PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP
MICROSOFT FINALLY GETS IT!!
Three cheers for Microsoft. They have finally addressed security issues with some decent products included within the XP OS. Of course if you are running Win98, ME, Win2K, you are left out. There is probably no hope of back-porting this technology into these products. So if you don't want to switch to XP, just make sure you have a third-party firewall product on your PC, and you follow all the safe computing practices discussed elsewhere here.
I hope to develop this page a little more fully, but initial impressions about the security additions to XP SP2:
1. The "firewall" default setting is "on" to automatically block incoming TCP connections and unsolicited inbound UDP. I think there are a few exceptions, which are set based on your existing running services - I need to study this further. There is quite a bit of fine tuning which can be done on the "Windows Firewall," but alas, it can be very confusing!!
2. The Security Center attempts to verify that you have an antivirus product running. It will monitor the fact that you do have a product, or that you do not have a product, and continually pester you until you tell it to go away, or you get an antivirus product. It does not appear to work very well with Norton antivirus, at this writing. You have to go into the preferences and tell it you have an antivirus.
3. The Security Center alerts you to the importance of updating Microsoft Windows and tries to get you to set up automatic updates.
4. ICMP echo response is automatically disabled. That means that nobody can actually ping you from the Internet, or from your local home network for that matter. Now this is actually a good thing if you want to be "stealth" on the Internet. See the troubleshooting section for some guidance.... See below for why this could be annoying as well.
5. IE automatically blocks popups, and provides a utility for managing them. I suspect vendors will be figuring out ways around this - I already see it happening for a few sites.
6. There is a "don't allow exceptions" in the firewall tab, which is very useful to enable in very untrustworthy environments, like using wireless in public settings. Every incoming TCP connect attempt is simply silently blocked. This is the equivalent to turning on ICF, prior to XP SP2, if this was the only firewall on the PC.
7. Whenever you attempt to open a file, the security center pops up a window [XP doesn't block their own popups..... :-)] and warns you against doing this. I guess this is a good thing, in the grand scheme of things, if you don't know what the hell you are doing.
8. In OE, html email gets sent as an attachment also, wherein the user can open the attachment if he trusts the sender. "OE will now automatically block images from people not in your address book."
9. There is actually a wireless "wizard" which will step you through the proper procedures to set up a secure wireless network, including WPA!!
1. Microsoft still abuses the term "firewall," because this "firewall" is only a simple incoming port blocker, although it has much more control than the former "ICF." The control of the Windows firewall is actually very confusing. The clueless user will now have to worry about different network connections, "local (home or trusted)" networks as well as Internet (untrusted) networks. There is no use of the terms "trusted" and "untrusted", used by ZA, which may have helped. See the discussion here for some clarification on this issue. Microsoft's attempt to explain is here.
2. The "firewall" of course does not monitor outbound TCP connection attempts. Because of this, you may want to seriously consider disabling the Windows firewall and relying on your trusty ZoneAlarm, or other similar product. You should really be watching for outbound TCP connection attempts which indicate the presence of trojans, etc.
3. Spyware seems not to be addressed anywhere. You will still need to do your antispyware techniques.
4. Response to Ping [ICMP echo response] is blocked by default. This can be a pain if you need it for debugging. In the presence of a good firewall, and a dynamic IP address service, ping response should probably be enabled just for the myriad debugging chores you may be doing.
5. Antivirus measures are still left up to you, and too often you just ignore this vital chore! One of these days the antivirus technology will be included with the OS technology, with an on-line technique to keep up with the latest virus outbreaks and the accompanying Windows vulnerabilities which they are usually trying to exploit.
6. There doesn't seem to be any way to set up trusted zones [this is not the trusted hosts you set up in IE], like you can do with most of the popular third party firewalls. I do see that there is a way to turn on individual services like FTP, HTTP on each of the adapters. But I don't see a "blanket trust" capability on an adapter or an IP address range.
7. Until I understand it better, I will warn that the firewall seems to make certain exceptions to turning on the firewall. I am not sure when the security decides to enable these exceptions. I need to understand this further! I see that UPnP is one of the exceptions on one of my PCs in which UPnP is enabled, as well as Windows messenger and remote assistance. I am not sure why these are listed yet, because these programs tend to be clients and not services which are listening on ports.
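Item 2 above notes that the Windows firewall does not watch outbound TCP connections. The following is an added example, not part of the original page: a small Python script that reads `netstat -ano` output and lists, per process ID, the connections this PC opened to addresses outside the home network. The `HOME_NET` subnet and the sample output are constructed assumptions; paste in your own `netstat -ano` text and match the PIDs against Task Manager.

```python
import ipaddress
from collections import defaultdict

# Assumption: the home LAN you trust; adjust to your own subnet.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of `netstat -ano` output, not captured from a real PC.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       192.168.1.31:1029      ESTABLISHED     4
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED     1480
  TCP    192.168.1.20:1051      203.0.113.45:6667      ESTABLISHED     2216
  TCP    192.168.1.20:1060      198.51.100.7:80        SYN_SENT        2216
  UDP    0.0.0.0:1900           *:*                                    1104
"""

def parse_tcp(text):
    """Return one dict per TCP row; UDP rows and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue
        lport = int(f[1].rsplit(":", 1)[1])
        rhost, rport = f[2].rsplit(":", 1)
        rows.append({"lport": lport, "remote": rhost, "rport": int(rport),
                     "state": f[3], "pid": int(f[4])})
    return rows

def outbound_by_pid(text, home_net=HOME_NET):
    """Map PID -> remote endpoints outside home_net that this PC connected out to."""
    rows = parse_tcp(text)
    listeners = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    found = defaultdict(list)
    for r in rows:
        if r["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if r["lport"] in listeners:  # a peer connected in to a local service
            continue
        addr = ipaddress.ip_address(r["remote"])
        if addr.is_loopback or addr in home_net:
            continue
        found[r["pid"]].append(f'{r["remote"]}:{r["rport"]}')
    return dict(found)

if __name__ == "__main__":
    for pid, peers in outbound_by_pid(SAMPLE).items():
        print(pid, peers)
```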
If you are already operating behind a NAT/router and you have antivirus and antispyware techniques installed, and are running a third party firewall, the benefits of going to SP2 and its security additions are questionable. But it looks like you will have to go ahead with this SP2 update and just turn off those portions you deem unnecessary or redundant. You should probably install it just to get acquainted with its capabilities so you can help all your friends and neighbors who will be bugging you!
Go ahead and turn the firewall off to start with (as long as you are protected otherwise), and then when you feel more confident, turn it on, and start to fine tune it. Believe me, you will have to do this.....
If you are not operating behind a NAT/router, you should be ashamed, especially if you do not have ICF enabled. But in this case you certainly want all the security features found in SP2. If you have just acquired your new PC with XP, you should definitely download the SP2 and enable the security measures, especially if you are on simple dialup, or behind a cable modem [make sure ICF is on before you go onto the Internet!].
If you already have a network environment in your home, you may find that you have to disable the firewall in order to do all the normal Windows file sharing. The Windows firewall does not seem to have the ability to set trusted zones, which come in very handy for your home network, or if you are using the PC on the Internet, but you still want to open the PC up to a subnet you trust.
You might want to turn off your antivirus, your third party firewall, and any other extra goodie you have running at startup. I have personally experienced on my laptop a personal hell trying to get XP SP2 to install. The easiest way is to run "msconfig" and uncheck everything under the startup tab. Once SP2 is all installed you can go back in and turn everything on .......hopefully.
And if you are on dialup, for heaven's sake go to Microsoft and order the CD!
Microsoft reference for XP SP2:
Great Reference for XP SP2:
XP SP2 problem solver:
Copyright John D Loop Saturday June 25, 2005