
Stop Windows from calling home


Stoic Joker:
ICS is disabled by default, and the only unscheduled reboots in the last 10 years on the (approx 20) Windows servers I manage were due to either hardware failures or power outages that outlasted the UPS.

f0dder:
Let us revisit your five bullet points:

* 1. Executable modification detection is not the job of a packet filter firewall, but more in the area of a HIPS. This is material for a different discussion.
* 2. You can click "Allow", but this requires a UAC transition (at least on Win7 - I'd be surprised if it doesn't on Vista). UAC transitions can't be scripted¹.
* 3. The packets have "entered your computer" but haven't hit applications yet. This is the purpose of a packet filter: to avoid service exploitation². Somebody more clever than me can comment on the implementation, but I'll highlight that "If the traffic does not match an exception, the NAT driver determines that the traffic is unsolicited; the packets are dropped and do not continue through the TCP/IP stack".
* 4. I assume you're talking "outbound leaking" here. Ultimately, there's nothing you can do to stop outbound leaking, whether on the individual host or an external boundary firewall, short of blocking all outgoing traffic³. This is topic for a whole separate discussion, though; my stance is that when you need outbound filtering you're pretty much game over, but it can help mitigate some attacks. And if you only need to defend against usermode code, you can do a lot.
* 5. If you're reckless and run in admin mode without UAC: yes - otherwise: no.
Footnotes:
1: I know of no way to script UAC transitions when running with UAC on max settings, which is what you should be doing. I'm not excluding the possibility that there's bugs that will eventually be found, but so far we don't know of any.
2: yes, it's possible that the packet filter itself has bugs, just like everything else - including your "hardware" firewall firmware.
3: no, really. An external firewall knows nothing about applications, and can only judge on packet data. Make an outgoing HTTPS connection and you can't do much traffic inspection except looking at destination.

You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says).-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
http://en.wiktionary.org/wiki/potential-Tuxman (January 04, 2010, 09:53 PM)
--- End quote ---
That's the best you can do? Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug. Yep, it was serious, if you had enabled ICS - not something most home users do... and the resources I've seen say that server editions weren't affected.

Some are "better" however.-Tuxman (January 04, 2010, 09:53 PM)
--- End quote ---
"Secure by Default" is a very nice goal, and MS has been sleeping in class. The XP-SP2 firewall and DEP were steps in the right direction, UAC was a major step (too bad default user wasn't made non-admin already in Win2k). And then there's ASLR and a whole bunch of enhancements to the heap manager, not to mention various security enhancements in the Visual C++ compiler. None of this by itself is perfect, but it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with linux unless manually choosing a kernel with SELinux patches.

Of course you can configure *ix to be insecure, of course you can even have a secure Windows XP server or something. The software running on the server is the bottleneck - and now we're on topic again. The one who installs and maintains the software is responsible for it to work properly. If he fails, not even a firewall of any kind can help him. If he succeeds, he doesn't need paranoia. There might be something in between. Does it really matter?-Tuxman (January 04, 2010, 09:53 PM)
--- End quote ---
Well, duh, isn't this what I've been saying all along? Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security. Hopefully it'll never be needed on either hosts or servers, but if you have a breach it can save your ass - and I bet you aren't able to measure a performance difference whether it's enabled or disabled.

So what, really? Windows isn't unix, things work differently.-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
Now this is not a reason for having to use a rather mediocre shell, is it?
-Tuxman (January 04, 2010, 09:53 PM)
--- End quote ---
If you don't need something complex, why waste time developing it? *u*x and Windows are different philosophies. Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality.

By this, you're saying that packet filters which require administrative privileges to configure are useless-f0dder (January 04, 2010, 09:32 PM)
--- End quote ---
... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.
-Tuxman (January 04, 2010, 09:53 PM)
--- End quote ---
Ah, now you're talking a lot more sense. But let us revisit your original statement, which is what got this started:
Disable Windows Firewall - And there it is!-Innuendo (January 04, 2010, 04:18 PM)
--- End quote ---
How many reasons why the Windows "Firewall" is neither a firewall nor of any use would be enough to convince you that disabling it is a good idea? I think I could find dozens of them.
-Tuxman (January 04, 2010, 04:23 PM)
--- End quote ---
...see a slight difference between those two statements?

ICS is disabled by default, and the only unscheduled reboots in the last 10 years on the (approx 20) Windows servers I manage were due to either hardware failures or power outages that outlasted the UPS.
-Stoic Joker (January 04, 2010, 10:06 PM)
--- End quote ---
Do you have a clean & untweaked XP-SP2 you can confirm this on, or official docs? :P - I'm almost tempted to do a test install in vmware (damn insomnia!), but it'd make a helluva lot of sense not to have it enabled by default.

