July 19th, 2005

Is the XP SP2 firewall getting a raw deal?

Posted by George Ou @ 12:10 pm

Categories: Security

A recent report on a new denial-of-service vulnerability in Windows RDP (Remote Desktop Protocol), which blamed the Windows XP SP2 (Service Pack 2) firewall, has touched off a rash of sensationalism in other media outlets that is then blindly repeated in the forums. This has caused unwarranted confusion and fear in the IT industry. The original story incorrectly blamed the XP SP2 firewall for failing to protect against the RDP flaw. That is a false characterization of a firewall that already has a history of being mischaracterized as something that breaks a lot of applications or is somehow unreliable. The result has been real harm to the general public, because too many Windows users are refusing to protect themselves with Windows XP SP2. Larry Seltzer did a wonderfully accurate and educational assessment of XP SP2, but it is drowned out by all the doom-and-gloom sensationalism.

When Microsoft first released XP SP2 last year, its new firewall feature was incorrectly blamed for breaking hundreds of applications, when in fact any personal firewall installed without the proper holes drilled would have caused exactly the same issues. This latest story on the RDP vulnerability seems to be yet another slam on the SP2 firewall, with the incorrect accusation that it fails to protect against this new RDP denial-of-service vulnerability. While it’s technically true that an SP2 firewall with TCP port 3389 (used by RDP) opened to anyone will let a denial-of-service attack succeed against an unpatched Windows machine, this is the normal behavior of any stateful packet inspection firewall: it decides whether a connection is allowed to reach a service, not whether that service can safely handle what arrives. The results would have been the same with a $50,000 Cisco or Check Point firewall that had TCP 3389 open to the same Windows machine. Anyone who blames the firewall for this particular attack simply doesn’t understand what a stateful packet inspection firewall can and can’t do. Rather than sensationalizing the story with inaccurate characterizations of the unrelated firewall, it would have been far more beneficial to the public to correctly point out the actual vulnerability and tell the public how to protect themselves.

You can protect all the PCs in your office or home simply by putting them behind a router with a basic firewall or even just NAT (Network Address Translation). A home router with a built-in switch can be purchased for less than $40. Not only does the router protect you from a vast array of attacks, it also acts as an Internet sharing device. Another easy step is to turn on the Windows XP SP2 firewall and make sure that the RDP service is either blocked entirely or only permitted from trusted network sources. You can find more in-depth information here on turning off the RDP service entirely or configuring the XP SP2 firewall. One of the nicest features of the XP SP2 firewall, besides the fact that it’s free with Windows, is that it can easily be managed from a central location. This can be done from a legacy Windows NT 4.0 domain using a script or, better yet, from a group policy in a Windows 2000/2003 Active Directory. This lets a Microsoft network administrator quickly configure every single Windows XP computer in the company with a single login script or a single group policy. While there are third-party firewalls that can do a more thorough job of protecting your PC and have their own centralized management tools, they aren’t free and they can have their own serious vulnerabilities that require patching. The XP SP2 firewall provides a decent and manageable baseline for those who don’t have anything else.
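As an added illustration (not from the original post or from Microsoft), here is the kind of login script described above: it turns on the SP2 firewall and restricts Remote Desktop (TCP 3389) to a trusted subnet using the `netsh firewall` context that shipped with XP SP2. The subnet address is a constructed placeholder; substitute your own management network.

```batch
@echo off
rem Added example: XP SP2 logon script that enables Windows Firewall and
rem limits Remote Desktop (TCP 3389) to a trusted subnet.
rem TRUSTED_SUBNET is a placeholder value, not taken from the original post.
set TRUSTED_SUBNET=192.168.1.0/255.255.255.0

rem 1. Turn the firewall on for both the domain and standard (off-domain) profiles.
netsh firewall set opmode mode=ENABLE profile=ALL

rem 2. Permit the Remote Desktop service only from the trusted subnet.
rem    scope=SUBNET would allow only the local subnet instead; to block RDP
rem    from the network entirely, use mode=DISABLE and drop scope/addresses.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%TRUSTED_SUBNET% profile=ALL

rem 3. Optional: stop the Terminal Services listener itself, so nothing answers
rem    on 3389 even if a later firewall exception opens the port. Remove the
rem    leading "rem" to apply it.
rem reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

rem 4. Verify: the service list should show Remote Desktop with the custom
rem    scope rather than open to any address.
netsh firewall show state verbose=ENABLE
netsh firewall show config
```

In an Active Directory the same settings are set through the Windows Firewall administrative template for the domain and standard profiles, so the script is only needed for NT 4.0 domains or standalone machines.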

Next month on the second Tuesday, Microsoft will release their monthly batch of patches that will fix this RDP vulnerability.  There are no known instances of this denial of service attack and you would definitely know if it had actually hit you.  Now that you’re armed with the facts and know how to mitigate the risks, just let the monthly patch process do its job in an orderly manner.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 46 Talkback(s)
While simple is nice..
you also make it simple for people to get themselves in trouble. That is what makes ActiveX such a nightmare. It is simple to click "yes" and have a load of junk loaded on your computer. Some things... (Read the rest)
Posted by: Patrick Jones, 07/21/05
