Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Interesting thing about ICF and SP2

from [Thor] Network Security [Permanent Link]
Subject: Re: Interesting thing about ICF and SP2
Date: Sun, 17 Oct 2004 14:27:04 -0700
And just to add to this thought, Group Policy allows you to prevent even local administrators from changing WF settings...

t

----- Original Message ----- From: "Jim Harrison (ISA)" <jmharr@microsoft.com>
To: <focus-ms@securityfocus.com>; <ntbugtraq@listserv.ntbugtraq.com>
Sent: Friday, October 15, 2004 10:15 AM
Subject: RE: Interesting thing about ICF and SP2


Easy; stop running on the machine as an administrator.
I realize that this is the default for WinXP, but it's not carved in
stone, either.
Users outside of the Power Users and Administrators can't change ICF
settings.

Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare.  ..or maybe it only works for
typewriters..."
(unclaimed)

-----Original Message-----
From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
Sent: Thursday, October 14, 2004 12:04 PM
To: focus-ms@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com
Cc: Erik Pace Birkholz
Subject: Interesting thing about ICF and SP2
Importance: High

I wrote a script back in 2002 for Internet Connection Firewall (ICF)
called
toggleICF.vbs. The purpose of the script was to turn ICF on and off via
command line. It saved time (fighting through the GUI) when using port
scanners and other security tools. FYI, the script is still available
from
www.SpecialOpsSecurity.com under the Resources, Scripts section.

http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html

The only bummer was WMI prompted the user via Win32 popup and asked for
permission before it would activate/deactivate. This made it less useful
for
scripting purposes, but more secure. Here is a reference from a MSDN
page
about the ICF disable method and it clearly states (in the remarks) that
the
user makes the final disabling decision.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics
/inetsharingconfiguration_disableinternetfirewall.asp

Here is the new problem I just found today after finally installing SP2
on
my XP system. I noticed that if you run the toggleICF.vbs script, it no
longer prompts the user via that annoying popup. Albeit annoying, that
little popup did buy some mitigation against the bad guys trying to turn
off
ICF with a script.

Microsoft's new ICF activation/deactivation "process" change has
introduced
a new attack vector for malicious scripts. If my script can be used to
turn
ICF on and off for "good" without requiring user-intervention, then it
can
certainly be done for "evil".


Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
[Cell]      323.252.5916
[SOPS]  888.RU.OWNED
[Email]    erik@SpecialOpsSecurity.com

Read Special Ops and mount an assault to eradicate network negligence
today.
www.SpecialOpsSecurity.com


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: Can we really block users from installing applications through Group policy?, Laura Robinson
Next by Date:  Re: Re: Remote connections, Laura Robinson
Previous by Thread:  RE: Interesting thing about ICF and SP2, Jim Harrison (ISA)
Next by Thread:  Re: Interesting thing about ICF and SP2, Thor
Indexes:  [Date] [Thread] [Top] [All Lists]