Network Security: How can I protect myself from infected computers in the network?
connect4
September 7th, 2008, 10:54 PM
I started a thread many months ago and learned a great deal about Firewall security regarding threats *Outside of the network.
http://www.wilderssecurity.com/showthread.php?t=209913
I then came across this thread / post that raised a few new questions:
http://www.wilderssecurity.com/showpost.php?p=1120662&postcount=7
-{ Quote: "
Why? Well let's take Comodo Firewall Pro, the most leaktest obsessed firewall on the planet. Yet if you go to Security>Define a new trusted network, all traffic from the IP range specified will be allowed! Yet for a home network you only need ports 135, 137, 138, 139 and 445 open. What this means is that if another computer on your network is compromised with a worm it can easily compromise any computer running Comodo as it allows any traffic (good/bad) from a trusted network.
" }-
I then realized I still had no clue when it came to network security.
So from this post Dmenace says that if you are on a Network, and one of the computers is infected, you can become infected from that computer without proper firewall settings.
Question #1: How exactly would malware on a separate computer affect *your computer that is connected to the same network?
I've learned in my earlier thread that *vulnerabilities (ports) are only in the programs/services that use them. So I'm assuming that the only way malware can infect your computer is exploiting a vulnerable program/system/application that uses a certain port # for file sharing or network use.
Question #2: So how could I protect myself from this vulnerability besides using a software firewall:
Is there a way to configure my network setting that would protect my computer from "network malware"?
Question #3: What about file sharing?
Does File sharing have anything to do with this security vulnerability? I wouldn't want to turn off this feature because it's very useful. However, I wouldn't mind making the setting more secure if it's possible.
Question #4: Would running a Limited User Account "protect me" from that sort of network threat?
http://www.wilderssecurity.com/showthread.php?t=196737
I'd really appreciate if anyone can help answer some of my questions! and that includes you Dmenace, thanks :)
jrmhng
September 7th, 2008, 11:47 PM
The problem highlighted is that most firewalls treat Ethernet and wireless LAN as trusted networks. This means that if you have file and printer sharing, the firewall will have the relevant ports open to the local LAN.
Regarding question 1, because these ports are open to the local LAN and there is an unpatched vulnerability for the services on the open ports, a compromised computer on the LAN will be able to infect you where a compromised computer on the internet wouldn't.
Regarding question 2, disable printer and file sharing and network discovery.
Not sure about 3 and 4.
Fajo
September 8th, 2008, 12:26 AM
-{ Quote: "The problem highlighted is that most firewalls treat Ethernet and wireless LAN as trusted networks. This means that if you have file and printer sharing, the firewall will have the relevant ports open to the local LAN.
Regarding question 1, because these ports are open to the local LAN and there is an unpatched vulnerability for the services on the open ports, a compromised computer on the LAN will be able to infect you where a compromised computer on the internet wouldn't.
Regarding question 2, disable printer and file sharing and network discovery.
Not sure about 3 and 4." }-
Would being behind a Router/Hardware firewall stop this vulnerability?
Because it would never go farther than your router. So you could have file and printer sharing on without any worry because it stops at the router, if I'm correct.
jrmhng
September 8th, 2008, 07:29 AM
-{ Quote: "Would being behind a Router/Hardware firewall stop this vulnerability?
Because it would never go farther than your router. So you could have file and printer sharing on without any worry because it stops at the router, if I'm correct." }-
The premise of the original question is that you have an infected computer behind a router with the computer you are using.
Let me take an example. You are using ZA. Have a look at the Zones. Your lan (wired or wireless) will be automatically trusted. If
a) on your computer, file/printer sharing and network discovery is allowed by default in the trusted network/zone
b) you have another computer in the trusted network/zone that has a worm that exploits vulnerabilities in file/printer sharing and network discovery and
c) your computer has a vulnerable version of file/printer sharing and network discovery services turned on
Your computer will be infected by the worm.
Note that if the worm is on a computer on the internet (which defaults to an untrusted zone/network in most firewalls), it won’t infect you because the firewall will block it.
tetsuo55
September 8th, 2008, 07:43 AM
So basically the home network should be as untrusted as the web.
LAN features that you plan to use should be allowed on a per-feature basis on both machines.
I have been thinking about this over at Comodo.
Combined rules defence+/firewall could:
1. Allow shared network use.
2. Prevent possible exploits from being used.
connect4
September 10th, 2008, 12:52 PM
Thanks for the response Huangker!
-{ Quote: "The problem highlighted is that most firewalls treat Ethernet and wireless LAN as trusted networks. This means that if you have file and printer sharing, the firewall will have the relevant ports open to the local LAN.
Regarding question 1, because these ports are open to the local LAN and there is an unpatched vulnerability for the services on the open ports, a compromised computer on the LAN will be able to infect you where a compromised computer on the internet wouldn't.
Regarding question 2, disable printer and file sharing and network discovery.
Not sure about 3 and 4." }-
So you're saying that the only network vulnerability is through the Microsoft File & Printer Sharing Service.
And that if I turn off File & Printer Sharing Services & Network Discovery my computer would be safe from network vulnerabilities. So this would mean that connecting to a network is safe, as long as the software is safe. And Microsoft's File & Sharing Software is vulnerable.
Questions:
Is this correct?
Are there any other significant network vulnerabilities?
If the above is correct, I can assume that the source / root of the network vulnerability is in the Microsoft File & Sharing Service & The solution is turning it off. But this leads me to ask the following question...
Sharing Files & Printer on a Network Safely & Securely, is it possible?
So I found a section on GRC's website that explains what you said about turning off file sharing. It actually explains the process in step by step details:
http://www.grc.com/su-fixit.htm
However, they also had 2 pages that explained how to *Secure your setting so that you can share Files on a network safely:
http://www.grc.com/su-bondage.htm
The problem is that the articles seem to have been written before Windows XP came out, and they only have instructions for Windows 95/98 and Windows NT:
I am using Windows XP: and I tried to use the Windows NT Instructions without success because they are very different from Windows XP.
http://www.grc.com/su-rebindingnt.htm
Questions:
Do the same security principles *still apply towards Windows XP?
Are there updated instructions for Windows XP?
Is there another way to make File Sharing safe for Windows XP?
Fajo
September 10th, 2008, 03:32 PM
-{ Quote: "Thanks for the response Huangker!
So you're saying that the only network vulnerability is through the Microsoft File & Printer Sharing Service.
And that if I turn off File & Printer Sharing Services & Network Discovery my computer would be safe from network vulnerabilities. So this would mean that connecting to a network is safe, as long as the software is safe. And Microsoft's File & Sharing Software is vulnerable.
Questions:
Is this correct?
Are there any other significant network vulnerabilities?
If the above is correct, I can assume that the source / root of the network vulnerability is in the Microsoft File & Sharing Service & The solution is turning it off. But this leads me to ask the following question...
Sharing Files & Printer on a Network Safely & Securely, is it possible?
So I found a section on GRC's website that explains what you said about turning off file sharing. It actually explains the process in step by step details:
http://www.grc.com/su-fixit.htm
However, they also had 2 pages that explained how to *Secure your setting so that you can share Files on a network safely:
http://www.grc.com/su-bondage.htm
The problem is that the articles seem to have been written before Windows XP came out, and they only have instructions for Windows 95/98 and Windows NT:
I am using Windows XP: and I tried to use the Windows NT Instructions without success because they are very different from Windows XP.
http://www.grc.com/su-rebindingnt.htm
Questions:
Do the same security principles *still apply towards Windows XP?
Are there updated instructions for Windows XP?
Is there another way to make File Sharing safe for Windows XP?" }-
Buy a router with a firewall/NAT. Problem solved: you can share all day long and the outside world can't see anything but the router.
connect4
September 10th, 2008, 05:14 PM
-{ Quote: "Buy a router with a firewall/NAT. Problem solved: you can share all day long and the outside world can't see anything but the router." }-
I think we're talking about two different things. Are you talking about External Protection using a Router? I am already familiar with how using a Router will protect from external vulnerabilities. I am talking about *Internal Protection within the network.
And besides EVEN IF Using a router will help protect me from inside threats,:
I am trying to fix the *Root of the problem, which is figure out How exactly to secure my file & printer sharing configuration. And NOT Rely on Firewall protection whether it is software or physical.
For example, I'd rather "combat" Mal-Ware through setting up a Limited User Account Environment, rather than rely on commercial anti-virus software. (Although I personally use both.)
So thank you for your post Fajo, although it's not the solution I am looking for. I am looking for something that protects me by changing the File Sharing and Printer Configuration as the GRC Website explains. Except I am looking for instructions that would apply to Windows XP:
http://www.grc.com/su-bondage.htm
jrmhng
September 10th, 2008, 08:24 PM
-{ Quote: "
So you're saying that the only network vulnerability is through the Microsoft File & Printer Sharing Service.
And that if I turn off File & Printer Sharing Services & Network Discovery my computer would be safe from network vulnerabilities. So this would mean that connecting to a network is safe, as long as the software is safe. And Microsoft's File & Sharing Software is vulnerable.
Questions:
Is this correct?
Are there any other significant network vulnerabilities?
" }-
If you aren't running any other services then yes. However if your computer is running another service like VNC and it is vulnerable and your firewall allows it by default in your trusted network then it is subject to everything else we said before about a compromised computer inside your network.
-{ Quote: "
Sharing Files & Printer on a Network Safely & Securely, is it possible?
" }-
If currently there are no unpatched vulnerabilities with these Windows services then it is safe to run these in your LAN. The only risk is zero days.
-{ Quote: "
Questions:
Do the same security principles *still apply towards Windows XP?
Are there updated instructions for Windows XP?
Is there another way to make File Sharing safe for Windows XP?" }-
http://www.ehow.com/how_2169456_off-file-sharing-windows-xp.html
-{ Quote: "Buy a router with a firewall/NAT. Problem solved: you can share all day long and the outside world can't see anything but the router." }-
We are talking about internal networks ALREADY BEHIND A NAT.
Escalader
September 11th, 2008, 09:41 AM
-{ Quote: "I think we're talking about two different things. Are you talking about External Protection using a Router? I am already familiar with how using a Router will protect from external vulnerabilities. I am talking about *Internal Protection within the network.
And besides EVEN IF Using a router will help protect me from inside threats,:
I am trying to fix the *Root of the problem, which is figure out How exactly to secure my file & printer sharing configuration. And NOT Rely on Firewall protection whether it is software or physical.
For example, I'd rather "combat" Mal-Ware through setting up a Limited User Account Environment, rather than rely on commercial anti-virus software. (Although I personally use both.)
So thank you for your post Fajo, although it's not the solution I am looking for. I am looking for something that protects me by changing the File Sharing and Printer Configuration as the GRC Website explains. Except I am looking for instructions that would apply to Windows XP:
http://www.grc.com/su-bondage.htm" }-
One step that you could look into would be hardening your basic windows xp settings and disabling the windows services your set up doesn't need.
Check out Harden-it ( free) and Blackvipers site for secure settings for windows services. The main one to disable is the service for netbios if you do nothing else here is the service name I have under xp sp3
TCP/IP NetBIOS Helper
I hate file sharing, if you want to share a file send it to me as an attachment so I can pass it through my layered defense ( AV, ASW etc)
As to the PC's you live with behind your router, my advice is use a FW that lets you untrust or block all of them. But really if you don't trust them, eject them from that position in your set up and make them connect to the router so the router gives you coverage.
Many here might not like what I'm saying but there it is none the less, hope it helps you.
connect4
September 12th, 2008, 01:11 PM
-{ Quote: "One step that you could look into would be hardening your basic windows xp settings and disabling the windows services your set up doesn't need.
Check out Harden-it ( free) and Blackvipers site for secure settings for windows services. The main one to disable is the service for netbios if you do nothing else here is the service name I have under xp sp3
TCP/IP NetBIOS Helper
" }-
Disabling TCP/IP NetBIOS Helper. Is that the equivalent of going to Network Connections => Local Area Network Properties and Uninstalling "File & Printer Sharing?"
What's the difference between the two areas?
How do I know which services are network related // network vulnerable?
connect4
September 12th, 2008, 01:54 PM
-{ Quote: "If you aren't running any other services then yes. However if your computer is running another service like VNC and it is vulnerable and your firewall allows it by default in your trusted network then it is subject to everything else we said before about a compromised computer inside your network. If currently there are no unpatched vulnerabilities with these Windows services then it is safe to run these in your LAN. The only risk is zero days. " }-
Are you talking about the services listed under "Control Panel" -> "Administrative Tools" -> "Services":
What's listed there are about 50+ Services and it looks like I have about 25+ running: (For Example: Automatic Updates, Application Layer Gateway Service, etc etc.)
I don't see VNC anywhere so I'm assuming I don't have that service.
Are these the services you're talking about?
Should I Only be worried about the services that are *Related to Networking?
-{ Quote: "
http://www.ehow.com/how_2169456_off-file-sharing-windows-xp.html
" }-
Thanks for the link Huangker, although I am already familiar with how to turn off file sharing.
I was actually looking for the instructions on how to "*Rebind Windows network components" For Windows XP.
(Which is supposedly how you make file & printer sharing more secure)
The GRC ShieldsUp website article explains this process *Only for Windows 95/98 and Windows NT which doesn't work for Windows XP:
http://www.grc.com/su-bondage.htm
Are you familiar with this process?
Would you know how I can set this up for Windows XP?
And I just thought about another thing: what about...
The Reversal: Turning off File & Printer sharing *On the computer that is infected
For Example: What if you just turned off file & printer sharing *On the computer that is infected with the mal-ware / virus. *Even if this computer was connected to the network, could it still infect the other computers? (Regardless of whether the other computers have file sharing on or off)
Escalader
September 12th, 2008, 05:42 PM
-{ Quote: "Disabling TCP/IP NetBIOS Helper. Is that the equivalent of going to Network Connections => Local Area Network Properties and Uninstalling "File & Printer Sharing?"
What's the difference between the two areas?
How do I know which services are network related // network vulnerable?" }-
No it's not the same. You need to do both steps, windows has a nasty habit of activating services you don't want to run.
To get reliable answers on the services use:
http://www.blackviper.com/WinXP/Services
Be very careful at first and turn services to manual first before disabling them. Then reboot, and see after some use if Windows has started any of them for your setup. If so, don't disable; leave them manual or set to automatic. If they are NOT started up then disable them. The next day do another.
connect4
September 13th, 2008, 05:12 PM
-{ Quote: "No it's not the same. You need to do both steps, windows has a nasty habit of activating services you don't want to run.
To get reliable answers on the services use:
http://www.blackviper.com/WinXP/Services
Be very careful at first and turn services to manual first before disabling them. Then reboot, and see after some use if Windows has started any of them for your setup. If so, don't disable; leave them manual or set to automatic. If they are NOT started up then disable them. The next day do another." }-
Thanks for the link Escalader! I've written a summary and let me know what you think and if it's accurate or not:
Summary of "In-House Network Security"
Going back to the original question regarding infected computers on a network:
Summary of ways you can protect yourself:
1. Turn off file sharing through Network Connection Properties // Local Area Network Properties
Disable:
A. Client for Microsoft Network
B. File and Printer Sharing for Microsoft Networks
Questions
Should I also disable Qos Packet Scheduler & Network Monitor Driver?
2. Turn off services through Control Panel => Admin Tools => Services (Especially TCP/IP NetBIOS Helper)
3. Turn off Automatic Network Discovery
More Questions:
Is there anything else I should disable or re-configure to protect myself from network vulnerabilities?
What if you Quarantined the infected computer?
For example what if you turned off File & Printer sharing *On the computer that is infected. Would this quarantine the infected computer from infecting the other computers on the network?
connect4
September 18th, 2008, 01:06 AM
Hmmm, does anyone have any ideas?...
Escalader? Huangker?...
Troy45
September 19th, 2008, 12:47 PM
Maybe use 2 routers. Put all unsecure computers on your 1st router and then hook your main computer behind a 2nd router.
http://www.broadbandreports.com/forum/sharing
Fajo
September 19th, 2008, 01:05 PM
-{ Quote: "Maybe use 2 routers.
http://www.broadbandreports.com/forum/sharing" }-
ROFL that would solve the problem. ;D Put one computer on its own and the other on its own. Voila, no chance of them infecting one another. :o
Troy45
September 19th, 2008, 01:18 PM
-{ Quote: "ROFL that would solve the problem. ;D Put one computer on its own and the other on its own. Voila, no chance of them infecting one another. :o" }-
Yes I have read about this a long time ago on broadbandreports but I have never tried it. If it works it wouldn't be that expensive. Routers are so cheap now.
Fajo
September 19th, 2008, 01:35 PM
-{ Quote: "Yes I have read about this a long time ago on broadbandreports but I have never tried it. If it works it wouldn't be that expensive. Routers are so cheap now." }-
Most of the time your ISP will send you one for free if you just ask. I have gotten 4 from them over the past few years. lol they give them away like candy.
jrmhng
October 3rd, 2008, 03:18 PM
To be completely frank, this probably isn't the biggest risk to your computer. The easiest solution is just to set your LAN as an untrusted network in your firewall.
fax
October 3rd, 2008, 03:42 PM
-{ Quote: "The premise of the original question is that you have an infected computer behind a router with the computer you are using.
Let me take an example. You are using ZA. Have a look at the Zones. Your lan (wired or wireless) will be automatically trusted. " }-
Uhhm... Not really. ZA does not trust automatically the LAN. It will ask you (in XP) and set the LAN as internet in VISTA.
In case of infested LAN just allow single IP (e.g. printer) and not the LAN.
This should mitigate some of the attacks.
Cheers,
Fax
jrmhng
October 4th, 2008, 09:29 AM
-{ Quote: "Uhhm... Not really. ZA does not trust automatically the LAN. It will ask you (in XP) and set the LAN as internet in VISTA.
In case of infested LAN just allow single IP (e.g. printer) and not the LAN.
This should mitigate some of the attacks.
Cheers,
Fax" }-
Oh good. That should be the default behavior of other firewalls too.
dmenace
October 7th, 2008, 09:41 PM
My apologies for being late to reply.
Basically the above replies are spot on - hardening and updating windows with the latest patches is the way to go to protect yourself from infected computers on a network.
Most software firewalls can be customised extensively as well using rules. This is where my original post fits in - create rules to allow only things you require and block everything else rather than trust everything on home lan by default (comodo).
Of course to stop a truly zero-day worm you will need a HIPS (that blocks unknown executables from running). But these worms are not common nowadays with the many updates and patches released by MS.
edit: typo
Arup
October 7th, 2008, 11:23 PM
I was on a WAN internet for a while, all the other PCs were infected and my Avira would be doing heavy duty work to keep them at bay. I hid my PC from others on LAN with a command prompt as well as blocked all other sub nets except for mine with Windows firewall. I depended on Avira to keep me clean and thankfully it did till I could go on proper broadband behind a router.
connect4
October 10th, 2008, 09:01 PM
Thanks for the replies everyone. Helpful posts.
-{ Quote: "My apologies for being late to reply.
Basically the above replies are spot on - hardening and updating windows with the latest patches is the way to go to protect yourself from infected computers on a network.
Most software firewalls can be customised extensively as well using rules. This is where my original post fits in - create rules to allow only things you require and block everything else rather than trust everything on home lan by default (comodo).
Of course to stop a truly zero-day worm you will need a HIPS (that blocks unknown executables from running). But these worms are not common nowadays with the many updates and patches released by MS.
edit: typo" }-
All good Dmenace. I am on and off myself on forums...
Okay well I'm using Online Armor and it seems that you can't setup preferences like that although I haven't really looked into the details of setting such configurations so I could be wrong.
But my favorite defense is the hardening strategy before using additional protection and layering (Such as firewall)
The thing is, I haven't been able to find detailed instructions regarding Hardening the network settings and so far this is all I have:
Hardening Network settings
1. Turn off file sharing through Network Connection Properties // Local Area Network Properties
Disable:
A. Client for Microsoft Network
B. File and Printer Sharing for Microsoft Networks
What about disabling Qos Packet Scheduler & Network Monitor Driver?
2. Turn off services through Control Panel => Admin Tools => Services (Especially TCP/IP NetBIOS Helper)
3. Turn off Automatic Network Discovery
Dmenace,
Is there anything else I should disable or re-configure to protect myself from network vulnerabilities?
Is it possible to Quarantine the infected computer?
For example what if you turned off File & Printer sharing *On the computer that is infected. Would this quarantine the infected computer from infecting the other computers on the network?
dmenace
October 14th, 2008, 08:01 PM
If a computer has been infected / compromised, there is little you can do to prevent it from attacking other pc's on the network.
Even if you disable services and change network settings, the malware can change it back.
Infected computers are usually on a botnet and send out spam / carry out DDOS attacks. These are difficult to block using system hardening alone. Obviously you need a software firewall and AV to detect and block the malware.
On an uninfected computer with a software firewall you can add the IP address of the infected machines on your network to the "blocked ip addresses list" or similar.
Say you have a network with IP range from 192.168.0.1 to 192.168.0.255
Your gateway is 192.168.0.1 (must NOT be blocked)
Your ip is 192.168.0.2
Hence add 192.168.0.3 - 192.168.0.255 to blocked list in firewall program.
:thumb:
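
Added example, not part of any post in this thread: a small Python model of the inbound rule sets discussed above. It compares a trusted LAN zone, a per-port rule for the five sharing ports, a single-host allowance, and the blocked-range list from the last post with one host kept reachable. The printer address, VNC on port 5900, and the sample connection attempts are assumptions constructed for illustration.

```python
import ipaddress

# Ports the quoted post says are all a Windows home network needs open.
SHARING_PORTS = frozenset({135, 137, 138, 139, 445})
LAN = ipaddress.ip_network("192.168.0.0/24")  # LAN range from the last post
PRINTER = "192.168.0.10"                      # assumed address, not from the thread


def block_ranges(first, last, keep=()):
    """CIDR blocks covering first..last inclusive, minus the addresses in keep."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    holes = sorted(int(ipaddress.IPv4Address(a)) for a in keep)
    blocks = []
    for hole in holes + [hi + 1]:
        end = min(hole - 1, hi)
        if lo <= end:
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(end)))
        lo = max(lo, hole + 1)
    return [str(b) for b in blocks]


def make_policy(ports=None, hosts=None, blocked=()):
    """Build an inbound rule set and return its decision function.

    ports=None -> any port (the 'trusted network' behaviour)
    hosts=None -> any LAN source; otherwise only the listed source IPs
    blocked    -> CIDR strings checked first, like a blocked-IP list
    """
    blocked_nets = [ipaddress.ip_network(b) for b in blocked]
    host_set = None if hosts is None else {ipaddress.ip_address(h) for h in hosts}

    def decide(src, port):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in blocked_nets):
            return False
        if ip not in LAN:
            return False  # Internet zone: unsolicited inbound is dropped
        if host_set is not None and ip not in host_set:
            return False
        return ports is None or port in ports

    return decide


POLICIES = {
    "trusted-lan": make_policy(),
    "per-port": make_policy(ports=SHARING_PORTS),
    "single-host": make_policy(ports=SHARING_PORTS, hosts=[PRINTER]),
    "blocklist": make_policy(
        blocked=block_ranges("192.168.0.3", "192.168.0.255", keep=[PRINTER])),
}

# Constructed inbound attempts: (source IP, destination port, description).
ATTEMPTS = [
    ("192.168.0.7", 445, "infected LAN PC -> file sharing"),
    ("192.168.0.7", 5900, "infected LAN PC -> VNC (default port)"),
    (PRINTER, 139, "printer host -> NetBIOS session"),
    ("203.0.113.5", 445, "Internet host -> file sharing"),
]


def compare():
    """Map each policy name to its allow/deny decision for every attempt."""
    return {name: [decide(src, port) for src, port, _ in ATTEMPTS]
            for name, decide in POLICIES.items()}


if __name__ == "__main__":
    results = compare()
    for i, (src, port, what) in enumerate(ATTEMPTS):
        verdicts = ", ".join(
            f"{name}={'ALLOW' if results[name][i] else 'DENY'}" for name in POLICIES)
        print(f"{what:40} {verdicts}")
```

The per-port policy still admits the infected PC on port 445, which is why the thread pairs it with patching; only the single-host and blocklist policies stop that source outright.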