XP Pro - How'd I get hacked

  • Thread starter: Anna
XP RTM has a firewall, it's not a catch-22.

And until SP2 was provided as part of the INSTALL CD, it was not enabled
by default - where have you been for the last couple years?
As I said, XP RTM has a firewall.

And SP2 in the release accounts for a VERY SMALL amount of systems
currently in use.
Yes, by using the firewall in XP.

And you have to have the release with SP2 embedded or you have to
download (or purchase) SP2 in order to have it. SP1 did not enable the
firewall by default.
So would the firewall that comes with XP RTM.

And just how many of those still contain the SP1 release? Some for sure,
and what about the already released updates for SP2 - they still have to
go on-line to get those.

You are missing the point entirely, most users, when installing XP,
unless it has SP2 in it already, are going to get recompromised before
they can reinstall SP2 unless they are behind a NAT box.
 
I find the built in firewall to be lacking somewhat...it doesn't have all
the features of a commercial firewall...My preference is Sygate.
 
David said:
Via the wizard. It's a per connection setting. But old code
doesn't. I posted what steps did and didn't set it years ago.
I'll try a search but I think firewall is too common.

From memory the Create A New Connection wizard in Network
Connections turned on the firewall.
Hi,

After further testing, I found out what default enables the firewall
when doing an OS install of WinXP SP1 (I haven't tested with WinXP RTM,
but I would think it would do the same).

During the OS installation, when asked for what type of network
connection you have, two choices are presented, one is LAN/home network,
the other one is direct connection to the Internet.

Selecting LAN/home network will not enable the firewall, but selecting
direct connection to the Internet will.
 
Leythos said:
But most home users don't know this method, they just connect ALL the
cables (as instructed) and then get hacked before their updates are
installed.

Yes, I know. This was for sure the main reason for Microsoft's decision
to let SP2 for WinXP by default enable the builtin firewall.
 
Mike said:
I have normally run Win2K with Norton Internet Security. I am
replacing that machine with XP Pro. Even though I have a
router/firewall in front, I liked the way NIS would monitor both
incoming and *outgoing* packets (as well as do popup blocking, and
site specific permissions).

Will the builtin XP firewall offer the same feature or should I
install Norton Personal Firewall on it as well?

Again, if there is a hardware firewall available (router), this will
be the best choice. Otherwise, the Windows Desktop Firewall (actually
it's a packet filter) is second best. There is absolutely no need to
install a third-party-firewall. Sure, there are desktop firewalls like
NIS, ZoneAlarm and Sygate, monitoring (and blocking) outgoing traffic
in addition. I do not recommend installing any third-party firewall on
a WinXP system. Norton/Symantec products are not Windows compatible
(although some users report that there are no problems regarding *their*
system) and ZoneAlarm/Sygate *do* cause various problems also. Many
postings show that monitoring the outgoing traffic will cause the user
to block essential Windows functions rendering their systems useless.

More than often there are arguments like monitoring outgoing traffic
allows for detecting malware (viruses, spyware). These arguments do
not count at all since it's not the firewall's job to detect malware.
In fact, the standard user doesn't know that "svchost.exe" needs to
connect while "svch0st.exe" is a trojan, and this is just one example.
Therefore, using the WinXP firewall is a good choice in most cases.
 
Leythos said:
And until SP2 was provided as part of the INSTALL CD, it was not enabled
by default - where have you been for the last couple years?

Why is "not enabled by default" important? Most new users will encounter the
New Connection Wizard and have to click NO in order for the firewall not to
be enabled.
Besides, it's only about 3 or 4 clicks to turn it on.
Why is it any of your business where I've been?
And SP2 in the release accounts for a VERY SMALL amount of systems
currently in use.

Again, as I said, XP RTM has a firewall, why do you keep bringing up SP2?
And you have to have the release with SP2 embedded or you have to
download (or purchase) SP2 in order to have it.

That's not true, completely false statement, which part of 'XP RTM has a
firewall' do you fail to understand?
SP1 did not enable the firewall by default.

Again, why is "not enabled by default" important? Why are you bringing up
SP1?
And just how many of those still contain the SP1 release? Some for sure,
and what about the already released updates for SP2 - they still have to
go on-line to get those.

How is SP1 important? How is SP2 important in regards to the firewall other
than it's on by default?
They simply turn on the firewall that's in XP BEFORE going online. I did,
October 27, 2001 when I installed XP RTM.

Let me get this straight, you expect "Your typical home user" that you say
"while downloading the Windows Updates, if they even know enough to start
the update process" to have the knowledge to have a "NAT at the border"
while they are clueless about the built in firewall in XP, NOT SP1 and NOT
SP2 which have nothing to do with the firewall in XP other than SP2 turns it
on by default, is that correct?
You are missing the point entirely, most users, when installing XP,
unless it has SP2 in it already, are going to get recompromised before
they can reinstall SP2 unless they are behind a NAT box.

