Understanding the future security of Windows SP2

Greetings,

Recently there was a large topic debating Microsoft's soon-to-be released SP2 patch, which would include many security fixes, changes to the OS, and build in functionality such as firewall configurability. The time has come to put things to rest, and show a few people what SP2 will be doing to help make Windows XP an amazingly secure box with the tools to do it already at your fingertips, while giving a glimps into how secure Longhorn release will be. Dedicated to helping the community see windows security in a fresh light, I became a beta tester for the SP2 release. Bare with me, have patience, and smile at least once during this. Remember, this does not speak of all the security updates and fixes, but it focuses on the primary ones that people are most concerned about. It is time, perhaps, to begin respecting Microsoft's strides to improve the security of it's distrobutions.


Internet Connection Firewall

On by default. What once was a horrible use of firewall technology, has sprung up to the level near ZoneAlarm Pro. This is a huge upgrade in terms of enhanced and maintained security. The ability for Windows to be able to protect itself by default on this level means people will start have to look for different Windows jokes, as the security ones may be phased out and invalid very soon.

- It has it's own specific icon on the Control Panel for much easier access to new users

Control Panel Icon - http://67.166.97.134/misc/sp2/icficon.png

- Default *quick* settings. It allows you to run the fire wall on with your configurations, with total lockdown configurations, or even the ability to still turn it off completely.

Firewall Main Settings - http://67.166.97.134/misc/sp2/icf1.png

- It has advanced firewall ruleset handling and configuration. Making rule exceptions for protocol, port, or program exe name based (or all combined), we can see the possibilities avalaible to this builtin firewall.

Ruleset Control - http://67.166.97.134/misc/sp2/icf2.png

- Profile based settings for multiple connections, save settings to a profile for multiple NIC handling. Windows will also notify you when a program tries to access the internet that is not listed on the ruleset.

Profile Control - http://67.166.97.134/misc/sp2/icf3.png

- Logging options. Moderate ability to log all illegal firewall activity, as well as log legal activity to a logfile.

Logfile Control - http://67.166.97.134/misc/sp2/icf4.png

- ICMP control settings to fine tune how you want ICMP handled.

ICMP Control - http://67.166.97.134/misc/sp2/icf5.png


Internet Explorer Security Enhancements

IE now comes with quite a few features to make browsing much more enjoyable and secure. While the plugin feature is common place in other browsers, don't forget to merely be happy that they did finally put it in IE.

- Pop up window blocking! Built in, and with settings that look strikingly similar to Firebird. Wildcards allowed as well.

IE Popup Control - http://67.166.97.134/misc/sp2/ie1.png

- You can now manage add on's, plug-ins, and features built into IE from 3rd part software not directly related to the IE software.

IE plugin management - http://67.166.97.134/misc/sp2/ie2.png


Outlook Express Security Enhancements

While not overhauled, they have added vital features for Outlook Express in a sense of worm and virus handling. From automatically letting you know when something is taking advantage of your Outlook, as well as the "Block images" selection now to prevent email hijacking. Activated by default, and even though a small feature, it should prove usefull to normal users.

- Quite a few new features, just look at the image.

Outlook Security panel - http://67.166.97.134/misc/sp2/oe.png


Windows Update Security and Management

Another update that isn't large, but useful. More compact, easier to understand and use, the Windows Update process has been cleaned up quite a bit.

- Windows update is now handled differently, with more security and configuration in mind than before. With more choices and information up front, it is easier for admins to decide what patches they want, while allowing uber geeks to learn exactally what the patches do.

Windows Update Control - http://67.166.97.134/misc/sp2/wu1.png

- Much cleaner and easier to understand dialogs

Dialog boxes and interface - http://67.166.97.134/misc/sp2/wu2.png


Automatic Update Settings

Some hate Automatic updates because they want to see what is going on, and not have them automatically installed. Worry no longer.

- Automatic update has been given a slight overhall to give the adminitrators more control over what is downloaded, when, why, and the choice to install or be reviewed first.

Automatic Update Control - http://67.166.97.134/misc/sp2/au1.png



And there you have it. I hope you are looking foward to the official SP2 release as much as I am. This will be a huge milestone for Microsoft, in which they finally figure out the balance between usability, configurability, and security. I wish you all a wonderful day, and may the Tao bring great things upon your path today!

regards,
Pooh Sun Tzu


PS: SP2 will NOT be including any sort of AV software built in. Microsoft tried it, but are far from satisfied with what they want to do with it.

