Prudent or Paranoid?


Crazy Horse

I'll try to get right to the point...

I'm in the process of building the software platform on my new (low-end
DELL) laptop. In terms of optimizing system integrity, I've thought the
best approach in terms of order of installation would be as follows:
--------------------
1. Windows 2000 Workstation (original release version)
2. Service Pack 4 (SP4)
3. all recommended (post-SP4) security patches
4. anti-virus software
5. firewall software

Ideally, in terms of minimizing one's security exposures, it seems it
would be best to install all of the above software *before* connecting to
the 'Net. And this has been the approach I've intended to take. However,
getting to a point where I can install this software (2-5) from CD, is
proving problematic.

So... here's the question...

How much of a real-world risk am I taking by doing steps 2-5 over the
'Net? To be more precise, would I be running a substantial real-world
risk of infection by leaving my system connected to the 'Net long enough
to accomplish these steps?

Keyword here is "substantial". In other words, if the theoretical
possibility of infection is certain, but the real-world probability is
very low, then I think I'd feel comfortable with taking the risk.

Any and all feedback will be appreciated.

Many thanks.
_______
-CH
¯¯¯¯¯¯¯
 
yes, it is a substantial risk. it only takes a few minutes on an
unprotected dialup line to get sasser, gaobot, and msblast worms. (i just
had to clean these off a machine that was in a remote site and only
connected to the internet once a day to upload a data file then disconnect).
i would recommend installing the firewall first... the built in win2k one
'should' be adequate, just disallow EVERYTHING from coming in until you are
completely patched and have the virus scanner running... then install your
choice of 3rd party firewalls and disable the win2k one. of course while
you are doing this be careful to only go to the windows update site and
security software sites as you will be unprotected from downloading bad
stuff from other sites.


 
Crazy said:
I'll try to get right to the point...

I'm in the process of building the software platform on my new
(low-end DELL) laptop. In terms of optimizing system integrity, I've
thought the best approach in terms of order of installation would be
as follows:
--------------------
1. Windows 2000 Workstation (original release version)
2. Service Pack 4 (SP4)
3. all recommended (post-SP4) security patches
4. anti-virus software
5. firewall software

Ideally, in terms of minimizing one's security exposures, it seems it
would be best to install all of the above software *before*
connecting to the 'Net. And this has been the approach I've intended
to take. However, getting to a point where I can install this
software (2-5) from CD, is proving problematic.

So... here's the question...

How much of a real-world risk am I taking by doing steps 2-5 over the
'Net? To be more precise, would I be running a substantial real-world
risk of infection by leaving my system connected to the 'Net long
enough to accomplish these steps?

Keyword here is "substantial". In other words, if the theoretical
possibility of infection is certain, but the real-world probability is
very low, then I think I'd feel comfortable with taking the risk.

Do not [1] connect to the Internet without a firewall protecting your
computer/network. You can get a Sasser, Blaster, variant, infection in
nanoseconds.

Any and all feedback will be appreciated.

Many thanks.
_______
-CH
¯¯¯¯¯¯¯

[1] ever, ever ever!
 
Dave-

Thanks for your reply.

i would recommend installing the firewall first... the built in win2k one
'should' be adequate, just disallow EVERYTHING from coming in until you are
completely patched and have the virus scanner running... then install your
choice of 3rd party firewalls and disable the win2k one.
--------------------
I mean no offense here... but I'm confused...
In the m.p.w2k.general newsgroup, Lanwench said:

XP has better built in support for graphics files, wireless
networking, etc - and has a firewall.

From this statement, I inferred that Windows 2000 does *NOT* have a
firewall. Before I choose which OS to install (W2k-Pro or XP-Home), I'd
like to be certain as to whether or not W2k-Pro does, in fact, have a
built-in firewall.
¶ Assuming you're right about there being a firewall included in W2k, can
you advise me on where to look on the CD to find and install the code?

of course while
you are doing this be careful to only go to the windows update site and
security software sites as you will be unprotected from downloading bad
stuff from other sites.
--------------------
Glad you mentioned this... I might have assumed the W2k-built-in firewall
would have protected me from infection at other sites. I'll take your
advice and limit my surfing to the MS sites you mention.

Thanks again for your reply and help.
_______
-CH
¯¯¯¯¯¯¯
 
Crazy said:
Dave-

Thanks for your reply.


--------------------
I mean no offense here... but I'm confused...
In the m.p.w2k.general newsgroup, Lanwench said:
From this statement, I inferred that Windows 2000 does *NOT* have a
firewall. Before I choose which OS to install (W2k-Pro or XP-Home),
I'd like to be certain as to whether or not W2k-Pro does, in fact,
have a built-in firewall.

It does not. WXP is the first desktop OS to include a firewall. You need a
third party firewall - hardware or software, as you wish.

¶ Assuming you're right about there being a firewall included in W2k,
can you advise me on where to look on the CD to find and install the
code?

It's not there.
Firewalls protect your computer in a couple of ways - they prevent *inbound*
access to your computer/network, and some can be configured to control
outbound access via ports, services, etc. Nothing will protect you from
something you initiate yourself....
 
If your network is clean and you have something blocking inbound Internet
traffic, NAT box, firewall etc., you're ok. If the machine is directly
connected to the internet, I wouldn't do it. Our Internet exposed servers
each see, on average, one malicious connection attempt per minute. With an
older version of our host IDS software, we had a server infected while
booting, during the millisecond gap after the TCP/IP service started and
before the firewall service started. If you are going to run a host based
firewall, be sure it blocks all network traffic until the firewall service
starts.

Another option is to use IPSEC filters to block any inbound network traffic
until the machine is patched.

--
Eric Chamberlain, CISSP



 
"Lanwench [MVP - Exchange]"
It does not. WXP is the first desktop OS to include a firewall. You need a
third party firewall - hardware or software, as you wish.

then what am i seeing when i go to network connections/tcpip
properties/advanced/options/tcpip filtering???
 
then what am i seeing when i go to network connections/tcpip
properties/advanced/options/tcpip filtering???

Exactly what it says, TCP/IP filtering, which is not, in any way shape
or form, a firewall.
 
Paul Adare - MVP - Microsoft Virtual PC said:
Exactly what it says, TCP/IP filtering, which is not, in any way shape
or form, a firewall.

and so what is the difference between 'tcp/ip filtering' that says: "tcp/ip
filtering allows you to control the type of tcp/ip network traffic that
reaches your windows computer" and the xp internet connection firewall that
filters out specified stuff from reaching your computer??? besides that a
'real' firewall provides logging and has a nice configuration tool... if
you go into the tcp/ip filtering and select 'permit only' and don't permit
anything is that not equivalent to a firewall not permitting any incoming
connections??
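
One way to check the condition this thread keeps returning to ("something blocking inbound Internet traffic", or "permit only" with nothing permitted), as an added example that is not from any poster here: parse `netstat -an` output and list the listeners that stay reachable under an inbound permit list. The netstat text is constructed sample output, `listeners` and `reachable` are hypothetical helper names, and the filter is modeled as a plain port permit list, which says nothing about how any particular product handles reply traffic or logging.

```python
import re

# Constructed sample in the layout of Windows `netstat -an` (documentation IPs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
"""

# proto, local address, local port, foreign endpoint, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Return {(proto, port)} for sockets that accept traffic from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        if addr.startswith("127."):
            continue  # bound to loopback only, not reachable from outside
        # TCP must be LISTENING; netstat lists bound UDP sockets with no state.
        if (proto == "TCP" and state == "LISTENING") or (proto == "UDP" and state is None):
            found.add((proto, int(port)))
    return found

def reachable(netstat_text, permit=None):
    """Listeners an outside host can reach.
    permit=None means no inbound filter at all; otherwise permit is the set of
    (proto, port) pairs allowed in, and an empty set is 'permit only, nothing'."""
    open_ports = listeners(netstat_text)
    return sorted(open_ports if permit is None else open_ports & set(permit))

if __name__ == "__main__":
    print("no filter:     ", reachable(SAMPLE_NETSTAT))
    print("permit nothing:", reachable(SAMPLE_NETSTAT, permit=set()))
```

In the sample, TCP 135 and 445 are the services the Blaster and Sasser worms named in the thread spread through; an empty result under the intended policy is the state to confirm before the machine goes on the line.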
 