Zone Alarm Plus/Pro Program Options: comments


Paul Wilders
September 28th, 2002, 05:52 PM
Please post comments in regard to this thread (http://www.wilderssecurity.com/showthread.php?t=3899) over here, to avoid pollution.

Thanks in advance! ;)

paul

marti
September 28th, 2002, 06:11 PM
LWM,

Great tutorial, however, I don't have a standard OE setup. Outlook Express is set up to poll for email on two ISPs (one using the SSL protocol), Hotmail, and "MyRealBox." To add to the mess, I have newsgroups set up through the SSL protocol and others (such as GRC and Microsoft).

I have been able to restrict the ports that OE can access, but I can't poll "everything" without OE accessing the internet.

One of these days, I'll try to configure it as you described, but not today. :D :D :D

Primrose
September 28th, 2002, 07:06 PM
Great Contribution LowWaterMark.

I will be bookmarking that one.

Thank you,

John

eyespy
September 28th, 2002, 11:41 PM
LowWaterMark,
very good post !!

bill :)

Checkout
September 29th, 2002, 05:42 AM
LWM, you've earned yourself a Karma Cookie!

Er...I'll have to owe you one, since you haven't made one hundred posts yet...

marti
October 18th, 2002, 04:11 PM
HeHeHe. I did it. Outlook Express does not access the internet anymore.

LowWaterMark
October 18th, 2002, 08:18 PM
Quote (marti): "HeHeHe. I did it. Outlook Express does not access the internet anymore."

That's great. I really like to see programs limited to using just what is absolutely necessary in order to run. (A kind of "least privilege" thing.) It's a reason why I also run a sandbox application on my system (Tiny Trojan Trap).

Another thing I'm trying out is I've made a second copy of Internet Explorer on my system. (I use IE as my default browser.) Then, in ZA Plus, I've restricted the original copy of IE (iexplorer.exe) to having only Trusted Zone access and a limited set of ports and protocols. (Specifically it gets DNS; HTTP-80, 443 & 8080; and UDP 1024-5000.)

If any malicious program fires up a default IE session, it ends up with very limited network access. Meanwhile, another version of IE, under a different name, gets more open access in ZA+, so that I can actually surf. ;) It's been an interesting experiment, so far.

marti
October 18th, 2002, 08:27 PM
I don't think Win98SE is going to let me have another copy of IE.

I'm going to work on other programs next, such as the various "auto update" programs for AV, AT, spy checkers, etc.

Yinda
December 1st, 2002, 07:40 AM
Hi LowWaterMark,

I am using W98SE with Outlook Express 6. I tried to configure as you recommended:

1. Allow access only for :
DNS servers (TCP and UDP 53)
Mail servers POP (TCP port 110)
Mail servers SMTP (TCP port 25)
News servers (TCP port 119)

2. Put the mail server pop.freesbee.fr in the Trusted zone

3. Block Internet access to OE.

Each time Windows is restarted, OE displays the error message (translation):
"Impossible to find the host pop.freesbee.fr. Verify that you have correctly entered the server name. Account: 'Mail of ...', Server: 'pop.freesbee.fr', Protocol: POP3, Port: 110, Secure (SSL): No, socket error: 11001, Error number: 0x800CCC0D"

If I allow Internet access, then OE is ok. Then I block Internet access again and OE remains ok !

Do you see something wrong ?

Regards,

Yinda

LowWaterMark
December 1st, 2002, 04:38 PM
Hi Yinda,

Can you clarify this for me a bit? When you state: "Each time Windows is restarted, OE displays the error message..." do you literally mean that during or at the end of booting up, this OE error message pops up? Or do you simply mean that the first time you run OE after a boot, whether a minute after booting or hours later, you get this error?

It is an important distinction because the first case implies that OE is running in the boot process, and perhaps it's attempting to get out before ZA is ready to allow it. Basically, a timing issue. The second case could show a very different problem. If ZA does not handle an access right the first time you do something to trigger it, but, after making an adjustment, running it, and setting ZA back, it works correctly from then on, that could show that your ZA true vector database might have an inconsistency and need rebuilding.

Yinda
December 1st, 2002, 05:00 PM
Hi LWM,

The error occurs when I start OE manually, generally a few minutes after booting. The error also occurs the first time OE sends a message.

How do I rebuild the ZA True Vector database, please?

Regards,

Yinda

LowWaterMark
December 1st, 2002, 05:11 PM
If you need to refresh (rebuild) the ZA True Vector database because it is not saving settings or because it appears to "get confused" with settings, then you can follow the instructions at this page (item #10):

http://www.zonelabs.com/store/content/support/zapIssuesFAQ.jsp#10issues

But, be aware that the True Vector database stores all of Zone Alarm's custom settings. All the trusted sites, the program permissions, the specific firewall block and allow settings, everything. You'll need to redo these after refreshing the database. Once you've done it a few times, it's not hard, but, make sure you know what settings you've made before you wipe out the database. When they are gone, they are gone.

It may not fix your problem, but it's one of the first recommendations whenever ZA starts acting oddly, such as how you described. Read the link over and if you have questions, ask them here before trying it.

Edit - typos

Yinda
December 1st, 2002, 05:19 PM
Ok LWM,

I'll read the instructions carefully. Thanks.

Yinda

Yinda
December 2nd, 2002, 05:28 AM
The problem has not been fixed after the True Vector database is rebuilt according to their procedure :(
The positive point is that now I know when and how to rebuild the database :)
Yinda

war59312
December 2nd, 2002, 11:53 AM
Well this is the very first thing I did when I installed Zone Alarm Pro.

I setup everything manually.

Anywhere from ICQ to Kazaa Lite. :)

thanks anyways,
will

ps: i checked to see if we had the same settings...yeap...:)

LowWaterMark
December 2nd, 2002, 06:50 PM
Quote (Yinda): "The problem has not been fixed after the True Vector database is rebuilt..."

Yinda, what other hosts / servers are in your Trusted Zone, as seen in the ZA > Firewall > Zones screen? Do you have your ISP's DNS servers in the Trusted Zone? If not, you will need to add them. Since OE will only be able to access Trusted hosts in this configuration, the DNS servers must be in the ZA Trusted Zone. (I'll have to edit the original config post to reflect this.)

Let me know if this fixes it.

Thanks,
LowWaterMark

Yinda
December 3rd, 2002, 07:27 AM
Hi LWM,

I added 3 Hosts/Sites in the Trusted zone myself : pop.freesbee.fr, pop.wanadoo.fr and smtp.wanadoo.fr (freesbee is my usual mail server, wanadoo is my ISP)

The IP Address / Site 80.0.0.0/255.0.0.0 has been added by ZA as Network (I would not know how to specify the address myself)

Is that correct ?

Regards,

Yinda

Yinda
December 3rd, 2002, 07:30 AM
PS. The name of Network added by ZA in the Trusted zone is Wanadoo.
Yinda

LowWaterMark
December 3rd, 2002, 06:38 PM
Yinda,

It sounds like you have your email servers covered well, but you need to add your two DNS servers to the ZA Trusted Zone. You don't add those by name (since DNS servers are needed to resolve names), you add them by address or range. I cannot say that the "network" that was added covers your DNS; usually it doesn't, and most times the "networks" are added as the "internet" zone, not "trusted", for security reasons.

Do you know the IP addresses of your ISP's DNS servers? You can just look on your system when you are connected and it'll tell you your current DNS servers. If you are on NT/2K/XP, go to a CMD window (Start menu > Run... > CMD) and type: ipconfig /all
- It will list DNS servers there.

If you are on Windows 9x or ME - go to Start menu > Run... > winipcfg
- In that screen, hit the "More Info>>" button and look for DNS servers line and notice there is a little box next to it with a "..." - you hit that to see other DNS server(s).

Add these as separate trusted addresses into ZA and try OE again.

Yinda
December 4th, 2002, 05:43 AM
Hi LWM,

I have just added the two DNS servers as you told me and OE works fine now. THANKS !!!

I have also switched Wanadoo from Trusted into Internet Zone.

Regards,

Yinda

LowWaterMark
December 4th, 2002, 06:44 PM
Quote (Yinda): "I have also switched Wanadoo from Trusted into Internet Zone."

Very good. This way your PC won't be "trusting" all the other users on your ISP. I'm really glad this worked for you. I'll be updating the other thread to make note of this. Thanks for helping to make it better!! :)

Best Wishes,
LowWaterMark

Mr.Blaze
June 17th, 2003, 02:10 AM
8) you the man

;D someone get that man a beer and some Cheetos 'cause it was all that and very newbie-friendly

stalker
February 2nd, 2004, 05:26 PM
Hey, I have one suggestion ...

Maybe you could also write a similar tutorial on how to set permissions for Internet Explorer (for normal browsing). I am a little confused about which ports to allow. I have some difficulties setting permissions for Internet Explorer.

I noticed that giving permission for the TCP protocol isn't enough. It requires UDP on lots of occasions.

So I made rules (in the end it looks like ...):

Rank   Allow/Block   Source        Destination              Protocol   Port                             Time
1      Allow         My Computer   Internet, Trusted Zone   TCP, UDP   http(80), https(443), DNS(53)    Any
2      Block         Any           Any                      Any        Any                              Any

... but after making these rules, I can't browse any web page. The strange thing is that I get an alert message saying "The firewall rules for Internet Explorer allow an outgoing UDP connection to this and this IP, this and this port". And right after that alert, the web page I was going to visit becomes "Server was not found". But strangely, there is NO Block alert. So something must be blocked "silently" ...

Right after changing the "first rank" rule, under "Modify - Protocol - Ports" to allow any port (in the end it looks like ...):


Rank   Allow/Block   Source        Destination              Protocol   Port   Time
1      Allow         My Computer   Internet, Trusted Zone   TCP, UDP   Any    Any
2      Block         Any           Any                      Any        Any    Any


... everything works normal again !!!



thanks for any help people

LowWaterMark
February 2nd, 2004, 06:58 PM
I thought about providing a configuration for Internet Explorer, but it's rather more complicated for people than Outlook Express simply because IE is IE, the "everything" program from Microsoft. It does too much and everyone uses it a little differently.

But, let's look at a simple set of IE rules, from a generic firewall perspective...

Access   Type   Source                  Destination              Description
Allow    UDP    MyComputer:Any          DNSservers:53            DNS
Allow    TCP    MyComputer:1024-5000    InternetZone:WebPorts    Webservers
Allow    UDP    MyComputer:1024-5000    MyComputer:1024-5000     Loopback
Block    Any    Any                     Any                      Block the rest

DNSservers is a Group setup in Firewall panel > Expert tab > Groups button. It is simply a list of all my ISP's DNS servers (added by hard-coded IP address). My ISP provides 4 DNS servers.

WebPorts is another defined group except this one is a protocol group not a locations group. In there I have TCP ports: 80, 443, 8000 and 8080.

Now this generic setup when entered as ZAP expert rules applied to Internet Explorer works on my system for basic browsing. In fact, I use a version of this that targets (destination) just the webservers of my Trusted Zone, rather than the Internet Zone as shown above. By doing that, I can browse trusted webservers and even if there are images, web bugs or other things on the webpages I'm viewing, I only end up accessing the trusted sites. All else is blocked.

There are times when I want this, for example, I use such a browser configuration when reading my ISP provided web-based email with IE. It ensures I don't fire off any webbugs out somewhere on the Internet, and blocks any other object sources not in the trusted zone.

However, the downside of the IE configuration described above is that it is restrictive. For example, normally IE can do FTP access directly. These rules prevent that because there are no FTP ports being allowed here. I'm sure there are other protocols that IE can run embedded that these rules would also prevent. But for me and what I use this for, it works great.

In any case, I rarely advise people to do this because it takes some effort on their part to figure out exactly what they need, in their specific circumstances.

stalker
February 4th, 2004, 12:02 PM
Hi ...

I was having some problems configuring IE to connect www. last few days, so I am posting this topic a little late.

I noticed three important things.


1.) Outlook Express, in order to get/send e-mails with my HOTMAIL account, requires (in my case) also two outgoing connections:

Protocol: TCP
Destination: go.msn.com = 207.68.172.249
Port: HTTP(80)

I added that IP in Expert Rules ...


The HOTMAIL account also requires various other hosts from the IP range: dav.bay0.hotmail.com = 64.4.0.0 - 64.4.63.255



2.) Then, I constantly get this error message:

Protocol: HTTPmail (as it says in the Outlook error screen)
Destination: Unknown
Port: Port: 0 Secure (SSL)

- don't know, how to "fix" that. In some other similar "Client Host" error message for my ISP account (on another, smtp port), it says that Secure (SSL) is Port: 25



3.) Internet Explorer, in order to browse, sometimes requires (in my case) this connection:

Protocol: UDP
Destination: 127.0.0.1
Port: 3320

It is strange, because I made a rule to allow outgoing UDP connections to My Computer (LowWaterMark - Loopback Rule)

Do I need to grant this one also ??



Thank you all for your friendly effort

LowWaterMark
February 4th, 2004, 12:56 PM
Quote: "1.) Outlook Express in order to get/send e-mails with my HOTMAIL account, require (in my case) also two outgoing connections:"

Yes, the more you ask OE to access, the more complex the rules and permission lists will get. The main configuration in my OE thread is for the more basic POP, SMTP and News protocols only. A few people have commented in the past that they have done as you have, and added the needed permissions for things like Hotmail.

Just make sure that your TCP Port 80 rule is limited to hitting the server or servers needed and not everywhere on the Internet, otherwise you'll reduce the effectiveness of the added rules dramatically.

Quote: "Then, I constantly get this error message: ..."

Hmm, that might require broader research on the exact error message to see if it's a known one, with a simple cause... For example, this one is similar:

http://support.microsoft.com/?kbid=252840

You may have to go through various Hotmail / Microsoft pages to ensure you have the exact configuration settings required.

Quote: "3.) Internet Explorer in order to browse, sometimes require (in my case) this connection:"

That's the problem with "generic rule descriptions" like those above. The Loopback rule there was meant to be specifically applied on 127.0.0.1, which in ZAP is not contained within the "destination" called "My Computer". You have a couple choices on this. You can specifically put 127.0.0.1 (or localhost) in the "loopback" expert rule itself, you can put 127.0.0.1 in the Trusted Zone and use that, or create your own "group" that defines aliases for "yourcomputer" and include 127.0.0.1 there.

Yes, 127.0.0.1 is where IE's loopback UDP connections go. In my case, I put 127.0.0.1 in the Trusted Zone and just use that for my rules.
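
The generic IE rule table two posts up, and the loopback caveat just described (ZAP's "My Computer" destination not covering 127.0.0.1), as an added example that is not part of the thread and not ZoneAlarm's code: a small Python first-match evaluator that runs the four ranked rules over sample traffic. Assumptions, labelled in the code: rules are tried in rank order and the first match decides; traffic matching no rule is blocked; the "MyComputer" alias holds only the PC's own address; "InternetZone" is simplified to every address; all addresses are constructed RFC 5737 documentation addresses, not real servers.

```python
"""Ranked, first-match egress rule evaluator for one program (here IE).

Added example, not ZoneAlarm code.  Assumptions: rules are tried in rank
order and the first match decides; traffic matching no rule is blocked;
the "MyComputer" alias covers the machine's own address but NOT 127.0.0.1,
as the post above says of ZAP's "My Computer" destination.  Addresses are
constructed documentation addresses, not real servers.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MY_IP = "192.0.2.10"                              # constructed: this PC
LOOPBACK = "127.0.0.1"
DNS_SERVERS = {"198.51.100.1", "198.51.100.2"}    # "DNSservers" locations group
WEB_PORTS = {80, 443, 8000, 8080}                 # "WebPorts" protocol group
EPHEMERAL = range(1024, 5001)                     # 1024-5000 as in the table

# Location groups / zone aliases a rule may name instead of a literal address.
ALIASES = {
    "MyComputer": {MY_IP},            # no 127.0.0.1 here: the loopback gap
    "DNSservers": DNS_SERVERS,
    "InternetZone": {"0.0.0.0/0"},    # simplification: everything
}


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                                   # "allow" or "block"
    proto: str = "any"
    src: set = field(default_factory=lambda: {"any"})
    sports: range = range(0, 65536)
    dst: set = field(default_factory=lambda: {"any"})
    dports: Optional[set] = None                  # None means any port
    note: str = ""


def host_in(addr: str, targets: set, aliases: dict) -> bool:
    """True if addr is covered by a target: "any", an alias name, or a
    literal address / CIDR network."""
    for t in targets:
        if t == "any":
            return True
        if t in aliases:
            if host_in(addr, aliases[t], aliases):
                return True
        elif ip_address(addr) in ip_network(t, strict=False):
            return True
    return False


def matches(rule: Rule, p: Packet, aliases: dict) -> bool:
    return (rule.proto in ("any", p.proto)
            and host_in(p.src, rule.src, aliases) and p.sport in rule.sports
            and host_in(p.dst, rule.dst, aliases)
            and (rule.dports is None or p.dport in rule.dports))


def evaluate(rules, p: Packet, aliases=ALIASES):
    """Return (action, rank, note) of the first matching rule, in rank order."""
    for rank, rule in enumerate(rules, start=1):
        if matches(rule, p, aliases):
            return rule.action, rank, rule.note
    return "block", 0, "no rule matched (assumed default)"


# The generic IE rule set from the post above, rank order preserved.
IE_RULES = [
    Rule("allow", "udp", {"MyComputer"}, range(0, 65536), {"DNSservers"}, {53}, "DNS"),
    Rule("allow", "tcp", {"MyComputer"}, EPHEMERAL, {"InternetZone"}, WEB_PORTS, "Webservers"),
    Rule("allow", "udp", {"MyComputer"}, EPHEMERAL, {"MyComputer"}, set(EPHEMERAL), "Loopback"),
    Rule("block", note="Block the rest"),
]


def run_demo() -> dict:
    """Evaluate representative IE traffic, then re-evaluate the loopback
    case after 127.0.0.1 is added to the MyComputer alias."""
    fixed = dict(ALIASES, MyComputer={MY_IP, LOOPBACK})
    cases = {
        "dns":      Packet("udp", MY_IP, 1400, "198.51.100.1", 53),
        "https":    Packet("tcp", MY_IP, 1500, "203.0.113.5", 443),
        "ftp":      Packet("tcp", MY_IP, 1501, "203.0.113.5", 21),   # no FTP rule
        "loopback": Packet("udp", MY_IP, 1200, LOOPBACK, 3320),      # the UDP 3320 case
    }
    results = {name: evaluate(IE_RULES, p) for name, p in cases.items()}
    results["loopback_fixed"] = evaluate(IE_RULES, cases["loopback"], fixed)
    return results


if __name__ == "__main__":
    for name, (action, rank, note) in run_demo().items():
        print(f"{name:15} {action:5} rank={rank} ({note})")
```

Running it shows DNS and HTTPS hitting ranks 1 and 2, FTP falling through to the rank-4 block (no FTP rule, as the post notes), and the UDP packet to 127.0.0.1:3320 also falling through to the block while "MyComputer" holds only the PC's address; once 127.0.0.1 is added to that alias the same packet matches the rank-3 loopback rule. The silent drop at the catch-all rule is what makes a missing alias entry hard to spot from alerts alone.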

stalker
February 4th, 2004, 03:56 PM
Hi,

Quote: "Yes, 127.0.0.1 is where IE's loopback UDP connections go. In my case, I put 127.0.0.1 in the Trusted Zone and just use that for my rules."


Or you could just put it under IE Expert Rules --> Destination, this is more restrictive !!

But maybe also other programs needs UDP connection to local host. Maybe this one is a good rule for Firewall Zone Expert Rules ?!?



O.K. I really make "deep" rules regarding Internet Explorer, so only the most "needed" stuff (communications through certain ports, as LowWaterMark suggested, and a few additional ones, which I needed to figure out by myself), but I just found out I have one more problem left. I cannot download files.


IE becomes "Server Not Found", and in body of IE, it says:


Address: http://www.sysinternals.com/files/winobj.zip

You are not authorized to view this page

You might not have permission to view this directory or page using the credentials you supplied.

If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the www.sysinternals.com home page.

You can click Search to look for information on the Internet.

HTTP Error 403 - Forbidden
Internet Explorer



- Any clue which permissions (specific ports, etc.) I should add to be able to download normally with Internet Explorer ??



Thanks, and best regards