Windows XP SP2 Firewall API Security Questions
From: SlowJet (anonymous_at_discussions.microsoft.com)
Date: 08/19/04
- Next message: SlowJet: "sp2 Firewall Port Range"
- Previous message: SlowJet: "Connect with the defaults shares c$"
- In reply to: aphyr: "Windows XP SP2 Firewall API Security Questions"
- Next in thread: aphyr: "RE: Windows XP SP2 Firewall API Security Questions"
- Reply: aphyr: "RE: Windows XP SP2 Firewall API Security Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Aug 2004 01:09:50 -0700
If you sell your 8 track and bata vido player I bet you
could get one of those 64-bit 4 banger mobo for your
Linux OS.
>From my breif experence of pop-up about block by firewall.
I don't thing the application decides anthing.
First, standard ports are open by deftult according to
whant is on the system during SP2 install.
Those startard setting are in the firewall exception list
as non deletable (only check box)
When a program trys something, I get a pop-up and it
says ,
Windows Firewall is blocking this. Do you want to
continue blocking Unblock ask me later (or one time
shot)
So what are you talking about?
Windows Firewal has to open the port to let anyyhing in
coming back from a request from in side.
And the port is closed when not being used.
So yes, a program could try to set ports open, but only
if the user does not say keep blocking.
If the program is just listening on a port, it isn't
going to get any response until it tries to send
something out. Then the firewal and user get involved.
That's how I understand its operation.
Tell us how long it takes you to set up a firewall on a
Linux system. i a bit concerned about that. :)
SJ
>-----Original Message-----
>I've been reading over some of the network changes in XP
SP2, and am curious
>about the authorized applications collection. A quick
disclaimer: I'm really
>a linux person, so my experience with the windows
security model is
>incomplete at best. Please pardon my lack of knowledge.
>
>The windows XP firewall now prevents applications from
listening to ports.
>This makes sense, because a number of security
vulnerabilities arise from
>unsecured applications listening where they really have
no business. (I
>personally think that all new outbound connections
should be filtered as
>well, prompting the user for confirmation, but that's a
different matter). As
>I understand it, when an application would like to open
a port for listening
>it contacts the firewall (service?) and requests the
change to be made. An
>alert is displayed to the user providing notification of
the event and
>requesting confirmation. The user can choose to
authorize or deny the request.
>
>If I were implementing this, the firewall itself would
act on the command of
>the user and deny the application's request for an open
port. Instead, the
>users choice seems to be sent back to the application,
which has two choices.
>If the user chose to allow the modification, the new
rules are inserted and
>activated. If the user denied the request, the rules are
inserted (presumably
>for future manual activation) but are not made active.
This takes place
>through the INetFWAuthorizedApplication portion of the
firewall API.
>
>The concerns I have with this method are threefold.
>
>First, it requires that the application properly handle
both types of
>response. Guidelines are provided for how the
application should modify the
>ruleset (for example, by default servers should only
listen to requests from
>the local subnet), but are not required. While this
allows for customization
>in applications with unusal needs, the user's level of
knowledge and control
>is reduced, and the possibility exists for poorly
written or malfunctioning
>applications to perform unexpected actions without the
user's knowledge.
>
>Second, placing the responsibility on the application
*could* mean that an
>application which crashes or malfunctions could leave
it's firewall ruleset
>enabled. I presume there a method to clean up after
this, so it's not much
>of a concern.
>
>Finally, relying on the application to control it's own
firewall priveledges
>seems to counteract the point of enabling firewall
rulesets by default. It
>appears as though any malicious application could simply
choose to ignore the
>user's input and make whatever changes it would like.
While the restrictions
>that a program actually listen on ports that it opens
prevents a rogue
>application from exposing ports belonging to other
services, it still means a
>server could open its own ports without restriction.
Relying on potentially
>malicious applications to control their own firewall
privleges seems like a
>poor way to ensure security.
>
>There was one restriction mentioned that could limit
this: applications must
>run in the context of an administrator in order to
modify the firewall
>restrictions. Unfortunately, most home users under
Windows XP run as
>administrators--the people who could be the most at risk
from malicious code.
>
>Could someone kindly explain the restrictions in place
to prevent this from
>happening?
>
>Thanks,
> Aphyr <aphyr@alt154.org>
>.
>
- Next message: SlowJet: "sp2 Firewall Port Range"
- Previous message: SlowJet: "Connect with the defaults shares c$"
- In reply to: aphyr: "Windows XP SP2 Firewall API Security Questions"
- Next in thread: aphyr: "RE: Windows XP SP2 Firewall API Security Questions"
- Reply: aphyr: "RE: Windows XP SP2 Firewall API Security Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
