-
February 26th, 2004, 11:27 PM
#31
Mittens: lol. "Read the ****ing Whitepaper"
I went back and reread your first post, I am still looking for a link to a whitepaper though, you did post a link to it right, come to think of it, I didn't even see a mention of a whitepaper in your first post? or was your post the whitepaper? I suppose I should just go "google" for windows xp service pack 2 whitepaper right?
Use google, yes, or better yet the direct link to the white paper in my white paper subpost.
There is a problem with the current version of ICF, in that when enabled, it causes issues with Outlook and Exchange. The bottom line is, unless outlook initiates a conversation with exchange, the traffic from exchange is denied, therefore users get no notification that they have new mail, nor does any new mail appear in their inbox, unless the user takes some action which causes Outlook to make a request to exchange, such as, changing folders.
The current ICF is horrible, disgusting, and limited. The ICF before SP2 was a nightmare for all admins and usually disabled with a snicker. What you will like about ICF is it now controls outbound and inbound, instead of just inbound. This means you can configure a service, a port, a protocol, or even a program name to have access in and out according to the ruleset you define. Much better than the original ICF, and quite literally like how Zonealarm handles their rulesets. This means too that if an app is caught trying to access the net that is not defined in the ruleset, ICF will now alert you for permission or denial. SP2 makes the most changes and upgrades to the ICF, since they knew how much people like you and me hated the crippled version.
Problem is, from past experience, there are many times when Exchange initiates communication to the client, for example, when a user receives new mail, also, from my current experience, the ports used by exchange to communicate with outlook is a dynamic range, it is not always the same one, like for example, everyone knows that port 25 is smtp, with the communication between exchange and an outlook client there is no one port (although a number of your standard windows type ports are used for "control" or initiation purposes) there are lots of different ports that could be used.
See above response. Since we can define program name, protocol, and service it allows much more control. And since ICF now does inbound and finally outbound checking, the clients connecting to the exchange server should be a piece of cake. In theory of course, this isn't the final release of SP2 so who knows. I am hopeful though 
So, I guess after all that, my question is the same as it was before I went back to re-read your post.
It is. And I thank you for reading and coming back with a learning frame of mind. Before, things seemed rather "prove it!" than question/answer, so I am glad we can take a step back to explain and understand. My thanks for your patience.
Does the new version of ICF work properly with Outlook and Exchange? Does it recognize seemingly unrelated traffic (from a tcp/ip standpoint) as being legitimate traffic going from exchange to the outlook client?
See my above responses to you on ICF outbound and inbound control. In short, yes it does work properly (tested with outlook)
If it does not recognize that traffic, that means I have to create additional rules to specifically allow that traffic, not a problem, been there before, but, I do not seem to see a way of allowing a specific IP address to access the machine which has the firewall. I see, allow access to a port, from either everywhere, or local subnet. I do not want to allow all, to the machine, nor do I want to allow local subnet to the machine, I want to allow exchangeserver.example.com to the machine, or more properly 172.X.X.X. Allowing local subnet kind of defeats the purpose of this firewall in the first place (except maybe for laptops, as I said previously) because they are already protected quite well from the outside world, the point of using this firewall would be to prevent a worm or other internal danger from accessing this user's machine, assuming that someone has managed to successfully plug an infected laptop into our internal network.
Understandable, and even if the Exchange server goes a bit nuts (which it shouldn't, testing went perfect) you can fine tune that ruleset and even put them in a profile. This means people using laptops remotely could use the laptop profile (for different security settings) than the internal nodes would use.
Since I have now made an effort to educate myself and make "informed decisions", can you please please please answer the question.
I think I pretty much answered the question in the first part of my reply here, in regards to ICF now having outbound and inbound control, on much more fine tuned rulesets. However, if any questions remain, don't hesitate to ask
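For the scope question raised in this exchange (allowing only the Exchange server's address rather than the whole local subnet), here is an added example of how the firewall that shipped in the released XP SP2 (renamed Windows Firewall) exposes that through `netsh firewall`. This is not from the thread or from Microsoft's documentation; the Outlook path and the 172.16.0.5 address are constructed placeholders.

```batch
:: Added example (not from the thread): scope an Outlook exception to a single
:: Exchange server address. Constructed values: adjust the program path and
:: replace 172.16.0.5 with the real Exchange server address.

:: A program-based exception follows whatever dynamic RPC ports Outlook and
:: Exchange negotiate, so no fixed port list is needed. scope=CUSTOM with an
:: explicit address list is the "only this host" option the thread was missing.
netsh firewall add allowedprogram ^
    program="C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" ^
    name="Outlook (Exchange server only)" mode=ENABLE ^
    scope=CUSTOM addresses=172.16.0.5

:: Keep the broad local-subnet exception for file and printer sharing off on
:: this workstation, since that would undo the point of the per-host rule.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

:: Verify which programs are open and from which addresses.
netsh firewall show allowedprogram verbose=ENABLE
netsh firewall show state
```

The same `scope=CUSTOM addresses=...` form is accepted by `add portopening` and `set service`, so a per-host scope can be applied to port and service exceptions as well.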
-
February 26th, 2004, 11:29 PM
#32
Ah.. that'd be RTWP or "Dammit Jim, RTFngWP!!"
-
February 26th, 2004, 11:49 PM
#33
Member
Ok, maybe it was I who was acting the @ss here, then again, font doesn't allow much in the way of clues to how someone really means something, no non verbal clues here.. Haven't been having the best day today, oh well.
If I may, what version of Outlook and Exchange did you successfully test, 2003? Any idea if it will successfully work with older versions, 2000 specifically, as circumstances outside of our/my control prevent upgrading.
-
February 26th, 2004, 11:55 PM
#34
No need to apologize, as it is behind us and a part of the past. 
I am testing Outlook Express 6 (6.00.2900.255 xpsp_sp2_beta1.031215-1745), and emulating the connection a 2003 Exchange server would be doing. How? Asking a friend of mine to request data held by my netcat, and then vice versa. Sure it is only an emulation, but I have a good feeling that a field test would perform just as well (I don't have exchange 2003 on me). I say, test the patch yourself on your home computer. See for yourself if interaction and ruleset control is going to help or hurt the connectivity with the exchange servers. I don't see why it shouldn't work with 2000, as it is still connection based and not version based, though. PM me if you are interested in beta testing it, and tabich, I will more than happily get you set up to do a test run on your home computer if you have XP pro installed (and a legal copy of it)
Sometimes first hand experience is the best testing method.
-
February 27th, 2004, 12:02 AM
#35
Senior Member
re: Pooh Sun Tzu and sp2
Thanks Pooh for posting both the whitepaper and EULA. I'm going to review them in depth later tonight.
The only additional comment i have at the moment is in response to your statement:
And even then, since I only run legit software, I don't have anything to worry about.
Whilst I agree that TCG won't be forced on us, i do disagree respectfully that we all have something to worry about in regards to NGSCB/Palladium and the legislation that a.) has already been enacted to support DRM (chiefly, the DMCA and IRP directive in the European Union) and b.) proposed bills such as the CBDTPA. Although the CBDTPA apparently has died and Hollings plans to retire this year, I think we'd be naive in believing it won't be reborn yet again...
But i digress...I'm drifting from my point:
We should be concerned as a community i believe b/c the TCG initiative prevents interoperability between TCG-compliant and non-TCG-compliant platforms. Run all the legal software you wish, but you won't be able to open up my Dia diagrams in your TCG compliant Visio. And I agree Pooh that sp2 is opt-in patching...but what if your patched sp2 system won't interoperate with content borne from non-patched systems? I don't think such a comment is far off base either...MS has made specific statements that speak to specific apps breaking post-sp2, although I'm sure this will be corrected by "gold" release.
I'm obviously jumping forward a little, but I believe sp2 is setting the foundation (or at least a piece of the foundation) for this.
Anyway, thanks for the exchange Pooh. If anyone feels i've unintentionally hijacked this thread; apologies. I'd be happy to go U2U to continue...
Cheers,
<0
-
February 27th, 2004, 12:12 AM
#36
I agree with lessthanzero, as this may be the starting platform for TCG. However, I welcome it. Whoa whoa, before the flames kick in allow me to explain.
Mac does not run on x86 hardware, and most likely never will. Why is that? Because they have decided to stick with what they know works, what works best for them, and to fine tune and handle with those specifics. It means less time worrying about hardware incompatibilities if you made the hardware specifically for the OS, and more time worrying about getting the most out of the OS.
So while we may lose compatibility in future Windows releases, I want to accept the possibility that Microsoft may be eventually taking an OSX route, and founding their OS on their own hardware. Sure, that eliminates configurability, but in a business and OS perspective there are a ton of advantages. I won't list them all here for the sake of time, but just some leeway long enough to consider it. This of course doesn't mean we should boycott Microsoft if it does this, but instead applaud it.
While configurability may be the primary concept people go after, we have learned that Linux is the primary focus of that concern. I think we can see a pattern here. Once a company can fully grasp what its primary concern is, they branch off so they can worry and deal with that alone. Mac for example, has a primary focus on being gorgeous, fast, and a primary design workstation. Microsoft has a primary concern of balancing usability with security. That focus may take them to their own hardware. Should we scream at them for it? Not unless you want to scream at Mac too.
So I agree with you, but try to see it in a different light.
-
February 27th, 2004, 12:15 AM
#37
Mac for example, has a primary focus on being gorgeous, fast, and a primary design workstation.
MWAHAHAHAAHHA... sorry. This statement made me chuckle given the speed issues the SO and I have had with his G4 Blue box and OS X (pre-Jaguar). Mac OS, even with its specific hardware platform, does not always result in speed. 
Anyways... carry on.
-
February 27th, 2004, 12:17 AM
#38
-looks at Mac G5 benchmarks- Then he must have been doing something wrong.
http://www.njfcpug.org/Pages/Reviews/G5.htm
http://apple.slashdot.org/apple/03/0...id=126&tid=181
but again, no reason to make fun of an OS. "If you can not help..."
-
February 27th, 2004, 12:23 AM
#39
Senior Member
no flames here Pooh Very well stated opinion.
I too welcome trusted computing- some of the benefits and tech. innovations could be staggering. I just don't particularly care for a.) the government collusion and b.) the possibility for abuse once the power structure is in place.
Cheers,
<0
Ego is the great Logic killer
-
February 27th, 2004, 12:24 AM
#40
Well put and agreed