Win xp sp2 firewall

The problem with all the PFWs I have seen: they don't really want the user to learn. The messages are far too short with far too little explanation that you cannot really understand them. Usually you will not find a applicable tutorial with the message... This makes even many of those you are willing to learn think they will never be able to comprehend what is going on nor be able to protect the computer or themselves. Therefore they will soon believe that PFWs are mandatory on a computer...

The Microsoft wizards as well as the software I have installed always mentioned during the setup that ports will be opened in the firewall. I would say if people "never know" about this they either did not read the texts on the screen or they installed questionable software which does not warn them about this. If they install questionable software all security is relative anyway...

You should visit me. Strange enough, all the people I have visited using the XP firewall never got compromised. But that's maybe because they were brainless before using the PFW and never got a clue what was going on. After I have removed the garbage from their computer (formatting...) which got through despite all PFWs I explained them how PFW works and how effective they are and about the XP firewall. Now they use the XP firewall only and they are fine and careful. But, O.K., I suppose it helped to loose all data for once and to have someone explain it to them (which only took 30 minutes or so...)

You and I know very different people...

Gerald

Reply to
Gerald Vogt
Loading thread data ...

What I have just forgotten: How do you actually know that the computers where uncompromised? The PFW stops the dumb malware which is easy to detect. The good malware is much harder to find and sits there with or without the PFW...

Gerald

Reply to
Gerald Vogt

Well check again. I have just done it. Remove my sip phone from the XP SP2 firewall. Started the program as limited user. It pops up a warning that traffic is blocked and that an administrator is able to unblock it. No way to change that without being administrator.

What does this have to do with the fact that 99% of Windows home users on the NT based O/S ARE running with admen rights?

As far as I am concerned, your point is moot about the Limited user as opposed the Admin user rights and some kind of example that you're trying to show here, that I don't care about.

Reply to
Mr. Arnold

This is to ridiculous. It's as if this person is under the assumption that he is the only one that knows anything.

How does anyone know anything about possible malware running on the machine that's undetected? Well, they use other tools and don't lean on a PFW and Application Control in them like a crutch and he or she looks from time to time.

Reply to
Mr. Arnold

YARLY!

What exactly gives you the idea that I'd actually like or even prefer the Windows Firewall? I'd just recommend it over the usual PFW junk.

Well, and I'd recommend you to find out when using the medium "E-Mail" is much more appropriate.

Reply to
Sebastian Gottschalk

Any messages from an application/program to a end-user are not meant to hold the user's hand.

You do know that there is more to a PFW or a personal packet filter other than application control. Yeah know, it's most important job is to stop unsolicited inbound traffic/packets from reaching the machine. It's a machine level packet filter.

A computer with a direct connection to the Internet (no router between the computer and the modem) for the average job blow home user running a NT based O/S is imperative.

If they installed questionable software and not know what it's doing, then it's their fault. The buck stops with them.

They were lucky.

What did you explain that a firewall or packet filter's main job is to stop unsolicited inbound traffic from reaching the machine? That's its job. Its job is not to be stopping malware. A FW is not a malware solution, although its in the solution for PFW(s).

Being fine and careful applies to anything. It doesn't make a difference as to what solution is being used.

There just *clueless* home users that will mess-up, if given the chance and at the drop of a hat. Nothing is going to save them no matter what they got running.

Reply to
Mr. Arnold

That's one argument I don't understand. Don't people install security software for the exact purpose of being protected when doing something stupid?

Reply to
B. Nice

For the average job blow user, they should install non-questionable software as much as possible, stop going to dubious sites and downloading and installing software, stop clicking on unknown attachments in emails that can install dubious software etc, etc, as measures they can use to protect themselves.

Software can't stop anyone from doing something stupid, when it comes to some kind of detection and prevention. In all cases when a computer has been compromised, the user has had involvement. On the other hand, detection solutions are better than nothing for some users

There is only one piece of software I will look at that's doing some kind of detection that's worth while and that's an AV application. I don't even trust that and will look around on the machine with other tools from time to time.

However, it's a hard line in the sand with various users on detection and prevention solutions. Some believe in them and some don't. And no amount of jibber and jabber arguments are going to do solve or do anything, but what you see here about this.

It was that way 7 years ago when I joined this NG and it's going to be the same with I no longer come to the NG, particularly on the MS platform.

Reply to
Mr. Arnold

So? - Not being able to run a simple app as a restricted user violates security concepts.

by using the wrong means.

No. Do you?

Yes. We only disagree on the means.

Yes, I fully understand what your standpoint is. You prefer stop-gap solutions to concept based solutions.

Actually you do.

You do. Because PFW's help promote the illusion that you can control it.

The arguments have been repeatedly posted in here.

Reply to
B. Nice

Recitating from my own posting in _this_ thread:

| Mr. Arnold wrote: | > > All "Personal Firewalls" I know are completely ridiculous. | > That also includes the XP FW. | I'd not call the Windows-Firewall a "Personal Firewall". It's just a | host based packet filter, unfortenately necessary, because of the design | flaw in Windows to offer network services as a default.

