XP's built-in firewall unreliable?
From: Matthias Fichtner (mf-list_at_FICHTNER-MEYER.COM)
Date: Tue, 19 Aug 2003 17:35:34 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Last week, while checking our Windows machines to make sure
they're all properly patched and secured against the Blaster
worm, I noticed that one of the XP Pro machines responded to
ICMP packets -- even though its ICF feature (the built-in
Internet Connection Firewall) was supposed to be enabled. A
quick scan showed that ports 135, 445, and 1025 were wide

So I assumed that someone had disabled the firewall. But
that was not the case: Upon logging into the machine, I
found that the network connection's ICF option was enabled
and the SharedAccess service (the NT Service that provides
ICF functionality) was running. Yet, the firewall simply
didn't do what it is supposed to do: Checking pfirewall.log,
I learned that not a single inbound packet had been dropped
in almost a month!

Rebooting the machine didn't help. Uninstalling stuff that
I suspected might interfere with the ICF's functionality --
that is: Microsoft's "Advanced Networking Pack for XP" and
WinPcap (a kernel-level packet filter that is needed for
running nmap) -- didn't help either.

Finally, I tried stopping and restarting the SharedAccess
service. Bingo: Suddenly, the ICF was back online and
happily started dropping all sorts of inbound traffic. No
more pinging, no more wide open ports.

Now, every time that machine is rebooted, I have to log in,
stop the SharedAccess service, and restart it. Otherwise,
the firewall just sits there and does nothing -- even though
there is not a single error message (at least none I could
find in any of the logs) and the network connection is
clearly marked "Enabled, Firewalled" in XP's Network

Has anybody else seen this? Anything I can do to fix the
problem? Or do we need to consider the ICF yet another OS
feature one simply cannot rely on?

-- 
Matthias Fichtner [MF70-RIPE] firstname.lastname@example.org
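As an added example, not part of Matthias's post or of Windows itself: the check he did by hand on pfirewall.log, automated. It parses the log's `#Fields:` header, finds the most recent DROP entry, and flags a firewall that is marked enabled but has not dropped anything for days. The log layout and the sample lines are constructed to match the W3C-style format ICF writes; the seven-day threshold and the field names are assumptions to adjust against your own log.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): the W3C-style header ICF writes,
# followed by two dropped inbound probes and one outbound connection.
SAMPLE_LOG = """#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-07-20 09:12:01 DROP TCP 192.0.2.10 192.0.2.50 3021 135 48 S 1234567 0 65535 - - -
2003-07-20 09:12:05 DROP ICMP 192.0.2.10 192.0.2.50 - - 60 - - - - 8 0 -
2003-07-21 14:03:44 OPEN TCP 192.0.2.50 192.0.2.1 1027 80 - - - - - - - -
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # date and time columns joined with a space


def parse_entries(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # blank, other header lines, or data before any #Fields
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def last_drop_time(log_text):
    """datetime of the most recent DROP entry, or None if nothing was dropped."""
    latest = None
    for entry in parse_entries(log_text):
        if entry["action"] != "DROP":
            continue
        stamp = datetime.strptime(entry["date"] + " " + entry["time"], TS_FORMAT)
        if latest is None or stamp > latest:
            latest = stamp
    return latest


def firewall_looks_idle(log_text, now, max_silence_days=7):
    """True when no DROP has been logged within max_silence_days before `now`
    (a "YYYY-MM-DD HH:MM:SS" string). On a host that sees any network noise,
    weeks of silence from an "enabled" firewall are worth investigating."""
    last = last_drop_time(log_text)
    return last is None or (
        datetime.strptime(now, TS_FORMAT) - last > timedelta(days=max_silence_days))
```

Pair the result with a check that the SharedAccess service is actually running; the post shows the service state alone is not enough.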