Is Microsoft's Firewall Secure?

[Palemoon]

And I am going to bed....have to get some sleep and what has M$ not introduced that has not become part of their OS? Remember Bill is a few years younger then me and well I think he has a thing for Console Stereo's those huge hunks of stuff that became usless if the radio quiit or worse yet the damn turntable for the LP. For the young ones an LP is a hunk of black plastic about 12 inches around and is black called vinly the old way music was played my 9 year old son had no idea the 19 year old bout an old turn table and dug out the old albums...humm Doors...Think Green House...old factories....Windows...a child can break a window...Nite everyone until next time I have time to post or read

[Negative]

What shocked the piss out of me...is when I installed sp2 on a box on a domain today..and it allowed file and print sharing through the firewall, from ANY source by default. It didn't even restrict it to the local subnet. Now that's scary.

I think I still have the RC2 and not the alfa, but it doesn't do that for me (or at least: it shouldn't). The only exception it allows by default is Remote Assistance.

[chsh]

Wow, so domain users are going to be flashed back to the Win95 era of share security issues? Dang...

Maybe the thinking was that people with domains probably know enough to shut it off or configure the firewall properly, or that primarily it will be used only in corporate settings, where someone SHOULD know better. Either way, restricting it to the local net by default would be sensible.

[hogfly]

Originally posted here by Negative
I think I still have the RC2 and not the alfa, but it doesn't do that for me (or at least: it shouldn't). The only exception it allows by default is Remote Assistance.

Shouldn't...but did. atleast in a domain setting. This was the final release. I'd paste a screenshot..but it wouldn't do much good.....

Well for shits and giggles here it is. I've just installed it, and unblocked an app that we use here called sidecar.

[hogfly]

Here's the "edit a service window" too.



Ok, so I've figured out what the hell this monstrosity is doing. It detects what is currently running on the machine, and opens the ports to accomodate windows services. Said machine had file and print sharing turned on, so windows firewall was trying to be helpful by opening the holes in the firewall. It shouldn't be opening holes to ANY source, and I don't think it's a great idea that it automatically opens the holes without so much as a prompt. I went ahead an clicked "reset defaults" and yes, it did what it is supposed to do(disable everything but remote assistance).
Stupid microsoft.

[OldRedFox]

Stupid Microsoft?

Not really. If they were to override all current machine settings utter havoc would result and people - ordinary people mind you, not folks like us who know what's going on - would not download SP2 out of fear that it would "break" their machines and home networks. Which, in spite of the issues w/SP2, is not a good situation at all. Keep in mind that SP2 is really a fix for the standard user, and in that context delivers tools that most users do not have and that will help stop home and SOHO machines from being taken over; and that's a very good thing.

Todd

[hogfly]

Yes stupid microsoft for violating a self inflicted security policy of drop everything. The firewall defaults to a "break everything" but remote assistance configuration. At the very least there should be a prompt saying "we are going to open the firewall" before they open it to the entire world, it could atleast be open to the local subnet(that I wouldn't have an issue with). Again, they are violating their own firewall policy to accomodate a stupid service that an average home user shouldn't need.
SP2 is for home users? Tell a home user what DEP is, or that the stack is now protected, or that outgoing TCP SYN connections is limited, or that DCOM permissions have been locked down and tell me how many of them can answer you intelligently. This is not for the home user. It's for Microsoft's shareholders and their corporate partners that are sick and tired of stupid microsoft'isms and those that are tired of having to deal with worms that shouldn't be allowed to have free reign on a network.

[OldRedFox]

Sorry, but I disagree. Most of my clients are SOHO, work out of the home or under 20 node small businesses. When I first walk on site the majority of these folks do not even have up to date virus definitions much less a firewall of ANY sort in place. You are right, they cannot respond to your comments, but they still need protection. By default the firewall gives them some - and that is better than the current situation. Sure, if you have services on when you install SP2 it leaves them on/open/unpotected which may not (in fact, probably is not) the right choice, but at least it does not break their current settings, whcih would create a large disincentive to upgrade. But (and here's the key point) it gives them a native to the OS tool that can quickly and easily be configured to give them needed protection. In fact, it gives them a tool that I can talk them through over the phone. Again, this is a good thing that we should not overlook. As for large business settings, the in-house IT staff can deal with the firewall in SP2 pretty easily and if not, they most likely should be looking for another job pretty quickly. In this setting there should already be a better firewall in place anyway. So, if large businesses already have a firewall, then who is SP2 aimed at? SOHO, small business and home users - where most XP installs are found anyway.

Todd

[pooh sun tzu]

hogfly: SP2 is for home users? Tell a home user what DEP is, or that the stack is now protected, or that outgoing TCP SYN connections is limited, or that DCOM permissions have been locked down and tell me how many of them can answer you intelligently. This is not for the home user. It's for Microsoft's shareholders and their corporate partners that are sick and tired of stupid microsoft'isms and those that are tired of having to deal with worms that shouldn't be allowed to have free reign on a network.

