XP's built-in Firewall review

Discussion in 'other firewalls' started by Paul Wilders, Aug 23, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Windows ICF (Internet Connection Firewall) is the built-in firewall in Windows XP, both the Home and Professional editions. ICF is an excellent personal firewall and will prevent most attacks from the Internet. However, the lack of granular control makes ICF much too restrictive for power users. So, as they say, you can’t live with it, you can’t live without it. For this article, we put ICF into the lab and set our hackers (well, security penetration testers) loose at it to see how good it is. In this article, we will give an overview of ICF, see how ICF performs under a simulated attack, and discuss the pros and cons of ICF.

    full article
  2. How to Manually Open Ports in Internet Connection Firewall in Windows XP (Q308127)
    This article contains the steps to manually open ports in Internet Connection Firewall (ICF) in Windows XP.

    Programs may potentially require ports to be manually opened so that they function properly when ICF is in use either on the local computer or on the gateway computer. You may have to use this procedure if there is a service that is running on a computer that has ICF enabled that you want to make available to users on the Internet.


    Programs Require Manual Port Configurations with Internet Connection Firewall (Q307554)
    This article lists some programs that require you to manually open ports so that the programs can work correctly. To work correctly, some programs need to have specific ports open so that traffic can pass through the Internet Connection Firewall.


    WinXP Internet Connection Firewall

    Windows XP's new Internet Connection Firewall feature lets you protect your machine from malicious users on the Internet.
    This Week's Win2K Guest Columnist
    Will Schmied

  3. Checkout

    Checkout Security Rhinoceros

    Feb 11, 2002
    The average home user will likely say, "Huh?" and turn the damn thing off.
  4. Most of them have it on by default and do not even know it ;) ;)

    That said...many are now going back and taking a look at it and those links will show them how to do many things with it that others did not think possible.

    We even have some who have found out they can still run the ICF and other firewalls at the same time for an extra layer of protection.

    In my opinion this stateful package is not a complete write off..in fact there are systems that would be better off with it if they also had IDS and some other tools in place to manage the system..

  5. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège

    You do not have any extra layer of protection when running ICF with another decent FW :)

    ICF only filters IN, no OUT filtering: it will not prevent any Trojan, spyware, webbugs in HTML mails or other malware already installed from doing their nasty job, nor prevent Windows or installed progies from phoning home....

    It's impossible to set a range of allowed/disallowed ports for specific applications, like an FTP server; for instance, if you are using PASV you have to enter each port one by one, just a pain in the a**.

  6. controler

    controler Guest

    Nope, most puters ship by default with the firewall off. I've been using it for a long time now. Hey, it doesn't block outgoing but it does have a log file LOL
    I haven't had any conflicts with Outpost and a number of different AVs
    I am betting the next version of XP will have a much better firewall attached... crossing fingies
  7. Never said shipped out of the box..just by default..although have seen some Dells and others shipped with it installed.

    Others here have stated what it will not do..and suggested does not have any extra layer protection when running ICF with another decent FW:)

    Most likely you mean another software firewall solution. I don't. First of all ICF is not a true firewall...I am sure we will agree on that...second...most of the software firewalls that sit in your OS are junk..I will point no fingers..and the solution all should be looking at if they can afford it and they have broadband, would be a hardware solution in a router and hopefully with a built in firewall..

    All that said..I am not a guy to sell the M$ ICF to anyone..but it will give an extra layer of protection..if you know how to use it and why...

    I also think M$ intends to improve on it in the future..and you might be pleasantly surprised what they will come up with now that they are..shall we say :D :D :D Security Conscious.

    But for now it is just an easy Target..but will tell you many professionals have it installed and running in many Companies..but they also have other solutions running the same time at the Corporate level...the home user does not have many options. :rolleyes: :rolleyes:.

    But they sure have lots of Marketing Hype to weed through in the process... in the Battle of the Firewalls. I still feel sorry for all those old Black Ice guys getting beat up. :'( :'( :'( :'(

    Smiles to ya guys,

  8. Checkout

    Checkout Security Rhinoceros

    Feb 11, 2002
    John, you really need to substantiate this rather extreme statement.
  9. What do you want substantiated..which ones can be tunneled..which ones can be disabled with a blink of the eye and are now a favorite target of every badboy out there...which ones half the people that use them..must turn them off in order to chat or download peer to peer or play games over the internet..o_O?

    I will not get into a firewall war with anyone..systems most of my friends who professionally build systems for others, have that ICF running from the get go..so the people who buy them can last 20 min..on broad band...without getting whacked and they do not end up with extra work themselves.