Tuxman:
Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug.-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
Not ignoring it, but keeping the discussion on-topic.

too bad default user wasn't made non-admin already in Win2k-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
AFAIK he still is not?

it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with linux unless manually choosing a kernel with SELinux patches.-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
Which is, at least, a giant step into the right direction after rolling backwards for years. Let's hope they'll stick with it.

Well, duh, isn't this what I've been saying all along?-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
Not quite, as we were still on "Personal Firewalls".  :P

Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security.-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
... or maybe also insecurity. See, most people I know mix up "consider your system's security" with "install a security suite and everything is fine", and then they'll wonder why their system is fucked up.
Maybe I just know the wrong people.

 ;D

Hopefully it'll never be needed on either hosts or servers, but if you have a breach it can save your ass-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
So far I (personally) never had a problem that could have been fixed more easily by installing a packet filter. Lucky me.

If you don't need something complex, why waste time developing it?-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
cmd.exe is complex but not mighty. "Scriptable" but not "flexible". For my own workstation(s) it is more than enough, but fiddling with config files without grep or something sounds hard.
(There is grep [with ls. love that.] for Windows, but I actually doubt that it is installed on common Windows servers.)

Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality.-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
To me, the PowerShell more looks like some .net command console, not a valid MinGW/Cygwin replacement. I really wish MS would consider making Windows POSIX-compatible by default for everyone, not only the high-class editions... would make life a lot easier.

...see a slight difference between those two statements?-f0dder (January 04, 2010, 10:23 PM)
--- End quote ---
Yep, I missed the "IMO" in my original posting. The statement is, basically, the same, but the second one seems to be clearer or something. Sorry for fuzzy phrasing.  :D

Josh:
After all of this discussion, the real reason to disable Windows Firewall has not been given. I see you have given personal reasons for not liking the Windows PFW but have not seen concrete evidence, or anything remotely close to that, where you show why users should disable it.

The Windows PFW does what it is supposed to do, filter packets. The case still remains that it is NOT a host intrusion prevention or detection system. Those are an entirely different suite of applications.

So please tux, I ask you in this post, give me a reason that a user should remove this layer of protection which shows it as being unnecessary. Added layers of security are always better than none. Telling users to run as a LUA is fine and good but when this is mom and pop and they do not want to have to login and logout, or enter credentials every time they run something, or even understand why they have to do that, I guarantee they will be just fine leaving the Windows PFW enabled because it will serve as an intermediate between the packets from the internet and their applications (the exploitable code, for the most part). Also, saying that running a software firewall is nowhere near as good as a hardware firewall is laughable due to the fact that hardware firewalls are SOFTWARE based running embedded on a set of dedicated hardware. In most cases, systems running personal firewalls are faster than the hardware included in the average home user firewall/router.

So, I await your reply and hopefully this can be backed.

Innuendo:
1. It cannot detect if "explorer.exe" is really "explorer.exe" when asking you if explorer.exe may access the internet.-Tuxman (January 04, 2010, 04:57 PM)
--- End quote ---

By that logic the high-end firewalls by such companies as Cisco, Juniper, and SonicWall are not firewalls either, as they cannot determine the difference between explorer.exe and another program. A firewall's job is to restrict what kinds of traffic come across which ports. If you are going to want to control things at the application level then you are talking about something else. Yes, some advanced personal firewall software offers this additional functionality, but it's not core firewall programming.

2. It is not that hard to write a script which automatically clicks "Allow".
--- End quote ---

It is that hard to write one if you have your UAC set where it's supposed to be. Follow the advice to turn off UAC because some knob on the internet told you to then you get what you deserve.

3. It is behind your internet connection, so any packets passing it are already on your computer.
--- End quote ---

Sandboxes, virtual machines, etc. make this point moot.

4. ... if they pass it anyway (there is always a way to create your own, independent TCP connections).
--- End quote ---

And none of these ways can circumvent the low-level hooks for firewall functionality in Windows 7. The old days of the Windows XP RTM firewall are behind us.

5. A virus, worm or trojan runs with your own user privileges, so it can easily disable your PFW completely.
--- End quote ---

Not if you have UAC turned on.

If you actually use software from dubious sources and click unknown links (the only ways to get infected), you'll fail anyway. A "personal firewall" cannot help you.

--- End quote ---

People don't have to use dubious software these days to be vulnerable. It's possible to get attacked just by visiting regular web sites. It's a dangerous world out there & the only sane defense is one of multiple layers that can catch almost all, if not all, attack vectors present on the internet.