I'm not missing any point, maybe you're missing the point, my point is,
there is a firewall in XP RTM, I would expect users to have the knowledge to
turn it on when installing XP, OTOH, you expect them to be ignorant about
turning it on but at the same time to have the knowledge to have a "NAT at
the border". That's funny.
 
I'm not missing any point, maybe you're missing the point, my point is,
there is a firewall in XP RTM, I would expect users to have the knowledge to
turn it on when installing XP, OTOH, you expect them to be ignorant about
turning it on but at the same time to have the knowledge to have a "NAT at
the border". That's funny.

What's funny is that you don't understand the mind set of anyone but
yourself, at least from your posts you don't seem to have any experience
with anyone but yourself.

I've seen hundreds of users of XP RTM, and XP SP1, that took the
computer out of the box, installed it, got on-line with their ISP (Cable
or DSL) and have the built-in pseudo firewall NOT ENABLED.

The BS you spew about it having a firewall is meaningless without it
being enabled. If the user does not utilize the firewall, they, in
effect, don't have a firewall.

The difference between XP RTM / SP1 and XP SP2 is that SP2 will enable
the firewall by default on all communications paths where the other MAY,
POSSIBLY, be enabled.

There are simple things that home users can do - for the most part, if
they have to do more than connect cables (which is a challenge for
many), they are not going to do/use it. For most, purchasing a NAT box
at the time of purchasing the computer is as easy as picking out a
printer, and many sales people jump at the idea to sell additional
hardware they call a firewall, and the users jump at the idea to protect
their systems. The NAT appliances are easy to use, plug and it's ready.
For DSL it takes about 10 minutes reading the 3rd Grade level manual to
get it working. The same is not true about the XP Firewall, prior to SP2
most people don't even know it exists.

So, get off your low horse, realize that people don't have a clue, don't
care, don't want to LEARN something unless forced, and won't enable the
XP firewall by default in most cases. Why the heck do you think that MS
released SP2 with the firewall enabled BY DEFAULT!
 
That's true, most people need to connect to the net to install their
software such as a firewall.

All my software is on CD so I installed it prior to connecting to the net.

That is surely the best way. Which makes me wonder why Microsoft
doesn't want us to be able to do this with Microsoft software.
They try to force their users to install software directly from
the Internet, rather than letting them download it to their
harddrive or CD, and install it later off-line.
 
That is surely the best way. Which makes me wonder why Microsoft
doesn't want us to be able to do this with Microsoft software.
They try to force their users to install software directly from
the Internet, rather than letting them download it to their
harddrive or CD, and install it later off-line.

I downloaded SP2 from MS and was able to install it from a CD I burned.
You just need to know where to look. You've always been able to download
the version designed for managed environments from MS.
 
Al said:
That is surely the best way. Which makes me wonder why Microsoft
doesn't want us to be able to do this with Microsoft software.
They try to force their users to install software directly from
the Internet, rather than letting them download it to their
harddrive or CD, and install it later off-line.

Sigh. You've always been able to download patches and upgrades from
Microsoft. The reason for the direct download is to lighten the burden
of huge downloads for dialup users. Lots of other software mftrs. use
this method also, where the installer downloads a small stub and then
checks to see what components are actually needed and only downloads
the necessary files.

Malke
 
Yes I can remember writing a scathing post about how it was only on in the least likely way to be used. It was the 1/2 and 1/2 approach I was complaining about.
 
And SP2 in the release accounts for a VERY SMALL amount of systems
currently in use.


Is there a stats page somewhere that shows what percentage of the internet
users have a pc with win98, winnt, win2k, winxp SP1, winxp SP2, unix, etc?

It would be interesting to see a breakdown.
 
One more update on this pc I imaged....seems with all the discussion in this
thread, it's piqued my interest and I'm more curious about the various
security options available.

On Friday, this pc was imaged, no SP were installed and the pc had Sygate
Personal Firewall and Symantec AntiVirus software. In the almost 36 hours
that the pc has been up, there have been a lot of attempts to get into the
pc, but all have been blocked by Sygate.

I am currently in the process of updating to SP2 and will then disable
Sygate and use the built in firewall...I'm interested in seeing if the pc
gets compromised.

If people are interested, I'll let you know what happens.
 
Leythos said:
What's funny is that you don't understand the mind set of anyone but
yourself, at least from your posts you don't seem to have any experience
with anyone but yourself.

I've seen hundreds of users of XP RTM, and XP SP1, that took the
computer out of the box, installed it, got on-line with their ISP (Cable
or DSL) and have the built-in pseudo firewall NOT ENABLED.

There you go, you've proven my point, those "hundreds" that you've seen were
also probably clueless about a "Nat at the border". If any of those
"hundreds" had to set up a dial-up connection, as opposed to Cable or DSL,
then they would've run head on into the firewall settings. If they had
simply clicked Start | Help and Support | What's new.... they would find
info on the firewall.