You could use other implementations of such an host based packet filter, too, like this one, if you want to:

formatting link
A home user cannot control this, unfortunately. So the Windows-Firewall is the simplest choice for her/him.

What I find much better, is this:

formatting link
That is the reason, why I hacked this one for Windows 2000 and Windows XP before SP2:

formatting link
I wanted to offer the work of Torsten (and others) in a way, that users can benefit of it. That's all, what
formatting link
is about. Before Windows XP SP2, this was badly necessary. Since then, maybe it is the second best choice to have a packet filter like the Windows-Firewall, which is filtering out traffic. Because this is default since then, I didn't update
formatting link
anymore.

I really don't understand, why Microsoft refuses to fix this b0rken default configuration, so we all don't need any filtering at all as a default, just like it is with a Macintosh.

The Windows-Firewall is not "the best thing since hot and cold running water". Quite the contrary, it's just the least catastrophic compromise of simple usage and a minimum of stopping endangering the home user by Windows' own network services.

All "Personal Firewalls" I saw were completely ridiculous crap.

Clear now?

Yours, VB.

Reply to
Volker Birk

If this would be all what "Personal Firewalls" would implement, then I would not argue against them. Unfortunately, all of them I saw are implementing futile crap and counter-productive nonsense, too. This is the reason, why I'm usually recommending not to use such software.

Yours, VB.

Reply to
Volker Birk

I told you once before, and I'm telling you again: Microsoft writes software for making money. That's they official company motto. And they're a corporation, thus by law their primary objective must be making money.

Compare the costs of implementing such a lame treatment of symptoms and bad publicity from security incidents against the costs of testing such big changes and support calls for the secure configuration blocking wanted features.

Reply to
Sebastian Gottschalk

I don't see anything wrong with this.

I cannot see such exorbitant costs compared to what they're investing in Windows XP SP2 and even Vista.

Yours, VB.

Reply to
Volker Birk

Well, the one I do you use when my laptop is not connected to my FW appliance does just that. It does have app control that can be disabled, but it has none of the other snake-oil in it. I have used it for 7 years.

It does what I need it to do, which is stop unsolicited inbound traffic from reaching the machine. Not unlike the XP FW, which is not a FW either in my opinion but is a machine level packet filter as well, it cannot stop outbound packets either.

That's why I supplement the personal packet filter with IPsec that's on the XP O/S, which I would use to supplement XP's PFW/personal packet filter if I was ever in that situation, to stop outbound packets if need be.

Reply to
Mr. Arnold

I don't need your recommendations about anything.

And you are wrong, because the one I use gives me the protection that I need on this laptop to protect the Windows services, when it's not behind my FW appliance.

And without the app control in it that can be disabled and I do disable app control in it, which makes it not unlike the XP FW/personal packet filter, it cannot stop outbound packets either. It's doing the one thing and its most important job that I need it to do, which is to STOP UNSOLICITED INBOUND TRAFFIC FROM REACHING THE MACHINE.

Using that PFW/personal packet filter along with IPsec that's on the XP O/S that can act in a FW like manner to stop outbound packets in a supplemental role to the PFW/personal packet filter do their job.

The combination of the two give the protection that is needed on the laptop running XP to protect IIS, SQL server etc, etc, because of my .Net development needs, that's running on this laptop.

And I don't have a problem in using either one of them to provide the solution of protecting this machine.

There is nothing else that needs to be said here.

But observing someone like you and SG and your previous posts on this matter, you'll post again, because it's not good enough in your opinions, because you two try to preach the *security gospel* to each other, according to you two.

Not only are you tiresome with this, you're boring as well with it.

Are we clear now?

Reply to
Maximum Dog8

You'd wish. Protection usually requires a not totally broken implementation like letting SMB traffic bypass (ZoneAlarm), insanely stupid default configuration (was it Outpost or Kerio?) or being trivially bypassed with IP fragmentation (Sygate). Not to mention the DoS vulnerabilities you're introducing.

And what exactly is wrong with Windows Firewall in this scenario?

Maybe you should really try harder to make a reasonable choice for the solution to your problem.

You mean: It would be the same useless attempt. Actually, with using the IPsec service you introduce a new, non-protected service.

Read: You're not competent enough to bound these services to localhost?

Reply to
Sebastian Gottschalk

Do me a favor and shut the Hell-up, if that's possible for you.

You're no one in this NG in the first place, but a lip driveling specialist.

How you have crowed yourself to be some authority on something, when you're not an authority on anything is fabulous.

Reply to
Maximum Dog8

Maximum Dog8 wrote: [indignities]

Yes. *plonk*

VB.

Reply to
Volker Birk

Sounds good. What is it?

Yours, VB.

Reply to
Volker Birk

You know where you can stick your *indignities*.

That's an equal opportunity ditto on the .

Reply to
Maximum Dog9

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.