Interesting read that was, although it still doesn't convince me that Microsoft is any better. Just give it time, and there will be another patch for another Vulnebility..
It seems that no matte what they do, there always seem's to be something not quite right with Microsoft products, it's a label with a huge problem. And to be honest i really don't see this improving anytime soon.
Just look at those leaked sorce codes, you can see that there programmers don't have a clue on what there doing. I mean what sort of company would let there programmers right sorce codes, for an important product and let them leaves lines such as (this goes here, well not to sure on that.)
Now how is that meant to convince the public that Microsoft can be trusted, that you can use there Products and not be worried that your box might get infected? Your server won't get taken down due to a Vulnebility?
How can they say that, just look at some of the statistics on the thread that MemorY made, how are the general public meant to trust microsoft? Well i know that i don't, infact i wouldn't trust them with my children.
It just seems that they seem to make one mistake to many, and i can see that in the near future Microsoft will be nothing.

well that's just my 2 cents

cheers
.:front2back:.

Front, have you ever read bugtraq? Ever searched for a *nix security exploit?

*nix has just as many security problems as windows, and patches are made for both. You can not critisize windows for creating patches to HELP security, while Linux does the exact same thing.

You are, however, correct. Microsoft is not any better. Windows and Linux are 100% equal so long as you take the time to learn both.

The leaked source code was incomplete and the beta release of 2000. I don't expect it to be solid code yet. You also can not confirm that it was 100% Microsoft and not tampered for fun by the distrobutor.

And in the same sense, since Linux is opensource... would you dare say that they would suddenly be open to massive bugs and exploits? Open source makes little difference in terms of open exploiting.

MemoryY's thread is also biased, and uses statisics like good old CNN, only to their benifit rather than show both full sides of the story, of both topics.

How can we trust MS? I want to see you crack my box. Enough said. I honestly don't think you understand programming, Microsoft, or how the OS world works as a whole.

It'll be interesting to see and personally I won't pass judgement until it's in production and running. I've seen some ugly Service Packs released (I remember SP6 and Lotus Notes -- UGH!). I think one can honestly say that at least they are addressing the issues rather than ignoring them -- and that in itself is a big step up for MS. They have kept to that promise of putting security first.

While I'm personally happy on Linux I still muck around in WinXP at work. And it still is out there. In some ways, I'm sorta sad that MS is doing all this. Now I can't say to my students when an MS product doesn't work "Just remember.. as long as they maintain it like this, you'll be employed". ;)

I will ask one thing: PZT, where you getting the SP before release? You on beta testing or something?

Well put Ms :D Are the images working fine? Testing the new ruleset and making sure I properly configured that firewall. And yes, I am on the Microsoft Beta Testing Team.

Ah.. so your sorta as biased as Memory then? :D And yes, the images seem to be working fine.

Not, not biased at all, truthfully. Just because I am on the beta testing team does not mean I hold Microsoft in higher regards. I am also a faithful assistant to bugzilla on many projects, as well as a lover of the bugtraq mailing list. You can't confuse an eagerness to learn with zealotry :)

I always see Microsoft and Linux as 100% similar in terms of "Getting it to do what you want to do". Methods are different, but both can accomplish the same. This does mean, I can grow excited for both when one or the other acheives something special. Be it Gentoo finally reaching a solid, unmasked package, or Windows XP SP2 fixing a ton of security concerns.

As a matter of fact, my entire opinion regarding zealotry, and hate towards any OS is well defined and discussed in my tutorial:

http://www.antionline.com/showthread...hreadid=254589

Solo as it may be, there you have it.

"*nix has just as many security problems as windows, and patches are made for both. You can not critisize windows for creating patches to HELP security, while Linux does the exact same thing."

Linux distros announce any security problem straight away. MS dont even acknowledge most security problems until they have a fix to release.

Do you know why? Or did you hear that from someone else? ;)

They fully acknowledge the security holes, but the descision on how to handle them and what information to disclose is a very difficult buisness descision. Linux patches don't have to worry about lawsuits and staying 100% within the limitations of buisness protocol/ethics. Microsoft has a lot to consider when it comes to things like this, and not just themselves. Understanding buisness allows one to see the difference and reason between why Linux can release patches, and then patches of patches, and then patches of those patches, nightly and quickly, versus Microsoft's "hold back information so it can't be exploited by the entire public, solve situation on a coder level, figure out which way to distrubute, calculate side costs to damage or threat to subsidiaries, and then release"


What amazes me though, is that out of the entire post of how Microsoft security is improving, you bypass all of it and focus on a comment I sided out about nix.

"What amazes me though, is that out of the entire post of how Microsoft security is improving, you bypass all of it and focus on a comment I sided out about nix."

It was the bit that caught my eye :)

I`m glad to hear that they are moving in the right direction, or at least one possible right direction. Windows is always going to be bashed about, partly due to users experience with it and partly because they are in the spotlight so much.

