Non Admin

Discussion in 'other firewalls' started by Diver, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    This is not strictly a firewall issue, but I found this resource and it is one of the best around for running LUA:

    http://nonadmin.editme.com/HowDoI

    As most of you know, my approach is to use a router with SPI (with a few ports shut off), a strong AV (KAV, NOD, McAfee, or Bitdefender), limited user account, an alternative browser with Java disabled (Firefox or Opera), and a few sysinternals utilities to check on things, very few running services, and nothing else.

    [If I had a laptop (wish), I would use CHX-1 instead of the router, when using it off my home network.]

    I do this because it is far more important to me to keep the baddies off my computer in the first place, than to hope to find them after the fact with an application aware software firewall, much less by hoping to detect malware that impersonates "trusted" applications. Besides, the whole thing can be bypassed with a driver.

    The LUA prevents the accidental installation of most malware. It allows one to run programs that are not supposed to install anything with relative safety. It especially prevents the installation of hidden program elements.

    Remember the No. 1 rule, know what you run. More problems have been caused by free screen savers, or other strange free stuff than all the drive-by downloads in the world. If it is not on sourceforge, it's probably no good.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - When I click on that link, it asks for a username and password... you might want to fix that somehow...

    I am currently doing the UNTHINKABLE here.. ;)

    I am running with NO firewall and NO router. Nothing. Bare naked, with a cable connection to the internet 24 hours a day.

    Here's what I did. I disabled netbios and file and printer sharing completely. I also disabled DCOM and stopped port 445 listening via a registry entry. I then turned off all unnecessary services.

    I then looked in Active Ports and there is NOTHING listening at all. No open ports. I scanned at grc.com and scan.sygate.com and all ports are either stealth or closed. Mostly closed. My ISP blocks 135-139, 80, 445, so those show up as stealth.

    So, if I am offering no services to the internet, and all ports are basically closed, there is absolutely nothing that anyone can do to me.

    I also ran HardenIt to harden the OS against certain DOS and flood situations. That's it.

    I'm using Avast AV with its Web Shield, free version.

    Who needs a firewall? :D

    So far no problems whatsoever after 24 hours. I don't expect any either.

    And browsing and everything else is as fast as I've ever seen it here.

    We shall see how it goes.. ;)
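    As an added illustration of the "nothing listening" check described in the post above (this is not Kerodo's own tooling; the netstat output is a constructed sample and the well-known port table is an assumption), here is a Python script that parses `netstat -an` output, ignores loopback-only sockets, and reports anything reachable from the network:

    ```python
    import re
    from typing import List

    # Constructed sample of `netstat -an` output from a Windows 2000/XP host (not from the thread).
    SAMPLE_NETSTAT = """\
    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
      TCP    192.168.1.10:1234      64.233.187.99:80       ESTABLISHED
      UDP    0.0.0.0:137            *:*
      UDP    192.168.1.10:138       *:*
    """

    # Assumed labels for the ports the thread singles out: RPC/DCOM endpoint mapper, NetBIOS, SMB.
    WELL_KNOWN = {135: "RPC/DCOM", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                  139: "NetBIOS-SSN", 445: "SMB"}

    # Proto, local addr:port, foreign addr, optional state (UDP lines carry no state).
    LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

    def exposed_sockets(netstat_text: str) -> List[dict]:
        """Sockets reachable from the wire: TCP in LISTENING state, or any UDP socket,
        excluding those bound only to the loopback interface."""
        found = []
        for line in netstat_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # header or blank line
            proto, addr, port, _remote, state = m.groups()
            if proto == "TCP" and state != "LISTENING":
                continue  # an outbound connection, not a service we offer
            if addr.startswith("127."):
                continue  # loopback only: not reachable from the network
            port = int(port)
            found.append({"proto": proto, "addr": addr, "port": port,
                          "service": WELL_KNOWN.get(port, "")})
        return found

    def report(netstat_text: str) -> str:
        """Human-readable summary of what an inbound scan could actually reach."""
        socks = exposed_sockets(netstat_text)
        if not socks:
            return "No network-reachable listeners."
        rows = [f"{s['proto']} {s['addr']}:{s['port']} {s['service']}".rstrip() for s in socks]
        return "Exposed listeners:\n" + "\n".join(rows)

    if __name__ == "__main__":
        print(report(SAMPLE_NETSTAT))
    ```

    Run it against the live output of `netstat -an` on the machine; the goal state the post describes is the "No network-reachable listeners" line.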
     
  3. DARkman

    DARkman Guest

    They still may be vulnerable if they are showing closed instead of stealthed?
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Don't see how. There's nothing anyone can do to a CLOSED port. It's secure.
     
  5. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Kerodo,

    If you click on Index to the right of that page it will bring up an index to the complete site, but you probably already know that.

    Interesting experiment you're doing there, I especially like the fact that you're running with a free AV! Can we also assume you're not running an admin... account?

    You may be bursting a lot of bubbles here at Wilders. Are you still running the most unsecure (lol) browser in the world?

    Keep us posted on how it goes.

    Verrrry Interesting,

    Jaws
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Thanks Jaws.. I see the index now..

    Yes, right now I am also running the infamous IE for a browser too. Living dangerously... ;) Typically I would use Firefox or Opera, but have not installed them yet after a fresh reformat here last night...

    Ordinarily, I wouldn't recommend no firewall to anyone, but it's interesting to note that one may not actually be needed under certain circumstances. I am running Win2k here and have disabled everything so there's no open/listening ports. Seems pretty tight right now.

    We'll see soon enough I guess.. :)
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  8. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi CrazyM,

    Thanks for another useful site. I'm trying to get people I know to not use Admin... account but they have hard heads. Funny thing is there are security programs that make you run as administrator.

    But a question though, is the RUN-AS service as bad as running an admin... account? I have my RUN-AS service disabled for this reason but I'm not sure if it's also a danger.

    Thanks,

    Jaws
     
  9. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    But what happens if your machine becomes compromised?

    The idea of running using a limited account has a lot of merit, but even with a limited account, the number of flaws etc in windows, means a machine can still be compromised.

    Closed ports are just as secure as stealthed ports, it's just they respond to indicate they are closed. Although I'm not sure I sign up to everything regarding stealth ports though, since it won't stop your machine being located, and it certainly doesn't stop an attack.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    With no open/listening ports, I will not be compromised inbound. And I do not install crapware or anything that would have malware in it, so how will I ever be compromised? :)

    My assumption is that I can't be touched from the outside with ports closed. Sure, someone could bombard me with pings or TCP packets and perhaps slow my machine down to a crawl, but I have the feeling that would also happen even with a firewall installed under those conditions. I have run HardenIt with this problem in mind though...

    My other assumption is that I am an intelligent user and will not install malware. I have a good AV that also filters web traffic and will stop it before it even hits my HD.

    So, as far as I can tell (so far anyway), I am secure.

    If I do stupid things and download or install malware/spyware, then all bets are off.. But I trust myself not to do that. Haven't so far in many years anyway... ;)
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If you use "Run As" then the program (and any process it invokes) will run with those privileges (typically used to run as Admin from a limited account). The secondary logon service is what provides this functionality, stopping or disabling it will not allow the use of RunAs.

    Regards,

    CrazyM
     
  12. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I've been running this for three years with DrWeb AV and alternative browser, until I moved and had to install a wireless router (with WPA).

    Edit: I was in a hurry and didn't read that you already implemented stack hardening. Removed the suggestion to implement it.
     
    Last edited: Jun 27, 2005
  13. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Thanks for posting. I'm working on a project to harden Windows XP SP2 using a scripted unattend installation and the more resources on LUA the better :)
     
  14. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    Granted even a good firewall, software or router based can suffer under a DoS attack, just I guess your machine would go down sooner ;)

    You say all bets are off, but surely if you were unfortunate enough to fall victim then your machine will haplessly spread any virus/trojan until you clean your machine. At least with a firewall then if you're lucky, you may be able to block it. Although I'm not discounting that firewalls can be bypassed.

    I like what you've done though, it's bold and challenges theories on best practice, I couldn't do it as I use inbound connections for games etc.
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Try it this way:

    http://nonadmin.editme.com/

    They changed it.

    K, I really think it is easier and better to run something like CHX-1 or a router. But, some of the things you are doing might be nice along with a firewall.

    Of course, using Run As allows administrative access. I have it enabled, along with the makemeadmin.cmd batch file.

    That is why you have to know what you run. Ultimately you are going to have to drop your defenses and allow administrative access. You also have to do that with stuff like process guard, if you want to install anything.

    There is no reason to not know what you run. Google is your friend.

    That is where awareness comes in.

    Nonetheless, there are many applets you might want to run, and running in a LUA greatly reduces your risks.

    There is a secretary I know that has her machine full of spyware. She just could not resist every free screen saver, celebrity toolbar and daily horoscope program that came by.

    Aside:

    Diver spent 7 days diving way out in the middle of nowhere at Cocos island. I saw, literally, thousands of sharks close up and nothing happened. Some poor teenager goes to the beach in Florida and gets killed by one. There is no explaining some things.

    Know when you are lucky.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I have to rely on my own wits and trust that I won't install anything bad or do foolish things to compromise my system. I have been connected to the internet for about 10 years I guess, and never once have I had any malware or spyware here, and only a few viruses in that entire time. Hopefully that record won't change.. ;)
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yep, no doubt just running CHX would be easy and best. I'm kinda doing this as an experiment mostly I guess. It does feel a little weird, but I am starting to trust it more now.

    I will most likely slip back into CHX-I at some point though... :)
     
  18. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Kerodo,

    After removing ZA from a friend's PC, because his family would freak out when a popup would show up and they always clicked no (even for AV updates), I set up IPSec with the AnalogX downloaded registry files as the only "firewall" on his PC.

    In the mean time I've been playing around with CHX-1 on my PC to try to get a handle on setting it up. It's been 2 weeks that IPSec has been on his PC and I can't get over there for another 2 weeks so it will be interesting to see if anything gets on his PC.

    They're not as savvy as you when it comes to using the internet but they don't do a lot of downloading or p2p. Just basic browsing and e-mail.

    Regards,

    Jaws
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    One of the nice things about CHX-1 is that it can be deployed for a completely non technical user. With a good set of rules you will never need to touch it, unless an application is added that requires a server port, such as a new P2P program. Even in that case the port could be added to a list of ports rather than in one of the main rules. That would be easier to talk the user through over the phone.
     
  20. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Diver,

    Yea, that's the plan. These people are completely non technical users even for ZA. Even had a hard time convincing them to use a LUA.

    Regards,

    Jaws
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Jaws & Diver - Yep, CHX-I can't be beat for ease of use and simplicity. If I run anything at all, it's CHX...
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I have used IPSec as a firewall before and it works pretty well. It's fairly crude though. You can't do things like set specific icmp types and such, it's all or nothing with icmp. But it does work well as a basic firewall of sorts when you have nothing else.

    CHX-I is much nicer and full featured, yet still extremely light. I think you'll like it. :)
     
  23. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Yea, this is the cat's meow. I got it set up on my w2k machine, unplugged my router, rebooted and everything is fast and smooth. Kind of like when you're just behind your router. Reminds me of ACLs that you set up for a router.

    Went to GRC & Sygate and did their ports tests and everything is stealthed. You got to love its full fledged logging and Active Network Processes (ANP) page that remains unchanged until you refresh ANP.

    Thanks for turning me on to CHX-1. And thanks to Stefan and the crew at IDRCI.

    Jaws
     