LowWaterMark
September 28th, 2002, 05:15 PM
With the release of Zone Alarm Pro v4.0, significant changes have been made to the mechanisms used to grant and restrict individual program access rights. The first two posts in this thread remain the same, but below are updates that show how to achieve the same controls over Outlook Express using ZAP v4.0.
[hr]
Many people run Zone Alarm Plus (ZA+) or Zone Alarm Pro (ZAP) without realizing that these products will allow them to configure some fairly advanced custom settings that can further enhance their PC's networking security. While not as configurable as most of the rules based firewalls, ZA+/ZAP do provide some additional capabilities that may be worth exploring in order to override some of the basic "set it and forget it" defaults that are provided by the Zone Alarm Free (ZAF) product.
In this post, I will give an overview of some of the advanced capabilities provided within the Program Controls interface of ZA+/ZAP and try to demonstrate a practical use for these capabilities.
Adjusting the advanced options on a program can limit that program's network access permissions and either block or permit its use of specified ports and protocols. For example, you could prevent a non-browser application from ever accessing port 80 and related HTTP ports, or restrict a program into having access to only a short list of allowed ports.
One use that I've made of this functionality was to prevent Microsoft's Outlook Express* from actually using any ports other than those required to access DNS, POP, SMTP and NNTP, thus preventing it from browsing to web sites which might have email usage tracking capability or web bugs.
Here's how this was configured. The screen shots are from Zone Alarm Plus v3.1.395, but any version of Zone Alarm Plus or Zone Alarm Pro should be able to accommodate these settings. First, here is a screen shot of the Program Control window itself:
http://www.wilderssecurity.com/pics/zaplusprogramcontrol.gif
To get to the advanced options for any program listed in ZA, highlight it (OE in this case) and press the [Options] button. This will bring up the Program Options screen:
http://www.wilderssecurity.com/pics/zaplusprogramoptions.gif
By default, the option to "Allow access to all ports and protocols" is set; however, in order to restrict OE access as noted above, select "Allow access for ONLY the ports and protocols checked below" and then use the [Add] button to configure the necessary ports. (Note that ZA+/ZAP can also allow all ports EXCEPT for those entered in this screen, another very useful configuration option.)
http://www.wilderssecurity.com/pics/zaplusoptionsoutlook.gif
Once this screen is OK'd, all future sessions of Outlook Express will be restricted to only using the specified ports and protocols. When OE next opens an HTML-based message, no links to embedded images, web bugs, or any other browser-based content will be accessed.
For additional security, if your ISP's DNS, Mail and News servers are entered into the Trusted (Local) Zone via Zone Alarm's "Firewall > Zones" interface, and all access to the Internet zone is blocked in the Program Control screen, then Outlook Express will be further restricted. This will prevent OE from hitting any site not in the trusted zone, which will significantly increase its security. (Note that you must enter your ISP's DNS servers, by IP address or IP range, to the Trusted Zone in order for OE to work if Internet access is blocked.)
http://www.wilderssecurity.com/pics/zaplusoutlookblocked.gif
The red X in the Access/Internet column prevents any access to sites not entered in the Trusted Zone. Since this feature is available on Zone Alarm Free, as well, it can provide users of that product significant security enhancement capabilities. (Since OE never needs "server rights", I have also blocked those capabilities.)
Since I use both the Internet Zone and custom port option restrictions on my system, Outlook Express runs with significantly fewer network access capabilities than the default configuration provides. This increases its security dramatically, while allowing OE to pick up and send all email and newsgroup posts.
Using these advanced program options in ZA+/ZAP can reduce the access rights of a number of the applications on a system. If you aren't sure of all the access needs of a given program, you can set up the basic requirements and then run the program as usual, watching the ZA alerts (or log viewer tab) to identify the ports and protocols that are being blocked, and then enter them as necessary.
If you find you need to enable a port or port range not in the predefined list, you can select the "Custom..." option from the [Add] menu which gives you this screen:
http://www.wilderssecurity.com/pics/zapluscustomportrange.gif
Here a selected range of TCP and/or UDP ports can be entered. If a program needs just a single port enabled (or blocked), such as 443, then entering 443 in both boxes defining the range will accomplish that.
Zone Alarm Plus and Zone Alarm Pro definitely have a number of configuration options available. This is just one example. Users of these products, or potential users, should take a look through the Zone Alarm Manuals loaded on their systems, or available for download from the Zone Labs website.
ZA-Plus Manual: http://www.zonelabs.com/store/content/support/zaPlusHelpDocs.jsp
ZA-Pro Manual: http://www.zonelabs.com/store/content/support/3zapHelpDocs.jsp
If anyone has additions, questions or comments, please post them or feel free to contact me directly via PM.
Regards,
LowWaterMark
* Please note that users of Outlook Express should verify that they have tightened their security settings as advised by Microsoft, as well as keeping current with any critical security patches as provided at the Windows Update site.
- MS link regarding OE: http://support.microsoft.com/support/kb/articles/q291/3/87.asp
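As an added illustration of the two layers the post combines (the per-program port list in either of its modes, and the Trusted/Internet zone check with the red X in Access/Internet), here is a small policy simulator. It is example code written for this thread, not Zone Alarm code and not from LowWaterMark's post. The class and function names, the evaluation order (zone check before port check; both must pass, so the order does not change any verdict), and the 192.0.2.0/24, 203.0.113.x and 198.51.100.x addresses are all assumptions; the addresses are documentation ranges standing in for an ISP's servers, and the connection attempts are constructed to mirror what the ZA alerts or log viewer would show.

```python
"""Model of Zone Alarm per-program access rules as described in the post.

Added example, not Zone Alarm code. Two layers are applied to each outbound
attempt by the program:
  1. the zone layer (Access/Internet and Access/Trusted columns);
  2. the port list, in "allow ONLY the checked ports" or
     "allow all EXCEPT the checked ports" mode.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PortRule:
    """One entry in the port list: a protocol and an inclusive range.
    A single port such as 443 is a range with low == high, as in the post."""
    proto: str  # "tcp" or "udp"
    low: int
    high: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.low <= port <= self.high


@dataclass
class ProgramPolicy:
    """Per-program settings from the Program Control / Program Options screens."""
    name: str
    mode: str                    # "allow_only" or "allow_all_except"
    ports: tuple                 # PortRule entries checked in the Options screen
    internet_allowed: bool       # Access/Internet column (red X => False)
    trusted_allowed: bool        # Access/Trusted column
    server_rights: bool = False  # inbound "server" rights; a mail client needs none


def outlook_express_policy() -> ProgramPolicy:
    """The restricted OE profile from the post: DNS, POP3, SMTP and NNTP only,
    Internet zone blocked, Trusted zone allowed, no server rights."""
    return ProgramPolicy(
        name="Outlook Express",
        mode="allow_only",
        ports=(
            PortRule("udp", 53, 53), PortRule("tcp", 53, 53),  # DNS
            PortRule("tcp", 110, 110),                         # POP3
            PortRule("tcp", 25, 25),                           # SMTP
            PortRule("tcp", 119, 119),                         # NNTP
        ),
        internet_allowed=False,
        trusted_allowed=True,
    )


# Constructed Trusted zone: a documentation range standing in for the ISP's
# DNS, mail and news servers (placeholder, not a real ISP address block).
TRUSTED_ZONE = (ip_network("192.0.2.0/24"),)


def decide(policy: ProgramPolicy, trusted, dst_ip: str, proto: str, port: int):
    """Return (verdict, reason) for one outbound attempt by policy.name.
    Zone layer first (the red X in Access/Internet), then the port list."""
    if policy.mode not in ("allow_only", "allow_all_except"):
        raise ValueError(f"unknown mode {policy.mode!r}")
    ip = ip_address(dst_ip)
    in_trusted = any(ip in net for net in trusted)
    if in_trusted and not policy.trusted_allowed:
        return "block", "Trusted zone access denied for this program"
    if not in_trusted and not policy.internet_allowed:
        return "block", f"{dst_ip} is outside the Trusted zone and Internet access is blocked"
    listed = any(rule.matches(proto, port) for rule in policy.ports)
    if policy.mode == "allow_only" and not listed:
        return "block", f"{proto}/{port} is not in the allowed port list"
    if policy.mode == "allow_all_except" and listed:
        return "block", f"{proto}/{port} is in the blocked port list"
    return "allow", "permitted"


def unreachable_dns(policy: ProgramPolicy, trusted, dns_servers) -> list:
    """The post's caveat: with Internet access blocked, any DNS server not
    entered in the Trusted zone is unreachable, so OE cannot resolve its hosts."""
    return [ip for ip in dns_servers
            if decide(policy, trusted, ip, "udp", 53)[0] == "block"]


# Constructed connection attempts (what the ZA alerts / log viewer would show).
SAMPLE_ATTEMPTS = [
    ("192.0.2.53", "udp", 53),    # ISP DNS, in the Trusted zone
    ("192.0.2.10", "tcp", 110),   # ISP POP3 server
    ("192.0.2.10", "tcp", 25),    # ISP SMTP server
    ("192.0.2.20", "tcp", 119),   # ISP news server
    ("203.0.113.5", "tcp", 80),   # tracking image / web bug in an HTML mail
    ("192.0.2.10", "tcp", 443),   # HTTPS to a trusted host: port still not listed
    ("198.51.100.1", "udp", 53),  # a DNS server the user forgot to add to Trusted
]


def evaluate(policy, trusted, attempts):
    """Map each (ip, proto, port) attempt to its (verdict, reason)."""
    return {a: decide(policy, trusted, *a) for a in attempts}


if __name__ == "__main__":
    pol = outlook_express_policy()
    for (ip, proto, port), (verdict, why) in evaluate(pol, TRUSTED_ZONE, SAMPLE_ATTEMPTS).items():
        print(f"{verdict:5} {proto}/{port:<4} -> {ip:<14} {why}")
    print("DNS servers OE cannot reach:",
          unreachable_dns(pol, TRUSTED_ZONE, ["192.0.2.53", "198.51.100.1"]))
```

Running it shows the mail, news and DNS connections to Trusted-zone hosts allowed, the port 80 fetch blocked, and the forgotten DNS server listed by `unreachable_dns`, which is the symptom (OE cannot resolve anything) the post's note about entering the ISP's DNS servers in the Trusted zone is warning about. Switching a policy to `"allow_all_except"` inverts the port list, matching the other option on the Program Options screen.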