Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    That's good to know. I mainly run in a non-admin account most of the time and no one has physical access
    to the computer unless I allow it.
    Kerio is a good rules-based firewall, but IMO needs help from other security software. I have used HIPS
    before, but it requires the time, effort & knowledge to set up properly to benefit from using it. Of course with
    any good security/privacy program that may indeed be what is required to achieve that goal.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There are additional measures that one can take to protect the firewall's components and configuration files.
    The permissions for the firewall's folder and the files it contains can be tightened to further restrict who or what can access them.
    The specific registry keys you mentioned can be added to those monitored by a HIPS.
    An integrity checker can be used to monitor everything in the folder and alert you to changes.
    A batch file that runs at bootup (or sooner with a bootloader) can be used to overwrite any or all of the files in the Kerio directory with copies stored elsewhere on the hard drive. The link in my signature, "Registry Protection for 9X Systems" explains the basic idea. It would need to be modified for bootloader use on NT systems.
    Some classic HIPS, including both versions of SSM, have a window filter module. You specify the file name that you want to protect as it would appear in an editor or Windows Explorer, adding it to the watch list. When SSM detects a window with that name in the title bar, it will either close the window or kill the process, your choice. The system scheduler that I use also has a similar ability, but with more options for the action it takes. See http://www.splinterware.com/products/wincron.htm for more info. Look for info on the Window Watcher feature. This is by far one of the most versatile task schedulers I've ever seen. Even the free version puts Windows' built-in scheduler to shame.
     
  3. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Any suggestions on a good file integrity checker/monitor? Years ago I used FileMapp by BB which IIRC falls
    into that category. Also on Kerio I'm still making changes to the rules.
    I put my DHCP server address into remote endpoint of DHCP rule.
    Have IP blocklist rule using single and Network range. Disabled all settings in Microsoft Networking.
    Do I then need to add MS rules manually for NetBIOS or Windows services? I also block explorer, but not sure if
    that goes high on the rule list.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding integrity checkers, see this post. I haven't looked for more current checkers for NT systems. If I recall, there were several at SourceForge.

    DHCP is performed by svchost.exe. In addition to the IP, you can also restrict it to the specific ports it uses. As for other Windows services or NetBIOS, allow only what you specifically need. If Kerio is set to "ask me first", you'll be prompted if more is needed. If you don't want to be prompted, put a blocking rule for all other svchost.exe traffic after its last permit rule.

    Rules that block all traffic to specific executables like Windows Explorer should be at or near the top of the list. Just make sure that there are no global permit rules (rules for any or all applications) above it that would allow specific types of traffic.
     
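The integrity checker idea from posts 2 and 4 (hash everything in the firewall's folder, alert on change), as an added example that is not part of the thread and not any named tool's code. It baselines a directory tree with SHA-256, then reports files that were added, removed or modified. The file names in `demo()` are constructed stand-ins, not Kerio's real file names.

```python
"""Minimal file integrity checker: baseline a directory tree, then diff it.

Added example for this thread. Everything here (file names, contents) is
constructed for illustration; it is not Kerio's, SSM's or anyone else's code.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or whose content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'firewall folder', baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed sample files standing in for a config and two binaries
        (root / "firewall.conf").write_text("rules=v1\n")
        (root / "engine.exe").write_bytes(b"\x4d\x5a" + b"\x00" * 64)
        (root / "admin.exe").write_bytes(b"\x4d\x5a" + b"\x01" * 64)

        baseline = build_baseline(root)
        # round-trip through JSON: this is how the baseline would be stored on disk
        baseline = json.loads(json.dumps(baseline))

        # simulated tampering: edited config, deleted admin tool, dropped-in new file
        (root / "firewall.conf").write_text("rules=v1\nallow all\n")
        (root / "admin.exe").unlink()
        (root / "extra.dll").write_bytes(b"junk")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want: the check is content-only, so a changed timestamp or ACL on an unchanged file is not reported, and the checker and its saved baseline must themselves live somewhere the account being protected cannot write, otherwise whatever edits the firewall's files can edit the baseline to match.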
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @noone_particular

    Okay, disabled all default-install Windows listed (.exe) that hopefully are not needed.
    Put svchost.exe in DHCP rule with ports 68 & 67. (local & remote)
    Set deny rule for svchost.exe below above rule, but will probably need changing.
    Browser doesn't need Inbound local port connections (1024-5000) so can be set to deny.
    Checked "Don't show port names" & "Don't Resolve Domain Names" in firewall status settings.
    IP address blocking rule (adding IPs) is probably a waste of time because they change often
    unless you use something like "PeerBlock" which updates IP lists on a regular basis.
    Block Explorer rule went to top of list.


    HostMan app will automatically download and install several popular hosts files if
    one chooses to do that. Hosts lists are automatically updated when they become available.

    Have to add more rules (probably DNS and other apps) when they connect out.

    Are you talking about using 'Group Policy Editor' to modify user policies on local
    system - changing file/registry permissions for Kerio folder/files?
     
    Last edited: Apr 8, 2015
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The browser doesn't need to receive inbound connections at all. A rule permitting outbound connections is all a browser should need.
    Those are a matter of personal preference. Not resolving domain names might slightly reduce the demands the firewall makes on the system but the difference will be minor.
    That will depend on what you're using such a blocking rule for. It's quite useless against malicious sites and other fast moving adversaries. I use such a blocking rule for Facebook and Google IP ranges.
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Had one firewall in the past ask for TCP inbound connections from the browser, but I had to put rule for
    blocking ports 1024-5000 so not to be bombarded with popups. Was able to connect so don't know
    why firewall was asking for these inbound connections.

    You might want to check Facebook IPs from your earlier posting in this thread as they have changed.
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    What was the remote address?
    IE does need inbound for loopback from the localhost, I believe for its cache, not sure. I think it's always on the same port in and out, but haven't used IE so long, I don't remember.
    SeaMonkey may also need inbound for loopback from localhost. It happened to me when I was uploading some pictures someplace. SM uses two adjacent ports when it must.
    But none should allow any inbound from any other address, especially internet. And in SSM or in Sunbelt rules only windows explorer allowed to start a browser.
     
    Last edited: Apr 8, 2015
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I have explorer not allowed out anywhere, but I have it listed with applications, actually under "W". Why should it be up high?
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That was never intended to be a complete list. It's the IP ranges that I knew of at the time. That list will grow and change over time. It's quite possible that additional IP ranges are used in other countries that I'll never see.
    Regarding the browser connections, they were probably loopback/localhost connections. Was the IP 127.0.0.1? Most browsers request these connections, including SeaMonkey, but don't actually need them to function.
    What you need to make sure of is that there are no "allow for any" rules above the blocking rule. If there is, that type of traffic would be allowed for Windows explorer. Rules that allow DNS for all applications would be one type that often end up at or near the top. With Kerio and most other Windows firewalls, only one rule will be applied to a connection. Once a rule allows or blocks a specific connection, all the rules below that won't be applied.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    From what I recall was just connecting out to my search engine provider over port 443 and also received popup
    on port 80. Don't use IE, but a loopback block rule from localhost (127.0.0.1) port 1050- UDP. Not sure if that
    changes. I'll post some screenshots of the firewall connections later today.
     
    Last edited: Apr 9, 2015
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I'm getting an Ireland server location on the official facebook site with IP address of 31.13.73.1.
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Have Kerio set with Facebook block in that IP range and getting mixed results. Sometimes blocks, sometimes not.
    Also would it be a good idea to set ' Stop All Traffic ' on bootup and then reset when you're ready to go online?
     
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I do it.
    I also do it as standard practice when I go away from the computer. What I have noticed occasionally is when I Stop all Traffic, the little red circle with the dash in it has disappeared when I come back to the computer even though the traffic is still disabled. I haven't figured out why, but maybe it just disappears after a certain length of time.

    Interesting comments you've brought up about accessing Kerio's files. I spent a good time doing a search about SSM at Wilders and further afield. Is it still possible to get this anywhere?
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have copies of the free and the last pro versions, along with a lifetime key for the pro version. The free version works on 98FE through XP-SP2. The pro version is for Win 2K through XP-SP3. The last pro version is labelled as a beta release due to developing Vista compatibility. On XP it can be considered stable.
     
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    BOOTP.JPG

    The other svchost.exe popup from Kerio. I take it this would be the TCP/IP Bootstrap Protocol (BOOTP) when
    computer boots up and I set to permit.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Are you using the custom address group for the IPs that you're blocking? Is the blocking rule that uses this list above all of the other rules that would permit traffic to the browser or any other internet application that you don't want connecting there?
    I use 2 utilities to get the IP ranges that I block. The first is Sysinternals TCPView. It displays the IPs that the browser (and every other application and system component) connects to. I then enter the IP address into a Whois utility to get the IP block that the address is part of. I prefer Sam Spade, one of the best internet utilities I've ever used for these types of tasks.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  19. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412

    My IP blocking list rule is using the custom address group which consists of single and range IP addresses.
    The list is positioned below the DNS servers (for browser) but above for outbound connections
    for the browser. All default ping & ICMP rules are above IP blocklist rule.

    Currently using Flagfox extension which includes Whois and bunch of other informative tools.
    Whois reports facebook IP address of 173.252.74.22 also which is blocked by rule.
    I do have filter which can be switched on/off for blocking websites including Facebook.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Yes, seeing it shortly after bootup if not set.
    I also have DHCP rule: ( order is above screenshot rule posted)
    Protocol: UDP
    Both directions
    Local port (68 )
    Application (svchost.exe)
    Remote address (DHCP Server)
    Remote port (67)
    Action: Permit
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless you have other applications that you allow to connect to IPs in that list, I'd make it the top rule. I'd also apply it to both inbound and outbound traffic, both TCP and UDP.

    I'm not familiar with the Flagfox extension. IMO, it's better to investigate sites, IPs etc with a utility that's designed strictly for that purpose. Such a utility doesn't store usage tracks and can't be used against you as easily as these spyware packages they call modern browsers. As a separate utility, your firewall rules can permit it to connect anywhere while restricting where your browser and other applications can connect.
     
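The first-match behaviour post 10 describes (the first rule that matches a connection decides it, nothing below is consulted) and the rule layout posts 4, 5, 20 and 21 converge on (blocklist at the top, the explorer block above any global permit, svchost limited to DHCP and DNS with a deny after its last permit, browser outbound only), as a small added simulation. This is not Kerio code and the rule fields are a simplification of Kerio's; application names, the DHCP/DNS server address 192.168.1.1, and the TEST-NET addresses are constructed. The blocklist ranges are chosen only so that the two Facebook addresses quoted in the thread (31.13.73.1 and 173.252.74.22) fall inside them; real block boundaries come from whois as post 17 describes.

```python
"""First-match rule evaluation, the model Kerio (and most Windows firewalls)
follow: the first matching rule decides, rules below it are never reached.

Added example for this thread, not Kerio's code. All names, addresses and
ranges are constructed or chosen for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Connection:
    app: str          # image name, e.g. "svchost.exe"
    proto: str        # "TCP" or "UDP"
    direction: str    # "in" or "out"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    app: Optional[str] = ANY
    proto: Optional[str] = ANY
    direction: Optional[str] = ANY           # ANY means both directions
    local_port: Optional[int] = ANY
    remote_nets: Optional[Tuple[str, ...]] = ANY   # CIDR strings (Kerio's "address group")
    remote_port: Optional[int] = ANY

    def matches(self, c: Connection) -> bool:
        def ok(field, value):
            return field is ANY or field == value
        if not (ok(self.app, c.app) and ok(self.proto, c.proto)
                and ok(self.direction, c.direction)
                and ok(self.local_port, c.local_port)
                and ok(self.remote_port, c.remote_port)):
            return False
        if self.remote_nets is not ANY:
            ip = ip_address(c.remote_ip)
            return any(ip in ip_network(n) for n in self.remote_nets)
        return True


def decide(rules: List[Rule], conn: Connection, default: str = "ask"):
    """Walk the list top-down; the first match wins. No match -> 'ask me first'."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.name
    return default, None


# Example ranges chosen to contain 31.13.73.1 and 173.252.74.22 (quoted in the thread).
BLOCKLIST = ("31.13.64.0/18", "173.252.64.0/18")


def ordered_badly() -> List[Rule]:
    """A global DNS permit above the explorer block: the ordering mistake post 10 warns about."""
    return [
        Rule("allow DNS (any app)", "permit", proto="UDP", direction="out", remote_port=53),
        Rule("block explorer", "deny", app="explorer.exe"),
    ]


def ordered_well(dhcp_server: str = "192.168.1.1", dns_server: str = "192.168.1.1") -> List[Rule]:
    """Blocklist first, per-application blocks next, narrow permits, then the catch-all denies."""
    return [
        Rule("blocklist (both dirs, TCP+UDP)", "deny", remote_nets=BLOCKLIST),
        Rule("block explorer", "deny", app="explorer.exe"),
        # DHCP as laid out in post 20: UDP, both directions, local 68, remote server:67
        Rule("DHCP client", "permit", app="svchost.exe", proto="UDP",
             local_port=68, remote_nets=(dhcp_server + "/32",), remote_port=67),
        Rule("DNS client", "permit", app="svchost.exe", proto="UDP", direction="out",
             remote_nets=(dns_server + "/32",), remote_port=53),
        Rule("block other svchost", "deny", app="svchost.exe"),       # after its last permit
        Rule("browser out", "permit", app="firefox.exe", proto="TCP", direction="out"),
        Rule("browser in", "deny", app="firefox.exe", direction="in"),  # post 6: no inbound needed
    ]


# Constructed connections exercising each part of the list.
EXPLORER_DNS = Connection("explorer.exe", "UDP", "out", 1035, "192.168.1.1", 53)
BROWSER_FB = Connection("firefox.exe", "TCP", "out", 1040, "31.13.73.1", 443)
DHCP_REPLY = Connection("svchost.exe", "UDP", "in", 68, "192.168.1.1", 67)
SVCHOST_OTHER = Connection("svchost.exe", "TCP", "out", 1041, "198.51.100.7", 80)
BROWSER_LOOPBACK = Connection("firefox.exe", "TCP", "in", 1050, "127.0.0.1", 1051)
UNKNOWN = Connection("notepad.exe", "TCP", "out", 1060, "203.0.113.5", 80)

if __name__ == "__main__":
    print("bad order, explorer DNS :", decide(ordered_badly(), EXPLORER_DNS))
    for c in (EXPLORER_DNS, BROWSER_FB, DHCP_REPLY, SVCHOST_OTHER, BROWSER_LOOPBACK, UNKNOWN):
        print("good order,", c.app, c.direction, c.remote_ip, ":", decide(ordered_well(), c))
```

The bad ordering lets explorer.exe resolve names because the any-application DNS rule matches first; moving the explorer block above it (or narrowing the DNS permit to svchost.exe, as the well-ordered list does) is the fix. The same logic is why the blocklist has to sit at the very top: any permit above it that matches the browser's outbound TCP would decide the connection before the blocklist is consulted.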
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The Group Policy Editor, the permissions for registry keys, folder, files, etc, all these apply. I don't normally run an NT system so I'm not that good at its usage. If I recall, there's a very comprehensive thread on this subject in this forum. I don't have a link to it and I don't remember who wrote it. It mentioned among other things creating a new group and altering permissions so that only that group could perform certain tasks.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I didn't think to ask this when you mentioned altering and deleting the Kerio configuration file and others in the folder. Was Kerio running and active during these tests?
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Yes thanks. That seemed to work by placing it up on top. Encrypted google site was allowed through since address
    wasn't in Google IP ranges. Easier for me just to use domain blocking filter instead of adding IPs or maybe use
    both, but limit IPs in Kerio.
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    On testing I used both accounts. (Admin & LUA) Kerio was running and active with password applied to
    Administration in Kerio settings. In the restricted account I wasn't able to delete any executables or config
    file which is how it should work. In the admin account I was able to delete the config file and PFWADMIN.exe,
    but not the PERSPW.exe. Didn't however try modifying any files in either account.
     