Re: Fw: Serious Security Issue in Windows XP SP2's Firewall
From: Frank Knobbe (frank_at_knobbe.us)
Date: 09/29/04
- Previous message: Thor: "Re: Fw: Serious Security Issue in Windows XP SP2's Firewall"
- In reply to: Thor: "Re: Fw: Serious Security Issue in Windows XP SP2's Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Thor <thor@hammerofgod.com> Date: Wed, 29 Sep 2004 10:49:34 -0500
On Tue, 2004-09-28 at 13:59, Thor wrote:
> > Design Flaw #1: While the approach to determine if the PC is used at
> > home or in a corporate setting (domain membership) seems like a sensible
> > way, the fact that it is treating all interfaces as equal is not.
> Sure-- but remember- [...] Regarding the RAS adapter dialing into the
> Internet, in that case, F&P would not be bound in the first place
> (when the connection was created).
I guess that's a well deserved black eye for me to take for not
realizing that this default does treat interfaces as ...uhm... not
equal. I shall concede that point to you.
(BTW: How are existing RAS interfaces treated during upgrades? Are F/P
bindings removed?)
> > Design Flaw #2: Multiple policies conflict in interface protection.
> Not really "multiple policies" conflicting... It is an updated policy
> replacing existing policies at install time-- there aren't 2 at the same
> time... It's very easy to check out what settings are implemented for the FW
> in general, and for each individual adapter...
hmm... I'm confused. But perhaps I should drive the car before junking
it. I don't have XP around to see how these two policies present
themselves to the user. My concern is that there are settings in one
place and settings in another, but no means to see the effective,
combined settings in a single dialog. All too often offer systems
immense capabilities for configuration (may I use the word
configurability) only to leave the operator/user lost in all those
choices. As I was saying, a simple and coherent configuration model
helps security greatly.
Perhaps you, Tim, could send me a screen shot with the dialog box that
shows the current FW policy settings on an interface (or a link to a
demo version of XP). Until then I only concede half a point ;)
> I really should have been more clear about that- it sounds like "mitigating
> factors" junk..
> I wasn't trying to sugar coat it-- I was directly responding to the claims
> in the article where they said "world readable, no password access" etc...
Oh, okay. I didn't know the article was talking about accessing the
systems. I thought the issue was that the ports are unfiltered and
exposed. Perhaps I need to re-read that article.
> There is only one policy- everything is blocked, and you open what you need.
> I think some of the other posts may have confused that, but it really is
> pretty easy...
Ah, I see. Good. Easy is good. Not just for lamers like me :) but if a
system is made easy to configure and use, then there are less threats to
the security of that system. I'll make sure I have a copy of XP in front
of me before I yell again... ;)
Later dude.
Frank
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Thor: "Re: Fw: Serious Security Issue in Windows XP SP2's Firewall"
- In reply to: Thor: "Re: Fw: Serious Security Issue in Windows XP SP2's Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
