What system components NEED to have server access?

It seems pretty common for applications to seem to need server access. In particular, I must say Microsoft has got to have some sort of record for the most varried array of program components that want web access. What gets me is that I'm sure out of all those attempts to connect, surely at least one or two must be legitimate?

Just know installing a firewall and
-LSA outbound version
-Winlogon
-Userinit logon
-Generic host service fow win32 services
-Microsoft file and printer sharing
-windows explorer (every time I right click something)

In the past I think I've just denied everything except when the need is obvious, but I want to be sure there really isn't some part of XP that really does need to connect. (I don't use automatic updates,MSN, messenger, IE, or outlook/express, Timeserver, WMP (only use v6, "classic), MSWord /offices /works or their online games). So...Can I just Block em all?


-HandsOff


P.S. - I like to thumb my nose at Microsoft, but I am too fond of it to want to cut it off, just yet!

 

i dont know much about those services, but this is what i do:

of those, i only svchost.exe and explorer.exe have prompted for internet access. i blocked explorer and allowed svchost. i allowed svchost for dns and dhcp purposes. i never tried blocking it, but better safe than sorry.

lastly, the question is not if the traffic is legitimate but if its necessary. for example, i dont need "Microsoft file and printer sharing" connecting because i dont have LAN and thus cant share any files or printers with other computers.

 

Hi WFUser-

"the question is not if the traffic is legitimate but if its necessary"


I like that. Good one! Obviously if it is not legitimate it is not necessary, but necessary is a condition much easier to verify. So the forensic term will shall use will be necessary.

I like the network controls over applications. It's like having X-Ray eyes. I saw Jusched.exe running and recalled that it was the Java automatic updater. Since I just updated two days ago I figured why have it sitting here burning 2 mb, doing nothing so I switched the auto update off. It instantly wants to phone home. This does seem curious. I had always imagined that the update worked this way: Every so often my computer checks with Java's home and maybe says 'this is what we use, is it still current?' Then Java's computer checks and says 'It look good', or 'it's out of date'. Considering the facts, it would almost seem like it's the other way around. My point being, from a security stand point, wouldn't my way be much more secure? It's also vaugly troubling that I tell java no automatic updates, which I think anyone who was not a moron would reasonably conclude that I was instructing the program not to connect. Granted there is no check box next to automatic updates that says "Allow connection for mysterious unspecified reasons". I'm quite sure the people at Java would say that my issue with automatic updates may not mean that I want to restrict internet traffic, it may just be concern over memory consumed...

But Why? why, why, why, why? That is the question that no longer has to be dealt with! But, just the same aren't you just the tiniest bit curious about it?

I wonder if the requests for DNS and DHCP under "svchost.exe -k net services" might be viewed as a distinct separate entitiy from your garden variety "svchost.exe" I would like to think the firewall could make that distinction. But I appreciate the suggestion because it caused me to notice that I have DNS disabled. I'm wondering is this for a reason, or am I just a cross-eyed spaz who clicks the wrong thing by mistake?


-HandsOff

 

Hi HandsOff,
There are NO system components that NEED server rights (inbound connections) for the internet.



note:
The only programs that I allow outbound connections to the internet (for day to day internet use) are my browser and mail client. (I change my firewall / windows settings for win updates).

 

How about AV updates? I went for a long time doing them manually, but now with hourly updates I have a choice of comprimising on having the latest, or putting up with auto updates which, I'm surprised to say, don't annoy me as much as I had guessed they would. The last time I used them until recently was so long ago that the computer slowed down drastically while the updates took place!


-HandsOff

 

Hi HandsOff,
I perform only manual updates of my AV, and allow access then. (I have nothing set to auto update, I feel no need for this)

 

Re: What does svchost do?

What does Svchost do? I am using Kerio 4 and have set it to deny loading others. Cannot see any immediate effect. Am I missing something?

 

It was a combination of things that made me change my mind. Along with the more current updates, I labored under the wrong assumption that I could disable the task scheduler service, and I love nothing better than to disable a service. As it turns out disabling the task scheduler also disables the Prefetch function. I don't consider that to be a good idea. prefetch does more than prefetch too...

anyway, I do understand your position but thought I'd through that out there if it is of any interest to anyone.


