Stop Windows from calling home

f0dder:
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.

Also, with proper software design, there's no reason that a 3rd-party software firewall can't be as secure as Windows' built-in... simply disallow configuration from non-elevated accounts, presto-done... as long as you don't write exploitable code, of course... and keep GUI and service separated.

Tuxman:
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.-f0dder (January 04, 2010, 06:49 PM)
--- End quote ---
There is one for the XP firewall, and I doubt there are none for newer versions ...

with proper software design, there's no reason that a 3rd-party software firewall can't be as secure as Windows' built-in... -f0dder (January 04, 2010, 06:49 PM)
--- End quote ---
If we assumed proper software design, there would be no holes in Windows at all, right?

f0dder:
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it.-f0dder (January 04, 2010, 06:49 PM)
--- End quote ---
There is one for the XP firewall, and I doubt there are none for newer versions ...-Tuxman (January 04, 2010, 06:56 PM)
--- End quote ---
Requires ICS to be enabled - dunno if it is by default, but if you're not using ICS I'd say you might as well turn it off. Also, while still serious, at least it does require the attacker to be on the LAN. And I'm not saying there's none for more recent versions, haven't googled and haven't heard any black-hat whispers about it, so *shrug*. Haven't seen one in the headlines yet, though.

If we assumed proper software design, there would be no holes in Windows at all, right?-Tuxman (January 04, 2010, 06:56 PM)
--- End quote ---
Oh, sure thing, the world is filled with lots of not-so-very-well-written software. Windows, Linux and OS X have all had some very very embarrassing security holes - both local-only and remotely exploitable. It's possible to write decent software, though, and one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right.

Tuxman:
one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right.-f0dder (January 04, 2010, 07:04 PM)
--- End quote ---
Given that we only talk about a packet filter and nothing more: You'll need some kind of an A.I. to decide which traffic is "good" and which is "bad". A packet filter completely controlled by its users does not do what it is intended to.

f0dder:
A packet filter can come with sensible defaults - that goes a long way.

As for configurable by users, that's going to require admin privileges. People running with admin privs and no UAC = dead in the water. People blindly clicking yes to everything = blind in the water. Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs.

Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble. In a production environment, I wouldn't keep servers and other critical machines with AU on, but rather keep them properly firewalled, and have a team that's vigilant about reading security billboards and doing hotfixes in a test environment before deploying... that's obviously far outside the scope of end-user, but it's a situation where I'd still keep a packet-filter running on each and every machine. And obviously not as the only line of defense.
