Home Networking/Firewall problem

Can anyone advise me how to configure either ZoneAlarm or Windows Firewall to allow my 2 PCs to share files without compromising security. With Firewall off - no problem. Firewall on - can't share files. In Zone Alarm I have gone to 'Firewall/Zones' and added my other PC's IP Address as 'Trusted' but it doesn't help. With Windows Firewall I don't know how to do this. The upshot of all this is that I can't safely have shares working if connected to the net.

PC1: Windows XP Home
PC2: Windows XP Pro
Router/ADSL Modem: Dynamode R-ADSL-C4S

Reply to
Ben Hardy

Uninstall ZA.

Sure you can.

-Frank

Reply to
Frankster

Ok let's see.

[link] to include a firewall. Whether or not it's a real firewall may be debatable but it is sufficient to make sure that your network shares are not accessible from outside. So my advice would be to remove the useless firewall software (ZoneAlarm) and make sure you've done all the other things you should do with a Windows PC before use on a network. The things which have nothing to do with firewall software.

Jason

Reply to
Jason Edwards

It's not important to me whether you want to learn or not. It only takes a quick visit to a group like microsoft.public.security.homelosers to see what happens to people who didn't want to learn about the innards. This is not to say that you shouldn't be able to buy a system which is secure by default and doesn't need detailed knowledge of the innards to keep it secure.

But you did have to learn to drive it, no? Maybe you bought the wrong car

[link] don't necessarily agree with that page but XP was going to be the most secure system yet. 5 years ago.

Jason

Reply to
Jason Edwards

microsoft.public.security.homelosers

Rightout, a secure system should be simple, both technically and for the user. This is where Unix rules, but most problems can be carefully addressed on Windows.

F.e. ACLs on user data are usually pretty simple: Admin Full-Access, System Full-Access, MyUser Full-Access, nothing else.

In any case, trying to use a host-based packet filter as a serious security measure requires a lot of in-depth knowledge about TCP/IP and networking, and especially that he has been using ZoneAlarm clearly shows that he didn't even bother to check how vulnerable his system actually is.

It still is, well, short behind WinSrv03. Since NT 5.0 the system is pretty solid, most issues arise from running many unnecessary services by default and totally crappy user programs (f.e. MSIE). Local privilege escalations are rare and usually only introduced by crappy third-party programs. Cryptography and management tools have been carefully integrated.

Reply to
Sebastian Gottschalk

My wife is a tutor. She teaches total beginners how to do basic stuff with PCs such as word processing, spreadsheets, Internet etc. If she was to tell her students at the outset, that in order to use a computer securely and effectively they would need to have in depth knowledge of TCP/IP, MRU, NAT, PING, FTP, DHCP etc etc they would walk out. XP is far from any pretense of a secure OS - you only have to count the number of Critical Security updates required since it was released (several hundred?) to realize that at the outset it was akin to a naked woman walking through a city at night carrying a bag of gold!!! The vast majority of computer users don't wanna know all that tech stuff and they shouldn't have to. Back to the car analogy - yes you have to learn to drive a car as you do a computer but most drivers are not rally car or network technicians, don't want to be and shouldn't have to.

Actually, I have bothered quite a bit with virus/spyware/adware precautions and having been using the Net quite heavily for many years I can say that I've had only a very few minor problems. What is a non-technician supposed to do apart from regularly update anti-virus software, download yet more 'fixes' from MS, take care with email, visit numerous websites purporting to test your firewall and learn as much as time allows. Is computing these days about noodling endlessly with the PCs innards or getting some work done?

Sebastian Gottschalk wrote:

microsoft.public.security.homelosers

Reply to
Ben Hardy

What are you talking about here, the machines are behind a NAT router? They are protected on the networking ports for each machine from the Internet. So, you're free to network with the machines being behind the router on the LAN, and you cannot be attacked over the Internet, unless you port forward the Windows networking ports on the router to a LAN IP/machine.

For doing networking with the XP FW, you simply enable the File and Printer Sharing Exception on the XP FW, and the FW will allow the traffic.

For ZA, I don't know but it too should have a single setting to do this as well. You should find a ZA forum and ask there.

On XP Pro, you disable Simple File Sharing and you setup a share and remove all accounts off the share (all of them). You then add the Authenticated User on the share that's being explained in the link. With Authenticated User, you must set up an account on the machine for the user to use from his or her remote machine. If the account is not on the machine that's to be accessed, the access is denied to the share.

[link]

For XP Home, I understand you can go into Safe Mode and disable Simple File Sharing. That's what I hear. I don't use Home.

Duane :)

Reply to
Duane Arnold
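A worked version of the steps Duane describes, added here as an example; it is not code from the original thread or from any of the posters. It assumes Windows XP SP2 or later (where the `netsh firewall` context exists), a Pro machine with Simple File Sharing turned off, and a folder C:\Shared to be published as a share named `Docs`; the folder and share name are placeholders. The security-relevant choice is the scope: the exception is opened for the local subnet only, never for "all" addresses, so even if the router is later misconfigured to forward the Windows networking ports the host itself still refuses traffic from non-LAN sources.

```batch
@echo off
rem Added example, not from the original thread. Assumes XP SP2+ and an
rem Administrator command prompt on the PC that hosts the share.

rem 1. Open the File and Printer Sharing exception (TCP 139/445, UDP 137/138)
rem    for the local subnet only, on every firewall profile. "scope=subnet"
rem    is what keeps the shares reachable from the other PC but not from
rem    anything beyond the router.
netsh firewall set service type=fileandprint mode=enable scope=subnet profile=all

rem 2. Check the result: the firewall must still report Operational mode
rem    "Enable", and the File and Printer Sharing service must show a
rem    scope of the local subnet rather than "All".
netsh firewall show state
netsh firewall show service

rem 3. NTFS permissions on the folder: grant Change to Authenticated Users
rem    (/E edits the existing ACL instead of replacing it). Administrators
rem    and SYSTEM keep the Full Control they inherit. If "Everyone" is
rem    listed on the folder, remove it in the Security tab so that only
rem    accounts that exist on this machine can get in.
cacls C:\Shared /E /G "Authenticated Users":C

rem 4. Publish the share. On XP the share-level permissions are set in the
rem    folder's Sharing tab: remove Everyone there and add Authenticated
rem    Users, as the post describes. A user on the other PC then needs a
rem    matching local account (same user name and password) on this machine.
net share Docs=C:\Shared /REMARK:"LAN documents"
```

The same firewall step applies to XP Home; what Home lacks is the ability to turn off Simple File Sharing, so step 3 and the share-permission part of step 4 are only available on Pro. To undo the exception later, run the first command again with `mode=disable`.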

There's an extension "Fajo XP Security Extension" which adds the dialogue, but sadly is buggy when selecting multiple objects.

And there's a patch to a system DLL which basically makes it think that it's running in Safe Mode.

Anyway, XP Home Edition is craptastic when it comes to anything that is beyond an idiot's level.

Reply to
Sebastian Gottschalk

Common "Personal Firewalls" like Zone Alarm implement provisions like a host-based packet filter with the goal to improve security.

The problem with "Personal Firewalls" is, that they usually don't implement such provisions in a sensible way, and they additionally implement provisions, which are useless or even counterproductive.

The only very useful provision "Personal Firewalls" usually implement is such a host-based packet filter. All other common provisions like "outbound filtering", "stealthing" or "secret filtering" are very doubtful.

The point is, that Windows XP itself provides a well implemented host based packet filter, the Windows-Firewall. So "Personal Firewalls" usually are useless if not dangerous.

Yes. And this is the reason for many security problems. Microsoft Internet Explorer is terribly broken, already in concept besides its bad implementation.

Other browsers usually are much more secure, even though I have to say, that other browsers are not totally secure, too, and have to be kept up to date, too.

Don't use Internet Explorer or Outlook Express in the Internet. Use some alternative. Activate the Windows-Firewall or shutdown the programs which are offering network services to the world:

[link]
or
[link]
if you have an older version of Windows.

Activate Windows-Update and all other automatic update services for your programs. Don't bother with "phoning home" nonsense.

And keep your eyes open: there is no technical provision against phishing or other social engineering attacks:

[link]

Yours, VB.

Reply to
Volker Birk

Not to defend Sebastian (don't agree with a lot of what he has to say...), but... he *did* say "misusing" MSIE. Not MSIE itself. To that I would agree. In other words, setting MSIE to allow any and all services would be misusing it. Setting IE to tighter security using its own internal settings would be using it correctly.

-Frank

Reply to
Frankster

There is no such thing as a non-vulnerable MSIE configuration. Heck, one cannot even deactivate ActiveX at all; just the trial and failure of invoking an ActiveX control can have dramatic side effects (f.e. starting the Telnet server service on Win2K SP3).

Reply to
Sebastian Gottschalk

Jason advises to remove "the useless" ZoneAlarm. This qualification is rather rude and untrue. First I would advise not to use more than one firewall, so that you know who is blocking what. The elegance of ZoneAlarm (ZA) is that you get insight in what you do when ZA is asking your permission (or denial) when an unconfigured connection is trying to be established (an alert). Within the alert there is a possibility given to get more information about the possible 'intrusion'. By always reading this information, in which suggestions are given by ZoneLabs, one gets gradually acquainted with all sorts of situations. In Ben's case, he could learn from this information and thus get his safety within his own hands. (By the way: I'm not connected with ZoneLabs, whatsoever, but a happy user of ZA, although the latest upgrade to version 6.5.722 was a mess: I would recommend to download version 6.1.744 or earlier: they work fine).

To be more specific to Ben's question: As soon as you have installed ZA on both PCs, any attempt by one PC to get info from the other would result in a ZA alert. Since this alert occurs at the very moment of the action of the first PC, you know it should be allowed by you. You have the opportunity to tell ZA to remember your decision, so that the next attempt will be granted automatically. Also, by opening the ZA Control Center after such a situation, one can learn about what's happening to the configuration of ZA by comparing each new rule ZA has added to the configuration. Gradually one will be able to construct his/her own rules. This is useful if one does quite a lot of installations or upgrades, where the installer wants to communicate with some source, either your PC, or a location on the internet to get things right. In the very case of connection between LAN PCs one gets insight in locally used IP numbers and ranges by PCs and router. It's well spent time to learn about your LAN in this way!

Reply to
oriolus

Just as there is no such thing as any non-vulnerable software. Your point?

-Frank

Reply to
Frankster

There's a difference between random programming errors (which makes every software vulnerable) and errors by design (which makes software vulnerable even if there were no random errors). The latter cannot be fixed without redesign.

Reply to
Sebastian Gottschalk

This reminds me of all the hoopla about MS not adhering to "standards" of all sorts over the years. In the end, MS has set the de facto standards (and International standards) in many areas.

Private industry drives the adoption of standards.

"Defacto" = ACTUAL; being such in effect though not formally recognized

Remember the HPIB "standard" from Hewlett Packard (now formally adopted as IEEE-488)?

How 'bout US Robotics 9600bps?

How 'bout GIF developed by Compuserve?

How 'bout TIF created by Aldus and Microsoft?

How 'bout PDF, by Adobe?

How 'bout the "Hayes" character set?

The list goes on.

Popular defacto standards become International standards.

Right now, MSIE is a defacto standard.

-Frank

Reply to
Frankster

There was no standard for it before.

There was no standard for it before.

You mean TIFF by Aldus, I think. There was no standard for it before.

There was no standard for it before.

You mean the Hayes' command set, I think. There was no standard for it before.

No.

There is HTML already. And there is XHTML already. All other manufacturers are implementing it already.

MSIE is not defining a de-facto standard, because they're not bringing something new, which no-one else has as a standard for before.

They're just having a b0rken implementation. That's all. And, no, darkness is not the standard for light ;-)

Yours, VB.

Reply to
Volker Birk

MS Office is a de facto standard for image processing...

Reply to
Sebastian Gottschalk

MS Office for image processing? What? How about Photoshop being a standard for Image Processing.

Reply to
Leythos

Isn't Zone Alarm, and the Windows FW, a HBPF?

Windows FW doesn't require any TCP/IP knowledge. Neither does ZA or other PFWs; they just ask some silly questions on first use.

I can't really see HBPF defined anywhere. I see PF defined here on duane's link

[link]

PF is just the most basic function of a FW. It looks only at: NW layer - src ip, dest ip; T layer - src port, dest port; nothing at app layer. I guess a HBPF is just a PF on a host ;-)

Googling HBPF picks up nothing for definitions. Where are ppl getting these terms from?

Reply to
q_q_anonymous

My google search for host-based packet filter results in approx. 119.000 finds - one of the first being:
[link]

Reply to
B. Nice
