
Thread: zonealarm/win9x logon

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    zonealarm/win9x logon

    anyone know the load order of ZA in win9x...i know in win2k it loads as a service and is already up at the logon box...in win9x...it 'appears' to load after logon...

    the kids leave their game box on running win 9x w/ cable but log off of their desktops to the ms networking uname/pwd dialog....

    does this leave the box in a vulnerable state with no ZA loaded?

  2. #2
    You really do not need a firewall before login. You actually need it when you sign on to the internet. You do not have any remote connections before logon ..hence no threat.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    well...yes...but since the box is on a cable modem, it's always got an ip...which seems to me... makes it vulnerable...or am I wrong...does win9x only pick up the ip when someone logs on...?


    duh...well..i guess i could actually test it myself now couldn't i...i'll nmap it when it's sitting at the logon dialog..



  4. #4
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164


    If you have a DHCP assigned IP to a router which is hooked to the cable modem, it will get an IP address before you log in, because network services (much like unix) are started at boot time. Same thing for static IP addressing which, based on the definitions for your TCP/IP settings, will have information (which may or may not be valid). ZA is more like a service which will be started regardless of whether you're logged in or not, otherwise the box would be vulnerable to internet access without anyone on the machine. If any of this is incorrect, please let me know as this is from what I've found out by digging myself (as the NT "admins" didn't know what really was). Example: look at IIS servers which are infected with Code Red (did I mention my linux box has crossed 7000 hits from infected servers over 3 months?) don't have to have anyone sitting at the console for it to do its dirty work. When you log into win9x, your desktop is updated with systray and such, but that doesn't mean the service isn't loaded already. Maybe I should make a VB program (heaven help me, what the fsck did I just say?!) that'll show load times of services compared to systray updates. But that's really only if I'm considering suicide, hehe...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  5. #5
    Originally posted by zigar
    well...yes...but since the box is on a cable modem, it's always got an ip...which seems to me... makes it vulnerable...or am I wrong...does win9x only pick up the ip when someone logs on...?


    duh...well..i guess i could actually test it myself now couldn't i...i'll nmap it when it's sitting at the logon dialog..


    well Vorlin knows more about it than I do....it seems to me that even if there is a brief period when ZA is not active and the internet connection is..the attacker would have to work fast to do anything. Vorlin, could files and such be accessed before login or would the box only be vulnerable to some sorta DDoS attack? When ZA does load would it then stop the attack?

  6. #6
    Junior Member
    Join Date
    Aug 2001
    Posts
    1

    Windows Registry/User Profiles

    Windows hardware services, such as your cable modem connection, are included in the system.dat portion of the registry. These registry entries are processed on system start up. This can be confirmed by pinging a Windows machine that has not been logged in. It will reply. Software services are included in the user.dat part of the registry. These registry entries are processed when the user logs on as part of his user profile. If you can create one user profile that runs Zone Alarm and another that doesn't, then your fears may be well founded

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    it seems to me that even if there is a brief period when ZA is not active and the internet connection is
    the thing i'm worried about is that the box sometimes sits for hours at the logon dialog...so unless za loads as a 'service' (not really the right way to put it for 9x but...) on boot..it might be vulnerable...

    i guess one could also f8 on start up and 'confirm device drivers' or whatever it's called...might be able to see if the za driver loads on boot...and it's just the interface that loads on logon (ala win2k)or if nothin happens until after logon...which seems to me a scary prospect...

    will check it when i get home...

  8. #8
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Vorlin, could files and such be accessed before login or would the box only be vulnerable to some sorta DDoS attack? When ZA does load would it then stop the attack?
    From my understanding, shares are also processed, but on the user's setup (one shares a drive, the other doesn't) but that doesn't exclude the local drives. I would hazard a guess concerning the vulnerability being limited to a short-access timeframe if ZA doesn't do anything to outside-in connections once it's loaded. That, I'm not sure if it stops anything or not. It'd be great if it did, with rulesets and such so you can allow certain things and deny others. DDoS seems to be the prevalent way for skr1pt kiddiots to go, which is filtered on the fly once ZA is loaded.

    Once again, this is my best knowledge of this, and could be wrong, jaded, miscommunicated, or otherwise full of shite, haha...please correct if I'm wrong (anyone).
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  9. #9
    Okay, I'll add what I know to this conversation - your 9x box, when sitting at the logon, is sharing and acting just like it was on a network. You can leave that machine on the login, go to another and pull files, share, etc. Since you have a cable connection you should be concerned about this. But Vorlin mentioned the use of a router - are you currently using a router for your home network? If so, then the router is probably performing at a minimum NAT. If so, the router would be the only device visible to the outside world; i.e. the outside world can't see that 9x box that is not logged into Windows.

    Okay, back on track now - as far as ZA running before you log into Windows, I don't know for sure; I really don't even want to take a guess at it - I'm not running ZA anymore but when I get home tonight I'll reinstall it and try to check it out to see when it loads.

    Good question...
    - Maverick

  10. #10
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542

    Re: Vorlin

    Vorlin is right

    You can access a Win box when it's still at the log on screen.
    ping, finger, Dos, DDoS...
    shares are processed.

    Try it at home... share a drive on a Win box, log off
    try - with another pc in your LAN - to 'ping' the box or 'net use' the drive; it will work. You can access any shared device on this box when the pc is still at the log on screen.

    I'm testing it right now to be sure:

    ping is possible (ZA does not block until it has been loaded, after logon)
    DoS and DDoS are possible

    -> conclusion this is a security risk.
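
The test posts #3 and #10 describe (scan the box from another PC while it sits at the logon dialog, then again after logon once ZA is up) can be made repeatable by saving both nmap runs in grepable format and diffing the open ports. The script below is an added example, not code from anyone in this thread; the host address, the port list and the two scan files are assumptions, and the sample scan lines embedded at the bottom are constructed for illustration rather than real captures. Only ports nmap reports as exactly "open" are counted, so a UDP "open|filtered" result is deliberately left out of the diff.

```shell
#!/bin/sh
# Added example (not from the thread): compare two nmap grepable (-oG) scans of
# the Win9x box, one taken at the logon dialog and one after logon with
# ZoneAlarm loaded, and list the ports reachable only before logon.
#
# Capture the scans from another PC on the LAN (hypothetical host and ports):
#   nmap -sS -sU -p T:135,139,445,U:137,138 -oG at_logon.gnmap    192.168.1.20
#   nmap -sS -sU -p T:135,139,445,U:137,138 -oG after_logon.gnmap 192.168.1.20
# -oG writes one "Host:" line per target whose tab-separated "Ports:" field
# holds entries of the form port/state/proto/owner/service/rpc/version/.

# Print "port/proto" for every port reported as exactly "open" in a -oG file.
open_ports() {
  awk -F'\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, entry, /, */)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        # "filtered" and "open|filtered" are not counted as exposed
        if (f[2] == "open") print f[1] "/" f[3]
      }
    }
  }' "$1" | sort -t/ -k1,1n -k2,2 | uniq
}

# Print the lines of file $1 that do not occur in file $2 (correct even when
# $2 is empty, which the usual NR==FNR idiom gets wrong).
lines_only_in() {
  awk -v other="$2" 'FILENAME == other { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# Ports answering at the logon dialog that are no longer open once ZA is up.
exposed_before_logon() {
  before=$(mktemp); after=$(mktemp)
  open_ports "$1" > "$before"
  open_ports "$2" > "$after"
  lines_only_in "$before" "$after"
  rm -f "$before" "$after"
}

# Constructed sample scans (not real captures) in nmap -oG format.
SAMPLE_DIR=$(mktemp -d)
printf 'Host: 192.168.1.20 ()\tPorts: 137/open/udp//netbios-ns///, 138/open|filtered/udp//netbios-dgm///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (2)\n' \
  > "$SAMPLE_DIR/at_logon.gnmap"
printf 'Host: 192.168.1.20 ()\tPorts: 139/filtered/tcp//netbios-ssn///\tIgnored State: filtered (4)\n' \
  > "$SAMPLE_DIR/after_logon.gnmap"

# Lists 137/udp and 139/tcp: reachable at the logon dialog, filtered after ZA loads.
exposed_before_logon "$SAMPLE_DIR/at_logon.gnmap" "$SAMPLE_DIR/after_logon.gnmap"
```

Run the two real scans from the LAN side first (the box has its IP at boot, so the "at logon" scan is what an outsider on the cable segment would see), then feed the two files to `exposed_before_logon`; an empty result means nothing answered before logon that ZA later closes off.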