As for the features, any improvement over the current internet firewall would be good, I half expected MS to buy Zonelabs or something....IE security enhancements, well pop up blockers are nice, as is the abiltiy to manages 3rd party plugins, but aren`t most of IE's problem IE based? And the rest all look like useful additions.

Although I believe that MS's decision not to release patches has nothing to do with the threat of a lawsuit (to the best of my knowledge no such lawsuit has ever materialised) and is more to do with the business of PR, if you hold of telling anyone about the bug until you have a patch (or nearly have a patch) then you look far better in the eyes of the masses.

In fact, MS's reaction to security is again a PR exercise, and this is where I still think the problem lays, they provide security now due to the bad press they have received in the past couple of years regarding Windows security. There are now several viable alternatives to Windows, so its time to address the security issues and start making a stand. Security is however still not in the culture at MS due to the fact that they are forever bolting security on to an OS that is inherently unsecure (that was a rallying cry to every OpenBSD fan..).

What i would like to see in the future is an OS where security is an integral part, how about Windows Server editions having mandatory access controls in place and behave more like the secure computing platforms (i.e. B Level operating systems). Oh, and do we now have the trusted computing platform to look forward to.....

Quote:

---

In fact, MS's reaction to security is again a PR exercise, and this is where I still think the problem lays, they provide security now due to the bad press they have received in the past couple of years regarding Windows security. There are now several viable alternatives to Windows, so its time to address the security issues and start making a stand. Security is however still not in the culture at MS due to the fact that they are forever bolting security on to an OS that is inherently unsecure (that was a rallying cry to every OpenBSD fan..).

---

Very solid point, and never thought of it that way before in terms of PR being a primary variable. Microsoft may now take a stand because their userbase is slowly catching onto the important of security beyond the call of duty. And I am a flaming OBSD user.

Quote:

---

What i would like to see in the future is an OS where security is an integral part, how about Windows Server editions having mandatory access controls in place and behave more like the secure computing platforms (i.e. B Level operating systems). Oh, and do we now have the trusted computing platform to look forward to.....

---

Then you are going to adore Longhorn release (minus the palladium chip, if they *force it*). It's going to have the base benifits of SP2 release, of course, but with a direct focus towards the auditing process of OBSD. No documentation to prove that, just inside source gossip. Longhorn is going to be a massive leap in terms of security (yes yes, so maybe I've used Longhorn release 4051) and default security. The dream you seek, may be viable in many distrobutions in the future, which will most certainly be including Microsoft Windows this time around.

Good reply :) Thanks for your comments.

This may be all well and good for home users, which will make life a bit better for the rest of us that actually have a clue, but ,How does this help me do my job? Seems to me that it just makes it more dificult.

Having a choice of firewalls and Antivirus due to fair competition is a good thing, will Microsofts, security "improvements" trully be improvements, or have they just decided that they don't like currently available antivirus and firewalls becuase they don't make any money off them, and are going to force those producers out of business by using unfair competition pratices. The availability of these functions internal to windows is a mixed blessing.

Do I have to add even more complexity to our Group Policy's to FIX the problems created by this, and by doing so add more opportunity for someone in IT to make bad mistakes?

Does it BREAK Outlook's connection to Exchange servers like Internet Connection Firewall currently in XP does? Can you disable the built Antivirus?

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

Applications run by a good number of our scientists and engineers require the ability to turn off AV software for certain functionality to work. Matlab for instance.

Seems like all this does for me is make my job harder.

Quote:

---

I will ask one thing: PZT, where you getting the SP before release? You on beta testing or something?

---

MS Mittens, in addition to what Poo has mentions, Microsoft Technet Plus subscription comes with all beta licensed software in current betta construction along with all resource kits etc... Love it. I didn't mention it in the other thread but I am typing this on service pack2. In fact I was looking for the antivirus stuff that was supposed to ship buut then got bored with it. :D

I have given a few plugs for Technet because it's a valuable tool asset to windows administrators and engineers.

Home users? If you are a network admin and you can't realise how this helps easily scale controlled networking abilities.....

Quote:

---

Having a choice of firewalls and Antivirus due to fair competition is a good thing, will Microsofts, security "improvements" trully be improvements, or have they just decided that they don't like currently available antivirus and firewalls becuase they don't make any money off them, and are going to force those producers out of business by using unfair competition pratices. The availability of these functions internal to windows is a mixed blessing.

---

Since the firewall is able to be turned off, don't see the problem.

Quote:

---

Do I have to add even more complexity to our Group Policy's to FIX the problems created by this, and by doing so add more opportunity for someone in IT to make bad mistakes?

---

No.

Quote:

---

Does it BREAK Outlook's connection to Exchange servers like Internet Connection Firewall currently in XP does? Can you disable the built Antivirus?

