RE: Interesting thing about ICF and SP2
From: Moser, Scott (scott.moser_at_smead.com)
Date: 10/15/04
- Previous message: Erik Pace Birkholz: "Interesting thing about ICF and SP2"
- Maybe in reply to: Erik Pace Birkholz: "Interesting thing about ICF and SP2"
- Next in thread: Matt Ostiguy: "Re: Interesting thing about ICF and SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Oct 2004 10:46:04 -0500 To: "Erik Pace Birkholz" <erik@specialopssecurity.com>, <focus-ms@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
I noticed the same thing. The solution is to enable/disable the
firewall with Group Policy (local or domain). This removes the local
admin right to turn it on and off, and the script doesn't work based on
my testing.
Scott
-----Original Message-----
From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
Sent: Thursday, October 14, 2004 2:04 PM
To: focus-ms@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com
Cc: Erik Pace Birkholz
Subject: Interesting thing about ICF and SP2
Importance: High
I wrote a script back in 2002 for Internet Connection Firewall (ICF)
called
toggleICF.vbs. The purpose of the script was to turn ICF on and off via
command line. It saved time (fighting through the GUI) when using port
scanners and other security tools. FYI, the script is still available
from
www.SpecialOpsSecurity.com under the Resources, Scripts section.
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html
The only bummer was WMI prompted the user via Win32 popup and asked for
permission before it would activate/deactivate. This made it less useful
for
scripting purposes, but more secure. Here is a reference from a MSDN
page
about the ICF disable method and it clearly states (in the remarks) that
the
user makes the final disabling decision.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics
/inetsharingconfiguration_disableinternetfirewall.asp
Here is the new problem I just found today after finally installing SP2
on
my XP system. I noticed that if you run the toggleICF.vbs script, it no
longer prompts the user via that annoying popup. Albeit annoying, that
little popup did buy some mitigation against the bad guys trying to turn
off
ICF with a script.
Microsoft's new ICF activation/deactivation "process" change has
introduced
a new attack vector for malicious scripts. If my script can be used to
turn
ICF on and off for "good" without requiring user-intervention, then it
can
certainly be done for "evil".
Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
[Cell] 323.252.5916
[SOPS] 888.RU.OWNED
[Email] erik@SpecialOpsSecurity.com
Read Special Ops and mount an assault to eradicate network negligence
today.
www.SpecialOpsSecurity.com
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Erik Pace Birkholz: "Interesting thing about ICF and SP2"
- Maybe in reply to: Erik Pace Birkholz: "Interesting thing about ICF and SP2"
- Next in thread: Matt Ostiguy: "Re: Interesting thing about ICF and SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
