Microsoft new policy, XP to ship with firewall switched on

Discussion in 'NZ Computing' started by Howard Johnson, Aug 16, 2003.

  1. http://news.bbc.co.uk/2/hi/technology/3153229.stm

    <quote>
    The news that Microsoft is going to start shipping Windows XP with its
    various security features enabled by default should be welcomed, even if it
    does not solve the bigger problem.

    After all, it still leaves tens of millions of users with an operating
    system that was set up to make it easy for them to play online games and use
    e-commerce websites, and at the same time giving virus and worm writers lots
    of ways to attack their computers.

    And that is to say nothing of the Windows 98, NT and 2000 installed base,
    where security is more a matter of hoping and installing third-party
    software than using anything provided by Microsoft.

    But it is a start.

    The decision to change the standard installation of XP is a result of this
    week's fuss about the MSBlast worm, which has infected hundreds of thousands
    of internet-connected computers and continues to cause problems on the net.

    This could get significantly worse on Saturday when infected computers are
    programmed to send fake requests to the Microsoft website and try to make it
    inaccessible.

    Firewall trouble

    MSBlast is another embarrassment for Microsoft, but it could mark a turning
    point in how we think about online security.

    At last ordinary Windows users will have to do something - actually turn off
    their firewall - if they want to expose themselves to risk.

    So far everyone has been so focused on ease of use and not getting in the
    way that they have designed and built systems which are intrinsically
    insecure.

    Then it has been left to untrained, unskilled and unaware users to make the
    changes which limit risks. Few of us, even the technically skilled among us,
    bother to do this. And few of us do it all the time.

    </quote>
     
    Howard Johnson, Aug 16, 2003
    #1

  2. Howard Johnson

    anon Guest

    Who would want to use XP ICF anyway? It lacks many features a normal free
    software firewall has.


    "Howard Johnson" <> wrote in message
    news:A_x%a.11878$...
    > http://news.bbc.co.uk/2/hi/technology/3153229.stm
    >
    > <quote>
    > The news that Microsoft is going to start shipping Windows XP with its
    > various security features enabled by default should be welcomed, even if it
    > does not solve the bigger problem.
    >
    > After all, it still leaves tens of millions of users with an operating
    > system that was set up to make it easy for them to play online games and use
    > e-commerce websites, and at the same time giving virus and worm writers lots
    > of ways to attack their computers.
    >
    > And that is to say nothing of the Windows 98, NT and 2000 installed base,
    > where security is more a matter of hoping and installing third-party
    > software than using anything provided by Microsoft.
    >
    > But it is a start.
    >
    > The decision to change the standard installation of XP is a result of this
    > week's fuss about the MSBlast worm, which has infected hundreds of thousands
    > of internet-connected computers and continues to cause problems on the net.
    >
    > This could get significantly worse on Saturday when infected computers are
    > programmed to send fake requests to the Microsoft website and try to make it
    > inaccessible.
    >
    > Firewall trouble
    >
    > MSBlast is another embarrassment for Microsoft, but it could mark a turning
    > point in how we think about online security.
    >
    > At last ordinary Windows users will have to do something - actually turn off
    > their firewall - if they want to expose themselves to risk.
    >
    > So far everyone has been so focused on ease of use and not getting in the
    > way that they have designed and built systems which are intrinsically
    > insecure.
    >
    > Then it has been left to untrained, unskilled and unaware users to make the
    > changes which limit risks. Few of us, even the technically skilled among us,
    > bother to do this. And few of us do it all the time.
    >
    > </quote>
    >
    >
    >
     
    anon, Aug 17, 2003
    #2

  3. Howard Johnson

    T.N.O Guest

    "anon" wrote
    > Who would want to use XP ICF anyway? It lacks many features a normal free
    > software firewall has.


    My mom... she doesn't need the advanced features, and just needs a simple
    Firewall, nothing too hard.
     
    T.N.O, Aug 17, 2003
    #3
  4. Howard Johnson

    Enkidu Guest

    On Sun, 17 Aug 2003 10:11:33 +1200, "Howard Johnson" <>
    wrote:

    >http://news.bbc.co.uk/2/hi/technology/3153229.stm
    >
    ><quote>
    >The news that Microsoft is going to start shipping Windows XP with its
    >various security features enabled by default should be welcomed, even if it
    >does not solve the bigger problem.
    >

    <snip />
    </quote>

    This is silly. All the naive Windows XP users are now going to think
    that they are protected. What a shock for them when a) they receive a
    virus in email b) they can't f'rinstance run ftp or use kazaa or
    netmeeting, or MSN Messenger.....