---

No it doesn't break outlook. And did you read the article? Because I specifically said Antivirus software was not going to be included in sp2

Quote:

---

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

---

So keep the configuration and use the firewall ruleset configuration to allow full access to exchange. Yes, this means read the parent post completely.

Quote:

---

Applications run by a good number of our scientists and engineers require the ability to turn off AV software for certain functionality to work. Matlab for instance.

---

All of these new features (if you viewed the images) can be turned off.

Quote:

---

Seems like all this does for me is make my job harder.

---

That is because you are misinformed, and didn't read the whitepaper

Has anyone examined the hardware-linked security features (NX or execution protection I believe they're calling it...) introduced with sp2?

I cannot help but correlate this with the TCG platform. Sure, there's no "Fritz" chip or encrypted cpu instructions (well, maybe there is...isn't the CPU responsible for NX?), but isn't sp2 a step in that direction? Certainly MS is looking at this from the tortoises' view- slow and steady wins the race- rather than attempting to pearl harbor their user base with TCG all at once.

What does everyone think?


Pooh: does the beta sp2 version have a EULA? I wouldn't mind reading through it if so...or if you could point out any relevant parts i'd appreciate it.

Cheers,
<0

Quote:

---

Has anyone examined the hardware-linked security features (NX or execution protection I believe they're calling it...) introduced with sp2?

---

Very little has been changed in the hardware part of SP2, but it does have beginning structures for the Intel anti-bufferoverflow chip.

Quote:

---

What does everyone think?

---

I think it may not be, or it may be a step in that direction. For now, it's SP2 and not Longhorn, and thus I don't see it getting near Palladium. I also don't see them *forcing* palladium. And even then, since I only run legit software, I don't have anything to worry about.

I'll get the white paper, edit this post, and give you some actual documentation on what SP2 will be doing and fowarding to.

SP2 information links:

Deep, deep review into the components of SP2 :
http://www.winsupersite.com/reviews/...2_preview2.asp

The official Whitepaper :
http://www.microsoft.com/downloads/d...DisplayLang=en

Quote:

---

Pooh: does the beta sp2 version have a EULA? I wouldn't mind reading through it if so...or if you could point out any relevant parts i'd appreciate it.

---

I'll include the EULA attachment to the sp pack here, and thanks for your comments :)

Quote:

---

Just look at those leaked sorce codes, you can see that there programmers don't have a clue on what there doing. I mean what sort of company would let there programmers right sorce codes, for an important product and let them leaves lines such as (this goes here, well not to sure on that.)

---

Have you never seen how almost all AMD and Intel chips have hidden messages incribed into them? I would venture to guess that almost 95% of the code out there has messages and other "easter eggs" hidden in it.

Quote:

---

With the current ICF enabled new messages never appear in your inbox, unless you select another folder, and then reselct your inbox because Internet Connection Firewall does not allow the Exchange server to communicate with the client except when the client originates the request.

---

This is true of all firewalls, so it is not an issue that is isolated to ICF. This is an issue with all firewalls because in exchange when you first connect to the endpoint mapper on port 135 exchange tells the client which ports it is going to use to continue communicating. These ports are usually in the range of 1024 and higher. Exchange does this so that it can have an unlimited of connections at the same time, and not have conflicts between clients. This issue is pretty much resolved by using RPC over HTTP in exchange 2003. Well, it would be resolved if your firewall allows all port80 packets to reach the workstation. If not, the problem still exists.

And if he would have read the article instead of skimming it (obvious), he would have noticed the ruleset configurations can be fined tuned for exchange servers, or any other service.

Quote:

---

MS Mittens, in addition to what Poo has mentions, Microsoft Technet Plus subscription comes with all beta licensed software in current betta construction along with all resource kits etc...

---

I remember TechNet Plus subscriptions when I got it as part of being an MCSE NT. *bah* I wasn't interested in paying for well over $1000CDN for certs and then an additional $1000+ CDN for TechNet on the maybe chance I'd be using it somewhat... Eh. I miss it sometimes but not that much. ;)

Hey Pooh, Check it out. I never understand this. MS is in the process of releasing what looks like a decent SP and then the PR department opens it's yap and, IMHO, makes MS look like idiots!

I don't see how that is any different than what someone can do on Linux patches, sorry :) Check bugTraq and you see people reverse engineer patches and fix releases all of the time for nix based distros.

Oh.. don't get me wrong. I believe that does happen through any OS that releases patches (some more than others). I don't think, however, that it is a correct statement to say that exploits only come out because of reverse engineering and that no Windows system has been taken down by a known exploit (except one). I think that creates a big sense of false security as well as I question how true that statement really is.

