Old January 2nd 18, 02:57 PM posted to alt.windows7.general,microsoft.public.windowsxp.general
Mayayana
Posts: 6,438
Subject: Windows DNS cache

"Paul" wrote

| You could do it like this, where the SVCHOST only talks to the router.
| Does that assuage your sense of security? The DHCP in this case
| is in two hops. The router has a client it talks to the ISP with.
| The PCs have a client they talk to the router with. The evil svchost
| doesn't talk directly to the ISP in this picture.
|

The point is not that svchost is "evil" but that it's
a wrapper for many other things. For security and privacy
I want a system where only specific programs, like
Firefox or TBird, are allowed out, and only on specific
ports. To allow DHCP means allowing svchost through
the firewall as a process. DHCP itself is not the issue.
But using it means allowing all the other services that
run under it to go through the firewall. Since a fixed
IP is just as easy I don't need to allow svchost through.

Since nearly all software makers these days, including
Microsoft, think they have a right to call home without
asking, I consider it good practice to block all uninitiated
outgoing. That's also a good way to create a warning
system for malware. It means I'm informed about anything
trying to go out that's not pre-approved.

| Now, in that picture, all the PCs can see one another. The switch
| is a learning switch, and it keeps track by observation, as to
| what IPs are on each port.
|
| Yes, you can probably use separate subnets and net masks to logically
| prevent the PCs from talking to one another. Is that what you're doing
| to silo the PCs on the right? The router portion is not supposed to route
| non-routable addresses like 192.168.x.x, as far as I know.
|

Frankly I don't understand much about how a
local network is set up because I've never needed
one and always disabled things like filesharing and
networking services for the sake of security. None
of my computers sees another. There's no Network
Neighborhood. External requests are dropped by
the firewall. Filesharing is disabled. Remote Desktop
software would not be usable.

Windows default configuration is intended for
corporate workstation support "out of the box",
but I disable all of that. (The first bug in XP, if I
remember correctly, was the Messenger service.
It was enabled by default, meant to be used on
corporate intranets to allow the IT people to make
announcements. Instead it was being used by
online entities to pop up ads.)

One of the common scams these days is to call
people and tell them their Windows license is expiring.
The caller then convinces the person to download
a kind of Remote Desktop software. The callee then
sees someone controlling their computer, moving the
mouse, opening files... They're convinced that, yes,
Microsoft controls their computer and wants some
money! Personally I don't think that kind of thing
should be possible. The functionality shouldn't be
enabled on anything but a non-critical workstation
that's locked into an intranet.
