Re: Finally, a secure computer

From: Walter E. (wer25@yahoo.com)
Date: 03/17/03 

From: "Walter E." <wer25@yahoo.com>
Date: Mon, 17 Mar 2003 06:06:09 GMT

Hi Karl, thank you for your thoughtful observations.

I am merely offering my comments because I wonder if there is an element of
paranoia in the security aspects of IIS administration.

Of course, a great deal depends on the vulnerability of a system. If the
security at the IBM website is compromised, it is a disaster. If the
security at my "web" is compromised, I merely re-load a clean image or I
reformat and the damage is repaired. Easier to fix than to prevent.

I feel that this is the area that most persons do not pay sufficient
attention to. They spend endless hours and efforts to protect a system that
can easily be repaired if it is ever invaded. The chances of any hacker
invading my system are practically nil because he would not get any kudos
for this accomplishment. Therefore it is extremely unlikely that any hacker
worth his salt would bother with my computer.

Maybe MS would be better served to assign different levels of vulnerabillty
to different types of systems. What is the point in fortifying a system that
is not protecting anything of value? Instead, they insist that the owner of
a tiny system served by IIS or the PWS protect himself with the same
measures applicable to security measures necessary for the Dept. of Defense.
This seems ridiculous.

I installed Zone Alarm. The AVG Port Scan found Port 80 and 5000 open
(because I was running IIS with http). After I installed the XP Firewall
(ICF), all ports were invisible. I ran a port check on 10,000 plus ports (I
forget which site I used). Maybe this has something to do with the nature of
ICF which does not listen on ports but only opens to responses to messages
that have previously gone out through a particular port. Anyway, it worked
fine for my web server.

I have been running IIS fully open for several days now. Just ran my virus
checker and there is no problem.

What you said is true: One can never know what ingenious hackers will come
up with. However, we can only provide reasonable safeguards for our doors,
commensurate with the potential damage. Therefore I am not seriously
contemplating the installation of machine gun nests in the entry area of my
home.

There is a lot of hype, scare-mongering, sensationalism and paranoia in the
field of computer protection. It might be helpful if potential threats could
be evaluated in terms of their relevance to the vulnerability of a system.

Thanks for your kind response

Have a great day

-
Walter
The Happy Iconoclast www.rationality.net
-

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:#MHsRj#6CHA.3400@TK2MSFTNGP11.phx.gbl...
> You've certainly got a good start, though
>
> 1) adding ICF to ZoneAlarm is probably not going to add extra security.
> It's probably better to only run one software firewall [e.g. disable ICF]
> since this is probably untested and unsupported;
>
> 2) you do want to confirm from time to time that your antivirus didn't
have
> trouble downloading updates [I'm not sure about AVG pro, but my AVG
freeware
> antivirus by default only downloads updates once a month, which probably
> isn't enough, and also I'm not sure what happens if the download attempt
> occurs when the internet connection isn't connected];
>
> 3) I don't know which port scanner you used, but usually they don't check
> all ports, just the common ones. There are 130,000 TCP and UDP ports and
it
> takes quite a while to check them all. It may be adequate to just check
> some and not all ports, but sites like www.grc.com just don't check enough
> ports.
>
> 4) Note that both AVG and Zone Alarm can be disabled by trojans or stop
> working for a variety of reasons.
>
> 5) Your configuration sounds pretty secure, though you never know what new
> security vulnerabilities will be discovered later. What's secure today
> might not be secure tomorrow. Also, I would never say that it's
impossible
> for a hacker to get into a system, just that it's unlikely.
>
> You didn't mention patches and hardening checklists. I would really
> consider doing some of these for "defense in depth" in case your firewall
or
> antivirus fails to protect you at some future date.
>
> http://securityadmin.info/faq.htm#harden
>
> While you say that you would never open an email attachment, there are a
> number of ways an attachment could run automatically if you're using
Outlook
> or OE with the preview pane open, or an email could download and run
> malicious code from a web site even if there is no attachment on the
email.
>
> There are other types of attacks that are uncommon, but theoretically
> possible, such as 1) you or your computer is enticed to visit a web page
> containing hostile code, 2) DNS cache poisoning is used to redirect you to
> such a web site; 3) DNS trickery is used to make your AVG software or
> another auto-update software to download and run malicious code from a web
> server masquerading as an update server, etc.
>
> Last, your firewall is only as secure as its configuration. One thing
that
> disturbs me about ZoneAlarm is that the configuration changes dynamically
> depending on whether the computer user accidentally clicks the wrong
thing.
> Any security setup that offers a choice to the computer operator and
relies
> on the human to make the correct decision 100% of the time is IMHO less
than
> 100% secure.
>
>
> "Walter E." <wer25@yahoo.com> wrote in message
> news:Avnca.13848$0r1.1575165@twister.socal.rr.com...
> > I recently switched from win 98 and PWS4 to Win XP and IIS. I was
> concerned
> > about the inherent security problems with IIS. I only use the IIS for
web
> > design and uploading changes to my website.
> >
> > I seem to have resolved the problem as follows: I installed Zone Alarm
Pro
> > plus the WinXP Firewall.
> > I also run AVG Pro virus checker.
> >
> > Now, when I run a port check of my computer with IIS running, I find
that
> > all of my ports are in "stealth" mode, including Port 80. IIS works fine
> in
> > uploading my website.
> >
> > Since my computer cannot be seen from the web, it seems impossible for
any
> > hackers or viruses to get in here. Am I deluding myself?
> >
> > --
> > Walter
> > The Happy Iconoclast www.rationality.net
> > -
> >
> >
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
>
>

Relevant Pages

  • Re: Finally, a secure computer
    ... adding ICF to ZoneAlarm is probably not going to add extra security. ... trouble downloading updates [I'm not sure about AVG pro, ... There are 130,000 TCP and UDP ports and it ... Your configuration sounds pretty secure, though you never know what new ...
    (microsoft.public.inetserver.iis.security)
  • OT: What will he do next?
    ... That was National Security. ... President Bush said Tuesday that a deal allowing an Arab company to take ... Senate Republican Leader Bill Frist urged the administration to ... Ports World, a state-owned business in the United Arab Emirates. ...
    (comp.sys.hp.mpe)
  • Re: Political Analysis of Security Products
    ... > bee collected nor has any evidence of such a backdoor ever really been ... send several packets to ports on the target system. ... be used for booth sides of the security game. ...
    (Pen-Test)
  • Re: Port security, continued
    ... CITING NATIONAL SECURITY, ... WASHINGTON - PRESIDENT BUSH WAS UNAWARE OF THE PENDING SALE ... THE WHITE HOUSE SAID WEDNESDAY. ... EMERGENCY LEGISLATION TO SUSPEND THE PORTS DEAL. ...
    (sci.med.transcription)
  • Re: How you can help
    ... pleased to have you here as I sign a bill that will help protect the ... American people and our ports. ... Homeland Security, Michael Chertoff, for his service to the country. ... appreciate that Senate Majority Leader Bill Frist has joined us. ...
    (rec.gambling.poker)