SP1 to SP2: Firewall Benefits?


Ken

Hi. I've been an XP Home SP1 user for quite a while now. I've been
hesitant to upgrade to SP2, because I've heard that some common
software does not work properly on SP2. Is there any truth to this?
Should I stop worrying and just upgrade?

Note that my typical usage includes Eudora email, Mozilla web browser,
MS Office Pro 2003, some rudimentary Eclipse/Java and Visual C++
programming, Norton AV 2005, and Adaware.

I'm posting on this newsgroup, because I am about to change my Internet
service from dial-up to DSL, so perhaps there are some
security/firewall considerations.

Thanks!

Ken

Karl Levinson, mvp

Ken said:
Hi. I've been an XP Home SP1 user for quite a while now. I've been
hesitant to upgrade to SP2, because I've heard that some common
software does not work properly on SP2. Is there any truth to this?
Should I stop worrying and just upgrade?

Yes. The media and so-called experts said lots of bogus things about XP SP2
breaking things. Plenty of people are on XP SP2 with no problems. If XP
SP2 is going to break things on your computer, it isn't going to get fixed
at this point until you install it and look into how to fix it.

Most of the things that SP2 supposedly "breaks" are really just things that
the firewall blocks until you tell the firewall not to block it. This is
pretty much true of any firewall out there and is not proof that SP2 is
dangerous.

Note that my typical usage includes Eudora email, Mozilla web browser,
MS Office Pro 2003, some rudimentary Eclipse/Java and Visual C++
programming, Norton AV 2005, and Adaware.

These apps should be fine.

I'm posting on this newsgroup, because I am about to change my Internet
service from dial-up to DSL, so perhaps there are some
security/firewall considerations.

No, I would say the security considerations are pretty similar. Dial-up
gets scanned and compromised at a similar rate as DSL.

Ken

Karl Levinson, mvp wrote:

No, I would say the security considerations are pretty similar. Dial-up
gets scanned and compromised at a similar rate as DSL.

I thought the big difference there is that DSL is "always on", so the
window of opportunity for nastiness is much greater, thus I need to
have more rigorous security set up. Does that sound correct?

Ron Martell

Ken said:
Karl Levinson, mvp wrote:



I thought the big difference there is that DSL is "always on", so the
window of opportunity for nastiness is much greater, thus I need to
have more rigorous security set up. Does that sound correct?

Yes. The longer you are exposed the greater the probability of
getting hit.


Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

In memory of a dear friend Alex Nichol MVP
http://aumha.org/alex.htm

cquirke (MVP Windows shell/user)

Yes. The media and so-called experts said lots of bogus things about XP SP2
breaking things. Plenty of people are on XP SP2 with no problems.

This is true. I'd be cautious if...

1) You have an early Prescott (recent Intel P4 generation PC)

http://cquirke.mvps.org/sp2intel.htm

...or...

2) You have some custom network-aware application

Most of the things that SP2 supposedly "breaks" are really just things that
the firewall blocks until you tell the firewall not to block it.

I use Eudora, and confirm that's fine. What I always fix:
- add back Explorer's Status bar, as SP2 disables it
- curb automatic installing of patches (but do install patches!)
I also have to fix these:
- ERUNT; needs new version
- Licenturion's XP Info needs new version
- MultiRes needs new version, else CPU goes to 99% busy
- TweakUI for XP may need new version

No, I would say the security considerations are pretty similar. Dial-up
gets scanned and compromised at a similar rate as DSL.

What can be challenging with DSL is that you often have the same LAN
card connecting both LAN (which needs file and print sharing, etc.)
and Internet via the router (which needs hard firewalling). So the
practice of "no firewall on LAN, hard firewall on dial-up" has to be
modified to something less simple, and less solid.

For those who abandon all system maintenance or troubleshooting in
favor of "just" re-installing Windows, SP2 brings major benefits -
patched against RPC and LSASS attacks out of the box, and firewall is
enabled by default. Without that, the mean time to being clobbered
online is around 20 minutes.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

cquirke (MVP Windows shell/user)

Karl Levinson, mvp wrote:
I thought the big difference there is that DSL is "always on", so the
window of opportunity for nastiness is much greater, thus I need to
have more rigorous security set up. Does that sound correct?

It does, but if you're shot 5 times instead of 2000 times, you're just
as dead. It's riskier in some other ways, e.g. if some really dumbo
malware used to pop up an unexpected dial-up prompt and thus tip you
off it was there, on DSL it will connect automatically and invisibly.

What's more of a new risk is WiFi. I would avoid that altogether,
because that bypasses the router etc. to enter the LAN directly.

--------------- ----- ---- --- -- - - -
Never turn your back on an installer program

Karl Levinson, mvp

It does, but if you're shot 5 times instead of 2000 times, you're just
as dead.

Agreed. In study after study over the past four years or so, an unpatched
or otherwise vulnerable system is typically compromised or infected within
15 minutes of getting on the Internet, regardless of whether DSL versus
dial-up is used. Viruses don't check whether you're using DSL or not, and
there are millions of infected computers out there scanning every IP address
continuously. Regardless of which internet connection you're using, you're
either already protected, or you may already be infected. [If you're not
infected, you're doing something right that will still be just as right and
probably just as effective when you're on DSL.]

cquirke (MVP Windows shell/user)

On Tue, 12 Jul 2005 02:45:00 -0400, "Karl Levinson, mvp"
Agreed. In study after study over the past four years or so, an unpatched
or otherwise vulnerable system is typically compromised or infected within
15 minutes of getting on the Internet, regardless of whether DSL versus
dial-up is used. Viruses don't check whether you're using DSL or not, and
there are millions of infected computers out there scanning every IP address
continuously. Regardless of which internet connection you're using, you're
either already protected, or you may already be infected. [If you're not
infected, you're doing something right that will still be just as right and
probably just as effective when you're on DSL.]

The part I have difficulty with, is maintaining internal firewall
status when moving from separate Internet and LAN connections, to the
same network connection for both LAN and Internet - as is the case
when one adds an ADSL NAT router as an extra network device.

Normally, I'd do that by raising the firewall on all PCs, with no
exceptions opened, and then use a different network protocol to carry
the LAN traffic (i.e. File and Print Sharing aka F&PS).

This works fine when there are no NT systems involved, i.e. a pure
Win9x LAN. All F&PS is on NetBEUI, which cannot be routed and
therefore can't "leak" outside the (wired) LAN. Firewalls are up, and
F&PS is not affected. Sweet.

But XP (in my experience) can't do NetBEUI to Win9x, even if you do
find and apply the "unsupported" NetBEUI for XP. I've been told
adding the NetBEUI files from Win2000 works, but I don't want to
version-soup a subsystem I understand as poorly as I do networking. I
also find that IPX doesn't work, between Win9x and XP.

So if I do use the software firewall, I'm forced to open it up so that
F&PS can get through. That's not as easy as it could be; the UI
varies between XP SP level, and what you see when you look at the main
page of firewall properties is not what you see if you selectively
apply settings on a per connection basis.

For example, on SP2, Control Panel Windows Firewall shows me:
Exceptions, File and Print Sharing. That's easy enough, but let's say
I want to apply different settings to FireWire than what I apply to
the LAN adapter. I go Advanced, highlight the adapter I want to
affect, and the list of things to work with bears absolutely no
relationship to the list I saw earlier - and File and Print Sharing is
nowhere to be found. Maybe I'm supposed to "Add" something as rare
and arcane as File and Print Sharing, which I might do if I could
smell (or in my case, remember) what ports it uses.

This may not be rocket science for network gurus, but the rest of us
are going to turn the firewall off, and hope NAT stops the bullets.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
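The post above describes giving up on the SP2 firewall because the GUI hides which ports File and Print Sharing needs. As an added example (not from any poster in this thread), the same configuration done from the command line with the netsh firewall context that ships with XP SP2, so the F&PS ports are opened only to the local subnet and the firewall stays on for everything else. The adapter name "Local Area Connection" and the netsh interface= parameter are assumptions; check the names on your own machine with netsh firewall show config.

```batch
@echo off
rem Added example, not code from the thread. Keeps the XP SP2 firewall ON
rem while allowing File and Print Sharing (F&PS) from the local subnet only.
rem Assumption: the LAN adapter is named "Local Area Connection".

rem The setting the post says people fall back to: firewall off, NAT only.
rem     netsh firewall set opmode mode=DISABLE
rem Corrected setting: firewall on for every profile, exceptions allowed.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Enable the built-in F&PS service exception with scope SUBNET. That is
rem the same checkbox as Exceptions > File and Printer Sharing, and it
rem covers the four ports F&PS uses: UDP 137, UDP 138, TCP 139, TCP 445.
rem SUBNET scope means hosts on the adapter's own subnet can reach them;
rem anything arriving from beyond the ADSL/NAT router is still dropped.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem Equivalent explicit per-port form, bound to one adapter. This is what
rem the GUI's Advanced > per-connection list expects you to "Add" by hand.
rem Binding to the LAN adapter only keeps other adapters (e.g. FireWire)
rem closed. interface= is an assumed parameter name; verify with
rem     netsh firewall set portopening help
set LANIF="Local Area Connection"
netsh firewall set portopening protocol=UDP port=137 name="NetBIOS Name Service" mode=ENABLE interface=%LANIF%
netsh firewall set portopening protocol=UDP port=138 name="NetBIOS Datagram Service" mode=ENABLE interface=%LANIF%
netsh firewall set portopening protocol=TCP port=139 name="NetBIOS Session Service" mode=ENABLE interface=%LANIF%
netsh firewall set portopening protocol=TCP port=445 name="SMB over TCP" mode=ENABLE interface=%LANIF%

rem Verify what is actually open. The service line should read Enable with
rem scope Subnet, and no port should show scope All.
netsh firewall show state
netsh firewall show service
netsh firewall show portopening

rem Sanity check from the host itself: SMB listening is expected on 445,
rem but it must be reachable only from LAN addresses, never from outside.
netstat -an | find ":445"
```

Running the show commands again after a reboot is a cheap way to notice when some installer has quietly changed the scope of an exception back to All.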