Then I fail to see the point of talking about it, unless it's just to "HAHA look AT M$ be dumb!". PR situations can go badly at times, and Microsoft is not exempt. If we brought up bad PR events, we would be here all day in regards to Linus' older days.

Making fun of Microsoft. Making fun of Linux. Neither is needed, and only helps fuel the fire between the haters of both OSes. Companies say dumb things, and sometimes do dumb things (Windows ME, Redhat 6).

As my father said, which applies to OS bashing, and something I try hard to follow:


"If you can not help someone, do not choose to hurt them instead"

But what if those bad PR events lead to poor security? Education of users is a key factor in ensuring good security. Most users do not visit sites like AO or other security sites but rather get their security from local media. And a lot of the general media aren't too "security" savvy either. Misinformation isn't a good thing to produce either. I'll agree that perhaps the "laughing at an OS" may not be the best but I don't think it's corporately responsible for an organization with as large as a user base to put out information that could potentially lead to security laxness and misinformation.

Mr. pooh, or whatever your name is.

You are correct, I did not read the whitepaper. I do not need to read the whitepaper to know that turning something off which is on by default means more work for me.

I am a network admin, and my network works just fine thank you very much. No issues here with ANY worm or virus or hacks in 5 years. My not liking the idea of a builtin windows firewall means nothing about my abilities as a network admin. I can easily understand the added controll this MAY enable, forgive me for being skeptical, not bothering to read a microsoft whitepaper telling me how wonderfull microsofts latest feature is. I am not a fanboi. I will wait to see how it really performs before making a judgement, I was merely asking some questions of others here who had more information, such as yourself, you HAVE used it you say? Attacking someone(i.e. calling into question their abilities) for asking legitimate questions(i.e. calling into question their abilities), which I did, and backing them up with examples, which I did, well .... how much is MS paying you?

Intelligent network design, policy and user education have served us very well for years now, without any HELP from a builtin microsoft firewall.

All the builtin firewall will do for us(except possibly laptops) is break things which work well and securely now. It took lots of tweaking to get everything locked down yet still working adding this new complexity will certainly cause problems.

I have seen your, all losers should upgrade to the absolute latest blahblahblah post, you need to keep in mind that many organizations have to meet requirements for certain aspects of their operation. Those requirements often have certain requirements for what system they run on, this prevents accross the board upgrades whenever Microsoft decides their bank accounts are too low and they decide to release their latest early beta test quality application or OS as a finished product.

MsMittens

And what if they lead to poor security? Whether it will or not, or whether their default security can make up for it in the future... is not for us to decide.

Microsoft will handle their own affairs. And if someone is out of line in the PR with that statement, Microsoft will certainly step in. They did it when ME was released early. They did it when a similar statement was said about 98 SE. Microsoft has a good understanding of PR, I feel, but there are just a few idiots they have hired that never seem to catch on. Errored in life to repeat the mistakes of the people they replaced in the corporation, these people will continue to give Microsoft PR a bad name.

So yes I agree, it was a dumb thing to say. But what about it? What can we do about it, or worry about? Let Microsoft handle it, which will result I'm sure in someone going home with a pink slip :)

tabich

Quote:

---

You are correct, I did not read the whitepaper. I do not need to read the whitepaper to know that turning something off which is on by default means more work for me.

---

Then don't moan and complain when someone says RTFM to your questions.

Quote:

---

I am a network admin, and my network works just fine thank you very much. No issues here with ANY worm or virus or hacks in 5 years. My not liking the idea of a builtin windows firewall means nothing about my abilities as a network admin. I can easily understand the added controll this MAY enable, forgive me for being skeptical, not bothering to read a microsoft whitepaper telling me how wonderfull microsofts latest feature is. I am not a fanboi. I will wait to see how it really performs before making a judgement, I was merely asking some questions of others here who had more information, such as yourself, you HAVE used it you say? Attacking someone(i.e. calling into question their abilities) for asking legitimate questions(i.e. calling into question their abilities), which I did, and backing them up with examples, which I did, well .... how much is MS paying you?

---

If your network is perfect, then why come and complain about SP2? Since you said yourself your network is perfect, you shouldn't need to even worry thinking about SP2.

Quote:

---

Intelligent network design, policy and user education have served us very well for years now, without any HELP from a builtin microsoft firewall.

---

So because everything is perfect, you won't accept a secondary layer of protection? That doesn't make any sense. Well it does, but you never read the whitepaper.

Quote:

---

All the builtin firewall will do for us(except possibly laptops) is break things which work well and securely now. It took lots of tweaking to get everything locked down yet still working adding this new complexity will certainly cause problems.

---

So turn it off. Or read the white paper.