    Of course, the first thing any future email virus is going to do is to
    switch off the ICF.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 17, 2003
    #4
  5. "Enkidu" <> wrote in message
    news:...
    > On Sun, 17 Aug 2003 10:11:33 +1200, "Howard Johnson" <>
    > wrote:
    >
    > >http://news.bbc.co.uk/2/hi/technology/3153229.stm
    > >
    > ><quote>
    > >The news that Microsoft is going to start shipping Windows XP with its
    > >various security features enabled by default should be welcomed, even if it
    > >does not solve the bigger problem.
    > >

    > <snip />
    > </quote>
    >
    > This is silly. All the naive Windows XP users are now going to think
    > that they are protected.


    They already did.
     
    Howard Johnson, Aug 17, 2003
    #5
  6. "anon" <> wrote in message
    news:...
    > Who would want to use XP ICF anyway? It lacks many features a normal free
    > software firewall has.


    Between 300,000 and 1.5 million infected victims of the DCOM exploit.
     
    Howard Johnson, Aug 17, 2003
    #6
  7. > This is silly. All the naive Windows XP users are now going to think
    > that they are protected. What a shock for them when a) they receive a
    > virus in email b) they can't f'rinstance run ftp or use kazaa or
    > netmeeting, or MSN Messenger.....


    Messenger should still work, as it uses UPnP calls to get a port opened, so that
    it works behind ICS, from what someone at Microsoft was telling me some time
    ago, UPnP is the only way to get ports past the firewall, he led me to believe
    that there was no way to open them manually.
     
    Richard Malcolm-Smith, Aug 17, 2003
    #7
  8. On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    wrote:

    >> This is silly. All the naive Windows XP users are now going to think
    >> that they are protected. What a shock for them when a) they receive a
    >> virus in email b) they can't f'rinstance run ftp or use kazaa or
    >> netmeeting, or MSN Messenger.....

    >
    >Messenger should still work, as it uses UPnP calls to get a port opened, so that
    >it works behind ICS, from what someone at Microsoft was telling me some time
    >ago, UPnP is the only way to get ports past the firewall, he led me to believe
    >that there was no way to open them manually.




    Please tell me why these people did not bother to get the XP Updates, as that
    is on by default..?
     
    Robert Mathews, Aug 17, 2003
    #8
  9. Howard Johnson

    Enkidu Guest

    On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith
    <> wrote:

    >> This is silly. All the naive Windows XP users are now going to think
    >> that they are protected. What a shock for them when a) they receive a
    >> virus in email b) they can't f'rinstance run ftp or use kazaa or
    >> netmeeting, or MSN Messenger.....

    >
    >Messenger should still work, as it uses UPnP calls to get a port opened, so that
    >it works behind ICS, from what someone at Microsoft was telling me some time
    >ago, UPnP is the only way to get ports past the firewall, he led me to believe
    >that there was no way to open them manually.
    >

    Urgh! I disabled uPnP when the first exploit arrived and haven't
    restarted it since. I haven't checked whether there have been any
    exploits recently.

    You can get *any* port past the firewall. All you have to do is open
    it. What is a little more trouble is if the internal addresses are
    NATted to an external one.

    This is the URL for uPnP.

    http://www.upnp.org/

    "The UPnP Forum is an industry initiative designed to enable simple
    and robust connectivity among stand-alone devices and PCs from many
    different vendors. As a group, we are leading the way to an
    interconnected lifestyle".

    I *think* what they are saying later in the page, is that if you are
    connected to the Internet and uPnP and the discovery service are
    activated, someone could, in theory, easily use your printer, your
    hard disk, your CD....

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 17, 2003
    #9
  10. Howard Johnson

    Enkidu Guest

    On Sun, 17 Aug 2003 18:27:27 +1200, Robert Mathews
    <> wrote:

    >On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    >wrote:
    >
    >>> This is silly. All the naive Windows XP users are now going to think
    >>> that they are protected. What a shock for them when a) they receive a
    >>> virus in email b) they can't f'rinstance run ftp or use kazaa or
    >>> netmeeting, or MSN Messenger.....

