
Topic: Stop Windows from calling home (Read 39896 times)

Josh
Re: Stop Windows from calling home
« Reply #25 on: January 04, 2010, 05:29 PM »
I have yet to see where you say it is not useful. You merely point out features it does not have and is not designed to have. If you install bad stuff, then your A/V or spyware app should catch it. Windows firewall routinely prompts me when a new program attempts to establish a connection.

So basically, because this firewall does not do application filtering (web content, etc) it is not a good measure to have? Most of what you have listed here is speculative and has not shown me a truly valid reason to disable something that, for most, will do what it is supposed to (filter traffic). It is not a PIX device or a router with the firewall feature set, it is a firewall designed to be operated at the lowest level, the host. Let the antivirus and spyware apps do what they are supposed to do but don't tell a user they should disable the Windows firewall because it is useless when there is no backing for that claim.

y0himba
Re: Stop Windows from calling home
« Reply #26 on: January 04, 2010, 05:30 PM »
At the very least the Windows firewall is yet another layer that needs to be penetrated to allow access to your computer. Whether or not it can be bypassed, as can ANY firewall or software is not a valid point when determining its usefulness.  If you need at least one reason why, it HELPS prevent problems.  I have used the Windows firewall for quite a few years in conjunction with my router's built in security features and firewall, and have found that the Windows firewall, even though it started simple, added an easy to use, unobtrusive layer of protection and sense of security.

From what I have seen above, you have given us nothing but the usual "I hate Windows/Microsoft" diatribe, which always comes with no hard evidence, just empty statements on how useless or horrible MS and its software is.

Show us facts, reports, white papers, examples or stories?

Tuxman
Re: Stop Windows from calling home
« Reply #27 on: January 04, 2010, 05:32 PM »
Windows firewall routinely prompts me when a new program attempts to establish a connection.
If this prompt is not clicked away automatically (or the malware even installs a rule there), you'll still have to consider that explorer.exe is not explorer.exe, right?
Still, the problem is the user here. You can't compensate for that with software.

Tuxman
Re: Stop Windows from calling home
« Reply #28 on: January 04, 2010, 05:36 PM »
Whether or not it can be bypassed, as can ANY firewall or software is not a valid point when determining its usefulness.
Of course it is. Security software that can be bypassed simply doesn't protect you. Period.

If you need at least one reason why, it HELPS prevent problems.
How?

and have found that the Windows firewall, even though it started simple, added an easy to use, unobtrusive layer of protection and sense of security.
Placebo effect?

From what I have seen above, you have given us nothing but the usual "I hate Windows/Microsoft" diatribe, which always comes with no hard evidence, just empty statements on how useless or horrible MS and it's software is.
I am a proud Windows user. You won't get me this way.

(BTW: Every firewall software has, as all other software products, potential holes itself, so it may even make you more insecure.)

f0dder
Re: Stop Windows from calling home
« Reply #29 on: January 04, 2010, 05:48 PM »
1) what Josh said
2) what Josh said
3) what Josh said - besides the firewall gets the packets before passing them on to the application layer, which is... surprise surprise... the purpose of a firewall. As long as there isn't a severe bug in the TCP/IP stack or the firewall code, this is perfectly fine, even if you're silly and run your box DMZ.
4) what Josh said
5) what Josh said

The Windows Firewall is a firewall, and it is useful - it guards you against automated service attacks. Which is useful even if you have a more sophisticated firewall device guarding WAN->LAN traffic; ever considered what can happen on a LAN or WLAN if one computer gets infected and there isn't a software firewall running on the individual hosts?

A firewall's main purpose is preventing access to the computer, not preventing the computer from reaching out - if your box is compromised, you're already Game Over™. Imho outbound protection is pretty much placebo; it can't be done 100% reliably per host, and if it's done at the LAN->WAN boundary you end up with really nazi rules... and can't do the useful "is this originating from a valid executable" check anyway.

Also, it's been a while since I've had a firewall popup, but iirc a limited user account on XP can't modify firewall rules, and on Vista/Win7 you get a UAC prompt? If I remember correctly, that pretty much rules out your "automate the click" theory.

Oh, I almost forgot: you've already spouted this nonsense.
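The two claims in the post above (the built-in firewall drops unsolicited inbound traffic before it reaches a service, and rule changes need an elevated account) can be checked directly. The script below is an added example, not code from this thread or from Microsoft; it assumes Windows 8 / Server 2012 or later, where the NetSecurity cmdlets (Get-NetFirewallProfile) exist, and reads settings only. On Windows 7 the same data comes from `netsh advfirewall show allprofiles`.

```powershell
# Added example (not from the thread): read-only audit of Windows Firewall profiles.
# Reports, per profile, whether unsolicited inbound traffic is being dropped, and
# whether this process could change rules at all (that needs an elevated token, i.e.
# an accepted UAC prompt). Assumes Windows 8 / Server 2012+ (NetSecurity module).

Set-StrictMode -Version Latest

function Test-IsElevated {
    # True only if the process token holds the Administrators group. A standard user,
    # or an administrator who has not passed the UAC prompt, gets $false and any
    # Set-NetFirewall* or 'netsh advfirewall set' change is refused (access denied).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallProfileAudit {
    # One record per profile (Domain, Private, Public).
    foreach ($prof in Get-NetFirewallProfile) {
        # DefaultInboundAction 'NotConfigured' falls back to the built-in default,
        # which is Block; only an explicit 'Allow' switches inbound filtering off.
        $filtering = ($prof.Enabled -eq 'True') -and ($prof.DefaultInboundAction -ne 'Allow')
        [pscustomobject]@{
            Profile               = $prof.Name
            Enabled               = $prof.Enabled
            DefaultInboundAction  = $prof.DefaultInboundAction
            DefaultOutboundAction = $prof.DefaultOutboundAction
            LogBlocked            = $prof.LogBlocked
            InboundFiltering      = $filtering
        }
    }
}

function Invoke-FirewallAudit {
    $elevated = Test-IsElevated
    $note = if ($elevated) { 'rule changes possible' } else { 'rule changes would be refused' }
    Write-Host ("Elevated: {0} ({1})" -f $elevated, $note)

    $audit = @(Get-FirewallProfileAudit)
    $audit | Format-Table -AutoSize | Out-Host

    $weak = @($audit | Where-Object { -not $_.InboundFiltering })
    if ($weak.Count -gt 0) {
        $names = ($weak | ForEach-Object Profile) -join ', '
        Write-Warning ("Profiles not filtering inbound traffic: " + $names)
    }
    return $audit
}

Invoke-FirewallAudit | Out-Null
```

Run it once as a standard user and once from an elevated prompt: the profile table is identical, only the "Elevated" line changes, which is exactly the property the post relies on (reading is free, writing needs the UAC transition). A profile showing `Enabled = False` or `DefaultInboundAction = Allow` is one where a listening service is reachable without any rule at all.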

Tuxman
Re: Stop Windows from calling home
« Reply #30 on: January 04, 2010, 05:59 PM »
The Windows Firewall is a firewall
Wrong, because:

A firewall's main purpose is preventing access to the computer, not preventing the computer from reaching out
You can not protect a machine from unauthorized access when running a prevention system on it!

+------------------+
| teh internetz    |
+---------+--------+
          |
   +------+--------+
   | PROTECTION    |
   +----+----------+
        |
  +-----+------------+
  | The machine that |
  | shall be protec- |
  | ted from OUTSIDE |
  +------------------+

Now do this with a "software firewall". Good luck.

but iirc a limited user account on XP can't modify firewall rules, and on Vista/Win7 you get an UAC prompt?
People who use limited accounts and/or the UAC prompt will, like, never have serious system failures caused by malware. They just don't need any extra protection anyway.

Oh, I almost forgot: you've already spouted this nonsense.
I was right.

f0dder
Re: Stop Windows from calling home
« Reply #31 on: January 04, 2010, 06:12 PM »
You can not protect a machine from unauthorized access when running a prevention system on it!
See above:
3) what Josh said - besides the firewall gets the packets before passing them on to the application layer, which is... surprise surprise... the purpose of a firewall. As long as there isn't a severe bug in the TCP/IP stack or the firewall code, this is perfectly fine, even if you're silly and run your box DMZ.

People who use limited accounts and/or the UAC prompt will, like, never have serious system failures caused by malware. They just don't need any extra protection anyway.
See above:
ever considered what can happen on a LAN or WLAN if one computer gets infected and there isn't a software firewall running on the individual hosts?

Oh, I almost forgot: you've already spouted this nonsense.
I was right.
You were - and are - wrong.

Tuxman
Re: Stop Windows from calling home
« Reply #32 on: January 04, 2010, 06:25 PM »
ever considered what can happen on a LAN or WLAN if one computer gets infected and there isn't a software firewall running on the individual hosts?
A LAN or a WLAN doesn't actually send data between the clients without their requesting it. Infected clients in my network don't make my Windows more insecure. Still talking about nonsense?

f0dder
Re: Stop Windows from calling home
« Reply #33 on: January 04, 2010, 06:38 PM »
Let's try to spell this out, then...

A LAN has a bunch of computers all without packet filters, and some OS with some 0day service exploit.

One computer gets infected with 0day malware - this can happen for a wide variety of reasons; I've seen the following reasons in real-life situations:
  • Infected laptop is brought to school/work/friend's place.
  • Moronic uneducated user clicks obviously bad email attachment.
  • Uneducated user runs a video codec trojan.
  • WLAN is breached - either with the purpose of infecting, or simply to leech internet access.
  • User is hit by browser exploit - before blaming IE, consider that IE8 in UAC+Sandbox mode is pretty secure and that most holes are in flash or java.
  • User is hit by intentionally inserted malware in warez.

There's a whole bunch of other possibilities as well, some of them more obscure than others, but these are reasons I've all witnessed. It takes one such slip to get an infected host on your LAN... and if that happens, your boxes aren't running PFs, and there's a service exploit... boom, game over. If you've ever tried bringing an XP box pre-SP2 on the internet without a 3rd party PF or a NAT'ing router, you'll see how fast this happens with internet traffic.

Fortunately, service exploits aren't that common today - and even better, the PF differentiates between localhost, LAN and WAN... and has relatively reasonable defaults for what it lets get through to which services.

Now, for you a PF might not be of much use, especially if you don't run a WLAN, are the only user on your network, and don't have any friends. But throwing a blanket statement about PFs being useless is plain wrong.
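The scenario in the post above (one infected host on the LAN, a listening service on the others, and a packet filter that distinguishes profiles) boils down to one question per host: which listening services does the filter actually let a LAN neighbour reach? The script below answers it by joining the local TCP listeners with the enabled inbound Allow rules of a given profile. It is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later for the NetSecurity and Get-NetTCPConnection cmdlets, treats a port as reachable only when some enabled Allow rule matches it (a profile with DefaultInboundAction = Allow would expose everything and is out of scope here), and matches numeric ports and ranges only (keyword ports such as `RPC` are reported as not matched).

```powershell
# Added example (not from the thread): which listening TCP services are reachable
# through the Windows Firewall on a given profile? A service is only attackable from a
# neighbour if it is listening on a non-loopback address AND an enabled inbound Allow
# rule for that profile matches its port. Assumes Windows 8 / Server 2012+.

Set-StrictMode -Version Latest

function Get-InboundAllowRules {
    # Enabled inbound Allow rules joined with their port and address filters.
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $r.DisplayName
            Profile       = $r.Profile          # Any, or a flags combination such as "Private, Public"
            Protocol      = $port.Protocol      # TCP, UDP, Any, ICMPv4, ...
            LocalPort     = @($port.LocalPort)  # '445', '49152-65535', 'Any', 'RPC', ...
            RemoteAddress = $addr.RemoteAddress # 'Any', 'LocalSubnet', explicit ranges
        }
    }
}

function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    # Rule ports are strings: 'Any', a single number, or a 'low-high' range.
    # Keyword ports ('RPC', 'IPHTTPSIn', ...) are deliberately treated as no match.
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-ExposedListeners {
    param([ValidateSet('Domain', 'Private', 'Public')][string]$Profile = 'Public')
    # Rules that apply to this profile and to TCP.
    $allow = @(Get-InboundAllowRules | Where-Object {
        ($_.Protocol -in 'TCP', 'Any') -and
        ($_.Profile -eq 'Any' -or (($_.Profile -split ',\s*') -contains $Profile))
    })
    $listen = Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess -Unique
    foreach ($l in $listen) {
        $loopback = $l.LocalAddress -in '127.0.0.1', '::1'
        $hits = @($allow | Where-Object { Test-PortMatch -LocalPort $_.LocalPort -Port $l.LocalPort })
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $l.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Reachable    = (-not $loopback) -and ($hits.Count -gt 0)
            Rules        = ($hits | ForEach-Object Name) -join '; '
            RemoteScope  = (($hits | ForEach-Object RemoteAddress) | Sort-Object -Unique) -join '; '
        }
    }
}

# Usage: what could an infected neighbour on an untrusted (Public) network reach?
Get-ExposedListeners -Profile Public | Where-Object Reachable | Format-Table -AutoSize
```

Running it for `Private` and then `Public` shows the "relatively reasonable defaults" the post refers to: file sharing and similar rules are typically present for the private profile with `RemoteScope = LocalSubnet`, and absent or disabled for the public one, so the same listening SMB service is reachable from a home LAN but not from a coffee-shop WLAN.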

Tuxman
Re: Stop Windows from calling home
« Reply #34 on: January 04, 2010, 06:46 PM »
If you've ever tried bringing an XP box pre-SP2 on the internet without 3rd party PF or a NAT'ing router, you'll see how fast this happens with internet traffic.
Like that Sasser worm? I know it, yep ...  :-\
A well-configured machine is daily patched and does not run any services which just are not needed. Of course, there are always some (rare) exploits for needed services. But there are also exploits for common "firewall software", and I think there are more of them. So, actually, a LAN/WLAN system running a "personal firewall" and the default services is more probably vulnerable than a LAN/WLAN system running only the default services.

f0dder
Re: Stop Windows from calling home
« Reply #35 on: January 04, 2010, 06:49 PM »
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.

Also, with proper software design, there's no reason that a 3rd-party software firewall can't be as secure as Windows' built-in... simply disallow configuration from non-elevated accounts, presto-done... as long as you don't write exploitable code, of course... and keep GUI and service separated.

Tuxman
Re: Stop Windows from calling home
« Reply #36 on: January 04, 2010, 06:56 PM »
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.
There is one for the XP firewall, and I doubt there are none for newer versions ...

with proper software design, there's no reason that a 3rd-party software firewall can't be as secure as Windows' built-in...
If we assumed proper software design, there would be no holes in Windows at all, right?

f0dder
Re: Stop Windows from calling home
« Reply #37 on: January 04, 2010, 07:04 PM »
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.
There is one for the XP firewall, and I doubt there are none for newer versions ...
Requires ICS to be enabled - dunno if it is by default, but if you're not using ICS I'd say you might as well turn it off. Also, while still serious, at least it does require the attacker to be on the LAN. And I'm not saying there's none for more recent versions, haven't googled and haven't heard any black-hat whispers about it, so *shrug*. Haven't seen one in the headlines yet, though.

If we assumed proper software design, there were no holes in Windows at all, right?
Oh, sure thing, the world is filled with lots of not-so-very-well-written software. Windows, Linux and OS X have all had some very very embarrassing security holes - both local-only and remotely exploitable. It's possible to write decent software, though, and one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right.

Tuxman
Re: Stop Windows from calling home
« Reply #38 on: January 04, 2010, 07:27 PM »
one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right.
Given that we only talk about a packet filter and nothing more: You'll need some kind of an A.I. to decide which traffic is "good" and which is "bad". A packet filter completely controlled by its users does not do what it is intended to.

f0dder
Re: Stop Windows from calling home
« Reply #39 on: January 04, 2010, 07:32 PM »
A packet filter can come with sensible defaults - that goes a long way.

As for configurable by users, that's going to require admin privileges. People running with admin privs and no UAC = dead in the water. People blindly clicking yes to everything = blind in the water. Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble. In a production environment, I wouldn't keep servers and other critical machines with AU on, but rather keep them properly firewalled, and have a team that's vigilant about reading security billboards and doing hotfixes in a test environment before deploying... that's obviously far outside the scope of end-user, but it's a situation where I'd still keep a packet-filter running on each and every machine. And obviously not as the only line of defense.

Tuxman
Re: Stop Windows from calling home
« Reply #40 on: January 04, 2010, 07:46 PM »
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.
So, at least, we're talking on a similar level. Quite a progress yet.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble.
I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right?

f0dder
Re: Stop Windows from calling home
« Reply #41 on: January 04, 2010, 08:02 PM »
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.
So, at least, we're talking on a similar level. Quite a progress yet.
I don't think anybody claimed you could have a secure environment if you let uneducated users run amok with admin accounts. You're the one who flat-out claimed that packet filters aren't firewalls and that Windows' built-in firewall is useless - which is ludicrous, for reasons mentioned in this thread as well as the previous one.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble.
I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right?
1) I already said this didn't apply to regular users (but I find it worth mentioning nonetheless).
2) why wouldn't I run an important server on a Windows box? Ever checked this list? Which environment you choose depends on the requirements. I wouldn't be comfortable with either Windows or Linux controlling nuclear plants or aircraft - neither was written for realtime demands, and neither of them has strict enough code quality. But web- or database server or DNS or mail or whatever, even for something important? I wouldn't rule out Windows before doing a little research.

My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer.

Tuxman
Re: Stop Windows from calling home
« Reply #42 on: January 04, 2010, 08:55 PM »
You're the one who flat-out claimed that packet filters aren't firewalls
Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)

and that Windows' built-in firewall is useless
... and potentially dangerous.

2) why would't I run an important server on a Windows box?
Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.
(Oh, and Windows' cmd.exe without [at least] some *ix tools is, at best, a sick joke when it is about configuration and server maintenance. This refers explicitly to this special case. In other threads I'll stick with my opinion that cmd.exe is everything I need. Maybe because I don't have to control a server system with it. But we're drifting a bit OT here, aren't we?)

Ever checked this list?
Uptime depends on various things. That Windows servers are on top of the list doesn't necessarily mean something. (edit: Missed a dot.)

My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer.
Now that's not actually a reason. If it was, no-one would use Windows anymore, as it is not free.  :D

f0dder
Re: Stop Windows from calling home
« Reply #43 on: January 04, 2010, 09:32 PM »
Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)
The personal firewalls I've seen - including Windows' own - have been packet filters; your link talks about a completely different thing. Some of the personal firewalls additionally know about the socket<>app relationship and can do application integrity checking... and then there's the next class that adds packet/protocol inspection. But let's stick with packet filters since that's what Windows' firewall does.

[you claim that] Windows' built-in firewall is useless
... and potentially dangerous.
Proof? You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says). Using linux iptables can be potentially dangerous; ironically, a lot of "hardware firewalls" run linux kernels.

Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.
That's a claim I've heard before... of course we have no way of knowing if any of the servers on the uptime lists have been exploited (my guess is not), but you wouldn't really have multi-year uptime if the system wasn't stable. As far as security goes, any internet-facing server set up by a competent sysadmin will only have necessary services exposed, and will have those services running in reasonable security contexts. NT has a much more flexible security model than your standard run-of-the-mill Linux, by the way - adopted from VMS.

And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalations during the recent months, some of which are present in several years' worth of kernels... couple that with a remote exploit in a single third-party service (or even something as lowly as a PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate to secure - no matter what you run, you need competent server admins who keep their eyes open.

(Oh, and Windows' cmd.exe without [at least] some *ix tools is, at best, a sick joke when it is about configuration and server maintenance.
So what, really? Windows isn't unix, things work differently. You can automate settings with policies... sure thing, I use tools like grep on my windows box pretty often. But for the tasks I do here, I don't need a more powerful shell. The few times when a simple batch file won't suffice I'd much rather be whipping up a Python script... if you don't feel that way, go PowerShell or Bash. But yes, we're drifting. My point is that, well, you use different systems differently. Being able to handle configuration via SSH is nice though, especially over slow links (but thanks doyc that the RDP protocol isn't as retarded as VNC).

Anyway, OS pissing contest aside, your premise was that Windows built-in firewall is useless. By this, you're saying that packet filters which require administrative privileges to configure are useless... which I still find to be a ludicrous claim.

Tuxman
Re: Stop Windows from calling home
« Reply #44 on: January 04, 2010, 09:53 PM »
You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says).
http://en.wiktionary.org/wiki/potential

And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalation during the recent months, some of which are present in several years worth of kernels... could that with a remote exploit in a single third-party service (or even something as a lowly PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate secure - no matter what you run, you need competent server admins who keep their eyes open.
Some are "better" however.
Of course you can configure *ix to be insecure, of course you can even have a secure Windows XP server or something. The software running on the server is the bottleneck - and now we're on topic again. The one who installs and maintains the software is responsible for it to work properly. If he fails, not even a firewall of any kind can help him. If he succeeds, he doesn't need paranoia. There might be something in between. Does it really matter?

So what, really? Windows isn't unix, things work differently.
Now this is not a reason for having to use a rather mediocre shell, is it?

By this, you're saying that packet filters which require administrative privileges to configure are useless
... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.

Stoic Joker
Re: Stop Windows from calling home
« Reply #45 on: January 04, 2010, 10:06 PM »
ICS is disabled by default, and the only unscheduled reboots in the last 10 years on the (approx 20) Windows servers I manage were due to either hardware failures or power outages that outlasted the UPS.

f0dder
Re: Stop Windows from calling home
« Reply #46 on: January 04, 2010, 10:23 PM »
Let us revisit your five bullet points:
  • 1. Executable modification detection is not the job of a packet filter firewall, but more in the area of a HIPS. This is material for a different discussion.
  • 2. You can click "Allow", but this requires a UAC transition (at least on Win7 - I'd be surprised if it doesn't on Vista). UAC transitions can't be scripted¹.
  • 3. The packets have "entered your computer" but haven't hit applications yet. This is the purpose of a packet filter: to avoid service exploitation². Somebody more clever than me can comment on the implementation, but I'll highlight that "If the traffic does not match an exception, the NAT driver determines that the traffic is unsolicited; the packets are dropped and do not continue through the TCP/IP stack".
  • 4. I assume you're talking "outbound leaking" here. Ultimately, there's nothing you can do to stop outbound leaking, whether on the individual host or an external boundary firewall, short of blocking all outgoing traffic³. This is a topic for a whole separate discussion, though; my stance is that when you need outbound filtering you're pretty much game over, but it can help mitigate some attacks. And if you only need to defend against usermode code, you can do a lot.
  • 5. If you're reckless and run in admin mode without UAC: yes - otherwise: no.

Footnotes:
1: I know of no way to script UAC transitions when running with UAC on max settings, which is what you should be doing. I'm not excluding the possibility that there's bugs that will eventually be found, but so far we don't know of any.
2: yes, it's possible that the packet filter itself has bugs, just like everything else - including your "hardware" firewall firmware.
3: no, really. An external firewall knows nothing about applications, and can only judge on packet data. Make an outgoing HTTPS connection and you can't do much traffic inspection except looking at destination.

You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says).
http://en.wiktionary.org/wiki/potential
That's the best you can do? Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug. Yep, it was serious, if you had enabled ICS - not something most home users do... and the resources I've seen say that server editions weren't affected.

Some are "better" however.
"Secure by Default" is a very nice goal, and MS has been sleeping in class. The XP-SP2 firewall and DEP were steps in the right direction, UAC was a major step (too bad the default user wasn't made non-admin already in Win2k). And then there's ASLR and a whole bunch of enhancements to the heap manager, not to mention various security enhancements in the Visual C++ compiler. None of this by itself is perfect, but it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with Linux unless manually choosing a kernel with SELinux patches.

Of course you can configure *ix to be insecure, of course you can even have a secure Windows XP server or something. The software running on the server is the bottleneck - and now we're on topic again. The one who installs and maintains the software is responsible for it to work properly. If he fails, not even a firewall of any kind can help him. If he succeeds, he doesn't need paranoia. There might be something in between. Does it really matter?
Well, duh, isn't this what I've been saying all along? Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security. Hopefully it'll never be needed on neither hosts nor servers, but if you have a breach it can save your ass - and I bet you aren't able to measure a performance difference whether it's enabled or disabled.

So what, really? Windows isn't unix, things work differently.
Now this is not a reason for having to use a rather mediocre shell, is it?
If you don't need something complex, why waste time developing it? *u*x and Windows are different philosophies. Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality.

By this, you're saying that packet filters which require administrative privileges to configure are useless
... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.
Ah, now you're talking a lot more sense. But let us revisit your original statement, which is what got this started:
Disable Windows Firewall - And there it is!
How many reasons why the Windows "Firewall" is neither a firewall nor of any use would be enough to convince you that disabling it is a good idea? I think I could find dozens of them.
...see a slight difference between those two statements?

ICS is disabled by default, and the only unscheduled reboots in the last 10 years on the (approx 20) Windows servers I manage were due to either hardware failures or power outages that outlasted the UPS.
Do you have a clean & untweaked XP-SP2 you can confirm this on, or official docs? :P - I'm almost tempted to do a test install in vmware (damn insomnia!), but it'd make a helluva lot of sense not to have it enabled by default.
- carpe noctem

Tuxman

  • Supporting Member
  • Joined in 2006
  • Posts: 2,466
Re: Stop Windows from calling home
« Reply #47 on: January 04, 2010, 10:43 PM »
Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug.
Not ignoring it, but keeping the discussion on-topic.

too bad default user wasn't made non-admin already in Win2k
AFAIK he still is not?

it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with linux unless manually choosing a kernel with SELinux patches.
Which is, at least, a giant step into the right direction after rolling backwards for years. Let's hope they'll stick with it.

Well, duh, isn't this what I've been saying all along?
Not quite, as we were still on "Personal Firewalls".  :P

Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security.
... or maybe also insecurity. See, most people I know mix up "consider your system's security" with "install a security suite and everything is fine", and then they'll wonder why their system is fucked up.
Maybe I just know the wrong people.

 ;D

Hopefully it'll never be needed on neither hosts nor servers, but if you have a breach it can save your ass
So far I (personally) never had a problem that could have been fixed more easily by installing a packet filter. Lucky me.

If you don't need something complex, why waste time developing it?
cmd.exe is complex but not mighty. "Scriptable" but not "flexible". For my own workstation(s) it is more than enough, but fiddling with config files without grep or something sounds hard.
(There is grep [with ls. love that.] for Windows, but I actually doubt that it is installed on common Windows servers.)

Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality.
To me, the PowerShell looks more like some .net command console, not a valid MinGW/Cygwin replacement. I really wish MS would consider making Windows POSIX-compatible by default for everyone, not only the high-class editions... would make life a lot easier.

...see a slight difference between those two statements?
Yep, I missed the "IMO" in my original posting. The statement is, basically, the same, but the second one seems to be clearer or something. Sorry for the fuzzy phrasing.  :D

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: 45
  • Posts: 3,411
Re: Stop Windows from calling home
« Reply #48 on: January 05, 2010, 01:05 AM »
After all of this discussion, the real reason to disable windows firewall has not been given. I see you have given personal reasons for not liking the Windows PFW but have not seen concrete evidence, or anything remotely close to that, where you show why users should disable it.

The Windows PFW does what it is supposed to do, filter packets. The case still remains that it is NOT a host intrusion prevention or detection system. Those are an entirely different suite of applications.

So please tux, I ask you in this post, give me a reason that a user should remove this layer of protection which shows it as being unnecessary. Added layers of security are always better than none. Telling users to run as a LUA is fine and good but when this is mom and pop and they do not want to have to login and logout, or enter credentials every time they run something, or even understand why they have to do that, I guarantee they will be just fine leaving the Windows PFW enabled because it will serve as an intermediate between the packets from the internet and their applications (the exploitable code, for the most part). Also, saying that running a software firewall is nowhere near as good as a hardware firewall is laughable due to the fact that hardware firewalls are SOFTWARE based running embedded on a set of dedicated hardware. In most cases, systems running personal firewalls are faster than the hardware included in the average home user firewall/router.

So, I await your reply and hopefully this can be backed.

Innuendo

  • Charter Member
  • Joined in 2005
  • Posts: 2,266
Re: Stop Windows from calling home
« Reply #49 on: January 05, 2010, 10:42 AM »
1. It can not detect if "explorer.exe" is really "explorer.exe" when asking you if explorer.exe may access the internet.

By that logic the high-end firewalls by such companies as Cisco, Juniper, and SonicWall are not firewalls either, as they cannot determine the difference between explorer.exe and another program either. A firewall's job is to restrict what kinds of traffic come across which ports. If you are going to want to control things at the application level then you are talking about something else. Yes, some advanced personal firewall software offers this additional functionality, but it's not core firewall programming.

2. It is not that hard to write a script which automatically clicks "Allow".

It is that hard to write one if you have your UAC set where it's supposed to be. Follow the advice to turn off UAC because some knob on the internet told you to then you get what you deserve.

3. It is behind your internet connection, so any packets passing it are already on your computer.

Sandboxes, virtual machines, etc. make this point moot.

4. ... if they pass it anyway (there is always a way to create your own, independent TCP connections).

And none of these ways can circumvent the low-level hooks for firewall functionality in Windows 7. The old days of the Windows XP RTM firewall are behind us.

5. A virus, worm or trojan runs with your own user privileges, so it can easily disable your PFW completely.

Not if you have UAC turned on.

If you actually use software from dubious sources and click unknown links (the only ways to get infected), you'll fail anyway. A "personal firewall" cannot help you.

People don't have to use dubious software these days to be vulnerable. It's possible to get attacked just by visiting regular web sites. It's a dangerous world out there & the only sane defense is one of multiple layers that can catch almost all, if not all, attack vectors present on the internet.
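Both sides of the thread agree on one thing: a path-based rule like "allow explorer.exe" tells the packet filter nothing about what the file at that path really is. The defender's answer is to audit the rule set and check the signer of each referenced program yourself. The following PowerShell script is an added example written for this thread, not code from any poster or from Microsoft. It assumes the NetSecurity module (Windows 8 / Server 2012 or later; on Windows 7 the same information comes from `netsh advfirewall`) and PowerShell 4.0 or later for `Get-FileHash`, and it is meant to be run from an elevated prompt.

```powershell
# Added example (not from the thread): audit the Windows Firewall profiles and
# check the Authenticode signature of every program an enabled inbound Allow rule
# refers to. The firewall itself only matches on the path string; this script is
# what tells you whether the file at that path is the signed binary you expect.
# Assumes: NetSecurity module (Win8/Server 2012+), PowerShell 4.0+, elevated shell.

Import-Module NetSecurity

# 1. Is the packet filter actually enabled for every profile, and does it block by default?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Walk every enabled inbound Allow rule and resolve the program it applies to.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
$report = foreach ($rule in $rules) {
    $app     = $rule | Get-NetFirewallApplicationFilter
    $program = $app.Program
    # "Any" means the rule is not tied to a program; "System" is the kernel itself.
    if (-not $program -or $program -eq 'Any' -or $program -eq 'System') { continue }

    # Expand %SystemRoot%, %ProgramFiles% etc. so the path can be inspected on disk.
    $path = [Environment]::ExpandEnvironmentVariables($program)
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$($rule.DisplayName): referenced program is missing: $path"
        continue
    }

    # 3. Who signed the file that the rule is granting inbound access to?
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [PSCustomObject]@{
        Rule      = $rule.DisplayName
        Program   = $path
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# 4. Anything that is not validly signed deserves a second look before the rule stays.
$report | Sort-Object SigStatus | Format-Table -AutoSize
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review rule '$($_.Rule)': $($_.Program) is $($_.SigStatus)" }
```

The SHA256 column lets you compare the binary against a known-good hash from the vendor, which is the check the firewall cannot perform on its own. If a `DefaultInboundAction` of `Allow` shows up in step 1, the rule audit is moot for that profile: the filter is not blocking anything by default there.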