Is Windows XP firewall any good?


G

Guest

I’d very much like some advice regarding firewalls, please. I’m currently
planning to uninstall my Norton Internet Security Suite 2003 (too pricey to
renew), and instead download the free AVG anti-virus software. I understand
the Windows XP Service Pack 2 included a much improved firewall. Is this
considered a safe firewall? I currently have it switched off to avoid
conflicts with the Norton one. Would it be better to download the free Zone
Alarm firewall?

I also wonder if it might be possible to keep the firewall part of the
Norton package and just ditch the anti-virus? I can’t get advice from Norton
on this 2003 product.
Thanks for any help you can offer.
Roy Butterfield
 
Ad

Advertisements

J

Jupiter Jones [MVP]

Roy;
First get rid of Norton, completely.

The Windows Firewall does not protect your computer from outbound
transmissions but it is effective at protecting the computer from inbound
attacks.

If you are careful in what you install and successfully install and allow to
run only programs with features you want, the Windows Firewall may be
sufficient.
In that case nothing would be attempting outbound communication anyways.

But a firewall monitoring outbound is good to help make sure all is OK.

If low maintenance is desired/needed, the Windows Firewall bay be the best
option.
An outbound monitoring firewall may actually be a problem since it may be
disabled instead of properly configured if the user does not want to be
bothered.

But if you want to be more proactive, a firewall such as ZoneAlarm gives you
the flexibility to control inbound and outbound traffic:
http://www.zonelabs.com/store/conte...st_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za
 
B

Bruce Chambers

Roy said:
I’d very much like some advice regarding firewalls, please. I’m currently
planning to uninstall my Norton Internet Security Suite 2003 (too pricey to
renew), and instead download the free AVG anti-virus software. I understand
the Windows XP Service Pack 2 included a much improved firewall. Is this
considered a safe firewall? I currently have it switched off to avoid
conflicts with the Norton one. Would it be better to download the free Zone
Alarm firewall?

I also wonder if it might be possible to keep the firewall part of the
Norton package and just ditch the anti-virus? I can’t get advice from Norton
on this 2003 product.
Thanks for any help you can offer.
Roy Butterfield


WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is provide an important additional layer of protection by informing
you about any Trojans or spyware that you (or someone else using your
computer) might download and install inadvertently. It doesn't monitor
out-going network traffic at all, other than to check for IP-spoofing,
much less block (or at even ask you about) the bad or the questionable
out-going signals. It assumes that any application you have on your
hard drive is there because you want it there, and therefore has your
"permission" to access the Internet. Further, because the Windows
Firewall is a "stateful" firewall, it will also assume that any incoming
traffic that's a direct response to a Trojan's or spyware's out-going
signal is also authorized.

ZoneAlarm or Kerio are much better than WinXP's built-in firewall,
in that they do provide that extra layer of protection, are much more
easily configured, and have free versions readily available for
downloading. Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll of system performance then do ZoneAlarm or Kerio.



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin
 
S

Steven L Umbach

The Windows Firewall works very well and I prefer it in situations where the
computer user makes reasonable attempts to keep their computer free of
spyware and malware and there is no need to restrict any user on the
computer to what applications they can run to access the internet. Its
strong points are it is a stateful firewall, it is easy to configure -
usually set and forget, the user is not bombarded with constant popup
warnings about a process trying to access the internet forcing the user to
make a decision, and it uses very low system resources. The downside is it
can not be configured to manage outbound access in situations where it is
needed and it does not have as much logging features as other firewalls if
that is important..

The Norton/Sygate/Zone Alarm firewalls can manage outbound management and
have increased logging but use more system resources, are harder to
configure particularly for the average computer user, confuse the user with
all the pop up warnings forcing the user to make a decision, and are prone
to misconfiguration or the user disabling it due to frustration. In any
case I strongly recommend that any user that has a cable/DSL connection also
use an internet router as the first line of defense to their network which
are very affordable. --- Steve
 
B

B. Nice

WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes.

Please explain what You mean by saying it is just "adequate"?
What WinXP SP2's firewall does not do, is provide an important additional
layer of protection by informing you about any Trojans or spyware that
you (or someone else using your computer) might download and install
inadvertently.

First of all, it is not the job of a firewall to protect You from
installing malware. That is Your responsibility only.

Furthermore, If You have any concerns about security, You would never
allow someone else to install programs on Your computer. It even seems
like You would rely on someone else configuring Your firewall on the
fly.
It doesn't monitor out-going network traffic at all, other than to check
for IP-spoofing, much less block (or at even ask you about) the bad
or the questionable out-going signals. It assumes that any application
you have on your hard drive is there because you want it there,

Which, from a security standpoint, is a very good assumption.
and therefore has your "permission" to access the Internet.

It does'nt need Your permission. You authorized it already when
running or installing the program, most likely with administrator
rights.

Did You read the EULA?

Did You consider how it was supposed to work?
Further,because the Windows Firewall is a "stateful" firewall, it will
also assume that any incoming traffic that's a direct response to a
Trojan's or spyware's out-going signal is also authorized.

