Full Version of this article can be found here

XP SP2 Firewall warning

Anybody who thinks SP2's Windows Firewall is such a large improvement had better make sure that they know all the facts. If you believe you need a firewall, you will still not want to rely upon SP2's built-in Firewall. All of the hype behind Service Pack 2's Firewall may lead most people to believe that Windows Firewall is all they need to stay safe. All of the marketing buzz gives people a false sense of security. While this IS a large step in the right direction, it still is nowhere near where it should be. Anybody currently using or planning on using SP2 had better read through this carefully to find out WHY it's not anywhere near as secure as the marketing team will try to make you think.

From this document:

Windows XP Service Pack 2 (SP2), currently in Beta testing, includes the Windows Firewall, a significant enhancement of the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.

Humor: MS's spell checker suggested the word "shameful" for "stateful", which would make it: Windows Firewall is a shameful host firewall :)

Basically it'll pass GRC's ShieldsUP test along with any other program that scans for open ports. What I first noticed in my RC1 Preview, and in a bit more detail in my RC2 Preview, was that applications that are run on your system will connect to the internet and THEN give you a notice that looks like this:

[Screenshot: firewall.PNG]

This box leads me to believe that if I choose to Keep Blocking this application, it won't be able to access the internet anymore. What I'm finding out is that it simply doesn't do what it leads me to believe. What this box makes me believe is that it will actually prevent the application from accessing the internet. It does NOT do this. Most firewall programs allow you to set allow/disallow settings per application (or .exe); Windows Firewall will only set the allow part. By giving a box like this, it leads me to believe that it will also black list applications (which it does not).

Any kind of program will be able to access the internet. These applications will be able to both upload and download files. This is something that is absolutely horrible due to what can be done with viruses, spyware or any other programs that may slip through and access the internet. Any program being executed on your system has FULL upload and download capabilities. The only thing blocked is the ability for a person to connect to your system and give the program instructions. This is easily bypassed by setting an internal timer in the application that connects to a web address and downloads something like a .txt file which contains instructions.

The last part of that opening quote states this: Windows Firewall does not drop outgoing traffic. Everything DOS based I've tried will not even show one of those boxes prompting to block or unblock it. It simply allows it. All a person will have to do is create a DOS based application that will open (whitelist) certain ports and this Firewall is completely worthless. They'll whitelist certain programs/ports only if they want the firewall to still appear to be properly functioning. Most people would simply turn the firewall off.

This will greatly slow down virus makers how?

Well, the dumber ones will code into the program an address to connect to for instructions... What that will do is create a nice trail for the feds to follow and apprehend the virus developer. That's what Microsoft is hoping for at least.... In the real world nobody will be stupid enough to do it that way. What they would do is simply turn the firewall OFF and be back to business as usual.

Microsoft even provides a DOS based administration interface for this (only exploitable if the user is logged in with admin rights). If you'd like to disable the Firewall, do this from the command prompt:

netsh firewall ipv4 set opmode mode=disable

An alternate route is through VBScript:

' Get the Windows Firewall manager COM object
Set objFirewall = CreateObject("HNetCfg.FwMgr")
' Select the profile currently in effect (domain or standard)
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
' Turn the firewall off for that profile
objPolicy.FirewallEnabled = False

A great source of information on bypassing this firewall is its MSDN pages. It's open for discussion in our software forum too. I'm very interested in Windows exploits.

Another place I was reading was here.

Application white list. Prior to SP2, applications needed to call the ICF APIs to enable the necessary listening ports to be open to send and receive messages. This proved difficult in peer-to-peer situations when the port was not known in advance. Further, it was up to the application to close the hole in the firewall, which could lead to unnecessary openings in the firewall should the application terminate unexpectedly. Additionally, these holes could only be opened by applications running in the security context of a local administrator. In SP2, an application that needs to listen to the network can be added to the Application White List. An application on the white list will have the necessary listening hole created automatically. By having an application on the white list, only necessary ports are opened, and they are only opened for the duration that the application is listening on it. This prevents an application from opening up a port it's not using and either deliberately or inadvertently exposing another application or service to network traffic from that port. Further, this also allows applications listening to the network to run as a regular user. Applications that work with stateful filtering do not need to be placed on the white list. Only administrators can add an application to the white list.

This explains what that box above is for. It is for setting the White list. However, there is NOT an application black list. That is something that is a part of any decent firewall program and it's what we're whining about.
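As an added example (not from the original post), the same HNetCfg.FwMgr COM object used above to switch the firewall off can be used the other way round: to audit whether the firewall is actually on for the current profile and exactly which applications and ports are on the white list. It assumes Windows XP SP2 and is run with cscript; the property and collection names are those of the INetFwProfile interface.

```vbscript
' Added audit script (not from the original post): reads the Windows Firewall
' state and the application/port exception list through HNetCfg.FwMgr.
' Run with: cscript //nologo fwaudit.vbs
Option Explicit

Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17

Dim objFirewall, objPolicy, objApp, objPort

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

' Profile type: 0 = domain, 1 = standard (home/office)
WScript.Echo "Current profile type : " & objFirewall.CurrentProfileType
WScript.Echo "Firewall enabled     : " & objPolicy.FirewallEnabled
WScript.Echo "Exceptions allowed   : " & Not objPolicy.ExceptionsNotAllowed
WScript.Echo "Notifications shown  : " & Not objPolicy.NotificationsDisabled

If Not objPolicy.FirewallEnabled Then
    WScript.Echo "WARNING: firewall is OFF for this profile"
End If

' Application white list: each enabled entry gets its listening ports
' opened automatically while the program is running
WScript.Echo vbCrLf & "Authorized applications (white list):"
For Each objApp In objPolicy.AuthorizedApplications
    WScript.Echo "  [" & OnOff(objApp.Enabled) & "] " & objApp.Name & _
                 " -> " & objApp.ProcessImageFileName & _
                 " (scope " & objApp.RemoteAddresses & ")"
Next

' Globally open ports: holes that exist regardless of which program listens
WScript.Echo vbCrLf & "Globally open ports:"
For Each objPort In objPolicy.GloballyOpenPorts
    WScript.Echo "  [" & OnOff(objPort.Enabled) & "] " & objPort.Name & _
                 " " & ProtoName(objPort.Protocol) & "/" & objPort.Port
Next

Function OnOff(bEnabled)
    If bEnabled Then OnOff = "on " Else OnOff = "off"
End Function

Function ProtoName(nProto)
    Select Case nProto
        Case NET_FW_IP_PROTOCOL_TCP: ProtoName = "TCP"
        Case NET_FW_IP_PROTOCOL_UDP: ProtoName = "UDP"
        Case Else: ProtoName = "proto" & nProto
    End Select
End Function
```

Running this before and after installing software shows which entries the "Unblock" prompt (or an installer) added to the white list, which is the only per-application control the firewall offers.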

Other than stealthing all of your ports, boot time security is something that they DID do right. I don't believe I've seen a third party application capable of allowing this.

Boot time security. In earlier versions of Windows there is a window of time between when the network stack started and when ICF provided protection. Consequently, a packet could have been received and delivered to a service without ICF filtering it, potentially exposing the computer to vulnerabilities. In SP2, the firewall driver has a static rule called a boot-time policy to perform stateful filtering. This will allow the computer to perform basic networking tasks such as DNS and DHCP and communicate with a Domain Controller to obtain policy. Once the firewall service is running, it will load and apply the run-time ICF policy and remove the boot-time filters. This change should increase system security without affecting applications.

For a peek at the Firewall configuration:

Here are a few screenshots of the Firewall configuration.
[1][2][3][4]

(Numbers 1,3 and 4 have changed slightly since RC1)

#1 is the basic on/off screen.
#2 is the program exceptions list. You can manually add programs to your allowed or not allowed list. You can also modify what ports the various applications are allowed to use. This screen is also how you reach #3.
#3 is the screen where you can block/unblock any port you want.
#4 used to be several tabs that they've combined and labeled Advanced now. The network connections box is where you allow various services to access the internet, such as IIS. The next box is the firewall log. If you ever mess anything up, they now have a Restore Defaults button!

Outro:

I must go curl up in the corner with my blanky and tinfoil hat now. Nothing is as it seems. Don't place your trust in anything or anyone without doing the proper research first.

I've already cried to one Microsoft employee about this. Please contact any Microsoft representative you can get your hands on! Let them know that this is a sad excuse for a firewall. It will truly make a lot of people, especially the corporate world, believe that they have a firewall in place when they're nowhere near as safe as they may think. If it means delaying SP2 even further, they absolutely MUST include an application black list AND prevent applications from accessing the internet until you approve them. Being able to set something in the group policies about ONLY allowing this list of applications access to the internet.... will bring security levels on corporate networks to a level that gives me a boner just thinking about it.....

Maybe I'm living in a fantasy world where every girl is a C cup and THE mainstream OS is secure. In that same world athletes wouldn't use steroids (Barry Bonds) and it was the uglier they are the crazier they are instead of the VERY true "the hotter they are the crazier they are..." Unfortunately I've known too many crazy ugly girls :( yes ladies I'm single.... You know you can't resist