Outpost blocks everything

Jim wrote on Tue, 30 Aug 2005 13:20:52 GMT:

Maybe. But there will be ports open - 8080 or 1080 commonly used for the proxies, 80 for a web server (ISPs often run a proxy on the same server that runs at least one of their websites), 53 for DNS (they also use them as DNS servers), and maybe a few other ports (25 for SMTP or SMTP Relay, 110 for POP3, 22 for SSH, 21 for FTP, etc). All of these ports are open because the server is doing multiple jobs. It might not be ideal, but many ISPs cut corners to save costs.

Dan

Spack

You should enter this into the NT command processor. Please run cmd.exe first, and enter the command there.

Yours, VB.

Volker Birk

By the way: the NT command processor is not the DOS command prompt. If you want to start an NT DOS virtual machine, run command.com.

Yours, VB.

Volker Birk

Everything, which is in State LISTENING and is not listening on localhost, is a service, which is offered.

Your box is offering many services. You should stop that (i.e. using [link]) or you can use the Windows-Firewall to filter access to those services from the Internet.

Yours, VB.

Volker Birk
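
The rule stated in the post above (a socket in state LISTENING that is not bound to localhost is an offered service), applied to `netstat -an` output. This is an added example, not part of the original thread; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1051      203.0.113.7:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::1]:5000             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    # Drop an IPv6 zone id such as fe80::1%4 before parsing.
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, to be safe

def offered_services(netstat_text):
    """Return sorted (address, port) pairs that listen beyond localhost."""
    offered = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 4+ columns; UDP rows have no State column and are skipped.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        addr, port = split_endpoint(fields[1])
        if not is_loopback(addr):
            offered.add((addr, port))
    return sorted(offered)

if __name__ == "__main__":
    for addr, port in offered_services(SAMPLE):
        print(f"offered: {addr}:{port}")
```

The parser matches the English state name `LISTENING`; a localized Windows prints a translated state, so adjust the comparison there.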

You could ask them.

Yours, VB.

Volker Birk

Too late. They say not.

Jim Scott

Better don't do that but try to find out by yourself why your question hardly makes sense to people who configure such setups.

Wolfgang

Wolfgang Kueter

But many ISPs are smart enough to restrict access to those ports to IP addresses belonging to their own network, so that only their own customers can use them.

Juergen Nieveler

Juergen Nieveler

Juergen wrote on 31 Aug 2005 08:12:53 GMT:

And yet others are not. DNS tends not to be restricted because it's used for resolving ISPs hosts. And proxies are often not locked down so that roaming users don't have problems when using a different ISP on the move - however, these normally require authorisation in the form of username + password, but this will still show the port as open in a "security test" because the service has to respond so the remote user's PC then knows to send the authorisation info.

I know of at least one major UK ISP that even has all of its PIX firewalls at its head office allowing everything in and out (so it's basically acting as a router with no restrictions) because they consider it too much hassle to have to open ports when they add new services, even to the point of developers there running test web servers on their own PCs and them being accessible to the internet. They had a hell of a time clearing up when someone used one of their FTP servers to host GBs of p*rn and games and had changed the passwords on the server, but it didn't change their security policies - they just rebuilt the server and gave it a different password!

There are plenty of ISPs who are loath to implement decent security because of the additional cost involved, both in hardware and in man hours maintaining it. They seem to think it's cheaper to clean up after there's a problem - in this day though it only takes one serious breach to bring an end to a company, or at least seriously cripple it, but many either don't care or are too blinkered to realise.

Dan

Spack

Nice list. But when I'm reading it, I notice, that this list contains completely other topics than Torsten's list. And some of them are not OK; here are a few of them:

They're recommending "Personal Firewalls" because of stopping outbound connections. They're ignoring the fact, that there is a simple proof, that this does not work.

For stopping simple file sharing on Windows XP HE, they have no solution, while Torsten explains, how to stop file sharing at all.

What they're writing about passwords, is doubtable. It seems, that they did not understand the problem. BTW: the basic goal in choosing a password must be and only must be to have enough entropy in the password, so that it's very unlikely to guess it right, and it's impossible to brute force it in a realistic time frame. Also passwords with lesser entropy, which are eight characters long or even longer, are not secure. And no cracking program starts at eight characters, because this would be sensible in any way. The shorter passwords usually can be brute forced any way, because they cannot contain enough entropy to deny that.

They're suggesting the reader, that SRP could stop Viruses and Trojan Horses from running, which is misleading.

With disabling the default shares, no-one is gaining extra security. In the text we're told, that IPC$ keeps working.

Instead of doing that, one could stop SMB/CIFS/NetBIOS services, like Torsten's script. Then there are no shares left. In a network, where those services should be offered, offering standard shares also makes no security problems, because they only can be used by administrators.

The advice, to consider biometric devices instead of passwords, is just misleading. Most of the finger print devices for example can be fooled with just a gummi bear. And in the same category they're sorting smart-cards in, which can be highly secure. But the reason, with which they're recommending SmartCards, is strange: because users write their passwords on sheets of paper. And their SmartCard pins? And what's with the SmartCards themselves?

I have the feeling, that this text is the usual collection of factoids, sorry.

Yours, VB.

Volker Birk

I cannot disagree. I don't have too much faith in them either, and most home users use them like crutches with the Application Control and whatnot that can be beaten at boot before the 3rd party solutions can even get to the TCP/IP connections and stop anything, which is one thing the XP FW will do: protect the TCP/IP at boot.

However, the solutions are out there and they provide some protection at the machine level for what it's worth. :)

I'll have to look into the solution for SFS on XP Home.

Hey, most users don't do anything in this area period but at least they are being made aware that they should do something and most users flat-out don't do anything.

I don't use it and that's why I use something like Active Ports to watch connections along with Process Explorer and look around for myself from time to time when I was into using something like BlackIce. I don't like any tools such as SRP to stop anything at the machine level and will go to the O/S to stop execution on the NT based O/S using NTFS.

BTW, Active Ports was the application that showed me that Application Control in PFW solutions was being beat at the boot and logon as AP was in the Start Folder and was clearly showing that connections were being made and it was over before the PFW solution could get there and I tested most of the solutions and none of them could do it.

I don't do it and the only thing I do is use Authenticated Users on shares that I create and remove all other accounts off the share.

I'll have to look into it.

I don't know; I don't mess with such things.

The link may not be the best but it's better than nothing and most home users don't know any of it. It's just an informational link as far as I am concerned and to me that's what counts: information being passed.

I had another link that was better out of England but it went off the air for some reason a while back.

However, when I wanted to know more about securing a machine using the Windows NT platform along with what was happening with the XP O/S, I purchased the MS Windows Security Resource Kit and Windows XP Professional Resource Kit books, which had lots of scripts on CD(s). :)

Duane Arnold

I think, the Resource Kits are a very good tip.

Yours, VB.

Volker Birk