Of course it will. How could it possibly destinguish between return
traffic for good or bad programs?

By the way this has nothing to do with the Windows Firewall. It is
pretty normal behaviour.
ZoneAlarm or Kerio are much better than WinXP's built-in firewall,

ohh, I knew it. It's another promotion of personal firewalls ;-)
in that they do provide that extra layer of protection,

Don't impose a false sense of security on Yourself or others. The bad
malware that is determind to get past Your personal firewall will find
a way.
are much more easily configured,
Rubbish.

and have free versions readily available for downloading.
Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll of system performance then do ZoneAlarm or Kerio.

Why keep insisting that checking outgoing connections is a nescessary
extra layor of security? It is not. If You catch a malware that way,
what good does it do? It is already on Your machine, where it
should'nt have been in the first place.

Please also understand, that installing a personal firewall adds an
extra layer of insecurity. Personal firewalls are just as buggy as any
other software. Especially some of the ones You are mentioning (like
the Norton malware) are really big chunks of code.

You cannot rely on hard- or software solutions to take care of Your
security for You. You need to start acting differently.

/B. Nice
 
G

Guest

Many thanks to everyone who came up with firewall advice. I now know where
I'm going.
Cheers
Roy B
 
Ad

Advertisements

B

Bruce Chambers

B. Nice said:
Please explain what You mean by saying it is just "adequate"?


You apparently failed to comprehend the remainder of the post, although
you did interject mostly nonsense comments at several points, giving the
false impression of having actually read it.


First of all, it is not the job of a firewall to protect You from
installing malware.


I never said that it was. However, a properly configured firewall will
alert the user that something suspicious has slipped by his/her other
safeguards.

That is Your responsibility only.

Thank you for that observation, Captain Obvious.

Furthermore, If You have any concerns about security, You would never
allow someone else to install programs on Your computer.


Well, duh. Once again, you've pointed out the obvious. However, how
many households have a separate computer for each family member?
Remember, the advice offered in this newsgroup is aimed mostly at the
average computer user, not IT professionals.

It even seems
like You would rely on someone else configuring Your firewall on the
fly.


Where did that absurd idea come from?

Which, from a security standpoint, is a very good assumption.

Then why are you arguing? Didn't you realize that your so-called
"rebuttal" actually supports my position?
It does'nt need Your permission. You authorized it already when
running or installing the program, most likely with administrator
rights.

Not on any computer I manage...
Did You read the EULA?

Certainly, but how many others do so? Do you, each and every time?

Did You consider how it was supposed to work?

Again, the advice offered in this newsgroup is aimed mostly at the
average computer user, not IT professionals. What I know and can do has
very little in common with the knowledge and skill set of the average
home computer user.


Of course it will. How could it possibly destinguish between return
traffic for good or bad programs?

By being explicitly which was which, of course.

By the way this has nothing to do with the Windows Firewall. It is
pretty normal behaviour.

True, but a real firewall will first ask if the application in question
has the user's permission to send out-going data, and wait for an
answer. WinXP's firewall won't; it'll just pass everything.

ohh, I knew it. It's another promotion of personal firewalls ;-)

Ah, a light comes on....


Don't impose a false sense of security on Yourself or others. The bad
malware that is determind to get past Your personal firewall will find
a way.


Adding a layer of protection doesn't create a "false sense of
security." No one has claimed that any firewall is an inpenetrable
security shield. But it does make it a bit harder for the black hats.
However, no malware can "find a way" past a properly configured
firewall; it has to be invited in, normally by fooling the user into
opening the door.



Ah! Now we know why you dislike real firewalls. You can't or don't
want to learn how to use them. And by "more easily configured" I mean
that 3rd party firewalls *can* be configured. WinXP's firewall cannot,
to any meaningful extent.


Why keep insisting that checking outgoing connections is a nescessary
extra layor of security? It is not. If You catch a malware that way,
what good does it do? It is already on Your machine, where it
should'nt have been in the first place.


So, by your reasoning, when one finds a burglar leaving one's home with
one's property in hand, there's no point in calling the police or
resolving to use better locks in the future? It's already too late?
Now, that is rubbish.

Please also understand, that installing a personal firewall adds an
extra layer of insecurity.


Only if the user, like you, doesn't know how to configure them.

Personal firewalls are just as buggy as any
other software.


Really? Software can be buggy? Who knew?

You cannot rely on hard- or software solutions to take care of Your
security for You. You need to start acting differently.


Thanks for once again pointing out the obvious. I have always
maintained that there are several essential components to computer
security: a knowledgeable and pro-active user, a properly configured
firewall, reliable and up-to-date antivirus software, and the prompt
repair (via patches, hotfixes, or service packs) of any known
vulnerabilities.

The weakest link in this "equation" is, of course, the computer
user. No software manufacturer can -- nor should they be expected to --
protect the computer user from him/herself. All too many people have
bought into the various PC/software manufacturers marketing claims of
easy computing. They believe that their computer should be no harder to
use than a toaster oven; they have neither the inclination or desire to
learn how to safely use their computer. All too few people keep their
antivirus software current, install patches in a timely manner, or stop
to really think about that cutesy link they're about to click.