Quote:

---

I have seen your, all losers should upgrade to the absolute latest blahblahblah post, you need to keep in mind that many organizations have to meet requirements for certain aspects of their operation. Those requirements often have certain requirements for what system they run on, this prevents accross the board upgrades whene...

---

You say the same things over and over. If you don't want SP2. Don't get SP2. IF you want the enhacements of SP2 (RTFM) then use SP2. It's that simple. No one is forcing SP2 down your throat, and I don't think you are grasping how important that white paper is

You either need to read the whitepaper to see what the fuss is about, or continue to make uninformed descisions.

I was asking you questions about it in my initial post. You have proclaimed yourself the expert, I asked a few simple questions of a "expert". I never made uninformed decisions. I didnt make a decision one way or the other about it. As I said several times, I was merely asking questions of someone who claims to have knowledge.

You jumped down my throat.

I never said someone was forcing SP2 on me, I asked specific questions about it's functionality, in return I got RTFM, and then answers to several of the questions in one word.

If you are posting here to help out you are certainly doing a poor job of it.

You come and rave about something new and good, I ask a few specific questions and you act like an @ss.

Nice guy.

Quote:

---

I was asking you questions about it in my initial post. You have proclaimed yourself the expert, I asked a few simple questions of a "expert". I never made uninformed decisions. I didnt make a decision one way or the other about it. As I said several times, I was merely asking questions of someone who claims to have knowledge.

---

And I answered all of your questions. Did you see that list of no's? No claiming needed, as I did write the parent post after all.

Quote:

---

You jumped down my throat.

---

Correct. Because you did not come in here with a "hmmm wonder how it works". You can in here with a "Prove to me that I should even care. Oh, and what is this ****** here! That makes my life harder."

Quote:

---

I never said someone was forcing SP2 on me, I asked specific questions about it's functionality, in return I got RTFM, and then answers to several of the questions in one word.

---

Because I will not quote a 100k whitepaper to you. I answered your questions simply, and anything that requires pages of explaination I told you to use the white paper. Stop whining, read the white paper, and get your answers in more complete thoughts.

Quote:

---

If you are posting here to help out you are certainly doing a poor job of it.

---

I created this parent post. What on earth are you talking about?

Quote:

---

You come and rave about something new and good, I ask a few specific questions and you act like an @ss.

---

You came in here screaming about how it was going to ruin your precious network, how it was a waste, and never with the intent on learning. The questions you asked were rhetorical. I answered them anyways. The questions you asked were snobby-"prove it to me!", not questions of actual curiosity.

You have come to the wrong forums to play games. You either ask questions and get answers, or demand proof and give opinions on something before reading a white paper... and get scolded for it.

Quote:

---

Nice guy.

---

I can be, and when you choose to read the white paper and my origonal parent post before makine uninformed descisions on a patch you never read about, I will be again.

RTFW

RTFW? Read The Fine Wall???? :D

OK Mr Pooh,

I went back and reread your first post, I am still looking for a link to a whitepaper though, you did post a link to itright, come to think of it, I didnt even see a mention of a whitepaper in your first post? or was your post the whitepaper? I suppose I should just go "google" for windows xp service pack 2 whitepaper right?

It was a very nice post. The screen captures of various new features was interesting, and the description of the new features available in the next service pack for XP was very usefull.

however, I still have a few questions for an expert.

There is a problem with the current version of ICF, in that when enabled, it causes issues with Outlook and Exchange. The bottom line is, unless outlook initiates a conversation with exchange, the traffic from exchange is denied, therefore users get no notification that they have new mail, nor does any new mail appear in their inbox, unless the user takes some action which causes Outlook to make a request to exchange, such as, changing folders.

I notice in the your post that there are a few screenshots of the firewall, one of those screenshots allows me to select an application from a list and set it to be allowed to send or recieve traffic, so, theoretically I could go there, and enable outlook and everything would be fine.

Problem is, from past experience, there are many times when Exchange initiates communication to the client, for example, when a user recieves new mail, also, from my current experience, the ports used by exchange to do communicate with outlook is a dynamic range, it is not always the same one, like for example, everyone knows that port 25 is smtp, with the communication between exchange and an outlook client there is no one port(although a number of your standard windows type ports are used for "controll" or initiation perposes) there are lots of different ports that could be used.

So, I guess after all that, my question is the same as it was before I went back to re-read your post.

Does the new version of ICF work properly with Outlook and Exchange? Does it recognize seemingly unrelated traffic(from a tcp/ip standpoint) as being legitimate traffic going from exchange to the outlook client?