    >>
    >>Messenger should still work, as it uses UPnP calls to get a port opened, so that
    >>it works behind ICS, from what someone at Microsoft was telling me some time
    >>ago, UPnP is the only way to get ports past the firewall, he led me to believe
    >>that there was no way to open them manually.

    >
    >Please tell me why these people did not bother to get the XP Updates, as that
    >is on by default..?
    >

    ....and many vendors switch it off. As I suspect they will do for the
    ICF.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 17, 2003
    #10
  11. Howard Johnson

    Invisible Guest

    On Sun, 17 Aug 2003 18:27:27 +1200, Robert Mathews <>
    wrote:

    >On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    >wrote:
    >
    >>> This is silly. All the naive Windows XP users are now going to think
    >>> that they are protected. What a shock for them when a) they receive a
    >>> virus in email b) they can't f'rinstance run ftp or use kazaa or
    >>> netmeeting, or MSN Messenger.....

    >>
    >>Messenger should still work, as it uses UPnP calls to get a port opened, so that
    >>it works behind ICS, from what someone at Microsoft was telling me some time
    >>ago, UPnP is the only way to get ports past the firewall, he led me to believe
    >>that there was no way to open them manually.

    >
    >
    >
    >Please tell me why these people did not bother to get the XP Updates, as that
    >is on by default..?
    >


    Maybe they're wary of system slowdowns, which seems to happen with a few of
    these updates. Let other suckers install them first.
     
    Invisible, Aug 17, 2003
    #11
  12. Howard Johnson

    anon Guest

    True, but XP ICF should still be configurable + have outbound filtering as
    well but only if the user enables the features.


    "T.N.O" <> wrote in message
    news:3f3ec6f7$...
    > "anon" wrote
    > > Who would want to use XP ICF anyway? It lacks many features a normal free
    > > software firewall has.

    >
    > My mom... she doesn't need the advanced features, and just needs a simple
    > Firewall, nothing too hard.
    >
    >
     
    anon, Aug 17, 2003
    #12
  13. Howard Johnson

    T.N.O Guest

    "Lennier" wrote
    > What I've heard of Micro$oftXP's built-in firewall is that it only filters
    > inward packets and cannot restrict outward packets.
    > This would mean that viruses can still send out their payload.


    but how would they have got the latest if they had not accepted the remote
    connection in the first place?

    I suppose it could be emailed in...
     
    T.N.O, Aug 17, 2003
    #13
  14. In article <>, Robert Mathews <> wrote:
    >On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    >wrote:

    *SNIP*
    >Please tell me why these people did not bother to get the XP Updates, as that
    >is on by default..?
    >

    Any user with a semblance of clue (or with friends who have a semblance
    of clue) turns off AU ASAP. Nobody with a brain trusts MS patches to
    work as stated - Look at NT4 SP6, and that wasn't just a patch. There
    have been more recent instances too.
    Let the patch be released, give it a week, then install it if you've not
    heard nasty things about it. AU is dangerous, particularly on
    production systems.

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Aug 17, 2003
    #14
  15. In article <iU00b.120049$>, "dOTdASH" <> wrote:
    >"Matthew Poole" <> wrote in message
    >news:bhon5n$8pe$...

    *SNIP*
    >and Windows Update works fine. By the way, it's my humble opinion that
    >opinions like yours ("wait a week blah blah") are one of the reasons that
    >security is still an issue with home PC's. Did you go out and tell your

    *sigh*
    I admin computers for a living. My opinion is based on long experience
    reading about the cringe factor that numerous other people have had
    installing patches straight out of the gate.

    >friends to install the Blaster patch before the worm hit ? Or did you give
    >them your learned opinion about how they should wait a while ? If so, are

    The patch was released a month before the Blaster worm hit. A whole
    MONTH! A week wouldn't have mattered.

    >they thanking you for your insight now ? And Windows Update isn't designed
    >for "production systems", what you need is SUS.
    >

    My friends have enough clue to look after themselves, assuming they even
    run Windows.
    As for SUS, how's it any different than WindowsUpdate when it comes down
    to what is being installed? Answer: It's not. If a patch is broken,
    it's broken in SUS and in WU.

    >Ahhhh, that feels much better :)
    >

    Glad to help.