Firewalls and anti-virus applications, which should always be used
and should always be running, are important components of "safe hex,"
but they cannot, and should not be expected to, protect the computer
user from him/herself. Ultimately, it is incumbent upon each and every
computer user to learn how to secure his/her own computer.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin
 
B

B. Nice

You apparently failed to comprehend the remainder of the post, although
you did interject mostly nonsense comments at several points, giving the
false impression of having actually read it.

Nonsense. The remainder of the post is primarily about outgoing
connections. Maybe You should re-read Your own piece that I was
actually asking for an explanation about. You stated: "WinXP's
built-in firewall is adequate at stopping *incoming* attacks"

I was asking for an explanation about why You called the *incoming*
protection only adequate. You have'nt answered that yet.
I never said that it was.

Yes You did.

I quote: "What WinXP SP2's firewall does not do, is provide an
important additional layer of protection by informing you about any
Trojans or spyware that you (or someone else using your computer)
might download and install inadvertently"
However, a properly configured firewall will
alert the user that something suspicious has slipped by his/her other
safeguards.

Maybe, and too late anyway.
Thank you for that observation, Captain Obvious.

If it so obvious, then why does it repeatedly fail, Mr. Wiseguy?
Well, duh. Once again, you've pointed out the obvious. However, how
many households have a separate computer for each family member?

Irrelevant from a security standpoint.
Remember, the advice offered in this newsgroup is aimed mostly at the
average computer user, not IT professionals.

I *am* aiming at the average computer user. I am promoting the use of
the simple solution (the windows firewall) together with some common
sense about how to behave to prevent being infected. You are promoting
installing an additional complexity for the average user to
comprehend.
Where did that absurd idea come from?

You strongly indicated that.

I quote: "What WinXP SP2's firewall does not do, is provide an
important additional layer of protection by informing you about any
Trojans or spyware that you (or someone else using your computer)
might download and install inadvertently"

So someone else using Your computer should be alerted by Your
firewall. Would it be fair to assume that that same user would
afterwards also allow or deny the traffic? - I guess so.
Then why are you arguing?

Because You are arguing that not checking outbound connections is a
missing functionality.
Not on any computer I manage...

But it would'nt run if it was'nt allowed to.
Certainly, but how many others do so? Do you, each and every time?

That's no excuse. If they did care to do, they might spare themselves
of some spyware.
Again, the advice offered in this newsgroup is aimed mostly at the
average computer user, not IT professionals. What I know and can do has
very little in common with the knowledge and skill set of the average
home computer user.

The ways to prevent malware being installed on a computer does not
really have very much to do whether You are a home computer user or an
IT professional.
By being explicitly which was which, of course.

Not understood.
Adding a layer of protection doesn't create a "false sense of
security."

In most cases, for Your average user, it does.
However, no malware can "find a way" past a properly configured
firewall; it has to be invited in, normally by fooling the user into
opening the door.

Since the majority of users run as admin, it can.
Ah! Now we know why you dislike real firewalls. You can't or don't
want to learn how to use them.

Oh yes, I know how to use them. But why provide the average users with
a complex solution if they can do well with the simple?

I think it is only people like us in here who would even care about
outgoing connections. The average users would not know the difference
and furthermore most would'nt care. When they install an app it is
because they want to use it. It is meaningless to be asked if say
"Skype" should be allowed to access the internet.

Furthermore a personal firewall will ask also pretty technical
questions about windows services being allowed to make connections or
not. Questions that the average user has no chance to answer properly.
So, by your reasoning, when one finds a burglar leaving one's home with
one's property in hand, there's no point in calling the police or
resolving to use better locks in the future? It's already too late?
Now, that is rubbish.

Your anology is not nescessarily right. It could just as well be
something like:

A vandal smashes a part of Your house. He also manages to install some
hidden doors to allow him to get back in. On his way out You manage to
get his mobile phone so he can't phone home saying: Job done.

The point is, You don't know what has happened.
Only if the user, like you, doesn't know how to configure them.

Really? - So firewalls never had vulnerabilities that could be used by
attackers? - Come on. It is not just a question of configuration.
Really? Software can be buggy? Who knew?

According to Your previous answer You did'nt seem to know.
 
B

Bruce Chambers

B. Nice said:
You stated: "WinXP's
built-in firewall is adequate at stopping *incoming* attacks"

I was asking for an explanation about why You called the *incoming*
protection only adequate. You have'nt answered that yet.


Ah! Sorry, I should have realized there was a reading comprehension
problem. From Merriam-Webster:

One entry found for adequate.
Main Entry: ad·e·quate
Pronunciation: -kw&t
Function: adjective
Etymology: Latin adaequatus, past participle of adaequare to make equal,
from ad- + aequare to equal -- more at EQUABLE
1 : sufficient for a specific requirement <adequate taxation of goods>;
also : barely sufficient or satisfactory <her first performance was
merely adequate>

Does that help?

Yes You did.

