. when it first came out, i installed xpsp2, which turned
out to be a BIG mistake. my computer started processing a lot slower, ftp
access was denied (happened a few times even when the windoze firewall was
disabled), and when i tried to uninstall it, the uninstaller froze and i had
to re-format and re-install everything. i also tried installing NVIDIA
drivers on a non-NVIDIA card, xp messed up. installed IIS so i could run an
ftp server, xp messed up. changed IE settings, IE messed up. think about
those for a while, before you start again to talk about how good windoze is.
note: i have made *many* changes to my Linux box running Mdk (Mandrake), and
nothing's gone wrong so far.
 
Walter Clayton

Can you say "Can of worms"?

I have this discussion with my clients on a regular basis. Two questions:

Do you know how to determine if an application requesting outbound
connection is legit?
Do you want to know how to make that determination and are you willing to do
the legwork?

There is also the final issue: Once the nasty is loose on your machine, what
guarantee is there that it hasn't compromised the outbound scanner?

And the challenge for those that are "in the know", can you guarantee that
it is utterly impossible to compromise the outbound scanner? Hint: MD5 is
compromised; piggy backing; proof of concepts already exist to compromise
any client side firewall you care to name some of which have been addressed
and some of which haven't; I can and have hand killed a firewall and had
unfettered access...

I'd leave ZA off unless you want to do the legwork to research polite code
that's attempting to reach out.

PM is a different story, but that depends on your needs. If you're actively
repartitioning then you'll need a 3rd party tool. Personally I switched to
BootItNG about the time that PM5 came out and haven't looked back since.
 