If it does not recognize that traffic, that means I have to create additional rules to specificaly allow that traffic, not a problem, been there before, but, I do not seem to see a of allowing a specific IP address to access the machine which has the firewall. I see, allow access to a port, from either everywhere, or local subnet. I do not want to allow all, to the machine, nor do I want to allow local subnet too the machine, I want to allow exchangeserver.example.com to the machine, or more properly 172.X.X.X. Allowing local subnet kind of defeats the purpose of this firewall in the first place(except maybe for laptops, as I said previously) because they are already protected quite well from the outside world, the point of using this firewall would be to prevent a worm or other internal danger from accessing this users machine, assuming that someone has managed to succesfully plug an infected laptop into our internal network.

Since I have now made an effort to educate myself and make "informed decisions", can you please please please answer the question.

Mittens: lol. "Read the ****ing Whitepaper"

Quote:

---

I went back and reread your first post, I am still looking for a link to a whitepaper though, you did post a link to itright, come to think of it, I didnt even see a mention of a whitepaper in your first post? or was your post the whitepaper? I suppose I should just go "google" for windows xp service pack 2 whitepaper right?

---

Use google, yes, or better yet the direct link to the white paper in my white paper subpost.

Quote:

---

There is a problem with the current version of ICF, in that when enabled, it causes issues with Outlook and Exchange. The bottom line is, unless outlook initiates a conversation with exchange, the traffic from exchange is denied, therefore users get no notification that they have new mail, nor does any new mail appear in their inbox, unless the user takes some action which causes Outlook to make a request to exchange, such as, changing folders.

---

The current ICF is horrible, disgusting, and limited. The ICF before SP2 was an nightmare for all admins and usually disabled with a snicker. What you will like about ICF is it now controls outbound and inbound, instead of just inbound. This means you can configure a service, a port, a protocol, or even a program name to have access in and out according to the ruleset you define. Much better than the origonal ICF, and quite literally like how Zonealarm handles their rulesets. This means too that if an app is caught trying to access the net that is not defined in the ruleset, ICF will now alert you for permission or denial. SP2 makes the most changes and upgrades to the ICF, since they knew how much people like you and me hated the crippled version.

Quote:

---

Problem is, from past experience, there are many times when Exchange initiates communication to the client, for example, when a user recieves new mail, also, from my current experience, the ports used by exchange to do communicate with outlook is a dynamic range, it is not always the same one, like for example, everyone knows that port 25 is smtp, with the communication between exchange and an outlook client there is no one port(although a number of your standard windows type ports are used for "controll" or initiation perposes) there are lots of different ports that could be used.

---

See above responce. Since we can define program name, protocol, and service it allows much more control. And since ICF now does inbound and finally outbound checking, The clients connecting to the exchange server, should be a peice of cake. In theory of course, this isn't the final release of SP2 so who knows. I am hopeful though :)

Quote:

---

So, I guess after all that, my question is the same as it was before I went back to re-read your post.

---

It is. And I thank you for reading and coming back with a learning frame of mind. Before, things seemed rather "prove it!" than question/answer, so I am glad we can take a step back to explain and understand. My thanks for your patience.

Quote:

---

Does the new version of ICF work properly with Outlook and Exchange? Does it recognize seemingly unrelated traffic(from a tcp/ip standpoint) as being legitimate traffic going from exchange to the outlook client?

---

See my above responces to you on ICF outbound and inbound control. In short, yes it does work properly :) (tested with outlook)

Quote:

---

If it does not recognize that traffic, that means I have to create additional rules to specificaly allow that traffic, not a problem, been there before, but, I do not seem to see a of allowing a specific IP address to access the machine which has the firewall. I see, allow access to a port, from either everywhere, or local subnet. I do not want to allow all, to the machine, nor do I want to allow local subnet too the machine, I want to allow exchangeserver.example.com to the machine, or more properly 172.X.X.X. Allowing local subnet kind of defeats the purpose of this firewall in the first place(except maybe for laptops, as I said previously) because they are already protected quite well from the outside world, the point of using this firewall would be to prevent a worm or other internal danger from accessing this users machine, assuming that someone has managed to succesfully plug an infected laptop into our internal network.

---

Understandable, and even if the Exchange server goes a bit nuts (which it shouldn't, testing went perfect) you can fine tune that ruleset and even put them in a profile. This means people using laptops remotely could use the laptop profile (for different security settings) than the internal nodes would use.

Quote:

---

Since I have now made an effort to educate myself and make "informed decisions", can you please please please answer the question.

---

I think I pretty much answered the question in the first part of my reply here, in regards to ICF now having outbound and inbound control, on much more fine tuned rulesets. However, if any questons remain, don't hesitate to ask :)

Ah.. that'd be RTWP or "Dammit Jim, RTFngWP!!" :D

Ok, maybe it was I who was acting the @ss here, then again, font doesn't allow much in the way of clues to how someone really mean something, no non verbal clues here.. Havent been having the best day today, oh well.