I quote: "What WinXP SP2's firewall does not do, is provide an
important additional layer of protection by informing you about any
Trojans or spyware that you (or someone else using your computer)
might download and install inadvertently"


And just where, pray tell, does that sentence even imply that a
firewall will *prevent* the installation of malware? Is English a
second or third language for you? Or have you not yet completed middle
school? You're really having a hard time with simple English.


......
Irrelevant from a security standpoint.


No, not at all irrelevant. Without physical security, there is *no*
security. If a computer has multiple users, it has multiple
vulnerabilities, based upon the knowledge, skill set, and activities of
each user.


I *am* aiming at the average computer user.


Whith whose computing practices you're apparently completely
unacquianted. You don't actually have any experience supporting the
average computer user, do you.

I am promoting the use of
the simple solution (the windows firewall) together with some common
sense about how to behave to prevent being infected. You are promoting
installing an additional complexity for the average user to
comprehend.


I*'m sorry, but if you find such relatively user-friendly applications
as ZoneAlarm or Kerio are too complicated, you'll never learn to
maintain your own computer, much less help someone else. (Or is it your
position that the average computer user is just too stupid to learn to
do something you find difficult?)

You strongly indicated that.


Translation: You made it up.


So someone else using Your computer should be alerted by Your
firewall. Would it be fair to assume that that same user would
afterwards also allow or deny the traffic? - I guess so.


Huh? Again, I feel compelled to ask, is English a second or third
language for you? As it is, the above paragraph is quite
undecipherable: the words used are from the English language, but are
almost completely meaningless as currently assembled. is

Because You are arguing that not checking outbound connections is a
missing functionality.


No, a simple statement of fact is not an argument.


That's no excuse. If they did care to do, they might spare themselves
of some spyware.


Excuse, no. However, it is reality.


The ways to prevent malware being installed on a computer does not
really have very much to do whether You are a home computer user or an
IT professional.


But it does have everything to do with the computer user's level of
knowledge.

Not understood.

Sorry, should have read: "By being explicitly told which was which, of
course." One configures ones firewall to know which applications are
permitted to access the outside world, something that cannot be done
with WinXP's firewall.


In most cases, for Your average user, it does.


I don't think you actually know any average users, then.

Since the majority of users run as admin, it can.


No, it's simply not technically possible, regardless of the privilege
level of the user, as long as the firewall is properly configured. The
user would have to initiate some action to install the malware.


Oh yes, I know how to use them. But why provide the average users with
a complex solution if they can do well with the simple?

Why do you think personal firewalls are "complex?"

I think it is only people like us in here who would even care about
outgoing connections. The average users would not know the difference
and furthermore most would'nt care. When they install an app it is
because they want to use it. It is meaningless to be asked if say
"Skype" should be allowed to access the internet.

You have an awfully low opinion of the average user, then. I suppose
you'd be correct in some cases, but I'd like to think that thhe consumer
is capable of learning.

Furthermore a personal firewall will ask also pretty technical
questions about windows services being allowed to make connections or
not. Questions that the average user has no chance to answer properly.


Ah... The questions aren't really all that technical.

Your anology is not nescessarily right.


"Analogy" "necessarily" And yes, that is exactly what you're saying:
That there's nothing to be gained by knowing that one's security has
been breached.

It could just as well be
something like:

A vandal smashes a part of Your house. He also manages to install some
hidden doors to allow him to get back in. On his way out You manage to
get his mobile phone so he can't phone home saying: Job done.

The point is, You don't know what has happened.


And, if relying upon the WinXP Firewall, you never will. You won't
even know the vandal has been there. Thanks for proving my point.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin
 
B

B. Nice

Does that help?

It does. Apologize. My mistake.
And just where, pray tell, does that sentence even imply that a
firewall will *prevent* the installation of malware?

I did not not use the term *prevent*. I used the term *protect* just
like You did.
Is English a second or third language for you?

It is. Sorry for not being part of the elite.
You don't actually have any experience supporting the
average computer user, do you.

You have no idea.
together with some common sense about how to behave to prevent being
infected. You are promoting installing an additional complexity for the average user to


I*'m sorry, but if you find such relatively user-friendly applications
as ZoneAlarm or Kerio are too complicated, you'll never learn to
maintain your own computer, much less help someone else.

You have no idea.
No, a simple statement of fact is not an argument.

When You later on promote other software because they *have* that
functionality, it becomes an argument to me.
Excuse, no. However, it is reality.

A reality that must be changed. By education, not by installing
additional software that alarms You when the harm is done.
But it does have everything to do with the computer user's level of
knowledge.

Exactly. That is why he should be taught how to act properly when
dealing with the internet.

If he can, as You claim, be taught how to properly use a personal
firewall, he can also be taught how to act properly. The latter being
the best of the two alternatives.
I don't think you actually know any average users, then.

You have no idea.
No, it's simply not technically possible, regardless of the privilege
level of the user, as long as the firewall is properly configured.
The user would have to initiate some action to install the malware.

Of course. I never argued otherwise.

You argued that if malware *was* run, Your firewall should be there to
alarm You of outbound connections.