    Sorry Checkout..I am not into naming of products..I think they are all great..I will leave that for those who keep on changing from one to the other..you have one you like..stick with it..but by all means, for anyone, learn how to set it up no matter if it is rules based or just push button.
  10. controler

    controler Guest

    In my udder posts I have mentioned I use a Linksys Router ;)

    Today I am trying out Nod32 and Kerio Firewall, on my experimental
    computer running Intel's Internal DSL Modem (Quest)
  11. Are you trying out that new NOD32 beta o_O?...looking good I hear and Kerio is a nice firewall..let me know how it all works out.
  12. controler

    controler Guest

    So far so good..

    Ya know, I was just asking about the NOD-32 Beta yesterday.
    Even though I have posted that I have tested for Symantec, Intuit,
    Executive software, I am still not good enough to test some of the software advertised here. Guessing the detest for MS, Norton etc.
    Anyway, Every once in a while Pepimk allows me to do stuff LOL
  13. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Feb 3, 2003
    on the sofa
    real old news i happen to know the truth about xp even 4 or 5 months before it came out when it had another name.

    if i recall correctly microsoft knew about all the problems but they said if some one wants to hack you they're going to, basically saying they don't care.

    picture a spaghetti strainer with quarter size holes and that's windows xp.

    it was meant mainly for eye candy and easability so easy that it was even easy for hackers.

    it is a system hog and a security nightmare it is the aol of windows applications lol.

    it's sad when a nobody like me knew about xp vulnerabilities and yet people insist on upgrading to it lol.

    xp is glorified eye candy that's it
  14. controler

    controler Guest

    Personally, I would rather use XP than any other Windows Operating System. I have my reasons. One being I do some multimedia stuff and wouldn't even think of ever using Windows 98 again.
    That's my story and I am sticking to it.
    Believe me, if Gates wanted an awesome firewall built in, he could do it.
    Maybe he will in the future world.
  15. I support both of you (Controller and Blaze) in your thoughts and your feelings.

    Did I hear someone say WinME? ;) ;) ;)

    To put it a little different way....and some thought on the history..Win 98 was built for the sole purpose of launching that IE browser to be a speed demon out of the OS..it was and still is a neat product and I know why Blaze would like it..I do too for many uses. :) :) :) :)

    Xp starting out as Whistler, by name..is a better product for many other reasons. Decisions to buy it or change over to it have been many..and then of course, which versions do I buy....Home or Pro.


    Many have Pro and do not know what they are sitting on in that product..and some should have really purchased the Home versions. The web would be safer that way (ok beat me up again) only for the fact that many just do not have time to learn that OS with their busy schedule like some of you do. So do not get me wrong here. I am not directing any of this to members..just a general comment and I hope that this might help others in the future........

    What's the difference between Windows XP Home and Professional editions?

    The Home and Professional editions of Windows XP are nearly identical; the only differences are additional features found in the Professional edition that most likely won't appeal to home users. The primary differences, aside from the price and the color of the packaging, are as follows:
    Windows XP Home Edition

    Contains basic support for multiple users, but all users are "Administrators," so there's no way to set up user accounts with limited privileges. Furthermore, there's no way to secure folders or files from other users on the same machine.
    Built-in support for peer-to-peer networking.

    Windows XP Professional Edition

    Includes extended support for multiple users and profiles, as well as security between users. A user can be an "Administrator" (who has full power to make any changes to the system), or a less-privileged user with a customizable level of privileges. For example, one user's folder can be protected from other users on the same system. Also, you can set up a "guest" account, allowing strangers to use a computer while limiting access to configuration tools and private files.
    Built-in support for peer-to-peer networking, plus support for joining a "Windows NT domain."
    The Professional edition includes the following components not found in the Home edition:
    Administrative Tools (in the Start Menu and Control Panel)
    Automated System Recovery (ASR)
    Boot Configuration Manager
    Group Policy Refresh Utility
    Multi-lingual User Interface (MUI) add-on
    NTFS Encryption Utility
    Offline Files and Folders
    Performance Log Manager
    Remote Desktop
    Scheduled Tasks Console
    Security Template Utility
    Telnet Administrator
    Provides support for multi-processor systems (2 or 4 CPUs), Dynamic Disks, Fax.

    Which Edition Is Right for You?

    When upgrading to the Microsoft Windows XP operating system, you have a choice between Windows XP Professional and Windows XP Home Edition. Windows XP Professional contains all the features of Windows XP Home Edition, plus extra features for business and advanced home computing. Is Windows XP Professional the best choice?

    Ask yourself these five questions to find out which one is right for you:

    Do you want to remotely access your computer so you can work with all your data and applications while away from your desk?
    Remote Desktop, a feature found only in Windows XP Professional, lets you set up your computer for connection from any other Windows-based computer. Leave a file at home? Don't want to lug a laptop around? Remote Desktop gives you access to your computer from virtually anywhere. More about Remote Desktop.

    Do you connect to a large network?
    Windows XP Professional is best for people who connect to large networks, such as a school or office network, since it allows you to join and be managed by a Windows domain. More about joining networks.

