Windows XP SP2 Firewall


John0904
08-13-2004, 01:52 PM
For those that have Windows XP SP2, what do you think about the improved XP firewall?

I shut down my regular firewall program and started the XP one. I then proceeded to load programs that I knew would access the Internet.

Almost all of them were able to access the Internet with no problems.
I had figured that the SP2 XP firewall would ask if the program could gain access to the Internet.
Only two programs prompted the XP firewall. WinMX and Miranda IM (multi protocol instant messenger client).
When I blocked both of those programs for testing purposes, they both were still able to access the Internet.
And on top of that, after the programs were shut down and restarted, I was not prompted again. Both were still able to access the Internet.

Unless I was doing something wrong, I feel that the SP2 XP firewall didn't make the grade at all.

The only benefit I see is that once a Trojan is activated, the user will know that their system is compromised.
From what I see, the Trojan will still have access to the Internet, but the user will know what is happening and be able to disconnect their Internet connection and fix the problem (hopefully).

I started up my own firewall, Sygate, and didn't see any conflicts with the SP2 XP firewall. I'll keep them both activated for now and see how that goes.

What is your opinion of the SP2 XP firewall?

PrntRhd
08-13-2004, 10:23 PM
I think the SP2 firewall is better than nothing. A decent software firewall is MUCH better than nothing.

ErnieK
08-14-2004, 03:06 PM
The first thing I did in the installations I have done up until now was to turn off the Win firewall. My reluctance to trust MS with security looks to be justified, unless it is a glitch on your computer, John.

Also I set Windows update to notify but not do anything else (until any feedback comes about) with any and all relevant updates. This way the user will be notified that there is a new update when it is released, and can, if they choose to, wait for a couple of days before installation to see if any hiccups come to light.

Another matter concerning security.
Up until now it was advisable (as far as I could see on the net - see Steve Gibson's DCOMbobulator - http://www.grc.com/dcom) to disable DCOM.

With SP2 installed (and only security programs installed) if you check out services.msc you will see that one of the new items is as follows:
DCOM Services Processes - and this is pre-configured to run and is set to automatic. Is it safe to leave this running or should it be switched off?

ErnieK
08-14-2004, 03:46 PM
John,
I have just been into Binks's site and saw the following article there.

The following is cut and pasted from Binks site - http://bink.nu -


Most commercial firewalls include a feature to stop all but authorized applications from sending data to the Internet; this stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks. Windows Firewall, however, filters only incoming traffic, allowing any application to send outbound packets, a fact which some industry observers have said makes it less useful for serious protection.

"It still isn't as robust as many third-party host-based firewalls," writes Jeff Fellinge, information security officer at media company aQuantive, in a recent analysis of the firewall.

More seriously, rival firewall makers claim that the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Major firewall makers, including Zone Labs, McAfee, and Symantec are preparing SP2-compatible versions of their applications which disable Windows Firewall when they are installed, and enable it again when they are uninstalled.

But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company says its own products are locked down in such a way that third-party applications can't disable firewall protection without uninstalling the software.

Microsoft admits that, in some cases, malicious code could indeed switch the firewall off. However, this isn't so much a flaw as a limitation on the role firewalls should play in a company's security system, according to Microsoft.

"An attacker could misuse that (administrative) capability," says David Overton, a Microsoft technical specialist. "But you're already in a compromised state, if you're at that point." He says Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it's been infected.
Full story at source (see Binks site for further link)

malcore
08-14-2004, 03:53 PM
With SP2 installed (and only security programs installed) if you check out services.msc you will see that one of the new items is as follows:
DCOM Services Processes - and this is pre-configured to run and is set to automatic. Is it safe to leave this running or should it be switched off?

I think you will find if you do disable this service, that you will be unable to run disk defragmenter, system information, use the windows update button to launch IE to the update site, etc. And you may have problems installing some software.


I have uninstalled File and Printer Sharing, and the Microsoft Client for networks (not running a network on this machine). I have also shut down port 445 (netbt) and disabled NetBIOS in my advanced LAN settings. With the DCOM service process launcher set to auto, task scheduler set to auto, I have no open ports at all, even locally (loopback).

ErnieK
08-14-2004, 03:56 PM
Thanks, Malcore.
I now know what areas to check out. I will get back and let you know the results.

John0904
08-15-2004, 11:17 AM
With the links that Ernie provided, it seems as though the SP2 XP firewall is pretty much as it was before SP2... useless.

"An attacker could misuse that (administrative) capability," says David Overton, a Microsoft technical specialist. "But you're already in a compromised state, if you're at that point." He says Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it's been infected.

From what I have tested, it does not stop the transmissions at all. I'm not sure if that is a flaw on Microsoft's part or if I am doing something wrong.

All in all, I'm still going to recommend a 3rd party firewall over the XP firewall.

I also checked on that DCOM Server Process Launcher. There is no Start/Stop feature. At least on my computer there wasn't. It might be best to leave that on automatic or at the very least manual.

The Windows Firewall/Internet Connection Sharing (ICS) Process has a Start/Stop feature though. If someone has a 3rd party firewall and is not using ICS, it should be safe to set that to manual or disabled.

Mark Miller
08-15-2004, 11:34 AM
I was wondering something along these lines also.
I have a router between my computer and modem. Does this protect from things going out, or is it the same as the software firewall in SP2?
I am of course also running a software firewall now also.
What I am trying to figure out [since I would like to have a few less things running] is whether, with the hardware firewall, the SP2 firewall would be good enough.
Mark

John0904
08-15-2004, 12:07 PM
Depends on the router. The one I have now does have a built in firewall. Problem is, I would have to configure it for each program. :)

does this protect from things going out or is the same as the software firewall in sp2
Routers only block incoming packets. I think the SP2 XP firewall is pretty inadequate. A 3rd party firewall will block incoming as well as outgoing.

The SP2 XP firewall will still transmit outgoing even when blocked. I have tested this with 2 programs. I blocked both, but they were still able to access the Internet.

Don't depend on the XP firewall. Use a 3rd party one instead. Even the freeware versions are tons better.

Mark Miller
08-15-2004, 12:18 PM
Thanks,
That's what I thought
I just checked my router and the firewall is turned on automatically
Mark:)

John0904
08-15-2004, 12:28 PM
I kind of see what you were asking.

Myself, I'd rather depend on a 3rd party firewall just because if any program tries to access the Internet, the 3rd party firewall will warn me and I can then accept or decline at that point.

The router firewall "can" work in theory, but it would have to be tightly configured. But if a Trojan used any ports that you have accepted in the router and without a 3rd party firewall and an outdated AV, the Trojan would run free.

I think the router firewall is more used as a LAN chokepoint.

Donn
08-16-2004, 01:12 PM
Originally posted by ErnieK

Also I set Windows update to notify but not do anything else (until any feedback comes about) with any and all relevant updates. This way the user will be notified that there is a new update when it is released, and can, if they choose to, wait for a couple of days before installation to see if any hiccups come to light.


Good idea. Both major headaches I have had with my Compaq Win Me came immediately following a windows update: last winter I had to wipe the disk, and just recently a registry problem that prevented me from using my e-mail and other functions.

ErnieK
08-17-2004, 06:13 AM
Pasted from Binks site http://bink.nu


People are wondering how to use firewalls on their WinXP SP2 system, since SP2 comes with its own firewall. In a recent discussion, Microsoft's Michael Surkan gave some advice.

Microsoft strongly recommends that users only run one host firewall on their system. "Yes, the XP SP2 Windows Firewall can co-exist with 3rd party firewalls, but multiple firewalls don’t make you safer. Running multiple firewalls just means you have to configure the settings in multiple places (e.g. opening ports for each firewall you run)."

If you want to keep your 3rd party firewall, switch off the Windows built in Firewall. "We have already advised third party firewall vendors to programmatically turn off the Windows Firewall in their future releases, so this will eventually be automatic," Michael said.

If you don't use a 3rd party firewall, make sure you use the built in WinXP SP2 firewall. "The Windows Firewall focuses on preventing attacks from successfully penetrating a system, but it doesn’t do anything to protect systems once bad software is locally installed. The Windows Firewall, for example, doesn’t do any alerting or intrusion detection. Neither does it offer outbound filtering capabilities or reporting," Michael said. So if you want / need those features get a 3rd party firewall.

I think the world is a much better place if all XP pc's have SP2 installed and its firewall on, want more control get 3rd party.

John0904
08-17-2004, 12:43 PM
I relooked at the SP2 XP firewall again.

The Exception rules only block incoming packets, and not outgoing packets. That is the reason those 2 programs I stated before were able to connect successfully.
When blocked they will still send out packets, but won't receive packets.
I was in a mind-set that it would block both incoming and outgoing packets. :p

So in essence, it is as before but more control/ease on which programs you can or can't receive packets.

With that, I suppose it would be better to have the SP2 XP firewall over nothing.

But with numerous freeware firewalls, why would someone use SP2 XP firewall over a 3rd party firewall?
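
Added example (not part of the thread and not Microsoft's code): a toy Python model of the behaviour described in the post above, comparing a stateful inbound-only filter with one that also keeps a per-program outbound allow list. Class names, the program name and the addresses are constructed; accepting replies to connections the host itself opened is the usual stateful-filter behaviour and is an assumption of this model.

```python
# Toy model of a stateful, inbound-only host firewall (illustration only).
# All names here are hypothetical; this is not a Windows API.

class InboundOnlyFirewall:
    def __init__(self):
        self.exceptions = set()  # programs allowed to accept unsolicited inbound traffic
        self.flows = set()       # (program, remote_ip, remote_port) opened from inside

    def allow_listen(self, program):
        self.exceptions.add(program)

    def outbound(self, program, remote_ip, remote_port):
        # There is no outbound rule table: every send passes and records state.
        self.flows.add((program, remote_ip, remote_port))
        return "ALLOW"

    def inbound(self, program, remote_ip, remote_port):
        if (program, remote_ip, remote_port) in self.flows:
            return "ALLOW"       # reply to a connection the host opened
        if program in self.exceptions:
            return "ALLOW"       # unsolicited, but the program is on the exception list
        return "DROP"            # unsolicited and not excepted


class OutboundFilteringFirewall(InboundOnlyFirewall):
    """Adds a per-program outbound allow list on top of the inbound rules."""

    def __init__(self):
        super().__init__()
        self.outbound_allowed = set()

    def outbound(self, program, remote_ip, remote_port):
        if program not in self.outbound_allowed:
            return "DROP"        # program was never approved to send
        return super().outbound(program, remote_ip, remote_port)


def run_scenario(fw):
    """A program with no exception connects out, gets a reply, then is probed by a stranger."""
    peer = ("203.0.113.10", 6699)       # constructed sample address
    stranger = ("198.51.100.7", 40000)  # constructed sample address
    return {
        "connect_out": fw.outbound("p2p.exe", *peer),
        "reply_in": fw.inbound("p2p.exe", *peer),
        "unsolicited_in": fw.inbound("p2p.exe", *stranger),
    }
```

Running `run_scenario` on each class shows the difference: the inbound-only model lets the "blocked" program connect and receive replies while dropping only unsolicited traffic, whereas the outbound-filtering model stops the first packet.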

Mark Miller
08-17-2004, 12:59 PM
It will be good for the people who don't know or want to know about security.
Even though I won't use it, I think it's a great feature built in.
Think of it like some of the safety features in cars. Some you might not get through not knowing, but if they're included and on automatically they help save lives.
IMHO
Mark

FrankSG
08-17-2004, 05:31 PM
Originally posted by PrntRhd
I think the SP2 firewall is better than nothing. A decent software firewall is MUCH better than nothing.
I think that pretty well sums it up for me. If you don't have a firewall, then by all means, use the one in XP. I've always used ZoneAlarm and it's worked fine for me. When tested for leaks, there is no problem. If I go to Steve Gibson's web site and check my ports, they are all stealth. So, unless I hear something a lot better about XP's firewall, I'm sticking with what I have.