I argued that when malware *was* run, You could no longer rely on Your
firewall to protect You.
Why do you think personal firewalls are "complex?"

What You seem to miss is that for the average user, the technical
details of networking is not their prime focus.

I know a lot of users who are very skilled in what they are doing with
their computers. Still they have no idea what a port is. And, in my
opinion, they should not need to know.

The windows firewall does a good job in protecting without being
noisy.
You have an awfully low opinion of the average user, then.

Actually not.
I suppose you'd be correct in some cases, but I'd like to think that thhe consumer
is capable of learning.

He is definately capable of learning. Just teach him the right things
to do.
Ah... The questions aren't really all that technical.

Ah... yes they are.
And, if relying upon the WinXP Firewall, you never will. You won't
even know the vandal has been there. Thanks for proving my point.

It just proves that You don't truly get my point.
 
B

B. Nice

Huh? Again, I feel compelled to ask, is English a second or third
language for you? As it is, the above paragraph is quite
undecipherable: the words used are from the English language, but are
almost completely meaningless as currently assembled.


1. Someone else uses Your computer
2. Someone else installs crap
3. Someone else is alerted by Your firewall
4. Someone else allows or denies it's network traffic
5. Someone else just configured Your firewall

Does that help?
 
Ad

Advertisements

S

Shenan Stanley

B. Nice said:
1. Someone else uses Your computer
2. Someone else installs crap
3. Someone else is alerted by Your firewall
4. Someone else allows or denies it's network traffic
5. Someone else just configured Your firewall

Does that help?

Actually - that is the sign of a bad system administrator.

Other users of the system should be just that - users. They should not have
the authority needed to allow anything through your firewall or install
software. If they are otherwise - then perhaps they should be the
administrator instead of whom ever deemed themselves worthy in the first
place. =)
 
B

Bruce Chambers

B. Nice said:
1. Someone else uses Your computer
2. Someone else installs crap
3. Someone else is alerted by Your firewall
4. Someone else allows or denies it's network traffic
5. Someone else just configured Your firewall

Does that help?


Somewhat. It's a situation that could never arise on any computer I
manage, as I don't grant elevated privileges to another who is not
sufficiently knowledgeable and skilled.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin
 
B

B. Nice

Somewhat. It's a situation that could never arise on any computer I
manage, as I don't grant elevated privileges to another who is not
sufficiently knowledgeable and skilled.

I believe that.

But don't expect other people reading this NG to be at the same level
as Yourself.
 
M

MAP

Roy said:
I'd very much like some advice regarding firewalls, please. I'm
currently planning to uninstall my Norton Internet Security Suite
2003 (too pricey to renew), and instead download the free AVG
anti-virus software. I understand the Windows XP Service Pack 2
included a much improved firewall. Is this considered a safe
firewall? I currently have it switched off to avoid conflicts with
the Norton one. Would it be better to download the free Zone Alarm
firewall?

I also wonder if it might be possible to keep the firewall part of
the Norton package and just ditch the anti-virus? I can't get advice
from Norton on this 2003 product.
Thanks for any help you can offer.
Roy Butterfield




From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft rant,
that I would write calmly about any goofs they make. It has been a hard
promise to keep at times. And now, I must break that promise. If I don't
rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to control
the computer's access to other computers. To do that, it blocks attempts to
send unauthorized data out over a network, as well as the attempts of other
computers to send data to the protected computer. A proper firewall allows
data into or out of the computer, only when the user gives the firewall
permission to do so. I think most people will agree that this is an accurate
description of the proper function of a software firewall.

So I am left to wonder if the Microsoft programmers who designed the Windows
Firewall have lost their freakin minds. While the Windows Firewall will
block network access like any other firewall, the settings which determine
whether or not an attempt to access the network is permitted is stored in
the registry. Any piece of software is allowed to edit that part of the
registry and give itself permission to send or receive data over the
network.

There are several viruses, worms and spyware programs that edit the registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be reinfected at any
time, if the virus edited the firewall settings. Many network worms can
infect a computer if it discovers certain unsecured network ports. It
happened to me once, when I turned off my firewall and forgot to turn it
back on.

Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those settings
should not EVER be written to the registry, where they can be altered by any
other program running on the PC. It takes only the smallest shred of common
sense to realize this.

Where was the common sense when they were creating the Windows Firewall?
This is like hiring security guards to keep gate crashers away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface won't even
tell the user about an opened port, if the registry entry granting it
permission has a malformed name. Not only can a malicious programmer give
his evil creation permission to bypass the firewall, he can hide the fact
that he's done it!

It is boneheaded mistakes like this which make it difficult to use Windows
safely. God help us all when Microsoft begins to make its own antivirus
software. The only reason Microsoft's antispyware program works well
probably is because Microsoft didn't write it.
 
Ad

Advertisements

S

Steven L Umbach

MAP said:
From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft rant,
that I would write calmly about any goofs they make. It has been a hard
promise to keep at times. And now, I must break that promise. If I don't
rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to
control
the computer's access to other computers. To do that, it blocks attempts
to
send unauthorized data out over a network, as well as the attempts of
other
computers to send data to the protected computer. A proper firewall allows
data into or out of the computer, only when the user gives the firewall
permission to do so. I think most people will agree that this is an
accurate
description of the proper function of a software firewall.