The "hundreds" I've encountered, most don't have a clue about, scandisk,
defrag, firewalls, routers, chkdsk, attachments, HTML, spybots, DoS, port
scanning, scumware, spyware, malware, trojans, keyloggers, AV definitions,
porno dialers, display drivers, OS updates, security of any kind, the
difference between the act of installing and downloading, cookies, TIF,
temp, tmp, fake file ext's, newsgroups, TS, which files to delete and which
not to delete, NOT needing AOL or any software other than the OS to connect
to the internet etc etc, all I can think of in 10 seconds, you know, the
simple things.

However, they do quickly learn to, install something like KaZaa (sic) so
they can steal music and movies, download/install all of the kewl free stuff
and then can't figure out why their "puter is slow", "cpu is hanging".

"mind set"? Yes, I have one, but it's not the only one I understand.
 
There you go, you've proven my point, those "hundreds" that you've seen were
also probably clueless about a "Nat at the border". If any of those
"hundreds" had to set up a dial-up connection, as opposed to Cable or DSL,
then they would've run head on into the firewall settings. If they had
simply clicked Start | Help and Support | What's new.... they would find
info on the firewall.

The point is that a sales person (or a friend or a kid) is more likely
to tell them about using a router with NAT than they are
to find the firewall and enable it.

Sure, without any contact with a technical type they are not going to
even hear about NAT devices, but the same is true about their non-
enabled firewall service - they won't know about it either.

They are more likely to hear about a NAT device that requires no setup,
just plug-in and go, than they are about the firewall built into PRE-SP2
Windows XP systems.

Here's one more goodie for you - even on machines running XP SP1, with
auto-update installed, SP2 is not automatically installed - so the
benefit of the firewall is none, unless the user takes action to install
SP2.

I have yet to see a single person / SOHO using a NAT device that has
been compromised (when also using quality AV products and FireFox to
surf, or IE in high security mode - as suggested by MS). I have, on the
other hand, seen many compromised systems that are using the XP
firewall, even the SP2 version.
 
Al said:
That is surely the best way. Which makes me wonder why Microsoft doesn't
want us to be able to do this with Microsoft software. They try to force
their users to install software directly from the Internet, rather than
letting them download it to their harddrive or CD, and install it later
off-line.


Why blame Microsoft just because you lack the basic ability to find
your way around their site? Updates, patches, and service packs have
*always* been readily available for downloading to the hard drive and
off-line installation. And when Microsoft adds an automated update
service to help those less adept at navigating the web, such as
yourself, and you accuse them of "forcing" the issue? Why not just
admit that you've made up your mind to hate all things Microsoft, and
aren't going to let either the facts or logic influence your decision?

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Leythos said:
The point is that a sales person (or a friend or a kid) is more likely
to tell them about using a router with NAT than they are
to find the firewall and enable it.

Really? Almost all sales people I've made contact with are less
knowledgeable about computers than my 4 1/2 year old great grand-daughter
that has her own account. =)
 
Really? Almost all sales people I've made contact with are less
knowledgeable about computers than my 4 1/2 year old great grand-daughter
that has her own account. =)

I didn't say they know what they are telling the customers, only that
they spread the idea of a firewall device that will protect them - none
of the chain store drones know anything other than they need to sell
more service contracts or they'll lose their job :)

The nice thing about a NAT box is that the documents for installing them
were written so that your 4.5y/o gd could install one.
 
Hi Anna, :)

It would be an interesting experiment but the difference in the two FW
(output ports blocked vs. open) would not stop Malware, Spyware, Adware and
these would only show up as the websites are used over time. The output
ports must be blocked by a FW and to make the P/C disk safe from Malware
some version of anti (M,S,A)ware must be used in batch mode from time to
time, but also as a real time blocker. And SP2 pop-up and add-on blockers
help greatly to reduce Malware.

There's no other way to be safe on the internet and even with all that it is
not completely safe, as something can get in and do its thing between scans.

One could subjectively make a guesstimate of life time on the net before the
disk is compromised.

Any OS without FW - 4-12 minutes.
Input ports blocked FW with no AV - 2 days- 1 week for V, 4 hours for
Malware.

With I/O ports FW , AV - 4 hours for Malware

With I/O ports plus extra Ports closed, AV, Adware and Spyware blocker real
time, and weekly scans. SP2 pop-up and add-on blockers, new security
settings,
- Minimum adware with least effect.
- No Virus
- No system files compromised (DEP and / or NX)
- Signed drivers and roll back.

All assume NTFS with complex Password protected accounts, and no
Multi-booted or Foreign F/S like FAT32.

A router between the ISP Host and the Modem (or a hardware FW) would be even
more protection.

The bottom line is "Know who, what, why you're clicking on some link."

If you really want to do the experiment, I'm all EARS. :)

SJ
 