Back in June 2004, I wrote about Microsoft’s introduction to viruses, worms, and Trojan horses. A more detailed document is the Antivirus Defense-in-Depth Guide, which has recently been updated to include the new technologies introduced in Windows XP service pack 2.
Should you run the Windows Firewall, a third party firewall, or both?
“Which firewall should I use?” – it’s an interesting question. Microsoft are positioning the Windows Firewall (part of Windows XP service pack 2) as a major leap forward in terms of network protection, and it is; but there are many good third-party firewall products out there. Should you use the Windows Firewall? Should you use your third-party product? Should you use both?
According to the Windows IT Pro magazine network (formerly the Windows and .NET magazine network) Windows Tips and Tricks Update, Microsoft issued the following statement in response to such questions from their customer base:
“We strongly recommend that users run only one host firewall on their system. Yes, the XP SP2 Windows Firewall can coexist with third-party firewalls, but multiple firewalls don’t make you safer. Running multiple firewalls just means you have to configure the settings in multiple places (e.g., opening ports for each firewall you run). For anyone who wants to keep using a third-party firewall after installing XP SP2 – for example, because they like some of the extra features – we suggest they turn off the Windows Firewall. We have already advised third-party firewall vendors to programmatically turn off the Windows Firewall in their future releases, so this will eventually be automatic.
We don’t have any specific guidance as to whether people should use the built-in XP SP2 Windows Firewall or use a third-party product. We absolutely believe that people who don’t already have host firewalls should run the Windows Firewall in XP SP2. Almost all firewalls on the market (including the Windows Firewall) provide good security; it then boils down to what features and capabilities people want. The Windows Firewall, for example, doesn’t do any alerting or intrusion detection. Neither does it offer outbound filtering capabilities. The Windows Firewall focuses on preventing attacks from successfully penetrating a system, but it doesn’t do anything to protect systems once bad software is locally installed. Some other products also have better diagnostics and centralized reporting than the Windows Firewall (which has no reporting whatsoever). I don’t believe people are “safer” running third-party firewalls, but there may be some features in these products that they would like to have.”
Whatever the answer, in today’s climate, and in line with the security principle of defence in depth, we should all seriously consider the use of a firewall on all PCs, and the Windows Firewall is a good starting point.
Useful TCP and UDP port numbers
Having spent the afternoon configuring Windows Firewall exceptions, I thought I’d post some links to useful port number information.
Of course, %systemroot%\system32\drivers\etc\services contains port numbers for well-known services defined by IANA, but this is an incomplete list and the up-to-date version is on the IANA website.
Although now out of date (superseded by the RFC 3232 online database), the missing table of contents for RFC 1700 (assigned numbers) provides links to a pile of useful information that doesn’t seem to be covered in RFC 3232. This information is not just from the RFC and includes links to items such as country codes from ISO 3166, although a more up-to-date list of country codes is available on the ISO website (note that the ISO country codes do not necessarily equate to the top level domain codes, e.g. United Kingdom is GB in ISO 3166, but both GB and UK on the IANA website).
Finally, the ISS website has details of commonly used ports (along with some descriptive information) for Microsoft services as well as other vendors.
Using group policy objects to hide specified drives in My Computer
Whilst locking down the Windows XP desktop using an Active Directory group policy object, I needed to prevent access to certain drive letters that didn’t fall within the default settings. Microsoft knowledge base article 231289 details the process for editing the system.adm file to provide more control over access to particular drives.
I chose to write my own .adm file with just the relevant settings (although it fails to load in the same policy as system.adm, due to duplicate definitions, so it needs to be applied through a separate policy).
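As an added example (not the author's own .adm file), the following PowerShell builds the NoDrives bitmask that the system.adm ITEMLIST entries from KB 231289 use and writes a minimal .adm exposing one custom combination; the category and string names are assumptions chosen here, and the file is applied through its own policy, as the post describes.

```powershell
# NoDrives is a bitmask: bit n hides drive letter n (A = bit 0), which is why
# system.adm's "ABC only" entry is 1+2+4 = 7. This example computes the mask
# for any set of letters and emits a small .adm around it.

function Get-NoDrivesMask {
    param([string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $index = [int][char]$letter.Substring(0,1).ToUpper() - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor [int][math]::Pow(2, $index)
    }
    return $mask
}

function New-NoDrivesAdm {
    param([string[]]$DriveLetters, [string]$Path)
    $mask  = Get-NoDrivesMask $DriveLetters
    $label = "Hide " + ($DriveLetters -join ", ") + " only"
    # Category/policy/string names below are assumptions for this example.
$adm = @"
CLASS USER
CATEGORY !!CustomExplorer
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  POLICY !!CustomNoDrives
    EXPLAIN !!CustomNoDrives_Help
    PART !!CustomNoDrivesList DROPDOWNLIST NOSORT REQUIRED
      VALUENAME "NoDrives"
      ITEMLIST
        NAME !!Custom1 VALUE NUMERIC $mask
        NAME !!CustomNone VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
CustomExplorer="Custom Windows Explorer restrictions"
CustomNoDrives="Hide these specified drives in My Computer (custom list)"
CustomNoDrives_Help="Sets the NoDrives bitmask: one bit per drive letter, A = bit 0."
CustomNoDrivesList="Pick one of the following combinations"
Custom1="$label"
CustomNone="Do not restrict drives"
"@
    Set-Content -Path $Path -Value $adm -Encoding Unicode
    return $mask
}

# Hide E: and F: -> bits 4 and 5 -> 16 + 32 = 48
New-NoDrivesAdm -DriveLetters 'E','F' -Path "$env:TEMP\hidedrives.adm"
```

NoDrives only hides the drives in Explorer; it does not stop access by path, so pair it with NTFS permissions where access (rather than visibility) is the concern.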
Monthly columns on the Microsoft TechNet website
Microsoft publishes a number of monthly columns on its TechNet website, all of which provide interesting reading and are useful information sources:
- Cable Guy (networking);
- Hey, Scripting Guy! and Tales from the Script (scripting);
- IIS Insider;
- Professor Windows;
- Security Management.
Although not strictly a monthly column, there is also a section called the 5 Minute Security Advisor.
Unattended IIS installation after the operating system has been installed
One of my clients needed to provide an FTP server service on some of its XP PCs, but as an addition to the existing standard operating environment (i.e. without altering the core build). Of course, Internet Information Services (including the FTP Publishing service) may be installed as part of an unattended Windows installation, but the problem here was installing IIS after the operating system had been installed and configured. I did some research, and discovered the system standalone optional component manager (sysocmgr.exe). This is effectively what sits behind the Add or Remove Programs Control Panel applet (appwiz.cpl), to provide the Add/Remove Windows Components functionality. Microsoft’s IIS 6.0 technical reference provided the appropriate information to write an answer file and this command file demonstrates the process, taking input from a text file.
Once IIS was installed, the next stage was to configure the FTP Publishing service (create virtual directories, set permissions, etc.). Scripting support varies across the different IIS versions with, not surprisingly, IIS 6.0 providing the most complete support for what I wanted to do (there are a number of IIS-related scripts in the %systemroot%\system32 directory). Unfortunately, the IIS 6.0 scripts do not work with previous versions of IIS, the IIS 5.x administration scripts (installed by default in c:\inetpub\adminscripts) did not seem to offer what I needed, and the IIS 4.0 Resource Kit scripts do not work with IIS 5.0 or 5.1.
I was stumped until a contact at Microsoft pointed me in the direction of adsutil.vbs. This is one of the IIS 5.x administration scripts that I had overlooked because of the filename (which does not imply that it will allow you to create virtual directories etc.). In fact, adsutil.vbs is pretty comprehensive in its capabilities and allowed me to configure all the FTP site settings I wanted, as demonstrated in this command file.
The main issue (not immediately apparent from the adsutil.vbs help text) was to create the virtual directory object and then to set the path for the virtual directory as two separate commands. This wasn’t easy to track down (but can be found in a Google Groups thread) and was the final step needed to get everything working.
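The whole procedure above, as an added example rather than the author's command files: a sysocmgr.exe answer file to add the FTP service to an already-built XP PC, then the two-step adsutil.vbs CREATE and SET of Path that the post describes, and finally an XP SP2 Windows Firewall exception for the control port. The component names are those from XP's sysoc.inf (check the copy on your build), and the virtual directory name and folder are constructed sample values.

```powershell
# Assumed inputs (constructed for this example)
$answerFile   = "$env:TEMP\iis-ftp.txt"
$adminScripts = "C:\inetpub\adminscripts"   # default IIS 5.x script location
$vdirName     = "pub"                       # sample virtual directory name
$vdirPath     = "C:\ftproot\pub"            # sample physical folder

# 1. Answer file for the optional component manager: a [Components] section
#    with one "name = on" line per component to add.
@"
[Components]
iis_common = on
iis_inetmgr = on
iis_ftp = on
"@ | Set-Content -Path $answerFile -Encoding ASCII

# 2. Run sysocmgr against the master INF (/i) with the answer file (/u), quietly (/q).
#    It will prompt for the i386 source files if it cannot locate them.
Start-Process -FilePath "$env:SystemRoot\system32\sysocmgr.exe" -Wait `
    -ArgumentList "/i:$env:SystemRoot\inf\sysoc.inf", "/u:$answerFile", "/q"

# 3. Create the virtual directory object first, then set its path in a
#    second command: adsutil.vbs will not do both in one step.
if (-not (Test-Path $vdirPath)) { New-Item -ItemType Directory -Path $vdirPath | Out-Null }
$adsutil = Join-Path $adminScripts "adsutil.vbs"
cscript //nologo $adsutil CREATE "MSFTPSVC/1/ROOT/$vdirName" IIsFtpVirtualDir
cscript //nologo $adsutil SET "MSFTPSVC/1/ROOT/$vdirName/Path" $vdirPath
# Read-only unless uploads are genuinely required (metabase AccessRead/AccessWrite).
cscript //nologo $adsutil SET "MSFTPSVC/1/ROOT/$vdirName/AccessRead" TRUE
cscript //nologo $adsutil SET "MSFTPSVC/1/ROOT/$vdirName/AccessWrite" FALSE

# 4. Read the new node back to confirm both steps took effect.
cscript //nologo $adsutil ENUM "MSFTPSVC/1/ROOT/$vdirName"

# 5. XP SP2 Windows Firewall exception for the FTP control channel (TCP 21),
#    scoped to the local subnet rather than any address.
netsh firewall add portopening protocol=TCP port=21 name="FTP Server" mode=ENABLE scope=SUBNET
```

The exception covers only the control channel; FTP data connections are a separate consideration not shown here.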
MsTsc.Server errors with TSAC ActiveX control
I haven’t used the Terminal Services Web Client for a few years and when I installed it on a Windows 2000 server with the latest updates applied I received an “Object doesn’t support this property or method: ‘MsTsc.Server’” error.
After a bit of research I found that the problem dates back to some security updates from 2002 (for further details, see the Remote Networking Development website, Microsoft knowledge base article 328002, and Microsoft security bulletins MS02-046 and MS02-047). Downloading the latest Remote Desktop Web Connection fixed the problem and my servers are now available from wherever I happen to be.
Script to disable password expiry for local Windows accounts
One of the shortcomings of the net user command in Windows is the inability to set the password never expires flag on an account (account expiry options can be set, but not password expiry; the full syntax is described in Microsoft knowledge base article 251394).
There are 13 flags on an NT SAM/Active Directory user account which may be manipulated using VBScript (for further details of the 13 flags, see Microsoft’s sample scripts; there is also some useful information about the object model on the Motobit Software website).
This script can be used to set the password never expires flag on a specified account. I’ve tested it against the local SAM database on a Windows XP PC, but in theory it should work on all versions of Windows NT (2000, XP, 2003 Server, etc.) and also against Active Directory accounts if you run it on a domain controller.
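As an added example (not the author's VBScript), the same UserFlags manipulation through the ADSI WinNT provider from PowerShell, generalised to set or clear the flag and to read the result back; ADS_UF_DONT_EXPIRE_PASSWD is 0x10000, the account name is a constructed sample, and the function is assumed to run with administrative rights on the machine that holds the account.

```powershell
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "password never expires"
$ADS_UF_ACCOUNTDISABLE     = 0x0002    # "account is disabled"

function Set-PasswordNeverExpires {
    param(
        [string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [bool]$Enabled = $true
    )
    # WinNT:// binds to the local SAM, or to domain accounts when run on a DC.
    $user  = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $flags = [int]$user.Get("UserFlags")

    # Touch only the one bit; every other flag is preserved as found.
    if ($Enabled) {
        $newFlags = $flags -bor $ADS_UF_DONT_EXPIRE_PASSWD
    } else {
        $newFlags = $flags -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD)
    }
    if ($newFlags -ne $flags) {
        $user.Put("UserFlags", $newFlags)
        $user.SetInfo()
    }

    # Read back from the directory rather than trusting the local object, and
    # report the disabled bit too: non-expiring passwords on accounts nobody
    # uses are a common audit finding.
    $readBack = [int]([ADSI]"WinNT://$ComputerName/$UserName,user").Get("UserFlags")
    New-Object PSObject -Property @{
        User                 = "$ComputerName\$UserName"
        PasswordNeverExpires = (($readBack -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        AccountDisabled      = (($readBack -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
    }
}

# Constructed sample: a local service account whose password is managed separately.
Set-PasswordNeverExpires -UserName "svc_backup"
# To reverse it later:
# Set-PasswordNeverExpires -UserName "svc_backup" -Enabled $false
```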
Command line alternative to the Windows device manager
One of the Microsoft consultants that I have been working with sent me a link to a handy tool today – devcon.exe is a command line alternative to the Windows device manager and full details (including a download link) may be found in Microsoft knowledge base article 311272.
Bluetooth Drivers for Dell TrueMobile 300
Following my previous post about the trouble I have had getting the Bluetooth hardware in my Dell Latitude D600 repaired, I then had to reinstall the Dell TrueMobile 300 Bluetooth driver. During the three week wait to get the hardware repaired, I had installed Windows XP SP2 and as Stuart Preston reported on his blog, the Dell drivers do not function correctly under SP2, resulting in a requirement to use the native Microsoft drivers (which are less functional).
A hunt around the Dell Community Forum revealed many unhappy users (bizarrely mostly blaming Microsoft for releasing SP2!), but no real solution until a Google search came up with Dell support document FA1090448 (a search of the Dell website had failed to locate this), pointing to an updated driver that seems to fix the problem.