That is a somewhat inaccurate description which leads to users not
understanding exactly what a firewall does
and how it can protect or not protect your network. Firewalls do not manage
DATA. They simply manage network traffic
at the packet level based on rules for ports, protocols, IP address,
established traffic, and possibly applications in the case
of some personal firewalls. There are advanced firewalls that can do
application filtering such as ISA 2004 [expensive and complicated]
but that is not something you will normally see on a normal user or even
small business network. If the firewall rules allow the network
traffic flow the firewall will happily pass along any "data" included in
that traffic flow.
So I am left to wonder if the Microsoft programmers who designed the
Windows
Firewall have lost their freakin minds. While the Windows Firewall will
block network access like any other firewall, the settings which determine
whether or not an attempt to access the network is permitted is stored in
the registry. Any piece of software is allowed to edit that part of the
registry and give itself permission to send or receive data over the
network.

Lots of critical information for the function of the operating system is
stored in the registry and that
is what it is for. Normally only user passwords are protected by being
stored in one way hashes. Only system and
administrators have modify access to important registry keys so your
statement about any software is able to edit
that part of the registry
[HKLM\system\currentcontrolset\services\sharedaccess] is wrong. Now if you
are logged on as an administrator
and you activate malicious software that software runs under the context of
your user account because you authorized it knowingly
or not. Routinely logging on as an account that is also an administrator is
a really bad idea for any operating system particualry
when browsing the internet and opening email.
There are several viruses, worms and spyware programs that edit the
registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be reinfected at
any
time, if the virus edited the firewall settings. Many network worms can
infect a computer if it discovers certain unsecured network ports. It
happened to me once, when I turned off my firewall and forgot to turn it
back on

See above. Again allowing malware to have administrator/system access is a
very very bad idea. Most enterprises do not allow their users
to also be local administrators or power users and do not have near the
problems of those that do allow user to be local
administrator. They run Windows certified applications that work for a
regualr user account or make attempts to modify or replace
legacy software that does not. Giving users access according to the
principle of least privilige is a core security principal that too
many do not abide by. Microsoft has a white paper about it at the link
below. There are also technologies such as Software Restriction
Policies in XP Pro that can be used to effectively mitigate most malware
risk even if the user is logged on as an administrator account.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
--- Applying the Principle of Least Privilege
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Using Software Restriction Policies
Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those
settings
should not EVER be written to the registry, where they can be altered by
any
other program running on the PC. It takes only the smallest shred of
common
sense to realize this.

Microsoft designed the Windows Firewall to be easily deployed and enforced
in an enterprise via Group Policy which uses the registry.
Group Policy can override registry settings for Windows Firewall at Group
Policy forced refresh interval. Again such access to the registry
requires system or administrator access [see a pattern here??]. Encryption
does not guarantee against deletion in a compromosed computer anyhow. If
critical
system files are deleted often the service will fail. Malware that has
system/administrator access could simply target disabling the Windows
Firewall service or
the service that ANY sofware firewall uses to disable it. When there is
malware on a computer that has system/administrator access the computer
should
considered seriously compromised and not trusted until proven otherwise
which many will say really is not possible. This is not a mentality that
home
users seem to understand as they want to avoid operating system reinstall at
all costs and seem to be willing to accept the risks of a compromised
computer
hoping that malware removal tools will fix their problem.
Where was the common sense when they were creating the Windows Firewall?
This is like hiring security guards to keep gate crashers away from a
party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface won't even
tell the user about an opened port, if the registry entry granting it
permission has a malformed name. Not only can a malicious programmer give
his evil creation permission to bypass the firewall, he can hide the fact
that he's done it!

Again the malware needs administrator/system access. Smart users do not
routinely logon as an administrator and even smarter users
use runas while logged on as a regualr user to do administrator level tasks
that only elevates the permisisons for that task/program.
It is boneheaded mistakes like this which make it difficult to use Windows
safely. God help us all when Microsoft begins to make its own antivirus
software. The only reason Microsoft's antispyware program works well
probably is because Microsoft didn't write it.

Windows XP Pro can be easily secured with some simple steps as I mentioned
and the user taking some effort to do such.
For users wanting more basic security information they can go to the Protect
Your PC link below
Far too often users are simply too lazy to use a non administrator account
though poorly written software
such as many games make this more difficult. Vista is going to make that
easier by prompting the user when
administrator access is needed and allowing user to elevate to administrator
for that specific task if the user approves.

Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC
 
M

MAP

I believe that the original writer of that article is refering to network
traffic as DATA.
Which it is.
If you wish to debate this with him feel free
http://spywareinfo.com/

P.S.
allows data into or out of the computer
--
Mike Pawlak

MAP said:
From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft
rant, that I would write calmly about any goofs they make. It has
been a hard promise to keep at times. And now, I must break that
promise. If I don't rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to
control
the computer's access to other computers. To do that, it blocks
attempts to
send unauthorized data out over a network, as well as the attempts of
other
computers to send data to the protected computer. A proper firewall
allows data into or out of the computer, only when the user gives
the firewall permission to do so. I think most people will agree
that this is an accurate
description of the proper function of a software firewall.

