Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Interesting thing about ICF and SP2

from [Jim Harrison (ISA)] Network Security [Permanent Link]
Subject: RE: Interesting thing about ICF and SP2
Date: Fri, 15 Oct 2004 10:15:12 -0700 
Easy; stop running on the machine as an administrator.
I realize that this is the default for WinXP, but it's not carved in
stone, either.
Users outside of the Power Users and Administrators can't change ICF
settings.

Jim Harrison 
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven 
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare.  ..or maybe it only works for
typewriters..."
(unclaimed)

-----Original Message-----
From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com] 
Sent: Thursday, October 14, 2004 12:04 PM
To: focus-ms@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com
Cc: Erik Pace Birkholz
Subject: Interesting thing about ICF and SP2
Importance: High

I wrote a script back in 2002 for Internet Connection Firewall (ICF)
called 
toggleICF.vbs. The purpose of the script was to turn ICF on and off via 
command line. It saved time (fighting through the GUI) when using port 
scanners and other security tools. FYI, the script is still available
from 
www.SpecialOpsSecurity.com under the Resources, Scripts section.

http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html

The only bummer was WMI prompted the user via Win32 popup and asked for 
permission before it would activate/deactivate. This made it less useful
for 
scripting purposes, but more secure. Here is a reference from a MSDN
page 
about the ICF disable method and it clearly states (in the remarks) that
the 
user makes the final disabling decision.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics
/inetsharingconfiguration_disableinternetfirewall.asp

Here is the new problem I just found today after finally installing SP2
on 
my XP system. I noticed that if you run the toggleICF.vbs script, it no 
longer prompts the user via that annoying popup. Albeit annoying, that 
little popup did buy some mitigation against the bad guys trying to turn
off 
ICF with a script.

Microsoft's new ICF activation/deactivation "process" change has
introduced 
a new attack vector for malicious scripts. If my script can be used to
turn 
ICF on and off for "good" without requiring user-intervention, then it
can 
certainly be done for "evil".


Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
[Cell]      323.252.5916
[SOPS]  888.RU.OWNED
[Email]    erik@SpecialOpsSecurity.com

Read Special Ops and mount an assault to eradicate network negligence
today. 
www.SpecialOpsSecurity.com 


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Remove domain user from local administrators group, Free, Bob
Next by Date:  Re: RE: Can we really block users from installing applications through Group policy?, Laura Robinson
Previous by Thread:  Re: Interesting thing about ICF and SP2, Matt Ostiguy
Next by Thread:  Re: Interesting thing about ICF and SP2, Thor
Indexes:  [Date] [Thread] [Top] [All Lists]