Windows box directly on the 'net

[ddrueding]

I have a Windows 7 machine connected directly to a cable modem. The NIC on the machine has the external IP assigned by the ISP. It is fully updated, has MS Security Essentials running on it, and has all firewall rules blocked except "core networking". Any guesses as to how safe this machine is just sitting here (without any user active on it, or programs running)?

 

[BingBangBop]

Shields up

 

[ddrueding]

Shields up

[FONT=Verdana,Arial,Helvetica,Sans-Serif,MS Sans Serif][SIZE=-1]Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.[/SIZE][/FONT]

 

[Mercutio]

You have a firewall that's basically set to deny all traffic and you're impressed that it denies all traffic?

 

[Santilli]

Me too!;-)

 

[ddrueding]

You have a firewall that's basically set to deny all traffic and you're impressed that it denies all traffic?

I'm impressed that a usable windows box can be plugged straight into the internet without 3rd party tools and be reasonably secure, yes. For a long time that wasn't the case.

 

[Tannin]

I'm impressed that a usable windows box can be plugged straight into the internet without 3rd party tools and be reasonably secure, yes. For a long time that wasn't the case.

You mean like ~70% of all home computers until a year or two ago? It's routine. Has been for years.

You could plug a Windows box straight into the net safely, without third-party plug-ins, starting from the introduction of (if my memory serves) XP Service Pack 2, which was the first one with a built-in firewall.

The XP firewall is perfectly usable and always has been - if it wasn't, the whole damn planet would have melted down long before now.

(Tannin puts fingers in ears and awaits the host of brain-dead know-it-all posts from the usual suspects pointing out some trivial security issue that, in reality, has never been a factor so far as real world infections go, but which, in the hands of a brain-dead uber-geek, can be inflated into a pretend nuclear meltdown. The reality, let us remember, is that the Windows XP firewall works just fine and has done for many, many years. I have always preferred a hardware firewall in front of it, but that's just me.)

 

[time]

I'm inclined to agree with the spirit of what Tannin said, although I don't agree with abusing people in advance in case they disagree with you.

Hackers don't need to break through firewalls while there's Internet Explorer, Adobe, etc.

Cable users would be less than 10% of the internet-connected population in Australia, and quite a few of those would be using wireless routers. Most everyone else is going though some sort of DSL router, so there aren't actually all that many directly connected PCs.

 

[LunarMist]

I guess I'd be one of those 10% connected on the internet. Frankly, determined organizations can hack practically anything so I don't worry about it. I'm sure they would be terribly bored with anything they found.

 

[CougTek]

Cable users would be less than 10% of the internet-connected population in Australia,...

I guess I'd be one of those 10% connected on the internet.

You're in Australia now?

 

[LunarMist]

No, in about 7 months.

 

[Clocker]

It was pretty easy to pass the Shields Up test even on a Win2K box with printer and file sharing turned off, IIRC. Maybe I had ZoneAlarm then though...

 

[LunarMist]

Back in those days I had no security, but only a dialup ISP. Hackers were unlikely to steal much at that rate.

 

[Pradeep]

You mean like ~70% of all home computers until a year or two ago? It's routine. Has been for years.

You could plug a Windows box straight into the net safely, without third-party plug-ins, starting from the introduction of (if my memory serves) XP Service Pack 2, which was the first one with a built-in firewall.

The XP firewall is perfectly usable and always has been - if it wasn't, the whole damn planet would have melted down long before now.

(Tannin puts fingers in ears and awaits the host of brain-dead know-it-all posts from the usual suspects pointing out some trivial security issue that, in reality, has never been a factor so far as real world infections go, but which, in the hands of a brain-dead uber-geek, can be inflated into a pretend nuclear meltdown. The reality, let us remember, is that the Windows XP firewall works just fine and has done for many, many years. I have always preferred a hardware firewall in front of it, but that's just me.)

There's some flavors of Windows that need patching/service packing before being placed on the Net, I.e. zero day bugs, where if you just do a standard install and plug it in its joined into a bonnet and doing some ddos type attack.

 

[tazwegion]

(Tannin puts fingers in ears and awaits the host of brain-dead know-it-all posts from the usual suspects pointing out some trivial security issue that, in reality, has never been a factor so far as real world infections go, but which, in the hands of a brain-dead uber-geek, can be inflated into a pretend nuclear meltdown. The reality, let us remember, is that the Windows XP firewall works just fine and has done for many, many years. I have always preferred a hardware firewall in front of it, but that's just me.)

That's harsh... really harsh... so monitoring outgoing traffic isn't a real world priority?


+1 for the hardware firewall preference

 

[Tannin]

There's some flavors of Windows that need patching/service packing before being placed on the Net

Absolutely!

Indeed, my standard working assumption is that ALL versions of Windows are vulnerable until I have applied all the appropriate updates and service packs. Doubtless some are sort-of OK as is, but why take the chance? Easier just to assume that they are all broken and act accordingly.

This is why I make a point of always applying all the appropriate updates to any machine I work on myself, before I hand it back to the owner. (And obviously, I am working behind a hardware firewall. Well, several of them, usually, but I doubt that the extra firewalls serve any outside security purpose, they are just a side effect of the way my network is set up.)

 

[Tannin]

so monitoring outgoing traffic isn't a real world priority?

Nope.

Most users are utterly clueless about what traffic to allow and what not to allow, and in any case, once the infection has got to the stage of phoning home, you are already in the kakky up to your eyeballs. At this point, you (very sensibly) start wishing that you had spent all that time and energy you wasted on mucking about with outgoing traffic analysis on something more useful, such as securing the incoming side properly.

If you are in charge of a sizable organisation, sure, there is a place for outgoing traffic analysis. For home users and small business people, it's just a way to get confused, miss the point, and break stuff.

 

[Tea]

Tannin? Harsh? You ain't seen nuffin' yet!

 

[Mercutio]

I regularly tell people not to bother with third party firewall software. I uninstall that crap where ever I find it. It's too easy to mess up a machine with a stupid firewall config and it's too much work to fight with the software when you actually want to do something. Use the built in Firewall or use nothing. Either is a better option.

 

[CougTek]

Using nothing is not an option when you don't have a hardware firewall in front of it and even then, it's not a good idea.

 

[Mercutio]

That's why they should use the Windows Firewall.

 

[tazwegion]

And obviously, I am working behind a hardware firewall. Well, several of them, usually, but I doubt that the extra firewalls serve any outside security purpose, they are just a side effect of the way my network is set up.

I'm curious what type of Hardware firewall you're using (and/or recommend), the last one I built during the dial-up days was based on the small Coyote Linux "floppy" distribution and ran beautifully on a Cyrix 233/VA-502 combo, as I could be relocating to a cable Internet serviced location I might need to build/acquire another (Cisco PIX's are cheap on eBay)

 

[ddrueding]

Smoothwall