spoolsv.exe:- phone home

Discussion in 'other security issues & news' started by Jo M, Nov 11, 2004.

Thread Status:
Not open for further replies.
  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    For some time I've been aware of Windows services that don't need to be run and Windows services which don't need internet access! I use a combination of the Windows "services" dialogue on XP Pro, to stop various services, Xplite, to actually remove quite a few, and Zone Alarm Security Suite to deny access to any others that I can't do the first two to!

    I had Zone Alarm set up to deny spoolsv.exe (printer spool system server) any internet access as I don't share my printer even on a home network and certainly don't want it being shared over the net!!!

    I notice that the requests for access go to several "cache.*" where * seems to relate to my ISP?

    Zone Alarm in its most recent incarnation has regrettably removed spoolsv.exe from my Program control tab! However, as I did an upgrade it seems to be respecting my previous setting as far as the log shows. It does not seem possible to manually add spoolsv.exe back to the program control list. Very regrettable!!!

    I am wondering whether to see what happens if I block spoolsv.exe from running (in Process Guard) to see whether I will still be able to print. I will post back if I find this successful.

    Regrettably XPlite doesn't have it as a removable part of Windows; perhaps it can't be removed without seriously stopping things working! Why did Microsoft have to tie the PC working to something that keeps on asking for internet access, when I don't require it to, and specifically don't want it to for security reasons!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    As well as the potential security risks of stupid stupid stupid Microsoft file and printer sharing! I resent the clock cycles which are being taken up with the repeated requests and the denial processes! And potentially slowing down my internet access! And all this while I haven't even got my printer switched on!!!!

    As far as I am aware spoolsv.exe does this even if you don't share your printer, even if you haven't got your printer switched on, even if you haven't INSTALLED a printer! What L......c (clever person!) at Microsoft thought that one up?

    o_O Does this still happen under Service Pack 2? Anyone? o_O I haven't upgraded to that yet as I reckon I don't need patches for programs that aren't there or programs that are disabled or denied all internet access.

    Regards Jo M
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Jo M, I think if you disable that spooling service all your printers will be offline. Though I'm not sure, I think you can disable that service and still use your printer if you bypass the spooler by "printing directly to the printer". This is not recommended though, as you'll have no control over those pesky print jobs.
     
  3. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Here's a link for that...
    http://www.pcwelt.de/know-how/extras/103039/
    IF you were to believe their pitch, it becomes worse with SP2
     
  4. Lurkerella

    Lurkerella Guest

    So nice to read the article in German, is it? Good Day to You!
     
  5. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I copy/pasted the article. Reads like English to me. I could be wrong about my copy though.... Comments anyone? Is this German or English?

    PC-WELT discovers and fixes serious security issue in Windows XP SP2

    "Windows XP Service Pack 2 with Advanced Security Technologies helps you protect your PC against viruses, hackers, and worms." - this is how Microsoft promotes its Service Pack 2 on its website. What the company does not say: Instead of viruses, worms, and hackers, the supposedly safe SP2 for Windows XP invites any Internet user to have a look around your PC.

    As soon as you install SP2 on a Windows XP PC with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall. This also applies to all other services. The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN. Users of DSL services are also affected, if a firewall is not integrated into the DSL modem or a common modem instead of a DSL router is used. Additionally, Internet Connection Sharing of the PC has to be disabled.

    A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight. Without great effort, we were able to discover private documents on easily accessible computers on the Internet. It must be assumed that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: Often, we did not even encounter password protection.

    Already Windows 95 affected by a similar problem

    Experienced Windows users may remember that there was a similar problem in the past, specifically with Windows 95. Back then, Microsoft forgot to separate file and printer sharing from the dial-up network adapter when such a connection was configured.

    In other words, this caused the service to be released worldwide through the dial-up connection as soon as you were connected to the Internet. Microsoft at that time issued an update to patch the bug. The fact that file and printer sharing since then is not connected to the dial-up connection anymore, can easily be seen on your system: Right-click on the symbol "My Network Places" and select "Properties". Repeat the right-click and selection with the icon of your dial-up connection and select the tab "Settings". If there is no check at "File and Printer Sharing", it indicates that this service should not be made available through your dial-up connection.

    This in fact is true for Windows XP without Service Pack. Since SP1, this configuration is hardly more than cosmetics and does not serve any purpose anymore. This means, the file and printer sharing service is connected in general, also to the dial-up network adapter. This in itself is a serious bug, since your shared data potentially could be seen on the Internet. However, there are no catastrophic effects, as every dial-up connection is configured with an activated firewall by default.

    If you intended to deactivate this firewall, Windows displayed an easily recognizable dialog, that this choice would allow access to your computer. Despite the bug in SP1, the configuration of the firewall was worked out in a clean way: You were able to run the dial-up connection with a firewall and the internal network card without, because the latter was supposed to enable access through the Windows network.

    SP1 + SP2 leads to a catastrophic error

    Due to the bug carried over from SP1 as well as a new bug, the firewall configuration with SP2 has a catastrophic effect. The SP2 installation simply uses the previous configuration of the firewall: If it was active for the dial-up connection, now it also has been activated for the network adapter.

    At the same time, an exception is determined for file and printer sharing: For the internal network card - and astonishingly also for all adapters.

    With the first use of the dial-up connection after installing SP2, all of your shared data are available on the Internet. Now, other users can start guessing your passwords for administrator and guest and you basically are no more secure than the first Windows 95 users with an Internet connection - thanks to Service Pack 2.

    How to correct the problem

    It is not advisable to keep this defective default configuration. However, the previous environment cannot be restored: The configuration for the firewall was changed, which does not allow the setting of active or inactive conditions or exceptions for each network adapter anymore. Now this only works for network areas.

    Choose "Windows Firewall" in the Windows Control Panel and there the tab "Exceptions". Select "File and Print Services" and click on "Edit". Now you can see four ports which are used by the file and print sharing service.

    To lock the service to the outside and keep it open for the internal LAN, you have to individually select and change its area with the respective button. Our reader Yves Jerschov notified us of another bug: The value for the area set by default "Only for own network (Subnet)" only works, if the Internet Connection Sharing is activated. If this is not the case, your shared data are visible worldwide. This error can be corrected by choosing "User defined List" and entering the IP addresses that are supposed to have access - the IP addresses of your LAN. A whole range of an IP area can be entered as "192.168.x.0/255.255.255.0", if the respective addresses start with 192.168.x.

    After these measures, you can be sure to be as safe as you were with SP1. Great, don't you think?
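    As an added illustration (not part of this post or of the PC-WELT article), the Python model below evaluates the three scope choices the article describes for the "File and Printer Sharing" exception, including the reported behaviour of the "Subnet" scope when Internet Connection Sharing is off, and shows which of a LAN host and an Internet host would reach the sharing ports under each setting. The 192.168.1.0 range, the 203.0.113.5 address and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: the LAN range the article suggests entering under
# "User defined List" ("192.168.x.0/255.255.255.0"), with x=1 assumed here.
LAN_NETWORK = "192.168.1.0/255.255.255.0"
CUSTOM_LIST = [LAN_NETWORK]


def in_scope_list(source_ip, entries):
    """True if source_ip falls inside any entry of a custom scope list.

    Entries use the dotted-mask form the article shows; the ipaddress
    module accepts "network/netmask" notation directly.
    """
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def reaches_file_sharing(scope, source_ip, ics_enabled=False,
                         local_network=LAN_NETWORK, custom_list=()):
    """Model whether a packet from source_ip reaches the sharing ports.

    scope is "all", "subnet" or "custom" (the three choices in the SP2
    dialog). Per the article, "subnet" only limits access when Internet
    Connection Sharing is on; without ICS it behaves like "all".
    """
    if scope == "all":
        return True
    if scope == "subnet":
        if not ics_enabled:
            return True   # reader-reported bug: no restriction without ICS
        return in_scope_list(source_ip, [local_network])
    if scope == "custom":
        return in_scope_list(source_ip, custom_list)
    raise ValueError(f"unknown scope {scope!r}")


def exposure_report(scope, ics_enabled=False, custom_list=()):
    """Return {source: reachable} for one LAN host and one Internet host.

    203.0.113.5 is a documentation-range address standing in for an
    arbitrary Internet peer (constructed sample, not a real host).
    """
    return {src: reaches_file_sharing(scope, src, ics_enabled,
                                      LAN_NETWORK, custom_list)
            for src in ("192.168.1.20", "203.0.113.5")}


if __name__ == "__main__":
    for cfg in (("subnet", False, ()), ("subnet", True, ()),
                ("custom", False, CUSTOM_LIST)):
        print(cfg[0], "ICS on" if cfg[1] else "ICS off", exposure_report(*cfg))
```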
     
  6. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    spoolsv.exe:- splat the pesky bugger!

    Thanks still_longhorn,


    Very important information!! I'm glad the SP2 CD is still lying on my desk!

    Moreover I'm glad that the MS Firewall has been DISABLED on my PC, ever since... a long time ago! I'm also not sharing either files or printers and this shows under network connections for my Internet connection.

    My annoyance at the pesky, and very determined to get connected, spoolsv.exe really pales in insignificance against sharing all your computer over the net!!!!

    Thanks also AMRX,

    I think I might try out disabling spoolsv.exe if I can by "printing directly to the printer" and see what happens! I have noticed that it IS another service that I can stop under "services". I really don't know why I didn't try it before!

    Regards Jo M

    PS. I'm not sure that the destination of the connections was my ISP. Just in case someone knows:-

    Destinations cache1.ntli.net and cache2.ntli.net
    Does anybody know? Can I trace this somehow with TDS 3, Port Explorer or Process Guard?
     