Outpost firewall prob when shutting down PC (XP SP2)

Of course there is. Not using an account with admin privileges for day-to-day work for instance.

No.

Besides, if you can get them to install %SOFTWARE%, why do you believe you couldn't get them to use restricted accounts?

So you were lucky. Big whoop.

cu

59cobalt
Ansgar -59cobalt- Wiechers

I understand that, but, unless you've been asleep for the last 10 years, most every home user running Windows is running as a local admin, not to mention all the small businesses that are also running as either a domain admin or a local admin on a workstation.

You can try and keep running in circles, but, under a default installation, Windows users are local admins and the Windows firewall provides little hope of protection - even AOL installs punch exceptions into it without the user knowing about it.

Because they will have problems running applications as limited users - QuickBooks, POGO games, some reporting tools, many online FPS games...

The simple fact is that as long as Microsoft installs with users as admins, with the inability to run common apps unless an administrator level account, etc... users are going to be exposed to all sorts of threats.

Windows Firewall COULD have been a proper firewall, blocking in/outbound PORTS, ignoring applications, and providing a real-time interface to show traffic, but, as it is, it fails to protect users at anything other than a very basic level, and is less protection than most of the major PFW solutions on the market.

It's not luck, it's knowing the threat base and how to minimize exposure. Only those that don't understand the OS and Security would assume Luck to protect them.

Leythos
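
The post above says installers add Windows Firewall exceptions without the user noticing; as an added example (not part of any post in this thread), this is one way to audit the XP SP2 exception list, whose values under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List` have the form `path:scope:status:name`. The sample values and the approved baseline are constructed for illustration.

```python
# Added example: audit XP SP2 Windows Firewall program exceptions.
# Each registry value has the form <path>:<scope>:<Enabled|Disabled>:<name>.

# Constructed sample data (not taken from a real machine).
SAMPLE_VALUES = [
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\ExampleISP\client.exe:*:Enabled:Example ISP Client",
    r"C:\Program Files\ExampleGame\game.exe:LocalSubNet:Enabled:Example Game",
    r"C:\Documents and Settings\user\Local Settings\Temp\upd.exe:*:Enabled:Updater",
    r"C:\Program Files\OldTool\tool.exe:*:Disabled:Old Tool",
]

# Hypothetical baseline: exceptions the machine's owner knowingly approved.
APPROVED = {r"%windir%\system32\sessmgr.exe"}


def parse_exception(value):
    """Split one value; the path contains ':' itself, so split from the right."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("unexpected exception format: %r" % value)
    path, scope, status, name = parts
    return {"path": path, "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}


def audit(values, approved):
    """Return (path, reasons) for each enabled exception outside the baseline."""
    approved_lc = {p.lower() for p in approved}
    findings = []
    for value in values:
        exc = parse_exception(value)
        if not exc["enabled"] or exc["path"].lower() in approved_lc:
            continue
        reasons = ["not in approved baseline"]
        if exc["scope"] == "*":
            reasons.append("open to any source address")
        if "\\temp\\" in exc["path"].lower():
            reasons.append("runs from a temp directory")
        findings.append((exc["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_VALUES, APPROVED):
        print(path, "->", "; ".join(reasons))
```
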

Which is exactly what needs to be changed.

You DID notice the boatloads of people popping up here and elsewhere having problems caused by running personal firewalls, didn't you?

Most applications can be run as normal user nowadays. Most applications that can't can be configured to run as normal user by minor changes to file or registry ACLs. All you need to do is create a freakin' normal user-account.

*sigh*

One more time: as long as an application is run by an admin user there is NO way ANY software (not the Windows Firewall and not any personal firewall) could enforce control over that application.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Um, did you miss that it's been this way for almost as long as Microsoft has been around? Not one of their versions of any OS they've produced has defaulted to protected mode.

Sure, I see it all the time. I've also seen people run with PFW solutions, for years at a time, without ANY problems with any of their applications.

If a user is smart enough to change the permissions in the registry they are smart enough to keep their computer safe, in most all cases.

Now, since we're talking about most users, as most users don't even know there is a registry, the point is lost.

Take my mother-in-law - she can't run QuickBooks as a limited user, and she's got no idea how to change that. I made the changes, but, if I had not been aware of what to change she would have kept running it under the Administrator account, which would also lead to her surfing at some point under the account (just human nature)....

And what part of the real world are you missing - as MS is the largest target, has no warning about changes to the firewall, at the very least, the malware that works against windows firewall may not also be coded to work against ZA or Outpost or Tiny or other firewalls, which makes using them a better option - not to mention that each of those can show you traffic and rules.

Yes, I clearly understand that an admin user could modify any setting, and now you need to ask yourself, if you have an option to protect your computer, while running as an Admin, are you more likely to be compromised while only using Windows Firewall or more likely to be compromised while using ZoneAlarm?

So, answer that question, without any conditional crap, running as an Administrator, in a default installation of Windows XP, with Windows Firewall on one computer, ZoneAlarm on a second computer, which one is more likely to be compromised first if you do the same things on both computers?

Leythos

And this is a reason NOT to change anything about it, because ...?

Just like I have seen people work with reduced privileges for years without problems. So you do agree then that running into problems at times is neither an argument against running with normal user rights nor is it an argument for using personal firewalls.

[...]

Because of that "running as an administrator"-part they're equally likely to get compromised. I already have said that above. You even quoted that part.

Anyway, you'll obviously rather target the symptoms by adding more layers of software (and complexity) than fix the underlying problem, so we'll probably have to agree to disagree.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Did I say it was not a reason to change it - are you unable to read? Understand this, "The default installation leaves users as an Administrator, that is the default, that is the reason we have as many compromised machines, until MS changes that, we need to find a way to protect users running as Administrators."

Account level was never a part of this discussion, you brought it into this. I'm talking about the merit of Windows Firewall on a DEFAULT WINDOWS XP BOX vs some other major firewall product. So, as the default is to run (as it's been in every version of Windows) as an Administrator, the account type is a non-issue and should be left at Administrator for this discussion - this way we cover most typical users.

The underlying problem is this:

Most users don't have a clue, don't know the difference between Admin and User level accounts.

For most users, a box on a shelf that claims to protect them is a solution they can understand enough to install and most of those products also give the simple user a chance to learn.

There are no products which IMPROVE the flaws in Windows Firewall, no products in a box that move a user's account from an Admin level to a User level and then make all the adjustments to allow them to run properly as a limited user.

There are products which work better than Windows Firewall and provide the user with some level of hope, although not entirely perfect, they are much better than Windows Firewall.

Since we can't target the users, as there have been newspaper articles, websites, infomercials, friends, etc... telling people that they need to secure their machines and how to do it, and they still remain ignorant, by choice, of any of this. Those same people will see a product on the shelf of the local computer shop and purchase/install it, and have more protection and information than the Windows Firewall provides.

Yes, I don't like either path they take, but, ask yourself this: If you could not change the account type, could not get the user to secure their machine with changes to permissions, what would you do? I would tell them to install ZAP or other product as WF is worthless in most cases.

Now, forget everything else and look at just this part:

If you are running as an Administrator on a default Windows box, is Windows Firewall going to provide AS MUCH protection as ZAP or another major player? Don't say if, well, only, under, ONLY ANSWER YES OR NO.

Leythos

*sigh*

There is no way to protect a machine from its admin other than not having him be the admin.

Yes, I did, because it's a prerequisite for any reliable measure against malware. As long as an application is running with admin privileges you can only hope for it not having disabled your measures in the first place. Meaning that all of your measures are based on luck, whether you'd like to admit that or not.

So instead of comparing one security measure to another security measure you're trying to compare a default Windows XP to a non-default Windows XP. The latter is like comparing apples to coconuts. Of course you can make that comparison, however, it'll be entirely pointless.

Contrary to your belief the account type is the main issue at hand here.

As long as they're running with admin privileges: no, they won't. And as for your "level of hope": this is comp.security.firewalls, not comp.security.hope. Security measures need to be reliable instead of being based on something like hope or luck.

I would tell them to do whatever they think they have to and not bother me with it ever again. I will never recommend snake-oil.

*sigh*

Are you retarded or what? I already gave you the answer twice, and I'm not going to repeat it a third time. Read it up. It's even quoted in this posting.

cu

59cobalt
Ansgar -59cobalt- Wiechers

I guess that explains it - you see the issue as something that you can't handle without requiring everyone to change their computers. While I don't care if they change, as I know it's not going to happen unless MS Forces it to happen, I know enough to see that Windows XP Firewall offers less total protection than do many of the third party apps under the same settings.

Leythos

So do you. Or what else would you call requiring everyone to install additional software on their computers? The point is not whether or not a change is required. A change IS required in any case. The point is that the change I'm suggesting will work reliably, whereas the change you're suggesting won't.

Unfortunately you don't seem to know enough to understand how unreliable (and thus pointless) this "total protection" is.

cu

59cobalt
Ansgar -59cobalt- Wiechers

The difference, as we agree on principle, is on what the users are willing to do and put up with. Most users are not willing to go to the trouble to run as a local user, they are not going to put up with all the problems they will have with apps/sites, etc...

Oh, but I do, but I also understand how many users are going to switch to a Limited User account, which is not all it takes, and then be frustrated when many of their applications don't run properly, and after learning how to change registry permissions, how to change file/folder permissions, etc... they will just drop the idea and go back to an administrator level account. This is the single flaw in the idea, users just won't do it en masse, they already don't want to be bothered by it, as you can see for yourself, that's why they use ZAP and others - because they don't want to face the problems that MS created with its programming model and its security model.

Leythos
