Windows Firewall
Windows Firewall, previously called Internet Connection Firewall (ICF), is a software-based, stateful filtering firewall for Microsoft Windows XP. It protects computers connected to a network by blocking unsolicited incoming traffic over TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6). Configuration options include configuring and enabling port-based exceptions, configuring and enabling program-based exceptions, configuring basic ICMP options, and logging dropped packets and successful connections.
Windows Firewall is turned on by default for all network interfaces. This provides more network protection by default for new installations of, and upgrades to, Windows XP. On-by-default also protects new network connections as they are added to the system. It applies to both IPv4 and IPv6 traffic, and it is enabled even if another firewall is already present on the system.
The IPv4 and IPv6 firewall drivers have a static rule to perform stateful filtering, called the boot-time policy. It allows the computer to perform basic networking tasks such as DNS and DHCP and to communicate with a domain controller to obtain policy. Once the Windows Firewall service is running, it loads and applies the run-time policy and removes the boot-time filters. The boot-time policy cannot be configured.
Windows Firewall Command-line support
With the Netsh helper, you can fully configure Windows Firewall from the command line: configure the default state of Windows Firewall (Off, On, On with no exceptions), configure and enable port-based exceptions, configure the logging options, configure the Internet Control Message Protocol (ICMP) handling options, and enable program-based exceptions.
NETSH HELP
The following commands are available:
Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
diag           - Changes to the `netsh diag' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
interface      - Changes to the `netsh interface' context.
ras            - Changes to the `netsh ras' context.
routing        - Changes to the `netsh routing' context.
set            - Updates configuration settings.
show           - Displays information.
winsock        - Changes to the `netsh winsock' context.
The following sub-contexts are available:
bridge diag firewall interface ras routing winsock
To view help for a command, type the command, followed by a space, and then type ?.
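The following script is an added example, not part of the original article, that walks through the `netsh firewall` options described above (default state, port-based and program-based exceptions, ICMP handling and logging) as they would be typed on Windows XP SP2. The program path, port number, rule names and log size are constructed placeholders.

```batch
@echo off
rem Added example (not from the original article): configure Windows
rem Firewall on Windows XP SP2 through the netsh firewall context.
rem Paths, ports and names below are constructed placeholders.

rem Default state: firewall on, exceptions honoured. Use exceptions=disable
rem for the "On with no exceptions" state on untrusted networks.
netsh firewall set opmode mode=enable exceptions=enable

rem Port-based exception: allow inbound TCP 3389 (Remote Desktop), but only
rem from the local subnet instead of from any address.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (subnet only)" mode=enable scope=subnet

rem Program-based exception: ports the program listens on are opened only
rem while it runs, again limited to the local subnet.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\app.exe" name="ExampleApp" mode=enable scope=subnet

rem ICMP handling: keep inbound echo requests (type 8) blocked so the host
rem does not answer pings from unknown networks.
netsh firewall set icmpsetting type=8 mode=disable

rem Logging: record dropped packets and successful connections in
rem pfirewall.log, capped at 4096 KB.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=enable connections=enable

rem Review the resulting configuration.
netsh firewall show config
```

Running `netsh firewall show config` afterwards is the quickest way to confirm that each exception carries the intended scope and that logging is active.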
WebDAV Redirector
The WebDAV Redirector (DAVRdr) allows computers running Windows XP to use WebDAV (Web-based Distributed Authoring and Versioning) servers, such as Windows SharePoint Services and MSN Communities, as if they were standard file servers. It consists of a kernel component that plugs into the Windows NT remote file system stack, and a user-level component (the Web Client service) that translates file system requests into WebDAV requests.
The WebDAV Redirector is used by people who access WebDAV servers through the remote file system, and it is implemented in the remote file system stack. Client administrators, and users who are concerned with the security of their computer credentials, need to be aware that every access to remote files on a WebDAV server by Universal Naming Convention (UNC) path (for example, \\ServerName\ShareName\File.txt) will be processed by the WebDAV Redirector.
WebDAV is an extension of Hypertext Transfer Protocol (HTTP), and as such includes the use of Basic Authentication (BasicAuth). BasicAuth is one form of user authentication, that is, a means by which a user is identified to the server. With BasicAuth, the client transmits the user’s credentials (user name and password) to the server. If the channel is unencrypted, as with normal HTTP traffic, any computer on the network can see the user name and password and therefore steal the user’s identity. The DAVRdr does not support encrypted HTTP (HTTPS or SSL), and will transmit the user’s credentials in the clear (without encryption) if the server supports basic authentication. Although a legitimate server would most likely not be configured to use basic authentication, a server could be set up expressly to harvest users’ credentials.
Imagine a corporate user at AB Corporation who routinely accesses the file share \\ABC_Server\Sales, is now outside the corporation on a public network, and runs an application that attempts to access that share as part of normal background activity. Since the user’s portable computer is outside the corporate network, the request should fail. However, the DAVRdr will transmit a request to see whether there is a DAV server named ABC_Server, even though the server that the portable computer is actually trying to reach is an SMB server.
An attacker can be operating on that same public network with a computer that spoofs WINS responses, returning a pointer to itself in reply to any WINS request. The portable computer will then try to access a DAV share on that rogue server. If the rogue server answers with BasicAuth as the authentication method, a dialog box appears asking for the user’s credentials. The dialog box identifies the server as ABC_Server, leading the user to believe the request is legitimate. If the user enters a user name and password, the client transmits them in the clear and the attacker thus obtains the user’s login information. There is no indication to the user that the channel is not secure, that the request is being handled by the DAVRdr, or that the portable computer will transmit the user name and password in the clear. Note that the current default Windows authentication methods never transmit a user’s password in the clear.
RPC Interface Restriction
A number of changes have been made in the Remote Procedure Call (RPC) service for Windows XP Service Pack 2 that help make RPC interfaces secure by default and reduce the attack surface of Windows XP. The most significant change is the addition of the RestrictRemoteClients registry key. This key modifies the behavior of all RPC interfaces on the system and will, by default, eliminate remote anonymous access to RPC interfaces on the system, with some exceptions. Additional changes include the EnableAuthEpResolution registry key and three new interface registration flags.
When an interface is registered using RpcServerRegisterIf, RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry key forces RPC to perform additional security checks for all interfaces, even if the interface has no registered security callback.
RPC clients that use the named pipe protocol sequence (ncacn_np) are exempt from all restrictions discussed in this section. The named pipe protocol sequence cannot be restricted by default, due to several significant backwards compatibility issues.
The RestrictRemoteClients registry key can have one of three DWORD values, whose symbolic names are defined in rpcdce.h. If the key is not present, it is equivalent to setting the value DWORD=1 (RPC_RESTRICT_REMOTE_CLIENT_DEFAULT).
Limited number of simultaneous incomplete outbound TCP connections
The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are placed in a queue and resolved at a fixed rate. Under normal operation, when applications connect to available hosts at valid IP addresses, no connection rate-limiting occurs. When rate-limiting does occur, a new event with ID 4226 appears in the system’s event log.