
List:       patchmanagement
Subject:    RE: Microsoft XP SP2-regarding outbound blocking
From:       "Roger A. Grimes" <roger () banneretcs ! com>
Date:       2004-06-24 21:49:19
Message-ID: 096A04F511B7FD4995AE55F13824B83304D438 () banneretcs1 ! local ! banneretcs ! com

[moderator's note: great discussion - but getting off-topic.  This will be the last email
on this topic unless the moderators feel otherwise]

Underlying this discussion over WF not having outbound blocking (and it
doesn't, at all) is whether it significantly weakens it as a host-based
firewall?  As a decade-long firewall user and reviewer of a myriad of
personal firewalls, I initially blasted ICF/WF for not having outbound
blocking (and I have done so publicly in a few articles over the last
two years).  

But over the last year, I've decided to only use ICF/WF as my host
firewall...I said goodbye to my favorites of Zone Alarm and Tiny.  I do
a lot of traveling and teaching and my laptops are constantly exposed to
malware-infected networks.  A year later, my machines are uninfected.
So, although I can't say ICF/WF is better than Zone Alarm or Tiny, it
does do the main job.

Not having outbound blocking definitely bothered me...because if a
malicious executable gets executed on a computer, its outbound
connection(s) won't/can't be blocked.  Then reality hit me.  If an
untrusted executable gets executed on a user's computer, it's game over
anyway.  The executable can disable or bypass any firewall, any
protection, and get by.  The truth is that malware can hitch a ride on
any previously defined allowed executable and host-based firewalls won't
notice.  Malware can do this by chaining itself to another process,
impersonation, as a Browser Helper Object, by naming itself as something
that a user might not get suspicious over (i.e. Windows Update), and a
bunch of other ways.  And the even more telling truth is that 99% of
users don't know what they should and shouldn't allow anyway.  I am
including the "security experts" in that assessment.  Almost every day
someone asks me if this process or that process should be initiating an
outbound connection.  It could be VMWare, Windows Connection Manager,
MS-Office, Kodiak software, their favorite game, and the list goes on.
Users end up either allowing anything that sounds halfway decent or
denying most things (which has its own problems as well).  So, in my
humble opinion, while it would be nice if WF had outbound blocking, most
people (certainly the general public) would screw up the decisions
anyway.  With that said, I welcome outbound blocking's inclusion in WF
one day if we get good management tools to control its use.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant 
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
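The weakness Roger describes above, malware hitching a ride on an executable the firewall has already been told to allow, is invisible to a host-based firewall that decides by program name or path. An administrator can still catch the crudest form of it, an allowed binary being replaced on disk, by keeping a hash baseline of every program on the exceptions list and re-checking it on each audit. The script below is an added example written for this archive page; it is not code from the thread, from Microsoft, or from any firewall product. The allow-list, file names and file contents are constructed in a temporary directory (the ".exe" names are hypothetical), and a real audit would read names and paths from the firewall's own exceptions list instead. It does not detect process injection or Browser Helper Objects, which ride inside an untouched binary, which is exactly why the baseline is a supplement to, not a substitute for, the judgement Roger says users lack.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(allowed):
    """Record a hash for every program on the allow-list.

    allowed maps a display name to the executable path. A program whose
    file is absent at baseline time is recorded as None so that a later
    audit can report it rather than silently skip it.
    """
    return {
        name: (sha256_file(path) if os.path.isfile(path) else None)
        for name, path in allowed.items()
    }


def audit(allowed, baseline):
    """Compare the current allow-list against a stored baseline.

    Returns a list of (name, status) pairs, where status is one of:
      'unbaselined' entry added to the allow-list since the baseline was taken
      'missing'     file gone (the allow entry is dangling)
      'modified'    file present but differs from the baseline (or was absent
                    when baselined and has since appeared)
      'ok'          file present and hash matches the baseline
    """
    findings = []
    for name, path in allowed.items():
        if name not in baseline:
            findings.append((name, "unbaselined"))
        elif not os.path.isfile(path):
            findings.append((name, "missing"))
        elif baseline[name] is not None and sha256_file(path) == baseline[name]:
            findings.append((name, "ok"))
        else:
            findings.append((name, "modified"))
    return findings


def demo():
    """Constructed scenario (hypothetical names and contents, not real binaries):
    one allowed program left alone, one overwritten after baselining, and one
    entry added to the allow-list with no baseline. Returns {name: status}."""
    workdir = tempfile.mkdtemp(prefix="fw-audit-")
    updater = os.path.join(workdir, "updater.exe")
    helper = os.path.join(workdir, "helper.exe")
    game = os.path.join(workdir, "game.exe")

    with open(updater, "wb") as fh:
        fh.write(b"MZ constructed updater image")
    with open(helper, "wb") as fh:
        fh.write(b"MZ constructed helper image")

    allowed = {"Updater": updater, "Helper": helper}
    baseline = build_baseline(allowed)

    # Simulate malware overwriting an allowed binary in place: same path,
    # same allow-list entry, different bytes. A path-based firewall rule
    # would keep allowing it without any new prompt.
    with open(helper, "wb") as fh:
        fh.write(b"MZ constructed replacement image")
    # Simulate an exceptions-list entry that appeared after the last audit.
    with open(game, "wb") as fh:
        fh.write(b"MZ constructed game image")
    allowed["Game"] = game

    return dict(audit(allowed, baseline))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:8} {status}")
```

In practice the baseline would be stored off-host (or at least outside the reach of the account that runs the allowed programs), since malware able to overwrite an allowed executable can usually overwrite a local hash file too.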

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net] 
Sent: Wednesday, June 23, 2004 9:30 PM
To: Patch Management Mailing List
Subject: Re: Microsoft XP SP2

Ah, good point but even though that may not be blocking to you...it's
still better than the Linksys box that lets it go out no matter what and
thus in my mind does "block".  And my point to everyone is that we need to
understand the built-in different levels that it has.

Bottom line I think we all need to take the time to read the
documentation and not necessarily go by "I heard", "I read".  [including
myself]  :-)

Jerry Bryant wrote:

>Windows Firewall in XP SP2 does not do any outbound blocking. What it 
>does do, and what people commonly mistake as outbound blocking, is ask 
>you to approve or deny any program that tries to open a port to listen 
>on. This is typical of a program that acts like a server.
>
>See the exceptions list section of this page for more details:
>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection130121120120
>
>Another key feature of the Windows Firewall is boot time security. The 
>new static filtering policy at boot time permits only DNS, DHCP and 
>Netlogon. The Windows Firewall policy is then applied after logon and 
>stays in effect until after the IP stack is shut down.
>
>There are lots of other cool features in WF such as:
>
>  Improved user interface
>  On by default on all network interfaces
>  Global and per-interface configurations
>  Exceptions list
>  Local subnet restrictions
>  Command line and better group policy management
>  Multiple profiles and RPC support
>  Unattended setup
>
>I recommend a complete read of the documentation about WF here (in
>addition to all the other information about SP2):
>
>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
>
>
>Jerry Bryant
>Microsoft Corporation
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
>-----Original Message-----
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>[mailto:sbradcpa@pacbell.net] 
>Sent: Tuesday, June 22, 2004 11:12 PM
>To: Patch Management Mailing List
>Subject: Re: Microsoft XP SP2
>
>Click on the firewall in the control panel and you can see the
>settings.....
>
>http://www.winsupersite.com/images/reviews/xp_sp2_winfirewall_01.gif
>
>See the three settings in there especially the "on with no exceptions" 
>option?
>
>Bob Daamen wrote:
>
>
>>Mike,
>>
>>I agree with you, that if the firewall does do outbound blocking, that
>>having this firewall is a good thing. A lot better than nothing. And
>>firewalls that keep asking questions can prove to be a pain in the neck as
>>well. All those people calling the helpdesk......
>>
>>I'm starting to question the article at Ziff-Davis that says the firewall
>>does NOT do outbound blocking. 
>>Hmmm....strange.
>>
>>No one from Microsoft monitoring this list?
>>
>>Bob
>>
>>-----Original Message-----
>>From: Mike [mailto:mike@superiorholidayadventures.ca] 
>>
>>I have been testing SP2 RC2 for about a week now and it has asked me a few
>>times (maybe three times in total) if I want to allow a program outbound
>>network access.  It doesn't ask me nearly as much as ZoneAlarm does, and has
>>never asked about any MS programs (IE, SERVICES, etc.  My guess is that it's
>>configured with a base set of rules to explicitly trust (all?) Microsoft
>>programs.
>>
>>It seems like a very rudimentary firewall and IMO that's a good thing.
>>Not for the technical side of things, but MS may see themselves in court
>>again if they make the product too good and end up competing against
>>(read: stifling) other popular firewalls.
>>
>>Mike Fetherston
>>
>>>-----Original Message-----
>>>
>>>By the way,
>>>
>>>Has anyone in the group noticed yet that the Windows Firewall is blocking
>>>incoming traffic only?
>>>It doesn't do outbound blocking.....
>>>
>>>To my opinion that disqualifies the firewall as it will render useless as
>>>soon as a virus/worm has surpassed this level of defense.
>>>
>>>Read about it here
>>>
>>>http://techupdate.zdnet.com/techupdate/stories/main/personal_firewall_obsolete.html
>>>
>>>Bob
>>>
>>>This e-mail and any attachment is for authorised use by the intended
>>>recipient(s) only. It may contain proprietary material, confidential 
>>>information and/or be subject to legal privilege. It should not be copied,
>>>disclosed to, retained or used by, any other party. If you are not an
>>>intended recipient then please promptly delete this e-mail and any 
>>>attachment and all copies and inform the sender. Thank you.
>>>
>>>---
>>>To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
>>
>

-- 
http://www.sbslinks.com/really.htm


