Message-ID: <1074368440.14001.33.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: January 15 is Personal Firewall Day, help the cause
Hi Jim,
On Sat, 17.01.2004, Jim Race wrote at 19:20:
> Since the ping-pong game is far past 21 points...
:-)
> How safe would you consider:
>
> A WinXP box with all current patches
There is no such thing as a WinXP box with all current patches :-) Since
installing all patches that Microsoft makes available still doesn't mean
every critical bug is fixed, you should find out as much as possible
about the unfixed bugs. For example, there is still a URL spoofing bug in
Internet Explorer 6 which hasn't been fixed for more than 2 months.
I am pretty sure there are lots more. The dilemma is that MS doesn't
seem to think full-disclosure is the way to go...
Knowing about the unfixed bugs is as important as installing all the
patches that are available.
Consider using alternative software in the meantime, e.g. replace IE6
with Mozilla and so on.
> A properly configured HW firewall
This is pretty good. I don't like hardware firewalls since those are
less flexible than say a barebone Unix/Linux firewall, but this is
probably the most effective end user protection in front of Windows XP
boxes. Be careful though. Inside a hardware router some kind of software
is running (most often based on Linux :-)) and it can contain bugs too.
From time to time there are firmware updates available from your
firewall vendor. Inform yourself about this by checking the vendor's
website.
> ICF enabled, web services ONLY enabled and all ICMP requests disabled
You have to find out if there are any known vulnerabilities in the
services you use and, if yes, how to fix them. It's a pity pivX took
their list offline. Instead they are promoting personal firewalls now in
association with MS...
> Apache (latest) installed with no add'l modules (static pages only)
Be sure to keep it patched. Static pages are good (no possibility of
injecting parameters). Check whether the cgi-bin directory is accessible
from the outside! (shouldn't be by default)
> NOT running Outlook or OE
Very good ;-) This is probably the most important measure :-)
> Mozilla with Java and JS disabled in email
If you want to protect your privacy then disable HTML display in your
mail client and forbid the loading of external content from within a
displayed mail.
> An "admin" who knows not to run attachments
:-)
> No add'l (hated) SW firewalls
A personal firewall is not bad. It's an addition. But it's not the cure.
If you are sure the intended users of the machine know what to do with
all the interactions that are required to run a personal firewall then
install one. It will be hard to configure your hardware router so that
it stops specific processes from connecting _to_ the Internet (in
contrast to _from_). A personal firewall can be of much use here, provided
the users know how to use it.
> No AV stuff running, except when scanning known executables
Some AV software should be running at all times. There are usable
products available for free, personal use only of course. Have a look at
antivir.de.
Be sure to get rid of adware too. Use Adaware or Spybot regularly.
> I am of course, asking for a "friend".
Probably the most important thing when running Windows XP: none of the
users should work as administrator or any other account with those
rights. Windows XP Home creates only users with administrative rights by
default. Be sure to tweak this behaviour. Users should always work with
minimal rights, just as much as they need to perform their tasks. It's
not that you don't trust the users, but any malware initiated inside
their user session will run with their rights!
And last but certainly not least: make regular backups.
Additional measures: Have some sort of bootable live CD available. There
are a lot of Linux-based live CDs available on the Internet which contain
f-prot and lots of recovery and diagnostic tools. It's very handy to
have one of those lying around.
cheers,
Tobias