Re: forbidden a programme under WinXP2
From: Pete (Pete_at_pete)
Date: 03/29/05
- Next message: Backup: "Re: block a user from deleting their temp internet files"
- Previous message: Noemi: "Sharing Encrypted files"
- In reply to: Steve Clark [MSFT]: "Re: forbidden a programme under WinXP2"
- Next in thread: Malke: "Re: forbidden a programme under WinXP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Mar 2005 15:04:39 -0600
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:OInLw0JNFHA.244@TK2MSFTNGP12.phx.gbl...
> I suggest reading our hardening guides which are targeted for the IT Pro.
Ok. Sounds fair. {One would hope that the IT Pro already has. :-) }
>
> For the home user, I recommend consulting the appropriate center on the
> microsoft.com/security site for specific recommendations and articles
> designed for the home user.
Ok, but where on http://www.microsoft.com/security/default.mspx does the
"average home user" find out about blocking applications with a firewall?
You had such a strong opinion on "a dangerous, and ill-informed
recommendation" yet you are extremely vague with your own recommendations.
Please be more specific.
>
> Also, since I replied *after* the post in question, it *should* be assumed
> to what I mean (i.e., that one read the thread I replied to). NG's have
> been that way for at least 11 years now...
*All* NG's or the MS NG's? I thought the acceptance of top-posting was an
informal thing here on the M.P.x.x's.
And (back on topic) I thought that the response to use a 3rd party firewall
(without worrying about the specific ports in question) was useful and
effective. The use of IPsec filters with the limited information from the OP
was way over the top, IMO. I like keeping it simple.
ttfn,
Pete
>
>
>
> "Pete" <Pete@invalid.com> wrote in message
> news:uOn3ykJNFHA.164@TK2MSFTNGP12.phx.gbl...
> > Steve Clark [MSFT] wrote:
> >
> >> That is a dangerous, and ill-informed recommendation.
> >
> > Since you top-posted, nobody can be sure to what you are referring. We will
> > assume.
> >
> >>
> >> While it is true that the current version of WF does not support outbound
> >> filtering, it is NOT considered "best practice" to just "forget about
> >> mucking about with ports".
> >
> > Where exactly did you quote "best practices" from? This wasn't a thread
> > about best practices. I read that as use a third-party firewall and don't
> > worry about specific ports since there is a specific application in
> > question.
> >
> >> Using IPsec filters, I can control inbound OR
> >> outbound behavior. Having said *that*, I will also acknowledge that this
> >> is not something that the average home user would feel was within their
> >> remit or experience to configure.
> >
> > So what are you trying to say? You can't have it both ways. At least offer
> > something the average home user can use. Is it in your opinion that the
> > average home user should "mess about" with specific ports?
> >
> >>
> >> 3rd party firewalls are not some panacea: defense in depth operates under
> >> the premise that multiple controls exist at multiple layers.
> >
> > There was no claim that third-party firewalls are a panacea. Is it the
> > phrase "third-party" that's bothering you?
> >
> >>Therefore, we can use a 3rd party firewall, but not at the expense of other
> >>controls (such as IPsec filters).
> >
> > In your own words, this isn't a viable option for the average home user.
> > What do you suggest?
> >
> > --
> > Pete
> >
> >>
> >>
> >>
> >> "Malke" <noreply@invalid.com> wrote in message
> >> news:%23XvbHSGNFHA.568@TK2MSFTNGP09.phx.gbl...
> >>> lecter wrote:
> >>>
> >>>> There have a standalone Windows XP sp2 computer.
> >>>> I want to forbidden a programme to visit net.
> >>>> This is a copy-paste-and-run programme, it need not to register.
> >>>> So a limited account, even a guest account can run it without the
> >>>> administrator account to install it!
> >>>> I think I can install a firewall to close the port the programme
> >>>> use.
> >>>> Does WindowsXP can accomplish this itself?(such as some security
> >>>> policies...etc)
> >>>> BTW, can I delete the administrator account ? I delete the
> >>>> administrator account, but, as I log in in security mode, there still
> >>>> have administrator account there!
> >>>>
> >>>
> >>> 1. A third-party firewall will block any program you wish to refuse
> >>> network access. ZoneAlarm and Sygate have firewalls that are free for
> >>> personal use. The Windows Firewall will not meet your needs. You do not
> >>> need to mess about with ports - just deny that particular program
> >>> access with your third-party firewall.
> >>>
> >>> 2. You cannot delete the Administrator account, nor should you want to.
> >>> You will break your operating system. Leave it alone.
> >>>
> >>> Malke
> >>> --
> >>> MS MVP - Windows Shell/User
> >>> www.elephantboycomputers.com
> >>> In Memoriam - MVP Alex Nichol
> >>> The world is diminished without him.
> >
>
>