A Windows XP help forum. PCbanter


Is Windows XP firewall any good?



 
 
#16
June 19th 06, 03:08 PM, posted to microsoft.public.windowsxp.security_admin

Roy B wrote:
I'd very much like some advice regarding firewalls, please. I'm
currently planning to uninstall my Norton Internet Security Suite
2003 (too pricey to renew), and instead download the free AVG
anti-virus software. I understand the Windows XP Service Pack 2
included a much improved firewall. Is this considered a safe
firewall? I currently have it switched off to avoid conflicts with
the Norton one. Would it be better to download the free Zone Alarm
firewall?

I also wonder if it might be possible to keep the firewall part of
the Norton package and just ditch the anti-virus? I can't get advice
from Norton on this 2003 product.
Thanks for any help you can offer.
Roy Butterfield





From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft rant,
that I would write calmly about any goofs they make. It has been a hard
promise to keep at times. And now, I must break that promise. If I don't
rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to control
the computer's access to other computers. To do that, it blocks attempts to
send unauthorized data out over a network, as well as the attempts of other
computers to send data to the protected computer. A proper firewall allows
data into or out of the computer, only when the user gives the firewall
permission to do so. I think most people will agree that this is an accurate
description of the proper function of a software firewall.

So I am left to wonder if the Microsoft programmers who designed the Windows
Firewall have lost their freakin minds. While the Windows Firewall will
block network access like any other firewall, the settings which determine
whether or not an attempt to access the network is permitted is stored in
the registry. Any piece of software is allowed to edit that part of the
registry and give itself permission to send or receive data over the
network.

There are several viruses, worms and spyware programs that edit the registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be reinfected at any
time, if the virus edited the firewall settings. Many network worms can
infect a computer if it discovers certain unsecured network ports. It
happened to me once, when I turned off my firewall and forgot to turn it
back on.

Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those settings
should not EVER be written to the registry, where they can be altered by any
other program running on the PC. It takes only the smallest shred of common
sense to realize this.

Where was the common sense when they were creating the Windows Firewall?
This is like hiring security guards to keep gate crashers away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface won't even
tell the user about an opened port, if the registry entry granting it
permission has a malformed name. Not only can a malicious programmer give
his evil creation permission to bypass the firewall, he can hide the fact
that he's done it!

It is boneheaded mistakes like this which make it difficult to use Windows
safely. God help us all when Microsoft begins to make its own antivirus
software. The only reason Microsoft's antispyware program works well
probably is because Microsoft didn't write it.


--
Mike Pawlak


#17
June 19th 06, 08:14 PM, posted to microsoft.public.windowsxp.security_admin


"MAP" wrote in message
...
Roy B wrote:
I'd very much like some advice regarding firewalls, please. I'm




From www.spywareinfo.com



I promised myself a while back not to go on another anti-Microsoft rant,
that I would write calmly about any goofs they make. It has been a hard
promise to keep at times. And now, I must break that promise. If I don't
rant about this, I will burst at the seams.

The function of a software firewall is simple. It allows the user to control
the computer's access to other computers. To do that, it blocks attempts to
send unauthorized data out over a network, as well as the attempts of other
computers to send data to the protected computer. A proper firewall allows
data into or out of the computer, only when the user gives the firewall
permission to do so. I think most people will agree that this is an accurate
description of the proper function of a software firewall.


That is a somewhat inaccurate description which leads to users not
understanding exactly what a firewall does
and how it can protect or not protect your network. Firewalls do not manage
DATA. They simply manage network traffic
at the packet level based on rules for ports, protocols, IP address,
established traffic, and possibly applications in the case
of some personal firewalls. There are advanced firewalls that can do
application filtering such as ISA 2004 [expensive and complicated]
but that is not something you will normally see on a normal user or even
small business network. If the firewall rules allow the network
traffic flow the firewall will happily pass along any "data" included in
that traffic flow.


So I am left to wonder if the Microsoft programmers who designed the Windows
Firewall have lost their freakin minds. While the Windows Firewall will
block network access like any other firewall, the settings which determine
whether or not an attempt to access the network is permitted is stored in
the registry. Any piece of software is allowed to edit that part of the
registry and give itself permission to send or receive data over the
network.


Lots of critical information for the function of the operating system is
stored in the registry and that is what it is for. Normally only user
passwords are protected by being stored in one way hashes. Only system and
administrators have modify access to important registry keys so your
statement about any software is able to edit that part of the registry
[HKLM\system\currentcontrolset\services\sharedaccess] is wrong. Now if you
are logged on as an administrator and you activate malicious software that
software runs under the context of your user account because you authorized
it knowingly or not. Routinely logging on as an account that is also an
administrator is a really bad idea for any operating system particularly
when browsing the internet and opening email.


There are several viruses, worms and spyware programs that edit the registry
settings for the Windows Firewall. Even if the user discovers a virus
infection and cleans it successfully, that computer can be reinfected at any
time, if the virus edited the firewall settings. Many network worms can
infect a computer if it discovers certain unsecured network ports. It
happened to me once, when I turned off my firewall and forgot to turn it
back on


See above. Again allowing malware to have administrator/system access is a
very very bad idea. Most enterprises do not allow their users to also be
local administrators or power users and do not have near the problems of
those that do allow user to be local administrator. They run Windows
certified applications that work for a regular user account or make attempts
to modify or replace legacy software that does not. Giving users access
according to the principle of least privilege is a core security principle
that too many do not abide by. Microsoft has a white paper about it at the
link below. There are also technologies such as Software Restriction
Policies in XP Pro that can be used to effectively mitigate most malware
risk even if the user is logged on as an administrator account.

http://www.microsoft.com/technet/pro.../luawinxp.mspx
--- Applying the Principle of Least Privilege
http://www.microsoft.com/technet/pro.../rstrplcy.mspx
--- Using Software Restriction Policies

Changes to a firewall's settings should be possible only through the
firewall program's interface. Those changes should be saved into an
encrypted file, which cannot be altered by any other program. Those settings
should not EVER be written to the registry, where they can be altered by any
other program running on the PC. It takes only the smallest shred of common
sense to realize this.


Microsoft designed the Windows Firewall to be easily deployed and enforced
in an enterprise via Group Policy which uses the registry. Group Policy can
override registry settings for Windows Firewall at Group Policy forced
refresh interval. Again such access to the registry requires system or
administrator access [see a pattern here??]. Encryption does not guarantee
against deletion in a compromised computer anyhow. If critical system files
are deleted often the service will fail. Malware that has
system/administrator access could simply target disabling the Windows
Firewall service or the service that ANY software firewall uses to disable
it. When there is malware on a computer that has system/administrator access
the computer should be considered seriously compromised and not trusted
until proven otherwise which many will say really is not possible. This is
not a mentality that home users seem to understand as they want to avoid
operating system reinstall at all costs and seem to be willing to accept the
risks of a compromised computer hoping that malware removal tools will fix
their problem.


Where was the common sense when they were creating the Windows Firewall?
This is like hiring security guards to keep gate crashers away from a party
but allowing the guests to write their own invitations.

But wait, there's more!

Someone discovered recently that the Windows Firewall interface won't even
tell the user about an opened port, if the registry entry granting it
permission has a malformed name. Not only can a malicious programmer give
his evil creation permission to bypass the firewall, he can hide the fact
that he's done it!


Again the malware needs administrator/system access. Smart users do not
routinely log on as an administrator and even smarter users use runas while
logged on as a regular user to do administrator level tasks that only
elevates the permissions for that task/program.


It is boneheaded mistakes like this which make it difficult to use Windows
safely. God help us all when Microsoft begins to make its own antivirus
software. The only reason Microsoft's antispyware program works well
probably is because Microsoft didn't write it.


Windows XP Pro can be easily secured with some simple steps as I mentioned
and the user taking some effort to do such. For users wanting more basic
security information they can go to the Protect Your PC link below.
Far too often users are simply too lazy to use a non administrator account
though poorly written software such as many games make this more difficult.
Vista is going to make that easier by prompting the user when administrator
access is needed and allowing user to elevate to administrator for that
specific task if the user approves.

Steve

http://www.microsoft.com/athome/secu...2/Default.mspx
--- Protect Your PC



--
Mike Pawlak
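
The post above says the firewall settings live under HKLM\system\currentcontrolset\services\sharedaccess, and the quoted article says the firewall interface may not list an entry whose name is malformed. As an added example (not part of any post in this thread), this Python script audits a saved `reg query` listing of the open-port exceptions directly instead of relying on the interface. The `GloballyOpenPorts\List` subkey, the `port:protocol:scope:status:label` value layout, the baseline set and the sample listing are assumptions of the example; the sample is constructed.

```python
import re

# Assumption: each value is named "port:protocol" and holds
# "port:protocol:scope:status:label" (XP SP2 firewall layout); the subkey
# below SharedAccess is not given in the thread.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_SZ\s+(?P<data>.*)$")
WELL_FORMED_NAME = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP)$")

# Constructed sample of saved `reg query <key>` output, not from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    3389:TCP    REG_SZ    3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    8080:TCP    REG_SZ    8080:TCP:*:Enabled:Constructed test service
    svc-listener    REG_SZ    5001:TCP:*:Enabled:Constructed odd entry
"""

# Hypothetical operator-approved exceptions for this machine.
BASELINE = {"139:TCP", "3389:TCP"}


def parse_reg_query(text):
    """Return (value_name, value_data) pairs from `reg query` text output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:  # key header lines are not indented and do not match
            entries.append((m.group("name"), m.group("data")))
    return entries


def audit_open_ports(entries, baseline):
    """Flag exceptions that deserve a manual look; returns a list of dicts."""
    findings = []
    for name, data in entries:
        parts = data.split(":", 4)  # the label may itself contain colons
        if len(parts) < 5:
            findings.append({"name": name, "port": None, "proto": None,
                             "flags": ["unparseable-data"]})
            continue
        port, proto, scope, status, _label = parts
        flags = []
        m = WELL_FORMED_NAME.match(name)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            # The name is not in the expected form, so read it here, from the
            # registry data, rather than expecting the interface to show it.
            flags.append("name-not-port:protocol")
        elif (m.group("port"), m.group("proto")) != (port, proto.upper()):
            flags.append("name-data-mismatch")
        enabled = status.lower() == "enabled"
        if enabled and scope == "*":
            flags.append("open-to-any-address")
        if enabled and name not in baseline:
            flags.append("not-in-baseline")
        if flags:
            findings.append({"name": name, "port": port, "proto": proto,
                             "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in audit_open_ports(parse_reg_query(SAMPLE), BASELINE):
        print(finding["name"], finding["port"], finding["proto"],
              ", ".join(finding["flags"]))
```

Run from a non-administrator account, the listing can still be read; as the post notes, changing those values is what requires system or administrator access.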




#18
June 20th 06, 10:50 AM, posted to microsoft.public.windowsxp.security_admin

I believe that the original writer of that article is referring to network
traffic as DATA.
Which it is.
If you wish to debate this with him feel free
http://spywareinfo.com/

P.S.
allows data into or out of the computer
--
Mike Pawlak


#19
June 20th 06, 01:51 PM, posted to microsoft.public.windowsxp.security_admin

Well that is technically incorrect. Data is considered payload which again
firewalls do not manage and often is encrypted. Firewall logs will easily
show how firewalls determine what traffic to pass or not. --- Steve





 