    Do you need to protect sensitive data in files and folders that are stored on your computer?
    The Encrypting File System (EFS), found only in Windows XP Professional, allows you to encrypt your files and folders for added security of sensitive data against theft or hackers. Restricted File Access, also found only in Professional, allows you to restrict access to selected files, applications, and other resources. More about EFS.

    Do you need the ability to completely restore your system in the event of a catastrophic failure?
    Windows XP Professional provides more robust options for backing up and restoring data than Home Edition. More about System Restore and other restore options.

    Would you consider yourself a "power user"?
    Windows XP Professional contains a number of incremental features too numerous to list here. Suffice it to say, users who demand the most from their computers will want to "go Pro." Some additional features found only in Windows XP Professional are:

    Support for multiple-processor systems
    Support for multiple languages
    Advanced networking for multiple PC environments

    More about Windows XP Professional features.

  16. controler

    controler Guest

    Here is Security Focus's thoughts on XP built in firewall.
    They did a great job on it.. ;)
    worth reading :D

    Starts here : http://www.net-security.org/news.php?id=862

    Then links to below..

  17. the Tester

    the Tester Registered Member

    Jul 28, 2002
    The Gateway to the Blue Hills,WI.
    I have a question about the xp firewall. Is it true that it will conflict with other software firewalls on xp? (I disabled the xp firewall this time around). The reason I'm asking is because I know someone that runs the Norton firewall and hasn't disabled the xp firewall. He hasn't had a problem yet. Any recommendations?
  18. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Feb 3, 2003
    on the sofa
    i think you're right, my friend brenda has norton firewall and it works ok but some of the bigger names like zone alarm and black ice etc have had some stories
  19. Bfarber

    Bfarber Guest

    First of all....

    I run XP Home and I love it. A few utilities (namely winipcfg) could have been kept, but the OS itself runs great on my machine.

    You DO have the ability to set up user AND administrator accounts with home edition, and you CAN determine whether the user accounts can access various folders, files, applications, etc. I have set up a user account on my machine so my mother in law can check her email at my house while babysitting for me, and she cannot get into any of my folders and she can not install or uninstall programs, she cannot modify or create any user accounts except for her own (and she doesn't have all of the options an admin has). Basically, if you think you need pro ask yourself the following:

    Do you need all of the added (little) utilities included in pro?
    For example, I can not manage my user accounts from my admin tools>services directory under control panel, whereas in pro you can.

    Do you need remote desktop (and don't want to pay for pcanywhere or other shareware remote desktop software)?

    Do you need massive encryption (and can you not download freeware programs that can do this better)?

    Do you want to spend the extra $100 or so for the minor security and usability features that pro offers?

    I have found in my experience that I do not know anyone who is running xp that actually has a need for any of these services included in pro (aside from built in remote desktop).

    As for the firewall...I do not think that any built in firewall will actually protect my computer from serious hackers should they find a desire to hack my machine. I have not studied the xp built in firewall much, but I am sure it is not as secure as some of the freeware firewalls available, and certainly not as secure as a $50-$100 router you can buy from e-bay or best buy.

    If you are concerned enough to look through all of the responses in this thread to determine if you should use the built in firewall, just go ahead and spend 5 minutes downloading spf or zone alarm or any other firewall that tickles your fancy, but don't leave it up to microsoft to protect your privacy. They are notorious for "spying" on you.
  20. controler

    controler Guest

    I use Home edition and if you look, you will see Task, Processes and
    Services with the option to kill any.
    Next, Home edition DOES have the remote Admin capabilities.
    You turn them on and you turn them off. I like to leave mine off LOL
    Oh yes and I like to use Tweak UI XP
    and of course as you all know a million other products.
  21. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    In the case of NIS, Symantec does not recommend or support running both. The following is from the release notes of NIS2002 Pro:

    Interaction with the Windows XP firewall
    Windows XP has a basic built-in firewall which is
    superseded by Norton Internet Security Professional.
    Although it is possible to run both firewalls
    simultaneously, there will be problems with some
    protocols (including FTP). Symantec does not support
    running both firewalls simultaneously and recommends
    disabling the Windows XP firewall before installing
    Norton Internet Security Professional.

  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Can someone please tell me what the word egress means in this sentence o_O :

    "the lack of egress filtering is a huge flaw in the design of ICF."

    The translations I found don't seem to make sense.


  23. jvmorris

    jvmorris Registered Member

    Feb 9, 2002
    Substitute 'outbound' for 'egress'

    Of course, we could get obscure and talk about comesinnas and goesouttas. :D
  24. FanJ

    FanJ Guest

    LOL, never heard of this, :D
  25. jvmorris

    jvmorris Registered Member

    Feb 9, 2002
    Courtesy of my grandmother when I was about five or six and running in and out of the house all day during the summer.

    "First, you comesinna da house and den you goesoutta da house!"

    Also, a favorite expression of many electrical engineers in my experience (but they probably learned it from my grandmother). :p