Re: Client End Firewalls

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 10/19/04

    Date: Tue, 19 Oct 2004 14:31:56 +0200
    To: security-basics@securityfocus.com

    On 2004-10-18 GuidoZ wrote:
    > > With Windows 98 you're doomed since you have to rely on the users
    > > not making mistakes :(
    >
    > Yeah, I've kinda had the same problem. There are ways to apply
    > policies and such (poledit), which is helpful though. I've used this
    > successfully to thwart some curious users.

    That may or may not help, depending on the user's skills. The problem
    with policies in Win9x is that you can't enforce them. Any user who
    knows the way around it will be able to bypass your measures.

    > (A useful write-up can be found here: http://www.zisman.ca/poledit/)
    > Although, in the long run it's still Windows 98. As my father always
    > said, "You can't polish a turd."

    Heh.

    [...]
    > > Services that don't run can't be exploited and thus don't need to be
    > > protected by a PFW. Services that need to be available can't be
    > > protected by a PFW.
    >
    > While this is true, that only applies to the services that I expressly
    > defined as necessary, or shut down. Again I'll remind you that I still
    > have to depend on users in certain circumstances. I've been in there
    > removing Spyware on a weekly basis. Having the Firewall set to allow
    > access to ONLY what I have defined and password protected adds a layer
    > that, again, I prefer to keep in place.

    Point already taken, though with respect to spyware I would rather set
    up other measures like using other browsers and restricting IE to
    localhost and some pages that expressly need IE to work (see other
    sub-thread).

    > I'll also comment on your second statement - you certainly CAN control
    > necessary services with a PFW. You can set up advanced rules and
    > filters to, for example (but not limited to), only allow access to a
    > machine from or to a certain IP#. That way Tom (who found the password
    > on a post-it note) can't be jumping into Jane's network share even
    > though it's open to Bill (who had the post-it note).

    I've seen this one coming ;)

    It is true that the packet filter of a PFW allows you to control
    connections on a per-IP basis. However, you should ask yourself why
    users need to share folders on their desktop PCs anyway. IMHO a central
    file server would be a much more reasonable approach (think about
    backups, too).

    Don't get me wrong, I'm not totally against host-based packet filtering.
    In some cases (like notebooks that get connected to various networks
    inside and outside your company) it is indeed very useful. I just
    don't see its use for computers that will always be connected to your
    internal network. I prefer a reasonable network setup over software-based
    solutions.

    As a side-note: passwords should never be noted on post-its (or their
    like) and users should be educated about this. But you already know
    that, right? ;)

    [...]
    > > Well, you don't always have to have a Checkpoint or Cisco. A small
    > > packet-filtering router (or a Linux|*BSD box) may very well suffice
    > > and are a lot cheaper.
    >
    > This is true. I've run Smoothwall a few times as a test and it's
    > worked quite well. There are still some minor kinks that I've yet to
    > solve through forums, lists, and Google. Maybe I'll run them by you
    > off-list. =)

    Feel free to do so, but don't expect too much from me. Though I have
    some experience with iptables I'm far from being a professional.

    > > [1] http://www.luckie-online.de/programme/UserManager/index.shtml
    > > [2] http://www.fajo.de/portal/index.php?option=content&task=view&id=6
    >
    > I've seen #2 before, though I haven't really given it a test run.
    > Thanks for the reminder. As for #1, is there an English version?

    AFAIK not. I mailed that question to the author and will keep you posted
    on any reply I get.

    Regards
    Ansgar Wiechers

    -- 
    "Those who would give up liberty for a little temporary safety
    deserve neither liberty nor safety, and will lose both."
    --Benjamin Franklin
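As an added example (not from this thread or either of its authors), the per-IP control of a file share discussed above, written as iptables rules for a Linux host: Windows file sharing (NetBIOS 137-139, SMB 445) is accepted only from one trusted address and dropped from everyone else, so a password read off a post-it note is useless from any other machine. The address 192.0.2.10 is a constructed placeholder, and the script validates the address before building shell commands from it.

```shell
#!/bin/sh
# Added example, not code from the thread. Host-based packet filter that
# lets Windows file sharing (NetBIOS 137-139, SMB 445) be reached only from
# one trusted address. 192.0.2.10 is a constructed placeholder address.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
# Checking this first keeps untrusted input out of the generated commands.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for one trusted source. The ACCEPT rules must
# precede the DROP rules: iptables stops at the first matching rule.
smb_rules() {
    allowed="$1"
    valid_ipv4 "$allowed" || { echo "bad address: $allowed" >&2; return 1; }
    echo "iptables -A INPUT -s $allowed -p tcp -m multiport --dports 139,445 -j ACCEPT"
    echo "iptables -A INPUT -s $allowed -p udp -m multiport --dports 137,138 -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP"
    echo "iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP"
}

# With -n only print the commands (dry run); otherwise execute them as root.
apply_smb_rules() {
    if [ "$1" = "-n" ]; then
        smb_rules "$2"
    else
        smb_rules "$1" | sh -e
    fi
}

# Example use: apply_smb_rules -n 192.0.2.10
```

A default-drop policy on INPUT with an explicit ACCEPT for established connections is still needed for the rest of the host; this block covers only the file-sharing ports.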
    
