firewall not warning me?

djc

Jun 16, 2004
Archived from groups: microsoft.public.windowsxp.security_admin

what am I missing here? I have an xp pro sp2 machine with the firewall
turned on and only the remote assistance exception active. The check box IS
checked to "Display a notification when windows firewall blocks a program".
However I can port scan this box using very 'loud' methods and it does not
notify me at all? I tried to connect to it via several ways and although all
failed, as they should have, I was never notified?

what am I missing?

1) is this 'notify' feature not for inbound traffic? maybe only outbound?
2) Does the xp sp2 firewall even block any outbound traffic?

any input would be greatly appreciated. Thanks.
 

Rich

Mar 31, 2004

that feature only warns of out-bound connections and silently blocks
unauthorized inbound. What do you want for free?!:) There is no active
intrusion detection feature.

 

djc

Jun 16, 2004

ok. good to know. Thank you.

 

> that feature only warns of out-bound connections

No, it does not. The Windows firewall allows all outbound connections without
any prompts. We have found in some pretty extensive testing that outbound
protection is not a security feature. Users will always answer "yes" and
pay no attention to what the firewall is asking. Furthermore, it's trivial
for a trojan to simply wait for an authorized outbound connection and ride
atop it.

Windows Firewall will raise a dialog when a program on your PC wants to *listen*
on a port for incoming connections. When it sees this happen, the firewall
will ask if you want to let this program accept incoming connections.

Steve Riley
steriley@microsoft.com



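Because the firewall drops unsolicited inbound traffic without any popup, the only record of a scan like the one djc ran is the firewall's own log (the Security Logging settings on the firewall's Advanced tab, with "Log dropped packets" enabled). The following is an added example, not code from the thread or from Microsoft: a small Python parser for that log that groups dropped inbound packets by source address and flags sources that touched several distinct ports within a short window. The log lines are constructed, and the column layout is assumed to match the `#Fields` header the XP SP2 firewall writes (the parser reads that header rather than hardcoding column positions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C-style layout XP SP2's pfirewall.log uses;
# column order is read from the #Fields header rather than hardcoded.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-16 13:05:01 DROP TCP 192.168.1.20 192.168.1.10 3456 135 48 S 1234567 0 65535 - - - RECEIVE
2004-06-16 13:05:01 DROP TCP 192.168.1.20 192.168.1.10 3457 139 48 S 1234568 0 65535 - - - RECEIVE
2004-06-16 13:05:02 DROP TCP 192.168.1.20 192.168.1.10 3458 445 48 S 1234569 0 65535 - - - RECEIVE
2004-06-16 13:05:02 DROP TCP 192.168.1.20 192.168.1.10 3459 3389 48 S 1234570 0 65535 - - - RECEIVE
2004-06-16 13:05:03 DROP UDP 192.168.1.20 192.168.1.10 3460 137 78 - - - - - - - RECEIVE
2004-06-16 13:07:30 OPEN TCP 192.168.1.10 10.0.0.5 1040 80 0 - 0 0 0 - - - -
2004-06-16 13:09:00 DROP TCP 192.168.1.77 192.168.1.10 51000 80 48 S 2233445 0 65535 - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def find_scans(text, min_ports=4, window=timedelta(seconds=10)):
    """Map src-ip -> sorted distinct dst-ports for sources whose dropped
    inbound packets touched >= min_ports distinct ports within `window`."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue  # only silently dropped inbound traffic is of interest
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits[rec["src-ip"]].append((ts, int(rec["dst-port"])))
    scans = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans

if __name__ == "__main__":
    for src, ports in find_scans(SAMPLE_LOG).items():
        print(f"probable scan from {src}: ports {ports}")
```

Point it at %windir%\pfirewall.log on the real machine and the single legitimate OPEN line and the lone 192.168.1.77 probe are ignored while the multi-port burst is reported.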
 

Steve Riley [MSFT] wrote:

> We have found in some pretty extensive testing that
> outbound protection is not a security feature.

You can't possibly be serious! That has got to be one of the stupidest
ideas I've ever heard.

> Users will always answer
> "yes" and pay no attention to what the firewall is asking.

Not so. Only the most foolish and/or uninformed of users (I'll grant
that there are a great many of them, though) would do this. Witness the
number of people who post to these newsgroups asking if they should
allow various applications to transmit.

> Furthermore,
> it's trivial for a trojan to simply wait for an authorized outbound
> connection and ride atop it.
>

So Microsoft's official position is that it's impossible to secure a
computer, so there's no point in trying? I don't believe this.



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

>> We have found in some pretty extensive testing that outbound
>> protection is not a security feature.
>>
> You can't possibly be serious! That has got to be one of the
> stupidest ideas I've ever heard.

There is a difference between a security mitigation and policy enforcement.
Policy enforcement -- preventing traffic -- is better handled elsewhere,
with ACLs or SRPs.

>> Users will always answer "yes" and pay no attention to what the
>> firewall is asking.
>>
> Not so. Only the most foolish and/or uninformed of users (I'll grant
> that there are a great many of them, though) would do this. Witness
> the number of people who post to these newsgroups asking if they
> should allow various applications to transmit.

The number of people who post to this newsgroup is an extremely small subset
of the total number of people on the planet who use Windows -- indeed it's
even smaller than our user sample size. Do you seriously believe I would
make this up? The vast majority of people will behave exactly as I've described.
When the choice is between watching DancingPigs.exe or being secure, people
will choose the dancing pigs every time.

>> Furthermore, it's trivial for a trojan to simply wait for an
>> authorized outbound connection and ride atop it.
>>
> So Microsoft's official position is that it's impossible to secure a
> computer, so there's no point in trying? I don't believe this.

Neither I nor Microsoft have ever made such an assertion. Outbound blocking
on a firewall is not a security feature because it is easy for users or trojans
to bypass. The lack of outbound protection on a firewall does not mean that
we don't care about securing a computer -- on the contrary, it means we care
about the *right* way to secure a computer, and in our view there are more
appropriate ways of preventing malware from wreaking havoc.


Steve Riley
steriley@microsoft.com