That is a somewhat inaccurate description which leads to users not
understanding exactly what a firewall does
and how it can protect or not protect your network. Firewalls do not
manage DATA. They simply manage network traffic
at the packet level based on rules for ports, protocols, IP address,
established traffic, and possibly applications in the case
of some personal firewalls. There are advanced firewalls that can do
application filtering such as ISA 2004 [expensive and complicated]
but that is not something you will normally see on a normal user or
even small business network. If the firewall rules allow the network
traffic flow the firewall will happily pass along any "data" included
in that traffic flow.
So I am left to wonder if the Microsoft programmers who designed the
Windows
Firewall have lost their freakin minds. While the Windows Firewall
will block network access like any other firewall, the settings
which determine whether or not an attempt to access the network is
permitted is stored in the registry. Any piece of software is
allowed to edit that part of the registry and give itself permission
to send or receive data over the network.

Lots of critical information for the function of the operating system
is stored in the registry and that
is what it is for. Normally only user passwords are protected by being
stored in one way hashes. Only system and
administrators have modify access to important registry keys so your
statement about any software is able to edit
that part of the registry
[HKLM\system\currentcontrolset\services\sharedaccess] is wrong. Now
if you are logged on as an administrator
and you activate malicious software that software runs under the
context of your user account because you authorized it knowingly
or not. Routinely logging on as an account that is also an
administrator is a really bad idea for any operating system
particualry
when browsing the internet and opening email.
There are several viruses, worms and spyware programs that edit the
registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be
reinfected at any
time, if the virus edited the firewall settings. Many network worms
can infect a computer if it discovers certain unsecured network
ports. It happened to me once, when I turned off my firewall and
forgot to turn it back on

See above. Again allowing malware to have administrator/system access
is a very very bad idea. Most enterprises do not allow their users
to also be local administrators or power users and do not have near
the problems of those that do allow user to be local
administrator. They run Windows certified applications that work for a
regualr user account or make attempts to modify or replace
legacy software that does not. Giving users access according to the
principle of least privilige is a core security principal that too
many do not abide by. Microsoft has a white paper about it at the link
below. There are also technologies such as Software Restriction
Policies in XP Pro that can be used to effectively mitigate most
malware risk even if the user is logged on as an administrator
account.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
--- Applying the Principle of Least Privilege
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Using Software Restriction Policies
Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those
settings
should not EVER be written to the registry, where they can be
altered by any
other program running on the PC. It takes only the smallest shred of
common
sense to realize this.

Microsoft designed the Windows Firewall to be easily deployed and
enforced in an enterprise via Group Policy which uses the registry.
Group Policy can override registry settings for Windows Firewall at
Group Policy forced refresh interval. Again such access to the
registry
requires system or administrator access [see a pattern here??].
Encryption does not guarantee against deletion in a compromosed
computer anyhow. If critical
system files are deleted often the service will fail. Malware that has
system/administrator access could simply target disabling the Windows
Firewall service or
the service that ANY sofware firewall uses to disable it. When there
is malware on a computer that has system/administrator access the
computer should
considered seriously compromised and not trusted until proven
otherwise which many will say really is not possible. This is not a
mentality that home
users seem to understand as they want to avoid operating system
reinstall at all costs and seem to be willing to accept the risks of
a compromised computer
hoping that malware removal tools will fix their problem.
Where was the common sense when they were creating the Windows
Firewall? This is like hiring security guards to keep gate crashers
away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface
won't even tell the user about an opened port, if the registry entry
granting it permission has a malformed name. Not only can a
malicious programmer give his evil creation permission to bypass the
firewall, he can hide the fact that he's done it!

Again the malware needs administrator/system access. Smart users do
not routinely logon as an administrator and even smarter users
use runas while logged on as a regualr user to do administrator level
tasks that only elevates the permisisons for that task/program.
It is boneheaded mistakes like this which make it difficult to use
Windows safely. God help us all when Microsoft begins to make its
own antivirus software. The only reason Microsoft's antispyware
program works well probably is because Microsoft didn't write it.

Windows XP Pro can be easily secured with some simple steps as I
mentioned and the user taking some effort to do such.
For users wanting more basic security information they can go to the
Protect Your PC link below
Far too often users are simply too lazy to use a non administrator
account though poorly written software
such as many games make this more difficult. Vista is going to make
that easier by prompting the user when
administrator access is needed and allowing user to elevate to
administrator for that specific task if the user approves.

Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC
 
Ad

Advertisements

S

Steven L Umbach

Well that is technically incorrect. Data is considered payload which again
firewalls do not manage and often is encrypted. Firewall logs will easily
show how firewalls determine what traffic to pass or not. --- Steve


MAP said:
I believe that the original writer of that article is refering to network
traffic as DATA.
Which it is.
If you wish to debate this with him feel free
http://spywareinfo.com/

P.S.
allows data into or out of the computer
--
Mike Pawlak

MAP said:
Roy B wrote:
I'd very much like some advice regarding firewalls, please. I'm



From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft
rant, that I would write calmly about any goofs they make. It has
been a hard promise to keep at times. And now, I must break that
promise. If I don't rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to
control
the computer's access to other computers. To do that, it blocks
attempts to
send unauthorized data out over a network, as well as the attempts of
other
computers to send data to the protected computer. A proper firewall
allows data into or out of the computer, only when the user gives
the firewall permission to do so. I think most people will agree
that this is an accurate
description of the proper function of a software firewall.

That is a somewhat inaccurate description which leads to users not
understanding exactly what a firewall does
and how it can protect or not protect your network. Firewalls do not
manage DATA. They simply manage network traffic
at the packet level based on rules for ports, protocols, IP address,
established traffic, and possibly applications in the case
of some personal firewalls. There are advanced firewalls that can do
application filtering such as ISA 2004 [expensive and complicated]
but that is not something you will normally see on a normal user or
even small business network. If the firewall rules allow the network
traffic flow the firewall will happily pass along any "data" included
in that traffic flow.
So I am left to wonder if the Microsoft programmers who designed the
Windows
Firewall have lost their freakin minds. While the Windows Firewall
will block network access like any other firewall, the settings
which determine whether or not an attempt to access the network is
permitted is stored in the registry. Any piece of software is
allowed to edit that part of the registry and give itself permission
to send or receive data over the network.

Lots of critical information for the function of the operating system
is stored in the registry and that
is what it is for. Normally only user passwords are protected by being
stored in one way hashes. Only system and
administrators have modify access to important registry keys so your
statement about any software is able to edit
that part of the registry
[HKLM\system\currentcontrolset\services\sharedaccess] is wrong. Now
if you are logged on as an administrator
and you activate malicious software that software runs under the
context of your user account because you authorized it knowingly
or not. Routinely logging on as an account that is also an
administrator is a really bad idea for any operating system
particualry
when browsing the internet and opening email.
There are several viruses, worms and spyware programs that edit the
registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be
reinfected at any
time, if the virus edited the firewall settings. Many network worms
can infect a computer if it discovers certain unsecured network
ports. It happened to me once, when I turned off my firewall and
forgot to turn it back on

See above. Again allowing malware to have administrator/system access
is a very very bad idea. Most enterprises do not allow their users
to also be local administrators or power users and do not have near
the problems of those that do allow user to be local
administrator. They run Windows certified applications that work for a
regualr user account or make attempts to modify or replace
legacy software that does not. Giving users access according to the
principle of least privilige is a core security principal that too
many do not abide by. Microsoft has a white paper about it at the link
below. There are also technologies such as Software Restriction
Policies in XP Pro that can be used to effectively mitigate most
malware risk even if the user is logged on as an administrator
account.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
--- Applying the Principle of Least Privilege
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Using Software Restriction Policies
Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those
settings
should not EVER be written to the registry, where they can be
altered by any
other program running on the PC. It takes only the smallest shred of
common
sense to realize this.

Microsoft designed the Windows Firewall to be easily deployed and
enforced in an enterprise via Group Policy which uses the registry.
Group Policy can override registry settings for Windows Firewall at
Group Policy forced refresh interval. Again such access to the
registry
requires system or administrator access [see a pattern here??].
Encryption does not guarantee against deletion in a compromosed
computer anyhow. If critical
system files are deleted often the service will fail. Malware that has
system/administrator access could simply target disabling the Windows
Firewall service or
the service that ANY sofware firewall uses to disable it. When there
is malware on a computer that has system/administrator access the
computer should
considered seriously compromised and not trusted until proven
otherwise which many will say really is not possible. This is not a
mentality that home
users seem to understand as they want to avoid operating system
reinstall at all costs and seem to be willing to accept the risks of
a compromised computer
hoping that malware removal tools will fix their problem.
Where was the common sense when they were creating the Windows
Firewall? This is like hiring security guards to keep gate crashers
away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface
won't even tell the user about an opened port, if the registry entry
granting it permission has a malformed name. Not only can a
malicious programmer give his evil creation permission to bypass the
firewall, he can hide the fact that he's done it!

Again the malware needs administrator/system access. Smart users do
not routinely logon as an administrator and even smarter users
use runas while logged on as a regualr user to do administrator level
tasks that only elevates the permisisons for that task/program.
It is boneheaded mistakes like this which make it difficult to use
Windows safely. God help us all when Microsoft begins to make its
own antivirus software. The only reason Microsoft's antispyware
program works well probably is because Microsoft didn't write it.

Windows XP Pro can be easily secured with some simple steps as I
mentioned and the user taking some effort to do such.
For users wanting more basic security information they can go to the
Protect Your PC link below
Far too often users are simply too lazy to use a non administrator
account though poorly written software
such as many games make this more difficult. Vista is going to make
that easier by prompting the user when
administrator access is needed and allowing user to elevate to
administrator for that specific task if the user approves.

Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top