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Aug 18, 2003
    #15
  16. Howard Johnson

    dOTdASH Guest

    "Matthew Poole" <> wrote in message
    news:bhon5n$8pe$...
    > In article <>, Robert Mathews <> wrote:
    > >On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    > >wrote:

    > *SNIP*
    > >Please tell me why these people did not bother to get the XP Updates, as that
    > >is on by default..?
    > >

    > Any user with a semblance of clue (or with friends who have a semblance
    > of clue) turns off AU ASAP. Nobody with a brain trusts MS patches to
    > work as stated - Look at NT4 SP6, and that wasn't just a patch. There
    > have been more recent instances too.
    > Let the patch be released, give it a week, then install it if you've not
    > heard nasty things about it. AU is dangerous, particularly on
    > production systems.
    >
    > --
    > Matthew Poole Auckland, New Zealand
    > "Veni, vidi, velcro...
    > I came, I saw, I stuck around"
    >
    > My real e-mail is mattATp00leDOTnet


    So the fact that I have installed every update as soon as the popup appears
    without a single issue EVER is pure fluke ? What about the 3 or 4
    non-PC-savvy friends I know of who have had exactly the same experience.
    Most of the griping I hear about the auto update thing is from people who
    are PC tinkerers. Mechanics' cars etc etc. My PC doesn't get tinkered with
    and Windows Update works fine. By the way, it's my humble opinion that
    opinions like yours ("wait a week blah blah") are one of the reasons that
    security is still an issue with home PC's. Did you go out and tell your
    friends to install the Blaster patch before the worm hit ? Or did you give
    them your learned opinion about how they should wait a while ? If so, are
    they thanking you for your insight now ? And Windows Update isn't designed
    for "production systems", what you need is SUS.

    Ahhhh, that feels much better :)
     
    dOTdASH, Aug 18, 2003
    #16
  17. Enkidu <> wrote in message news:<>...
    > >Messenger should still work, as it uses UPnP calls to get a port opened, so that
    > >it works behind ICS, from what someone at Microsoft was telling me some time
    > >ago, UPnP is the only way to get ports past the firewall, he led me to believe
    > >that there was no way to open them manually.
    > >

    > Urgh! I disabled uPnP when the first exploit arrived and haven't
    > restarted it since. I haven't checked whether there have been any
    > exploits recently.


    UPnP discovery control is not installed by default, and besides you
    can use UPnP apps without this installed anyway.

    > You can get *any* port past the firewall. All you have to do is open
    > it. What is a little more trouble is if the internal addresses are
    > NATted to an external one.


    UPnP is designed to make this automagically work. Imagine talking
    your non-tech-savvy granny user through configuring ports on her firewall
    internet gateway device so you can use application X with her. It also
    solves the problem with NAT traversal for apps that embed non-routable
    RFC 1918 addresses like the commonly used 192.168.x.x address ranges in
    people's homes. XP ICS and [some] UPnP routers have application layer
    gateways for this stuff built in.


    > This is the URL for uPnP.
    >
    > http://www.upnp.org/
    >
    > "The UPnP Forum is an industry initiative designed to enable simple
    > and robust connectivity among stand-alone devices and PCs from many
    > different vendors. As a group, we are leading the way to an
    > interconnected lifestyle".
    >
    > I *think* what they are saying later in the page, is that if you are
    > connected to the Internet and uPnP and the discovery service are
    > activated, someone could, in theory, easily use your printer, your
    > hard disk, your CD....
    >
    > Cheers,
    >
    > Cliff
    > --
    >
    > Signed and sealed with Great Seal of the Executive
    > Council of the Internet, by The Master of The Net.
     
    Nathan Mercer, Aug 18, 2003
    #17
  18. (Matthew Poole) wrote in message news:<bhon5n$8pe$>...
    > In article <>, Robert Mathews <> wrote:
    > >On Sun, 17 Aug 2003 17:58:55 +1200, Richard Malcolm-Smith <>
    > >wrote:

    > *SNIP*
    > >Please tell me why these people did not bother to get the XP Updates, as that
    > >is on by default..?
    > >

    > Any user with a semblance of clue (or with friends who have a semblance
    > of clue) turns off AU ASAP. Nobody with a brain trusts MS patches to
    > work as stated - Look at NT4 SP6, and that wasn't just a patch. There
    > have been more recent instances too.
    > Let the patch be released, give it a week, then install it if you've not
    > heard nasty things about it. AU is dangerous, particularly on
    > production systems.


    Surely it's all about risk. I trust MS patches, I've not often come
    unstuck. And the once or twice I have had a problem I've been able to
    uninstall. Besides most often the interaction is caused by 3rd party
    software. Hard call to know who to blame for that.

