Educause Security Discussion mailing list archives

Re: Correction: XP SP2 ports open to local subnet


From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Fri, 11 Jun 2004 12:05:03 -0700

Honestly, I am certain with SP2 Betas being out that these guys are already
working on one that gets in and shuts down the firewall.  They have been
pretty proficient in disabling, blocking and hindering most AV products
(disabling services, adding in hosts file entries, etc.).

Obviously this can be remedied by GPOs on XP Pro by disabling permissions
for local users to change/disable the firewall; however, XP Home would still
be open.  My experience is that most students do not have XP Pro and they
also tend to have simple passwords on local users that have admin access, so
essentially we are back to square one.

Travis Niedens
Network Manager
University of Redlands   

-----Original Message-----
From: Brian Eckman [mailto:eckman () UMN EDU] 
Sent: Friday, June 11, 2004 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Correction: XP SP2 ports open to local subnet

John Kristoff wrote:
> I agree with some who are concerned that not filtering packets from
> the local subnet is potentially going to be a problem.  In my
> experience, where I've put similar filters on router interfaces at
> subnet edges, hosts within the unfiltered subnet(s) would eventually
> get compromised by a host that came into the shielded network with
> something bad.


Agreed. However, those who have NetReg or a similar scanning solution can
likely make the scanner appear to be coming from the local subnet, so it can
find vulnerable computers that would not have otherwise been found due to
the firewall. Some security-admin type people will perceive that as a
benefit. I personally do not like the exception either, or at least wish you
would be prompted upon the first bootup of SP2 to help it decide.

Also, remember that the local subnet filtering exception is only for the
file and print sharing ports 137/udp, 138/udp, 139/tcp and 445/tcp.
Ports like 135/tcp, 5000/tcp, 1025/tcp and all others are filtered from
everyone by default. However, as an example, hosts vulnerable to the LSASS
vulnerability in MS04-011 can be compromised by a computer on the local
subnet. Same with machines with weak/blank passwords.

Changing the default behavior is pretty easy, but people will have to know
to do so, plus be motivated to do so. That is tough as we all know.
We can still try...


> I haven't played with XP SP2 so someone please fill me in on the
> details.
>
> If an XP SP2 host becomes compromised, will the default firewall config
> also block packets on egress from the compromised host to hosts not on
> the local subnet or are the filters only applied on ingress to itself?

The default firewall config would allow the compromised host to try to
spread itself. It seems that something like Sasser (Blaster, Agobot and
Polybot too) would be thwarted, as the remote host would try to establish a
new connection to the Sasser FTP server to get the worm, and would not be
able to because the firewall blocks the new ingress connection. However,
worms will probably eventually figure out how to tell the firewall to allow
access to them, or will just find ways to spread over the initial
connection. And, some worms don't require that connect-back and therefore
will spread uninhibited by the local firewall.

The default firewall config won't stop most spyware and keyboard loggers
from phoning home. The proliferation of such threats is sure to continue
increasing for the foreseeable future. Especially as long as the
ADODB.Stream ActiveX control continues to be accessible by Internet
Explorer, and continues to have unpatched vulnerabilities.

Finally, we all need to remember that SP2 is still likely two months away
from being released, and that what we see today isn't necessarily what will
be in the service pack itself. Granted, not much is going to change at this
point, but nothing is guaranteed to stay the same either.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
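The firewall behaviour Brian describes above (unsolicited inbound dropped except the file and print sharing ports 137/udp, 138/udp, 139/tcp and 445/tcp from the local subnet; egress unfiltered; a worm's connect-back blocked unless the worm adds its own exception) is modelled below as an added example. It is not code from the thread and not Microsoft's implementation; it is a simplified stateful filter written for this page. The local subnet 10.1.2.0/24, the host addresses and the ephemeral ports are constructed; 5554 is the port Sasser's FTP server listened on, which the thread refers to but does not number.

```python
"""Simplified model of the XP SP2 default firewall policy discussed in the thread.

Assumptions (this is a teaching model, not the Windows code): the filter is
stateful, so replies to connections the host opened are accepted; unsolicited
inbound traffic is dropped unless an exception matches; egress is not filtered.
Addresses and non-listed ports below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The "File and Printer Sharing" exception that SP2 scopes to the local subnet
LOCAL_SUBNET_EXCEPTION = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the SP2 host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Sp2Firewall:
    def __init__(self, local_subnet, extra_exceptions=()):
        self.local_subnet = ip_network(local_subnet)
        # exceptions are (proto, port, scope) with scope "subnet" or "any"
        self.exceptions = {(p, port, "subnet") for p, port in LOCAL_SUBNET_EXCEPTION}
        self.exceptions |= set(extra_exceptions)
        self.state = set()  # flows the host initiated, keyed from the host's view

    def evaluate(self, pkt):
        if pkt.direction == "out":
            # Egress is not filtered; remember the flow so the reply is accepted.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: is this a reply to a flow the host opened?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        # Unsolicited inbound: only a matching exception lets it through.
        src_local = ip_address(pkt.src) in self.local_subnet
        for proto, port, scope in self.exceptions:
            if proto == pkt.proto and port == pkt.dport:
                if scope == "any" or (scope == "subnet" and src_local):
                    return "allow"
        return "drop"


def run_scenarios():
    """Evaluate the cases the thread discusses and return a name -> verdict map."""
    fw = Sp2Firewall("10.1.2.0/24")
    host = "10.1.2.20"  # constructed: the SP2 host under test
    r = {}
    # SMB from a neighbour on the same subnet passes: the exception the thread worries about.
    r["smb_local"] = fw.evaluate(Packet("in", "tcp", "10.1.2.50", 40000, host, 445))
    # The same probe from off-subnet is dropped.
    r["smb_remote"] = fw.evaluate(Packet("in", "tcp", "192.0.2.10", 40000, host, 445))
    # 135/tcp is dropped even from the local subnet; only the four ports are excepted.
    r["rpc_local"] = fw.evaluate(Packet("in", "tcp", "10.1.2.50", 40001, host, 135))
    # An unsolicited inbound connection to a worm's FTP listener (Sasser's connect-back) is dropped.
    r["connect_back"] = fw.evaluate(Packet("in", "tcp", "10.1.2.50", 40002, host, 5554))
    # The host phoning home over HTTP is allowed: egress is not filtered.
    r["phone_home"] = fw.evaluate(Packet("out", "tcp", host, 50000, "192.0.2.10", 80))
    # The reply to that outbound connection is accepted by state, not by an exception.
    r["phone_home_reply"] = fw.evaluate(Packet("in", "tcp", "192.0.2.10", 80, host, 50000))
    # If malware adds a global exception for its listener, the connect-back passes,
    # which is why the exception list is worth auditing on managed hosts.
    weakened = Sp2Firewall("10.1.2.0/24", extra_exceptions={("tcp", 5554, "any")})
    r["connect_back_after_exception"] = weakened.evaluate(
        Packet("in", "tcp", "10.1.2.50", 40002, host, 5554))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30s} {verdict}")
```

The model deliberately keeps one flow table for both protocols and ignores ICMP and the Windows-specific scoping options, so it shows the policy shape rather than every detail; the last scenario is the one to watch in practice, since a host whose exception list grows without an administrator's action is the signal the thread anticipates.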
