Re: controling ports
From: x y (jamescagney90210@excite.com)
Date: 06/16/02
- Next message: Nigel Kitcher: "Re: Installation of new 'automatic update'"
- Previous message: Alix: "EFS: Can't encrypt file"
- In reply to: pat: "Re: controling ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Sun, 16 Jun 2002 16:04:39 -0400
"pat" <hobo@speakeasy.net> wrote in message
news:ugo6rbbi4l5kc4@corp.supernews.com...
> I am exploring how to control outlook from executing java among other
things
> with ie security setting. Any thoughts?
Oh, OK, that can be done. I thought from your first post that you were
asking about IP ports. I'm not aware of any way to block what IP ports java
or active-x code can use [besides packet filters]. One thing I recommend is
searching support.microsoft.com for instructions on how to run Outlook in
the "Restricted Sites" zone. I believe many of the other settings can be
found in IE under Tools, Options, such as editing the settings of the
internet zones. IE6 seems to add a lot more granularity in various places
under Tools, Options. If necessary you can roll out these settings to other
PCs using group policy and/or using .reg files or the IEAK. Personally some
of the IE settings the experts advise cause too many popup messages and
broken page functionality for my liking, so I tend to not use all the
settings that are advised.
> A packet filter will not achieve what needs to be done. Personal firewalls
> are dangerous alpha/buggy products at best that do not do the
job.....period
> (IMHO). I agree with your point on ipsec filters BUT I trust MS code a
whole
> lot more than any of these "free personal firewalls" code hacks with or
> without logs. Their commercial versions are feature oriented and come with
> support...but they do not say anything about curing the security holes and
> screwy code of their twin free versions.
I've been using Sygate on multiple machines and have been pretty happy with
it. A trojan file run on the local computer could disable Sygate, Tiny, OR
Win2000 ipsec filters. If win2000 ipsec filters had logging, I would use
them. But they don't, so I don't. An external firewall device is probably
better than either of those, it all depends on your security needs.
> In any case trojans are not my true concern here. Tunneling and imbedded
> rogue scripts are. Case in point I do not want outlook opening port 80 and
I
> do not want ie opening port 25. I could go down a whole laundry list of
> don'ts for exe and ports. I am sure that the port opening behavior of
these
> programs and others can be customized in the reg. in someway.
I do still believe that controlling what IP ports outlook or IE open is best
done by a packet filter, either by using windows 2000 ipsec filters [not my
favorite due to lack of logging], personal firewall software or an external
firewall device. I'm not aware of any way to block use of specific IP ports
by script code in either outlook or IE, and if there was, that setting
probably wouldn't apply to all the malicious code that could be delivered
and spawned by those programs. It certainly wouldn't apply to, say, an
executable worm file such as Klez that is attached to an email with
malformed headers to make the code automatically launch. Such a trojan
could attempt to use any port it wanted to, unless you've got some packet
filtering. If I'm wrong, someone else can pipe up.
- Next message: Nigel Kitcher: "Re: Installation of new 'automatic update'"
- Previous message: Alix: "EFS: Can't encrypt file"
- In reply to: pat: "Re: controling ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
