Originally Posted by crashsystems
I've never been very impressed with the built-in SP2 firewall. For the gateway, we have a Netgear ProSafe VPN firewall, and based upon the tests I've done, it does quite well in protecting against outside attacks. What I'm worried about, though, is someone getting a trojan on one of the XP boxes (it definitely has happened before, though we use AVG Anti-Virus Network Edition), and the writer of the trojan using that to bypass the Netgear firewall and attack the file server from the inside. Pljvaldez, I've checked out the two non-free programs you suggested, and they look quite expensive. If I were to just use the free ZoneAlarm (which I've been thinking of already), do you think it would do the trick? I was really hoping that I could find something open-source for XP. Thanks for your help.
The SP2 firewall is adequate as long as unsolicited programs are unable to run. You can solve this simply by using limited user accounts. If you're running in administrator mode, all bets are off. You don't really stand much of a chance against any virus that's clever enough to bypass firewalls, even if you do purchase ZoneAlarm. As you mentioned, SP2 has no outbound blocking, and weak application-based blocking. Application masquerading is still a threat, and one of the many holes in the SP2 firewall. Even with ZoneAlarm, there are still viruses designed specifically to bypass it.
However, there is the one method which dominates. It obviates the need for any expensive third-party firewall or virus scanner, and is much more guaranteed.
Software Restriction Policies.
It's usually impractical because of the amount of time it takes to set up, and for programs that constantly update. But if you're an IT pro you can easily develop a macro to ease these things along, I'm assuming.
You create a limited user account.
In the administrative account you open Local Security Settings, found under Administrative Tools in Control Panel.
You right-click on Software Restriction Policies and click Create Policies.
Under Security Levels, set Disallowed as the default security level.
For all the additional programs you need to run, right-click on Additional Rules and add a new hash rule. Given the limited number of programs you need, this should be relatively quick. It might also be interesting to know that by default any program files placed within C:\windows have no restriction policies. It might be a bit of a convenience to install programs to a subfolder within there.
This is the hammer.
Combined with TCP/IP filtering,
the SP2 firewall with ICMP blocked,
write protection of all Windows files, DLLs and EXEs,
disabling viewing of cmd, regedit, and iexplore (there are a few I'm probably missing),
OpenOffice rather than MS Word if you can use it (MS Word can utilize powerful VB macros that can execute external DLLs, or use existing Windows ones, to potentially bypass software restrictions),
and an IT pro like you actively viewing logs,
I think you will find your systems fairly secure. The only way around this is the way of pain: the person would pretty much have to use a boot disk to get around it (or execute rundll32 and access Winsock to send some outbound net traffic; watch out for rundll32). That can be remedied by changing a few BIOS settings and locking the computer case.
Of course I haven't covered everything. There might still be a few loose ends. But it's decent.
The only real threat seems to be if some advanced programmer takes over one of your computers and executes a string of rundll32 commands that abuse the Windows API to send out private information about the computer, such as hashes within the registry that can be used to crack user passwords. The odds of this happening to you are somewhat remote.
Of course it's more likely that some greedy member downloads a script to do this for him. You might want to add .bat and .vbs to the list of disabled extensions to be on the extra safe side.
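The Software Restriction Policies procedure described in the post above (default level Disallowed, hash rules for the few allowed programs, C:\windows left runnable, cmd/regedit/rundll32 blocked, .bat/.vbs covered, and a log to watch), scripted. This is an added example, not code from the post or its author: it writes the same registry keys that Local Security Settings writes when you click through the steps by hand (the Safer\CodeIdentifiers key, one GUID-named subkey per rule, MD5 hash rules as XP's New Hash Rule dialog creates them). Everything below that is not in the post is an assumption: PowerShell 2.0 on XP SP3 run from the administrator account, the two allowlisted program paths, the log file location, and the list of tools to deny.

```powershell
# Added example: scripted version of the SRP setup from the post above.
# Assumes PowerShell 2.0 on XP SP3, run from the administrator account.
# Writes the registry keys Local Security Settings writes under HKLM\...\Safer\CodeIdentifiers.
$ErrorActionPreference = 'Stop'
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # security level "Disallowed"
$Unrestricted = 262144     # security level "Unrestricted" (0x40000)

# Assumed allowlist: the handful of programs the limited user needs. Edit for your site.
$AllowedPrograms = @(
    'C:\Program Files\Grisoft\AVG7\avgcc.exe',
    'C:\Program Files\OpenOffice.org 2.3\program\soffice.exe'
)
# Tools under %SystemRoot% the post says to disable (paths relative to the Windows directory).
# A Disallowed rule naming a file outranks the Unrestricted rule for its parent folder.
$DeniedSystemTools = @(
    'system32\cmd.exe',
    'regedit.exe',
    'system32\rundll32.exe'   # the post warns about it; blocking it breaks Control Panel applets, so test first
)

function New-RuleKey([string]$Level, [string]$Kind) {
    # Each rule lives in its own subkey named by a fresh GUID, e.g. ...\262144\Hashes\{GUID}
    $key = "$Safer\$Level\$Kind\{$([Guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty $key -Name SaferFlags   -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

function Add-HashRule([string]$File, [string]$Level) {
    # Same data the New Hash Rule dialog stores: MD5 of the file, its size, and a friendly name
    $bytes = [IO.File]::ReadAllBytes($File)
    $md5   = [Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    $key   = New-RuleKey $Level 'Hashes'
    New-ItemProperty $key -Name ItemData     -Value $md5          -PropertyType Binary -Force | Out-Null
    New-ItemProperty $key -Name HashAlg      -Value 32771         -PropertyType DWord  -Force | Out-Null   # 0x8003 = CALG_MD5
    New-ItemProperty $key -Name ItemSize     -Value $bytes.Length -PropertyType QWord  -Force | Out-Null
    New-ItemProperty $key -Name FriendlyName -Value (Split-Path $File -Leaf) -PropertyType String -Force | Out-Null
    New-ItemProperty $key -Name Description  -Value "Allowed: $File" -PropertyType String -Force | Out-Null
}

function Add-PathRule([string]$Path, [string]$Level, [string]$Note) {
    $key = New-RuleKey $Level 'Paths'
    New-ItemProperty $key -Name ItemData    -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty $key -Name Description -Value $Note -PropertyType String       -Force | Out-Null
}

# 1. Policy container, default level Disallowed
New-Item -Path $Safer -Force | Out-Null
New-ItemProperty $Safer -Name DefaultLevel       -Value $Disallowed -PropertyType DWord -Force | Out-Null
New-ItemProperty $Safer -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null   # 1 = all software files except DLLs (GUI default); 2 = DLLs too
New-ItemProperty $Safer -Name PolicyScope        -Value 1 -PropertyType DWord -Force | Out-Null   # 1 = everyone except local administrators, so the admin account can still repair things
# Verbose log of every SRP decision (process, matching rule) for the log-watching the post recommends. Assumed location.
New-ItemProperty $Safer -Name LogFileName -Value 'C:\WINDOWS\Safer.log' -PropertyType String -Force | Out-Null

# 2. File types SRP treats as executable: the GUI's default list with the scripting extensions the post
#    mentions (.bat, .vbs) made explicit, plus .js/.wsf which the same script hosts run
$types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
           'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','VBS','JS','WSC','WSF')
New-ItemProperty $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString -Force | Out-Null

# 3. Keep the Windows directory runnable (the GUI's default rule, and what the post's C:\windows tip relies on).
#    The registry form of the path is used rather than %SystemRoot% so a user cannot redefine an
#    environment variable to point the rule somewhere else.
$SystemRoot = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
Add-PathRule $SystemRoot $Unrestricted 'Windows directory (default rule)'

# 4. Carve the named tools back out with file-specific Disallowed rules
foreach ($tool in $DeniedSystemTools) { Add-PathRule "$SystemRoot\$tool" $Disallowed 'Blocked by policy' }

# 5. Hash rules for the allowed programs; a hash rule outranks any path rule and follows the file wherever it is copied
foreach ($exe in $AllowedPrograms) { Add-HashRule $exe $Unrestricted }

Write-Host "SRP written. Log off and back on for the policy to take effect; decisions are logged to C:\WINDOWS\Safer.log."
```

Rule precedence is what makes steps 3 to 5 fit together: hash rules beat path rules, and among path rules the more specific path wins, so the single Unrestricted rule for the Windows directory can be punched through by per-file Disallowed rules. One caveat on the post's C:\windows tip: a limited user can write to some subfolders of the Windows directory (for example %SystemRoot%\Temp and %SystemRoot%\Tasks), so anything dropped there would run under that rule. Either add Disallowed path rules for the user-writable subfolders, or drop the SystemRoot rule entirely and rely on hash rules alone, accepting that every Windows update then means re-hashing. The log file records which rule matched each launch, which is the quickest way to find out why a needed program was blocked.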