-HandsOff

 

I disabled Prefetch some time ago, after finding a lot of "nasties" in the prefetch folder on another users PC.

 

Re: What does svchost do?

svchost does many things. it checks ur dns/dhcp, its used for updating system time, its necessary when visiting windows update, and it functions for many other things as well. if u check task manager, u may find more than one entry for svchost.

 

If you have DNS Service enabled, svchost is used as WSFuser mentioned (DNS, system time).
Svchost is also needed to get Windows Updates, not only automatic, but also via Windows updates webpage. But if you download updates manually (redistributable), you can block it.
Explorer uses net to get info about certificates or something like that, you can block it.
Just for the info, I have explorer and svchost blocked, I have only 12 aplications allowed.

 

(on prefetch) I guess malware might like that spot since it is accessed during start-up. Still, it's a performance issue as well, so I have to strike a balance.

Yeah, I normally have 2 to 4 svchost's. So none of you think a firewall can tell the the difference between the system's network services and some flunkie third party program? You may be right. My task manager used to use two designations svchost.exe -k, and svchost.exe (or something like that). now they are all just svchost.exe. I remain unconvinced! It may matter which one you block first. You never know...unless you know.

Tom, at the moment I have only 5 with permission! (Well, it's a fresh install, so I haven't allowed much yet).

DNS...I think this has a possibility of being a necessary evil. I'm not sure, because I've had some isolated instances of nothing happening when I click a link. But this is odd: when I look at the web page's html code and then cut and past the actual site name into the browser window, then it did work. So I was thinking it was some mistake on the part of the web page's html, but, as I like to say, Who knows!


-HandsOff

 

By the way, you can use What's Running to see, what services belong to each svchost.

 

I've never tried that. I use the boring tasklist, command line routine. A lot of the time a bunch of stuff is lumped into one, so its not quite the same as knowing. I've always wished for a better way so I will take a look at it


-HandsOff

- OK, I'm back! That looks like its far better than tasklist, only it would appear to be commercial, or is there a free version?

- Ok, Back for the third time. It is free for non-commercial use! I am supprised! Thanks, this promises to be quite a find!

 

The DNS service is not really needed --> http://www.mvps.org/winhelp2002/hosts.htm#Note

hth,

...screamer

 

Another good (free) program to look at, from Sysinternals is Processexplorer

 

Stem - I know everyone raves about process explore, but it is a bit too hard for me to follow. I end up on wild goose chases, and unfortunately I don't remember my mistakes and "go back jack, do it again."

whats running puts a lot of information right in front of you on one screen! I did have one dissapointment. they have a column labeled "comments". the columns are all empty. Are they for putting my own notes? I've always wanted to do that! I've got several "task managers" but none seem to allow it. Anyway, I did not see how to add a comment....Oh, I take it back, Wintasks lets you do it, only my comments usually end up being erased, so I gave up. actually it writes them to a text file in the app folder (which is the LAST place I'd want it - when the application gets re-installed your notes are history! (yeah, yeah, I could manually back them up, but that should not be necessary---if i wanted to do that, i might as well just write a separate document!)).


-HandsOff

 

HandsOff,
To add comments in Process explorer
Once you have set your columns (view/select columns) and added the "comments column", double left click on the program to bring up the properties window:-

 

Thanks for the info, but here's another question you may have guessed was coming....Does it allow you to specify where it stores your comments. I was really annoyed when I went to all the trouble to annotate all the processesses in wintasks only to be back to square one during the next install. For processes only, its not such a big deal, but if you include comments on all the services and components and dlls, and so on...well, i'd just not like to have to do it more than once.


-HandsOff

 

HandsOff,
Saving the info (comments) is not somthing I have tried to do, so I have had a quick look, but cannot find where the comments are saved (I did at first think that the info would be saved with the actual file/dll (properties / summary)... , but no change to the file is made. ( "whats running" reads the comments (properties/version/comments)
Dont forget, processexplorer is not installed, it is just run from a folder (and just creates a couple of reg entries). and nothing is saved in this folder.
There is a forum for processexplorer at Sysinternals, so you could have a look there to see if this as been asked.