FW: Worms versus Bots

Smith, Donald Donald.Smith at qwest.com
Tue May 4 16:20:52 UTC 2004


Sean thanks I just reread XP sp2 details and your right sp2 starts the
firewall SOONER during boot (like before it starts
most network services :-)

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnwx
p/html/securityinxpsp2.asp
Boot time security. In earlier versions of Windows there is a window of
time between when the network stack started and when ICF provided
protection. Consequently, a packet could have been received and
delivered to a service without ICF filtering it, potentially exposing
the computer to vulnerabilities. In SP2, the firewall driver has a
static rule called a boot-time policy to perform stateful filtering.
This will allow the computer to perform basic networking tasks such as
DNS and DHCP and communicate with a Domain Controller to obtain policy.
Once the firewall service is running, it will load and apply the
run-time ICF policy and remove the boot-time filters. This change should
increase system security without affecting applications. 

Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
kill -13 111.2 

> -----Original Message-----
> From: Sean Donelan [mailto:sean at donelan.com] 
> Sent: Tuesday, May 04, 2004 8:55 AM
> To: Smith, Donald
> Cc: nanog at merit.edu
> Subject: RE: FW: Worms versus Bots
> 
> 
> On Tue, 4 May 2004, Smith, Donald wrote:
> > If you follow these steps outlined by SANS you should be able to 
> > successfully update and NOT get infected. This is short, 
> easy, fully 
> > documented (with pictures :)
> > http://www.sans.org/rr/papers/index.php?id=1298
> 
> The risk is smaller, but still exists if you follow these 
> directions for XP pre-SP2.  See the Microsoft release notes 
> for XP SP2 for details about the fix.
> 
> If you do not have XP SP2, you need to disconnect your 
> computer from the network prior to every boot cycle until it 
> is fully patched.
> 
> 



More information about the NANOG mailing list