If I may, what version or Outlook and Exchange did you succesfully test, 2003? Any idea if it will succesfully work with older versions, 2000 specifically, as circumstances outside of our/my controll prevent upgrading.

No need to apologize, as it is behind us and a part of the past. :)

I am testing Outlook Express 6 (6.00.2900.255 xpsp_sp2_beta1.031215-1745), and emulating the connection a 2003 Exchange server would be doing. How? Asking a friend of mine to request data held by my netcat, and then vice versa. Sure it is only an emulation, but I have a good feeling that a field test would preform just as well (I don't have exchange 2003 on me). I say, test the patch yourself on your home computer. See for yourself if interaction and ruleset control is going to help or hurt the connectivity with the exchange servers. I don't see why it shouldn't work with 2000, as it is still connection based and not version based, though. PM me if you are interested in beta testing it, and tabich, I will more than happily get you setup to do a test run on your home computer if you have XP pro installed (and a legal copy of it)

Sometimes first hand experience is the best testing method.

Thanks Pooh for posting both the whitepaper and EULA. I'm going to review them in depth later tonight.

The only additional comment i have at the moment is in response to your statement:

Quote:

---

And even then, since I only run legit software, I don't have anything to worry about.

---

Whilst I agree that TCG won't be forced on us, i do disgree respectfully that we all have something to worry about in regards to NGSCB/Palladium and the legislation that a.) has already been enacted to support DRM (chiefly, the DMCA and IRP directive in the European Union) and b.) propsed bills such as the CBDTPA. Although the CBDTPA apparently has died and Hollings plans to retire this year, I think we'd be naieve in believing it won't be reborn yet again...

But i digress...I'm drifting from my point:

We should be concerned as a community i believe b/c the TCG initiative prevents interoperability between TCG-compliant and non-TCG-compliant platforms. Run all the legal software you wish, but you won't be able to open up my Dia diagrams in your TCG compliant Visio. And I agree Pooh that sp2 is opt-in patching...but what if your patched sp2 system won't interoperate with content borne from non-patched systems? I don't think such a comment is far off base either...MS has made specific statements that speak to specific apps breaking post-sp2, although I'm sure this will be corrected by "gold" release.

I'm obviously jumping forward a little, but I believe sp2 is setting the foundation (or at least a piece of the foundation) for this.

Anyway, thanks for the exchange Pooh. If anyone feels i've unintentionally hijacked this thread; apologies. I'd be happy to go U2U to continue...

Cheers,
<0

I agree with lessthanzero, as this may the be starting platform for TCG. However, I welcome it. Whoa whoa, before the flames kick in allow me to explain.

Mac does not run on x86 hardware, and most likley never will. Why is that? Because they have decided to stick with that they know works, what works best for them, and to fine tune and handle with those specifics. It means less time worrying about hardware incompatabilities if you made the hardware specifically for the OS, and more time worrying about getting the most out of the OS.

So while we may loose compatability in future Windows releases, I want to accept the possibility that Microsoft may be eventually taking a OSX route, and founding their OS on their own hardware. Sure, that eliminates configurability, but in a buisness and OS perspective there are a ton of advantages. I won't list them all here for the sake of time, but just some leeway long enough to consider it. This of course doesn't mean we should boycott Microsoft if it does this, but instead applaud it.

While configurability may be the primary concept people go after, we have learned that Linux is the primary focus of that concern. I think we can see a pattern here. Once a company can fully grasp what it's primary concern is, they branch off so they can worry and deal with that alone. Mac for example, has a primary focus on being gorgeous, fast, and a primary design workstation. Microsoft has a primary concern of balancing usability with security. That focus may take them to their own hardware. Should we scream at them for it? Not unless you want to scream at Mac too.

So I agree with you, but try to see it in a different light.

Quote:

---

Mac for example, has a primary focus on being gorgeous, fast, and a primary design workstation.

---

MWAHAHAHAAHHA... sorry. This statement made me chuckle given the speed issues the SO and I have had with his G4 Blue box and OS X (pre-Jaguar). Mac OS, even with it's specific hardware platform, does not always result in speed. ;)

Anyways... carry on. :D

-looks at Mac G5 benchmarks- Then he must have been doing something wrong.

http://www.njfcpug.org/Pages/Reviews/G5.htm

http://apple.slashdot.org/apple/03/0...id=126&tid=181

but again, no reason to make fun of an OS. "If you can not help..."

no flames here Pooh :) Very well stated opinion.

I too welcome trusted computing- some of the benefits and tech. innovations could be staggering. I'm just don't particularly care for a.) the government collusion and b.) the possiblity for abuse once the power structure is in place.

Cheers,
<0

Well put and agreed :)