Why is using Windows Firewall ONLY a bad idea?

Discussion in 'other firewalls' started by Wai_Wai, Sep 3, 2005.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The part about the registry is new; what can be done when running as Admin is not. As noted earlier in the thread, when running with an Admin account any program, including malware, can make changes to the Windows Firewall.

    Regards,

    CrazyM
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Bit of a moot point, I think, as any software firewall is going to require additional services/processes.

    The Windows Firewall is dependent on a few services as well as starting its own. Most will be included in one of the svchost entries; others, like the Application Layer Gateway (alg.exe), will show on their own in Task Manager. This should provide you with a little more detail: Windows Firewall Technical Reference - How Windows Firewall Works. With SP2, the Security Center and/or Control Panel are the easiest ways to monitor the firewall.

    MS recommends not running the Windows Firewall if using a third party one.

    Regards,

    CrazyM
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Working sort of backwards,

    CrazyM, first of all thanks for the information, and while it may seem trivial to you, those details are bringing me important insight. I can recall many instances of having seen alg.exe running on machines with 3rd-party firewalls, and it never clicked that they might have the ICF firewall running concurrently.

    Secondly, and with all due respect, the point is not moot to me regarding the extra services versus the extra services of another firewall. Again, it may be trivial to you, but from my vantage there is a clear difference between the two scenarios. In instance two, the commercial program is running services that are easily identifiable and are specific to the application. In instance one you are talking about running Microsoft services where the implications of them running, as far as I know, can be entirely different and have effects unrelated to the running of the firewall.

    I have studied, at great length, the Microsoft services that are necessary to operate my computer and I must admit that, aside from some of the most notorious (UPnP, etc.), about all I can say is: I need this one or program X won't run, or shutting this down doesn't seem to have any negative effects. Within that framework, possibly you can understand my (and I clearly am not alone in this) determination to have as few of those services running as possible. However, I am not saying that any or all of the processes related to the firewall are bad. I am saying that some of them I can deactivate without the firewall running.

    To Mem1-
    Good link...now I don't feel quite so bad, as apparently a lot of people were missing how easily this is implemented!

    To BlueZannetti-
    I am surprised at your position on this a little. While the firewall router has some very strong points, it does not go very far towards diagnosing and monitoring what is going on on your computer. Of course, if we roll back the firewall definition to what Windows Firewall does...then neither does the software firewall. Still, I was so pleased with my firewall router that I took advantage of a special rebate and got another one for my sister. Last I knew it was still in the box :(. I ask about it often, the way I would about a dear friend I haven't seen in ages. She has no guilt at all about relegating it to the closet.

    To Notok-
    Well, let's face it, you are a paid professional working in a clearly related field. More importantly, your advice seems to be pretty consistently sound and I can't recall you going into a rampage. I should probably work on sticking to the issues, but it does concern me that my dissent not be taken as disrespect.


    - HandsOff
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    HandsOff,

    I guess that, in a way, makes my point. With a separate piece of hardware, once it is installed, that is it. Have a problem with the install? No problem, just unplug the components, reconnect, and restart. The installation instructions can be understood by anyone. There is no issue with software compatibility, no issue of system load, no updates unless you want to reflash the firmware, and as wireless becomes more prevalent, it will be the norm for any home installation anyway.

    I simply can't imagine a casual user pulling firewall logs to monitor and/or diagnose what is happening on their PC. I've never felt the need to do that myself either. They can be useful, but let's revisit the topic here. We're talking about the native Windows firewall - almost by default that puts it in the domain of the casual user.

    Although there are numerous applications which provide information on your system operations in exquisite detail and provide notifications for nearly every byte passing through the CPU, I sit on the opposite end of the spectrum. I search out options that are powerful, but do not weigh you down with notifications, that don't require extensive setup/configuration/learning to use, that are as set-and-forget as possible, but at the same time provide comprehensive coverage. I then trust these applications to work as they are designed and only infrequently check their status. With 5 PCs at home spread among 4 of us, I simply don't want to spend my time as the local support guru.

    My experience is that I don't need to spend a lot of time monitoring and diagnosing what's going on with the other PCs, since I've done that wringing out and stress testing on my own PC and configured the other installs with that information in mind.

    There are lots of ways to approach the diagnostic/monitoring question; for example, each of my home PCs has Port Explorer installed (well, it didn't start that way - these are TDS3 conversions....). If I want to look at connections, I can use that, but I typically approach things from a process perspective. Worried about network traffic going through the roof due to one machine being hijacked? Well, my own PC runs a process which periodically polls the network router and downloads traffic load statistics once a minute or so. I'll know if something is seriously out of whack on the infrequent times I check aggregate traffic, but well before that time I would expect a comment on system responsiveness. I end up with a similar end result, but my path is different than the one followed by those focused on firewalls. Both paths work, but I feel the one I've taken is more suited to the casual user.

    Blue
     
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Actually, our philosophies are almost identical. And I'm sure most casual users don't. The thing is, my firewall logs are tied into the same viewer as the antivirus and the ad blocking. It just sort of evolved that, since I would want to read any detail about a virus, I would glance at the other logs while I was there. Later I got interested in identifying the remote sources of possible attacks. This was sort of a waste of time, but I did notice that you could tell by the address what countries they were from, which I found interesting. I despise advertisers, so I found myself trying to identify ads that I couldn't block to see if I could block them through some rule. Another waste of time, but I did notice some stuff...and on and on.

    Now I don't pore over them to study anything, but it no longer seems odd to go to the firewall logs first when I think some malware has installed, just to look quickly for activity. I don't claim to solve problems with the logs. I just like to know what's going on.

    I would think you would use at least some logs like I do. Just to see if something is there...a few seconds at the most. Anyway, I do, and I am nowhere near a sophisticated user.


    -HandsOff
     
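HandsOff's habit of going to the firewall log first, just to see if something is there, is easy to turn into a repeatable triage step. The script below is an added example (it is not from this thread or from Microsoft): it parses the W3C-style pfirewall.log that the Windows Firewall writes (by default %windir%\pfirewall.log on XP SP2, and only once "Log dropped packets" has been turned on in the firewall's Advanced settings), counts dropped inbound connections per source address, and flags any source that hit several distinct ports. The log text inside the script is constructed for the example, not captured traffic; the function names and the three-port threshold are my own choices.

```python
"""Quick triage of a Windows Firewall log (pfirewall.log).

Added example, not from the forum thread. The column layout is taken from
the "#Fields:" header the Windows Firewall writes in its W3C-style log; the
log text below is constructed for the example, not real captured traffic.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-09-03 10:15:22 DROP TCP 192.168.1.50 192.168.1.10 3456 135 48 S 1234567 0 65535 - - - RECEIVE
2005-09-03 10:15:23 DROP TCP 192.168.1.50 192.168.1.10 3457 139 48 S 1234568 0 65535 - - - RECEIVE
2005-09-03 10:15:24 DROP TCP 192.168.1.50 192.168.1.10 3458 445 48 S 1234569 0 65535 - - - RECEIVE
2005-09-03 10:16:01 DROP UDP 10.0.0.7 192.168.1.10 1026 1026 512 - - - - - - - RECEIVE
2005-09-03 10:16:30 OPEN TCP 192.168.1.10 203.0.113.5 1045 80 - - - - - - - - -
2005-09-03 10:17:02 DROP TCP 192.168.1.50 192.168.1.10 3459 1433 48 S 1234570 0 65535 - - - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue                      # other header lines carry no data
        if fields is None:
            continue                      # data before a #Fields header: columns unknown
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        for p in ("src-port", "dst-port"):
            rec[p] = int(rec[p]) if rec[p].isdigit() else None   # "-" for ICMP etc.
        records.append(rec)
    return records


def dropped_inbound(records):
    """DROP entries whose direction is RECEIVE, i.e. blocked unsolicited traffic."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def drops_by_source(records):
    """Count dropped inbound packets per remote address."""
    counts = {}
    for r in dropped_inbound(records):
        counts[r["src-ip"]] = counts.get(r["src-ip"], 0) + 1
    return counts


def ports_probed(records):
    """Map each dropped source to the sorted distinct destination ports it hit."""
    hits = defaultdict(set)
    for r in dropped_inbound(records):
        hits[r["src-ip"]].add(r["dst-port"])
    return {ip: sorted(ports) for ip, ports in hits.items()}


def likely_scanners(records, min_ports=3):
    """Sources that touched at least min_ports distinct ports (threshold is my choice)."""
    return sorted(ip for ip, ports in ports_probed(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in sorted(drops_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} dropped={n:3} ports={ports_probed(recs)[ip]}")
    print("likely scanners:", likely_scanners(recs))
```

Point the script at the real file with `parse_log(open(r"C:\WINDOWS\pfirewall.log").read())`; OPEN/CLOSE entries are kept in the parsed records but ignored by the DROP summaries, so the same parse can be reused to look at outbound connections.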
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, I agree with what you say.

    By the way, let me tell you the purpose of the above post & my article as well. The points are:
    - if you read carefully, I have stated this (...it may not hold true for security experts. In their cases, some of them may even claim anti-virus is not fundamental)
    - the whole article is not intended to cover the rare/extreme cases or for experts. It is for beginners and advanced users.

    - My 2 cents: In this regard, I think it is unwise to keep stressing the fact that outbound protection can be NOT fundamental in some cases. This will give newbies/beginners an illusion or misunderstanding that it is not needed.

    - By the way, it seems we all make these kinds of misunderstandings. When we see someone say "XX has Function A, B and C. In conclusion, it is very useful", we tend to feel that the author wrongly thought that XX is flawless, and argue, "You are wrong! XX is not 100% useful, and blah blah blah..."
    From the statements alone, the author doesn't ever claim XX is flawless.


    After all, thanks for pointing this out.
    The info is useful. :p
     
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Good points. I completely agree with you.

    By the way, let me tell you the purpose of the above post. Let's try to explain by analogy:
    - Someone asks me if a student can score highly in a maths test.
    I tell them, "Hey man! The student was lazy. See how they performed at English and Biology - all failed!! I don't expect they are going to perform well at Math."
    Someone: "That's completely wrong, buddy! Math is completely different from English and Biology. They are different subjects which require different knowledge. Your claim is definitely wrong!"

    - I reach my hypothesis by indirect inference. What I would like to say is, based on the facts that the student performed poorly at English and Biology, the likelihood is they are going to perform poorly again at Math. The relationship is indirect, but it is still one kind of reasoning, which has its advantages and disadvantages.

    - By the way, although that someone made a good point that they are different subjects, it was a mistake to jump immediately to the conclusion that my estimation is definitely wrong. The correct answer is my estimation can be correct or wrong, but there is a higher likelihood for it to be correct.

    ===============

    - I do wish to read some in-depth tests on inbound protection, so I can have direct proof/reference for this hypothesis. Currently, it seems testers focus on outbound protection of firewalls ONLY (since I can't find even 1 test about inbound protection). But I could be wrong.

    - After all, I would like to apologise that this post appears to be very misleading, leading people all on the wrong track (the EDIT won't work to make the purpose of this post clear). It seems the word "indicator" doesn't carry enough meaning to mean it is just a performance guess on another aspect by the method of probability.

    After all, thanks for your points and info.
    They are very useful. :p
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Interesting find.
    It was found on Sep 2, 2005. Very new.

    According to what it says, an exception could be created that would open a hole in the Windows Firewall, allowing an attacker access to the computer. But in order to exploit this hole, administrator privileges are required so that one can access the target portion of the Windows Registry.

    The hole was recently found, so it is still open and valid (I haven't noticed a Windows Update in Sept; I don't think it has been fixed).

    As to the question of whether it is a security flaw, it is up to you to decide. The fact is there's a flaw that will open up a hole which allows hackers to exploit it freely, on condition that you are running as an admin account.

    If you use Windows Firewall, the best workaround is not to use an admin account. Although this will eliminate the exploit of the hole (the hole is still there, but hackers most probably cannot exploit it), it doesn't mean using a limited account will eliminate the possibility of ALL exploits. [Don't get me wrong or misinterpret this statement.]

    By the way, I find the following post interesting:
    :D
     
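The point made in this post and by CrazyM above (anything running as Admin can rewrite the firewall's exception list in the registry) suggests a cheap check to pair with the limited-account workaround: snapshot the exception lists and compare them with a known-good baseline, so an exception added or switched on behind your back shows up. The script below is an added example, not from this thread or from Microsoft. It assumes the XP SP2 layout, where the Standard profile's exceptions live under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile as AuthorizedApplications\List values of the form "<path>:<scope>:<Enabled|Disabled>:<name>" and GloballyOpenPorts\List values of the form "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>". The dictionaries in the script stand in for values read from those keys (for example with winreg) and are constructed for the example; the "trusted directory" heuristic and the function names are my own.

```python
"""Compare Windows Firewall (XP SP2) exception lists against a baseline.

Added example, not from the forum thread. Assumed registry layout (XP SP2):
  HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile
    AuthorizedApplications\\List  value data: "<path>:<scope>:<Enabled|Disabled>:<name>"
    GloballyOpenPorts\\List       value data: "<port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>"
The dictionaries below map value name -> value data and stand in for a
registry read (e.g. winreg.EnumValue over those keys); they are constructed
sample data, not taken from a real machine.
"""

# Heuristic (my assumption, not a Windows rule): an enabled exception for a
# binary outside these trees deserves a look, since user-writable locations
# such as Temp are where a dropped executable would normally sit.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

BASELINE_APPS = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\sessmgr.exe":
        r"C:\WINDOWS\system32\sessmgr.exe:*:Disabled:Remote Assistance",
}
CURRENT_APPS = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\sessmgr.exe":
        r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:Remote Assistance",      # flipped on
    r"C:\Documents and Settings\user\Local Settings\Temp\update.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\update.exe:*:Enabled:update",
}
BASELINE_PORTS = {"139:TCP": "139:TCP:*:Enabled:@xpsp2res.dll,-22004"}
CURRENT_PORTS = {
    "139:TCP": "139:TCP:*:Enabled:@xpsp2res.dll,-22004",
    "31337:TCP": "31337:TCP:*:Enabled:Listener",                             # new entry
}


def parse_app_entry(value):
    """Split "<path>:<scope>:<state>:<name>"; the path holds a drive colon, so split from the right."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def parse_port_entry(value):
    """Split "<port>:<proto>:<scope>:<state>:<name>"; the name may itself contain colons."""
    port, proto, scope, state, name = value.split(":", 4)
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def _diff(current, baseline, parser, kind):
    """Yield (kind, key, reasons) for entries that are new, changed, or suspicious."""
    base = {k.lower(): parser(v) for k, v in baseline.items()}   # registry names are case-insensitive
    for key, raw in current.items():
        entry = parser(raw)
        reasons = []
        old = base.get(key.lower())
        if old is None:
            reasons.append("not in baseline")
        elif (entry["enabled"], entry["scope"]) != (old["enabled"], old["scope"]):
            reasons.append("enabled/scope changed")
        if (kind == "app" and entry["enabled"]
                and not entry["path"].lower().startswith(TRUSTED_PREFIXES)):
            reasons.append("enabled exception outside trusted directories")
        if reasons:
            yield (kind, key, tuple(reasons))


def audit(current_apps, current_ports, baseline_apps, baseline_ports):
    """Return a list of (kind, key, reasons) findings; an empty list means no drift."""
    findings = list(_diff(current_apps, baseline_apps, parse_app_entry, "app"))
    findings += list(_diff(current_ports, baseline_ports, parse_port_entry, "port"))
    return findings


if __name__ == "__main__":
    for kind, key, reasons in audit(CURRENT_APPS, CURRENT_PORTS,
                                    BASELINE_APPS, BASELINE_PORTS):
        print(f"{kind:4} {key}: {'; '.join(reasons)}")
```

Removed exceptions are deliberately not reported, since losing an exception only tightens the firewall; the baseline itself should be captured from a limited account after a clean install, because a snapshot taken while running as Admin can already contain whatever was added by then.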
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    -----------------------------------

    I also have some doubts about what at first blush looks like a really easy method to live with a limited access account. It is another instance of what I was talking about when I said that when you run a service that requires that other services run, then you may be introducing consequences the risks of which might not be easy to assess.

    Case in point, the article from above tempts us with the prospect of both enabling Fast User Switching and the convenience of no password. The thing you may want to consider is that Fast User Switching runs as a dependency of Terminal Services. In an uncharacteristically candid description of Terminal Services from the services.msc dialogues, it describes it, among other things, as the underpinnings of Remote Desktop...Well, I don't control my computer remotely, and I'd just as soon this feature was not enabled.

    BTW, has anyone noticed (how could you not) some of the really stupid names that malware authors used to give their tools. I say stupid because when you notice a file called something like the black plague death bomb or something...it does sort of draw attention to itself. Unfortunately they are slowly becoming more subtle...however...not before I have developed the habit of analysing the names of processes, services, and such to look for clues of evil intent. C'mon, TERMINAL services? Sounds pretty fatal to me! I think I will stick to logging off the old-fashioned way.

    HandsOff
     