Your entire argument is flawed. Let me begin:

1. If SP2 isn't for home users just because they do not understand certain aspects of it, then I think a computer isn't for you until you understand how processor mathamatics work on the motherbored of your computer.

2. If SP2 isn't for home users just because they do not understand certain aspects of it, then I think a car isn't for you until you not only understand the basic material components that make up the chassis of the car, but also until you know the architectual mathamatics about the pressure sensitivity for "break points" on the skeleton of the car.

3. If SP2 isn't for home users just because they do not understand certain aspects of it, then I think life isn't for you. At least not until you understand how PSI affects the human heartrate and then understand how the nervous system affects not only the body temperature but the amount of alpha/beta/gama/theta waves that the brain emits. And then why the brain emits them in the first place.


Just because someone is encapsulated* doesn't mean it isn't for a target group of people. Sp2 is targeted torwards XP, it's that simple. Sure there are bugs and nothing is perfect, but you need a better argument than whining.

hogfly: Said machine had file and print sharing turned on, so windows firewall was trying to be helpful by opening the holes in the firewall. It shouldn't be opening holes to ANY source, and I don't think it's a great idea that it automatically opens the holes without so much as a prompt.

Wait, so you are complaining that you had to configure your firewall? Even though the firewall does the job it needs to do for the typical computer users, you want to complain about having to configure it? How about this: Stop whining, stop bitching, and start configuring. A firewall is just like any other firewall, and I'll be damned if people whine about it because they have to configure it. The same applies to home users. Sp2 ICF does a good job by default of fixing most problems without crippling usability, but that doesn't mean it can't be improved by manual configuration.

And yes, most non-savvy computer users know how to use google.

hogfly: At the very least there should be a prompt saying "we are going to open the firewall" before they open it to the entire world, it could atleast be open to the local subnet

Right, because we all know that typical computer users are perfectly calm and understanding when a popup shows. We all know they read and understand every word that is in front of the screen. Or better yet, maybe we don't know that, and from past tech experience we know people get overlyconfused/scared when an OS asks them a question they don't fully understand. In this case of what the user base is filled with, having it do it's best job automagically first is the best way to handle those type of people, while allowing manual configuration for those who are savvy enough to want to learn it manually.

encapsulated:1) In object-oriented programming, encapsulation is the inclusion within a program object of all the resources need for the object to function - basically, the methods and the data. The object is said to "publish its interfaces." Other objects adhere to these interfaces to use the object without having to be concerned with how the object accomplishes it. The idea is "don't tell me how you do it; just do it." An object can be thought of as a self-contained atom. The object interface consists of public methods and instance data.

[hogfly]

Let's get one thing straight here. SP2, as you said, is for windows XP. The call for SP2 was not from home users. The average user at home most likely doesn't know the difference. This is where my arguement is coming from(simply that SP2 was not home user driven, and most of the features are not directly for their benefit, except perhaps for pop-up blocking), Not that SP2 was not for use by home users. Of course it is for their use, and it serves them well in most cases. Simple case of misunderstanding

Now,
I am not complaining in the least that the firewall had to be configured. I don't mind a configuration at all, in fact it is neccessary. I am not bitching, I am not complaining, I am stating my experience with SP2. Where did you get your license to be a ********** anyways? If sharing one's experience with a firewall is complaining and bitching to you, so be it, don't read the post, **** off, and go trolling elsewhere. The issue I was stating, is the fact that microsoft claims one thing, and yet the firewall does something different than advertised, without any form of notification. It's completely misleading. The action taken by the firewall in this case(opening file and print sharing to EVERYTHING), is in complete opposition to the purpose of the firewall itself. The simple point is, that if they are going to deviate from what they claim, then I think they should notify the person at the computer. Apparently you don't, and that's fine, but users are still going to get compromised at home because of a stunt like this because most of them won't understand that file and print sharing is open to the internet.

And yes, most non-savvy computer users know how to use google.

If this were true, then there wouldn't be a need for antionline to exist.

having it do it's best job automagically first is the best way to handle those type of people, while allowing manual configuration for those who are savvy enough to want to learn it manually.

I agree with this completely, but opening file and print sharing to the entire internet is NOT the right way to handle things IMO.


Oldred:

I agree, they do need protection, but is opening file and print sharing to the internet and not the local subnet(which it has the option to do mind you) protection? It's just as bad as the AV definitions being out of date. Yes, the firewall does offer protection, and that's a great thing. I think SP2 as a whole is a great move. Explain how it would break settings to allow file and print sharing only to the local subnet? The only thing I could see it breaking is multiple subnet communication, and as pooh pointed out oh so politely, people shouldn't complain about configuring a firewall(or even simple make a statement regarding them) In fact he'll be damned about it. So, tell those morons to shut up, and configure !!
As I have stated a few times now in SP2 related threads, I think it's a great move in the right direction. I do take issue with this one item though, because it defeats everything they have worked towards (Secure by default).




have a nice day.