WinXP SP2 Firewall ??? Serious!

Discussion in 'Computer Security' started by johns, Sep 25, 2004.

  1. johns Guest

    An interesting comparison: I have about 1200 users I
    support, and most of the problems have been hacked
    systems. We run f-secure, WinXP Pro SP2, on all
    systems, and for the most part, the student labs are
    locked down with browsing in the local domain only,
    or an "allow list" for research. Staff, on the other hand,
    can browse freely. All email is filtered at two levels ..
    the servers, and finally each station. Still I get the call,
    "My PC is running very slow, and I can't access ...."
    I look on the system, and invariably it is commercial
    scumware like Gator, Gain, Precision Time, etc with
    as many as 10 local "servers" yakking away and
    dragging the cpu up to 100%. I've known for years
    that Adaware or Spybot will not remove this crap. It
    is too well defended. Generally I reimage and recover.
    What is frustrating, and also TRUTH telling in a big
    way, is !!!! the WinXP firewall has not said a word
    about any of this. It just ALLOWS it. I finally turned
    the stupid thing off ... because it trashes network
    printing ... and installed F-secure firewall. Within
    minutes, f-secure popped up and reported all the
    internal scumware that was talking out .. and the packer
    source / programs .. and equally all external probes
    that were trying to get in to the systems ... and there
    were quite a few from Canada, Russia, and Australia
    ..... pushing keyloggers every one of them. I was
    able to get their ip-addresses, dns-addresses, and I
    was able to go in and manually delete the packers.
    We are also building a "shit list" of ip-addresses on
    our F-secure server to automatically block. I really
    have a great security tool now. So .. !! ?? ... just
    what was this SP2 firewall doing ? It never said a thing.

    johns
    johns, Sep 25, 2004
    #1

  2. Leythos Guest

    In article <cj4cc5$27nh$>, says...
    [snip]

    If you are supporting an organization, since you have 1200 users, if
    you're not doing web filtering and other blocking at the firewall then
    you need to start.

    If you enable content blocking, and run AV software (such that the users
    don't have to run updates manually, don't have the ability to stop the
    AV scans, and run a weekly full system scan) you will have a lot less
    problems.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 25, 2004
    #2

  3. johns Guest


    > If you are supporting an organization, since you have 1200 users, if
    > you're not doing web filtering and other blocking at the firewall then
    > you need to start.


    We do in the student labs. No problem at all there. So far, we are
    not allowed ( or at least can't get away with ) doing it for the staff
    and professors. Oh boy, do I wish we could. At least we have 2
    levels of email filtering with McAfee at the servers, and heavy
    spam filtering. On each local machine, AV updates are done
    automatically every few hours, and f-secure runs there. Here's
    the problem too. No firewall is running at the first layer of servers.
    Only f-secure is running on our subnet ... and it is showing me
    bigtime just what a good firewall can tell us. It is solving problems
    that I was never able to touch before. Now I know who is
    "doing it", and just what they are doing. The biggest problem
    is coming from unrestricted browsing and hacked chat groups
    like Yahoo, and hacked messenger services. Those are straight
    shots into our local PCs, but now F-secure is kicking their butts.
    I cannot praise this piece of software enough. It is just super.

    > If you enable content blocking, and run AV software (such that the users
    > don't have to run updates manually, don't have the ability to stop the
    > AV scans, and run a weekly full system scan) you will have a lot less
    > problems.


    Right. The old F-secure could be turned off easily. The new one
    is far more difficult. Nevertheless, if I am called to a PC where the
    user has deleted F-secure, or turned it off intentionally, and then
    got hacked, I pull his network access until he and his dept head
    have come to understand that it AIN'T gonna happen again, and
    I am not kidding one bit. Now, I'm just at the bottom level of
    defense. These clowns get to discuss it with IT too, and they
    are just as tired of it as I am. And they need to come watch
    F-secure firewall do its thing !!!!!!!!!!!!!!!!!!!!!!!!!

    johns
    johns, Sep 25, 2004
    #3
  4. Leythos Guest

    In article <cj4rmv$2i4q$>, says...
    >
    > > If you are supporting an organization, since you have 1200 users, if
    > > you're not doing web filtering and other blocking at the firewall then
    > > you need to start.

    >
    > We do in the student labs. No problem at all there. So far, we are
    > not allowed ( or at least can't get away with ) doing it for the staff
    > and professors. Oh boy, do I wish we could. At least we have 2
    > levels of email filtering with McAfee at the servers, and heavy
    > spam filtering.


    I just cleaned a house at a local campus - they brought their systems to
    us before we let them connect them to the network. The machines were
    running everything from Win98, ME, XP, 2000, and Mac OS X.

    The ones with McAfee products were more infected than the ones running
    Norton products. Even though the University provides free CA AV to all
    students, those that had it didn't update it. The ones that had Norton
    had expired subscriptions.

    Order of worst to best was:

    Worst: McAfee
    Almost as bad: CA
    Best: Norton 2003 or 2004

    > On each local machine, AV updates are done
    > automatically every few hours, and f-secure runs there. Here's
    > the problem too. No firewall is running at the first layer of servers.
    > Only f-secure is running on our subnet ... and it is showing me
    > bigtime just what a good firewall can tell us. It is solving problems
    > that I was never able to touch before. Now I know who is
    > "doing it", and just what they are doing. The biggest problem


    I found that the computers brought from the kids homes were the least
    infected, the ones returning that had them in the Dorms were the most
    infected.

    > is coming from unrestricted browsing and hacked chat groups
    > like Yahoo, and hacked messenger services. Those are straight
    > shots into our local PCs, but now F-secure is kicking their butts.
    > I cannot praise this piece of software enough. It is just super.
    >
    > > If you enable content blocking, and run AV software (such that the users
    > > don't have to run updates manually, don't have the ability to stop the
    > > AV scans, and run a weekly full system scan) you will have a lot less
    > > problems.

    >
    > Right. The old F-secure could be turned off easily. The new one
    > is far more difficult. Nevertheless, if I am called to a PC where the
    > user has deleted F-secure, or turned it off intentionally, and then
    > got hacked, I pull his network access until he and his dept head
    > have come to understand that it AIN'T gonna happen again, and
    > I am not kidding one bit. Now, I'm just at the bottom level of
    > defense. These clowns get to discuss it with IT too, and they
    > are just as tired of it as I am. And they need to come watch
    > F-secure firewall do its thing !!!!!!!!!!!!!!!!!!!!!!!!!


    We ran all Windows Updates, including SP2 for XP, and forced the Mac
    OS X user to update for the hacks that are out for OS X. We installed
    AVG Free for all people that had McAfee or expired licenses.

    In almost 40 machines we removed over 3000 known viruses and 8000+
    spyware tools. Only 3 machines were clean when brought to us.

    Additionally, every computer had file/printer sharing disabled, under
    XP, SP2 and firewall were enabled, AV set to update every 24 hours and
    full scans to run once per day at 5AM.

    Since the house could not afford a real firewall, we set the NAT device
    to block outbound 135 through 139, 445, 1433-1434, and 2500, both TCP and
    UDP. The router passes all traffic logs to a secured W2K server running
    WallWatcher and emails them to our monitoring site once a day. We also
    set up a secure HTTP service to allow remote access to the logs.

    So far, we've not detected any problem, but those kids sure love AIM :)

    It was interesting to note the levels of infection based on the products
    the kids used - NOT ONE that was using McAfee was registered, so they
    could not get AV Updates. One student had purchased the full suite of
    McAfee tools on-line and failed to understand how to install it - so,
    for 4 months they thought they were protected and in reality had not
    actually installed the update. It took the student more than an hour
    with tech support / customer service to get access to the update and get
    it installed (found 8 viruses after that).

    The CA version of virus scanner is also something that was not set up to
    auto-update; not one of them (about 6) had current updates.

    All but two of the Nortons were running on 1 year old licenses and not
    getting updates, but the kids were aware of it - it was clear to see and
    they told us they were not updating.

    I've always found the Corporate Edition of Symantec AV to be the best in
    our testing. I've always found McAfee to be the worst, and this
    experience just confirms it.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 26, 2004
    #4
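    As an added example (not code from the thread or from any product named in it), here is the outbound block list Leythos describes, modelled in Python and run over constructed NAT log records, which is the kind of review the forwarded WallWatcher logs would get: an internal host that keeps hitting the blocked ports is the signature of a worm or scanner. The LAN subnet, the log line format, and the hit threshold are assumptions.

```python
"""Added example (not from the thread): the outbound-port block list from the
post (TCP/UDP 135-139, 445, 1433-1434, 2500) applied to constructed NAT
flow-log lines, to find internal hosts repeatedly hitting blocked ports."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outbound destination ports to drop, as listed in the post (both TCP and UDP).
BLOCKED_PORT_RANGES = [(135, 139), (445, 445), (1433, 1434), (2500, 2500)]
LAN = ip_network("192.168.1.0/24")  # assumed example subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_blocked_outbound(flow: Flow) -> bool:
    """True when the rule set would drop this flow: it leaves the LAN and
    targets one of the listed ports, whether TCP or UDP."""
    src_in = ip_address(flow.src) in LAN
    dst_in = ip_address(flow.dst) in LAN
    if not (src_in and not dst_in):
        return False  # only outbound traffic is filtered; LAN-internal SMB is fine
    if flow.proto not in ("TCP", "UDP"):
        return False
    return any(lo <= flow.dport <= hi for lo, hi in BLOCKED_PORT_RANGES)


def parse_log_line(line: str) -> Flow:
    """Parse a constructed 'src dst proto dport' log record (assumed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.upper(), int(dport))


def noisy_hosts(lines, threshold: int = 3):
    """Return {src: count} for LAN hosts with at least `threshold` blocked attempts."""
    hits = Counter(f.src for f in map(parse_log_line, lines) if is_blocked_outbound(f))
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample log: one host sweeping external SMB/NetBIOS ports,
# one browsing normally, one single hit on 1434.
SAMPLE_LOG = [
    "192.168.1.20 203.0.113.5 TCP 445",
    "192.168.1.20 203.0.113.6 TCP 445",
    "192.168.1.20 203.0.113.7 TCP 139",
    "192.168.1.20 203.0.113.8 UDP 137",
    "192.168.1.31 198.51.100.9 TCP 80",
    "192.168.1.31 198.51.100.9 TCP 443",
    "192.168.1.31 192.168.1.1 TCP 445",  # LAN-internal file sharing, not filtered
    "192.168.1.44 198.51.100.20 TCP 1434",
]
```

Calling `noisy_hosts(SAMPLE_LOG)` flags only 192.168.1.20; lowering the threshold to 1 also surfaces the single 1434 hit from 192.168.1.44.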
  5. J.S. Jackson Guest

    On Sun, 26 Sep 2004 03:05:56 GMT, Leythos wrote:

    [...]

    > I've always found the Corporate Edition of Symantec AV to be the best in
    > our testing. I've always found McAfee to be the worst, and this
    > experience just confirms it.


    [...]


    Interesting read, especially since the majority of posters seem to be
    really down talking Symantec products, in general. Thanks for all that
    info.


    J.S. Jackson, Sep 26, 2004
    #5
  6. andy smart Guest

    johns wrote:


    > We do in the student labs. No problem at all there. So far, we are
    > not allowed ( or at least can't get away with ) doing it for the staff
    > and professors. Oh boy, do I wish we could.


    Go and explain the problems and the possible consequences to the school
    authorities. We make ALL our staff (right up to the headteacher)
    sign a use agreement and we filter their access. We've had no problems.

    Think in the wider context; explain to the school what the consequences
    will be TO THEM if one of their staff does something illegal that they
    forbade you to take action to prevent...
    andy smart, Sep 26, 2004
    #6
  7. Leythos Guest

    In article <>,
    ks says...
    > On Sun, 26 Sep 2004 03:05:56 GMT, Leythos wrote:
    >
    > [...]
    >
    > > I've always found the Corporate Edition of Symantec AV to be the best in
    > > our testing. I've always found McAfee to be the worst, and this
    > > experience just confirms it.

    >
    > [...]
    >
    > Interesting read, especially since the majority of posters seem to be
    > really down talking Symantec products, in general. Thanks for all that
    > info.


    Like most things in Usenet you generally only see posts from people that
    have a problem with something. Most of the people we've run across using
    McAfee products don't even know they are installed on their systems,
    don't think there is more to the Internet than the web, and none of them
    know what Usenet is.

    I myself can understand the displeasure with Symantec, actually Norton
    products - they started doing suites instead of sticking with something
    they do well. I see people having problems with NIS all the time, but
    it's usually because they don't understand the product, already had a
    problem with their system or are running a half-baked system on Windows
    XP with 128MB of RAM (any XP system should have a Min of 256MB
    installed, and a min of 512MB for heavy system users).

    It really was an eye-opener for us. Next year we get to do the same
    place, only 90+ systems. We're already getting calls from places that
    the ISP is threatening to shut them down due to virus activity (which is
    how we got this job last year).

    It's interesting to see how few organizations install some form of
    monitor, don't disable file/printer sharing, don't mandate updated (with
    a current license) AV software, don't run PFWs on their local
    computers, etc... Sure, in a corp environment we could mandate this and
    have the IT staff to force it, but you would think that with all the
    news about viruses and spyware that organizations would be looking at it
    too.


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 26, 2004
    #7
  8. johns Guest


    > Think in the wider context; explain to the school what the consequences
    > will be TO THEM


    My favorite one of the year was the FBI at that school in Colorado.
    2nd was that judge who ordered all the Indian rez servers to
    be turned off .. period!

    johns
    johns, Sep 26, 2004
    #8
  9. Peter Houppermans Guest

    Having read this whole thread it strikes me that you consider a firewall the
    core of your defence. I have news for you - that only works if you don't
    actually have any users ;-(. You have what is known as 'brittle' security,
    in your case 'hard shell, soft centre'. Or, to close the text book, you
    lack defence in depth and are exposed to insider threat (your users ;-).

    As soon as they go and surf, email or otherwise use the Internet they will
    be exposed to all the wonderful stuff MS lets you download without the
    slightest warning (auto-install, for instance), newly developed hacks (the
    jpeg issue is but one of many) and plain vanilla social engineering ("click
    here to get <desktop gadget>").

    See if you can get them at least to accept using the web when logged in as a
    'regular' user instead of with admin rights, that will offer a small degree
    of containment. I'd also recommend avoiding IE where possible as a lot of
    BHOs can offer a nice route into the users' desktop (Spybot Search &
    Destroy is your friend here). Use Firefox where possible, and while you're
    at it you may want to rethink using Outlook (Express as well as 'regular').
    If you absolutely have to, at least make sure preview is disabled as that
    forces any HTML email to be rendered (and thus any stuff inside to be
    executed). To give you an idea how clever preview is, imagine what happens
    when you want to delete an email you KNOW has dodgy stuff in. You
    highlight it to delete it - and it then executes it. Duh.

    As for introducing a firewall, get a Linux box or something (i.e. grab an
    older desktop and add an extra network card) and sell it to your staff as a
    'proxy' - all of them looking at Dilbert means it'll only hit your
    bandwidth once. A bit of social engineering helps ;-).

    Oh, btw, if you want to spot any resident virus infections quickly, install
    a tool called 'Etherape' on a machine that runs Linux. You'll spot an
    infection as it will broadcast - it's quite well visible with Etherape (I
    used it to detox a 30k global network where nobody had ever heard about
    containment, planning and segmentation. Arrgh ;-).

    Good luck.
    --

    Regards, /// Peter ///


    (remove animals from signature first)
    Peter Houppermans, Sep 29, 2004
    #9
  10. Leythos Guest

    In article <415ac45e$0$92131$>,
    says...
    > Having read this whole thread it strikes me that you consider a firewall the
    > core of your defence. I have news for you - that only works if you don't
    > actually have any users ;-(. You have what is known as 'brittle' security,
    > in your case 'hard shell, soft centre'. Or, to close the text book, you
    > lack defence in depth and are exposed to insider threat (your users ;-).


    It would be nice if you would at least quote part of the message you are
    replying to so that we know who "You" is.

    As for the firewall, it is the Core, but that does not mean that it's
    the only security measure, it's just the first point and the main
    entrance.

    > As soon as they go and surf, email or otherwise use the Internet they will
    > be exposed to all the wonderful stuff MS lets you download without the
    > slightest warning (auto-install, for instance), newly developed hacks (the
    > jpeg issue is but one of many) and plain vanilla social engineering ("click
    > here to get <desktop gadget>").


    Actually, a quality firewall can filter ALL of those things out of web
    pages, can remove things you don't want the users to access (within the
    page) and make life a lot safer for the entire org.

    While I agree that you have to educate users, it's not going to cut it.
    The role of IT Security is to eliminate the chance that people can do
    bad things to the network and yet still remain productive - which means
    that most people don't even need access to the internet at work.


    --
    --

    (Remove 999 to reply to me)
    Leythos, Sep 29, 2004
    #10
