Win xp sp2 firewall

Comapred to Zone Alarm, it is.

Yours, VB.

Protect your computer against *what*? It will protect your computer just fine against attempts to exploit vulnerable services. It won't protect your computer at all against being dumped into a river.

cu

It's no worst than the other ones as long as you understand its limitations. It doesn't have a lot of snake-oil in it trying to protect you from you.

That's why I make my laptop wear a life jacket at all times!

Is your life jacket protecting the river against your laptop, too? By filtering outbound water? ;-)

Yours, VB.

Windows XP SP2 fireall is the last resort - it has one serious flaw - if you run as a local administrator, and most people do, it allows programs and services to create holes (exceptions) in it. Also, if you normally share files/printers, it will default to allowing File/Printer sharing, which also greatly exposes you.

I consider XP Sp2 firewall to be about worthless in most settings unless you run as a limited user, check for exceptions and remove all of them, and check this daily.

I've seen machines where the users have been compromised many times using XP SP2 firewall that switched to ZAP and were not compromised again.

Microsoft would have a lot less security problems if people would stop running as admins. I really doubt if that is going to happen anytime soon. People tend to be resistant to change unless change is forced on them.

This "flaw" is shared by each and every software in existence.

Wow, if you expose services these services will be ... exposed. Thank you for clearing that up.

Running with LUA is *the* single most important precondition to achieve computer security.

Yeah, right.

cu

Beside that all "Leythos" said is nonsense (as usual from him), the best way Microsoft could stop people to work as Administrator would be not to have this as a default.

Well, they're doing something like this now with Vista: the user is administrator, but administrator's don't have every right any more :-/ (try to open a SYSTEM shell on Vista)

Yours, VB.

Are you speculating about "Leythos'" fantasies here, Ansgar? ;-)

VB.

Well, it's not and there is no sense crying over it. The XP FW does have some issues in it that it will allow FW rules to be set for an application that the end-user has no clue about upon installation of the application. I have seen this with some .NET Windows applications that were using .NET remoting that I have developed and installed on XP with the FW active.

There is no way that the XP O/S or the XP FW knew the intent of that application good or bad as a client or server. And yet rules were set for the applications to punch through the FW. You name another PFW that allows this kind of rule setting, which is ridiculous.

I guess they listened to someone after many years of not listening.

LOL - Nonsense, yea, that explains why AOL and Yahoo IM and many others can punch holes while installing in the XP firewall, but, they have to get permission to do it in ZAP.

So, VB, are you stating that NO APPLICATION or MALWARE can make adjustments to the Windows XP SP2 firewall when the user is running as an administrator without the admin knowing?

Nows your chance, show everyone just how wrong I am by making a clear statement that "No application/malware can enter exceptions in the XP firewall while running as an administrator".

And it can be turned off.

It's a shame you two pretend to have experience when almost everything you say about firewalls and security is full of so many holes and misinformation that it only impresses the noobs.

Nitpick: Administrators don't have every privilege. They just have the privilege to aqquire every privilege.

And Windows Vista can't change that. However, Windows Vista actually makes the users being non-administrators by default, and they really are required to enter the administrator's credentials.

That's easy. The 'AT' command still does the job, especially since its implicit trick was made explicit in Windows Server 2003 and continued as such.

This requires Administrator rights. And then it applies to any Personal "Firewall".

Yeah, actually one should be happy that Microsoft offers an explicit interface for adding appropriate rules. For typical PFWs you either have to use some dirty tricks (while risking that some idiots will scream "HACK ATTEMPT !!!11") or you'll have to ask the user to add the rules (which they're usually incapable of).

Any does. By design.

Well, when Windows XP was out there, they couldn't change it. Thus, they really had to wait a long time for actually getting a new chance for pushing a big change on the user.

Unfortunately, Windows Vista makes it worse on total.

Like what?

cu

And once again Leythos spectacularly fails to understand that a) noone ever claimed that, and b) an administrator cannot be prevented from doing whatever he pleases without restricting his privileges (which actually makes him a non-administrator).

cu

I am suppose to have some kind if warm and fuzzy felling about that, with MS track record? I don't think so.

At most, the application would say that an unauthorized program was trying to access the Internet, that you the user didn't approve. I am not a proponent of Application Control in PFW(s) but at least ask me.

If I don't want to be asked, then I'll disable it. But don't *you* the PFW start making rules, because I installed an application on the computer.

And MS and its PFW somehow knows the intent and knows the correct decision to make? MS has no business making any rules that the user doesn't know about, period. PFW, will you please prompt someone about what you're about to do?

I don't want MS with some FW to be making any rules without user permission about anything. I would say I don't want this and I would say that most wouldn't want it either.

We are not talking about any. We are talking about the XP FW that will set rules dead in your face, if one knew to go check.

That's what I read.

I'm talking about the application on its own adding a rule to the PFW for allowing appropriate access. You won't get any queries then.

Of course the application would have to implement this for every single PFW, and since most don't offer any interface they'd have to use their own dirty tricks (f.e. sending Windows messages, hijacking a kernel driver, ...), but it's generally no problem.

Considering an explicit interface being offered by Windows Firewall therefore is no security problem, but rather a sign of sanity.

At first, it's no PFW. And no, they don't have to know any intent, because they delegate this task to the respective software itself.

Well, then why are you running with admin rights? With admin rights, this would hold for any PFW. And without admin rights, it won't hold for Windows Firewall.

The same is true for all other PFWs any would be true for any implementation. Where's your argument? You're complaining about a trivial and unavoidable fact.