    NT4 SP6 was a long time ago, 5 years ago? Things change, Microsoft's
    reliability has got heaps better since then. Service packs go through
    the most amount of testing, followed by General Deployable Releases
    like security hotfixes, followed by hotfixes.

    AU is really targeting home users, not for automatically installing
    on Servers in the datacenter. I think AU is a great fit for its
    purpose.
     
    Nathan Mercer, Aug 18, 2003
    #18
  19. In article <>, (Nathan Mercer) wrote:
    > (Matthew Poole) wrote in message
    > news:<bhon5n$8pe$>...

    *SNIP*
    >Surely it's all about risk. I trust MS patches, I've not often come
    >unstuck. And the once or twice I have had a problem I've been able to
    >uninstall. Besides most often the interaction is caused by 3rd party
    >software. Hard call to know who to blame for that.
    >

    The problems occur when you strike trouble and need to go back, but the
    patch is for something that's absolutely critical. Rock-you-hardplace

    >NT4 SP6 was a long time ago, 5 years ago? Things change, Microsoft's
    >reliability has got heaps better since then. Service packs go through
    >the most amount of testing, followed by General Deployable Releases
    >like security hotfixes, followed by hotfixes.
    >

    Which is great when MS releases a patch a long period of time before a
    'sploit is available. As happened with Blaster. But that's the
    exception. For all their trumpeting of "Trustworthy Computing", I still
    don't trust Redmond to actually release code for a bug that they were
    informed about in anything like a proactive manner. There are recent
    (last 12 months) reports of bugs being given to Redmond, with
    demonstration code, and not heard about again until someone malicious
    releases a 'sploit and suddenly Redmond are wailing about the evil
    hackers.
    I don't think that a fix for the RPC hole would be available today if it
    weren't for the fact that MS were shown exploit code and told "This will
    be released in a month, whether or not you have a patch." Their
    reputation for sitting on bug reports is long established, and it
    doesn't seem to be something that's changing in a hurry.

    >AU is really targeting home users, not for automatically installing
    >on Servers in the datacenter. I think AU is a great fit for its
    >purpose.


    It's good for taking the complexity away from installing security fixes.
    However, because of the number of releases that come out it's daunting
    trying to keep track. I came across a managed environment recently that
    was one SP and 29 security fixes behind, and that was just for XP.
    That's an insane number of security holes for the average user to be
    concerned about - Most of them, let's face it, will NOT be going to WU
    every other day just to see if their system needs patches.

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Aug 18, 2003
    #19
  20. In article <QSi0b.120738$>, "dOTdASH" <> wrote:
    >"Matthew Poole" <> wrote in message
    >news:bhrb43$go4$...

    *SNIP*
    >> I don't think that a fix for the RPC hole would be available today if it
    >> weren't for the fact that MS were shown exploit code and told "This will
    >> be released in a month, whether or not you have a patch." Their
    >> reputation for sitting on bug reports is long established, and it
    >> doesn't seem to be something that's changing in a hurry.
    >>

    *SNIP*
    >Actually I'm 99% sure that the Blaster exploit was released after the patch

    I'm 100% sure it was. But the code was shown to MS _BEFORE_ the patch
    was released. Read what I said.

    >but don't let that get in the way of your conspiracy theories. Do you have

    It's not a conspiracy theory, it's a simple fact. MS were shown exploit
    code, told about the vulnerability, and told "You have a month." Why do
    you think people knew that Blaster was going to hit before it actually
    did?

    >any hard evidence to back your accusations about MS 'sitting on bug reports'

    Not at hand. There's plenty of anecdotal stuff on the 'net. I've read
    stuff on BugTraq where people have said "We raised this with MS <x
    weeks/months> ago, and nothing's been done in public, so here's the
    exploit code to kick their butts into action."
    MS have lobbied long and hard for people who practice total disclosure
    bug reporting to be criminally liable. How does that fit with your
    apparent belief that MS jump on all bugs immediately and fix them with
    utmost priority?

    >? I'd be interested to see it posted here. As I noted previously it's
    >attitudes and biases like yours that contribute towards making security the
    >continuing issue it is today.
    >

    Excuse me? How does me lambasting MS for their awful security record
    contribute to the state of security today? If more people took my
    attitude they might have come up with the "Trustworthy Computing" concept
    several years ago.

    What is YOUR security administration background? Aren't you the one who
    admitted to being barely computer literate?

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Aug 19, 2003
    #20