SP2 vulnerability ?

hi all,

i was browsing through my registry when i've found the following key:

Quote:

---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\

---

the values in this key are:

Quote:

---

REG_DWORD AntiVirusDisableNotify 0 or 1
REG_DWORD AntiVirusOverride 0 or 1
REG_DWORD FirewallDisableNotify 0 or 1
REG_DWORD FirewallOverride 0 or 1
REG_DWORD UpdatesDisableNotify 0 or 1

---

i think this might be interesting to people who want to disable a firewall remotely without the target owner knowing it ;)

better keep this key in mind!

lol, MS Security Center is a joke anyway. the name itself is an irony. i disabled mine, and stuck wid Norton. atleast i have more control with my Norton systems.

You can't disable a firewall by changing those registry values... all it does is turn off the Security Center notifications that you don't have a firewall, not turn off the actual firewall.

Those keys come in handy if you have a firewall or AV installed that isn't recognized by the Security Center.

Quote:

---

You can't disable a firewall by changing those registry values... all it does is turn off the Security Center notifications that you don't have a firewall, not turn off the actual firewall.

Those keys come in handy if you have a firewall or AV installed that isn't recognized by the Security Center

---

i know, you have the option to turn off the alert in the security-center yourself, but this is a bit hard if your on a remote system, and what i meant, since there are other ways to turn of the firewall through the registry, this keys allows you to make sure the user didn't get notified...

p.s. the link in "other ways" will only work if you have a login..

Hah... I thought you were thinking you could turn off the firewall itself by changing those values.
I don't know if that's really a vulnerability, though... I don't see any other way to "fix" this, unless MS would make it impossible to turn off the Security Center (which would have to mean that unsupported firewalls/AV wouldn't run anymore without constant pop-ups).
And wouldn't that also mean that every firewall out there is vulnerable because you have the option to shut it down?
And it's still an extra step to take compared to XP without the Security Center...
Just some thoughts :)

You can turn the fireall by registry key! I have the registry key at job but not on this PC... I'm looking at my registry now..

5 Mins later! Here we go! This is for Xp Home... Might be different for XP Pro

Quote:

---

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

---

SDK > The question was how is being able to turn off the Security Center's warnings a vulnerability?
Your registry key doesn't do anything on my machine, btw... is this to turn off the internal firewall?

Well, the biggest vulnerability in security-center is that it makes people believe that it is save, while at the same time you have this kind of options..

if you would run just a firewall from a third party vendor, you would be a lot safer, since they don't usually have registry settings turning the firewall on or off...

Negative> can you speak dutch? that's nice to know ;)

Lepricaun > I'm Belgian ;)

that explains a lot!

and i thought you came from texas, i don't believe they have a place called "texas" in belgium :D

Well, it's nice to know...

Quote:

---

Sure, blame both the software and the vendor when people never place file/sys auditng and policies over their systems... blame everything except users when folks accept downloads from random people and do everything with full admin privileges. How is the ability to disable things in relation to AV or firewall software new, inginuitive, or original at all? It's been done before... mention an M$ product, and all of a sudden people actually care now?

---

the only thing i hate about this, is that microsoft SAYS it is safe, and that so much other events in the past have proven that windows isn't that safe...

but suppose i would write a script disabling the default firewall, and disable the notification of it, i know exactly what to do, since it is the same in every windows XP sp 2 system (no need to find out what firewall is running). and then use the bug that is found recently which allows me to access the netbios shares through the firewall, and put that script in startup. then next time the system boots up (2 times to be exact). the firewall is gone, and the user never noticed it. Complete system is open to attack!

that's what i hate about microsoft, the false feeling of safety they give you...
because most users don't participate in a security forum and don't even know what an IP adress is, and that is exactly the kind of people that are vulnerable to this flaw.

They give off a false sense of security therefore, you and millions of other people complain about M$ and the OS even though you run XP along with alot of the products? Gee uhhh, yeah, whatever...

It sounds like a bad joke at first but how many mindless Fother Muckers does it take to click update when MS goes as far as flashing things on screen and haveing to remind people how stupid and ignorant they are, how many of them does it take to screw in a light-bulb, or better yet... wipe your ass. Clearly it takes alot of Fother Muckers out there to accomplish even the most minor things.

The security centre is suposed to monitor the state of AV Firewall apps, Afaik, at least with Norton it asks you wether to allow the security centre to monitor. This must mean that the security centre access the app involved in some way at least. Norton doesn't recomend you allow this.

If you assume that Norton is vulnerable and the security centre is also vulnerable by allowing the security centre to monitor norton, you have just doubled your exposure.

Just some abstract thoughts.

Quote:

---

Originally posted here by Negative
SDK > The question was how is being able to turn off the Security Center's warnings a vulnerability?
Your registry key doesn't do anything on my machine, btw... is this to turn off the internal firewall?

---

If I change the EnableFirewall Key to 0, it's turn the firewall off (By looking at Security Center and Firewall Icon from Control Panel). Putting back the value 1 turn the firewall on again!

XP Firewall can be configured by Active Directory (I had to be for IT Administrator) so it had to be registry base!

Quote:

---

Originally posted here by SDK
If I change the EnableFirewall Key to 0, it's turn the firewall off (By looking at Security Center and Firewall Icon from Control Panel). Putting back the value 1 turn the firewall on again!

XP Firewall can be configured by Active Directory (I had to be for IT Administrator) so it had to be registry base!

---

negative PM'd me about this, and i gave him all i knew, he is going to try it out, but like i said to him too, i'm not sure if it is clever to post all the info here, since it may be read by people wanting to take advantage of it in the wrong way...
i told him i'd let him decide, so thats what i will do, but if my info is correct, it would be pretty easy to abuse this knowledge ;)

This information I gave here can be get from Regmon utilities from SysInternal in 2 mins. If you know how to read ADM file, it’s written in there also for XP Pro.

If I could find this information, a black hat can find this information in 2 mins also! I prefer to share the full disclosure that to hide the information for myself.

So be warn Antionline User, Windows XP SP2 Firewall can be disabled by a simple REG file!!

Quote:

---

If I could find this information, a black hat can find this information in 2 mins also! I prefer to share the full disclosure that to hide the information for myself.

---

i'm not talking about black hats, i'm talking about skiddies...
of course with a little research anyone can find it, but why help a skiddie by giving him al info in one place, perhaps even include the script so he can start of right away...

i suggest (if negative agrees), to post this in the addicts forum, so at least not everyone can find that info ;)

A script kiddie won't program a malware that is able to deactivate the XP Firewall. If he do, he's a true hacker :)

All of that stuff doesn't work on my box (XP Pro SP2)... SDK's registry key doesn't seem to do anything...

Feel free to post it wherever you want :)

well, thats strange, why wouldn't it work? i now have to find it out for myself ;-)

Check this key for XP Pro... It's probably different for XP Home and XP Pro.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001

It might