Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Interesting thing about ICF and SP2

from [Moser, Scott] Network Security [Permanent Link]
Subject: RE: Interesting thing about ICF and SP2
Date: Fri, 15 Oct 2004 10:46:04 -0500 
I noticed the same thing.  The solution is to enable/disable the
firewall with Group Policy (local or domain).  This removes the local
admin right to turn it on and off, and the script doesn't work based on
my testing. 

Scott
 

-----Original Message-----
From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com] 
Sent: Thursday, October 14, 2004 2:04 PM
To: focus-ms@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com
Cc: Erik Pace Birkholz
Subject: Interesting thing about ICF and SP2
Importance: High

I wrote a script back in 2002 for Internet Connection Firewall (ICF)
called 
toggleICF.vbs. The purpose of the script was to turn ICF on and off via 
command line. It saved time (fighting through the GUI) when using port 
scanners and other security tools. FYI, the script is still available
from 
www.SpecialOpsSecurity.com under the Resources, Scripts section.

http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html

The only bummer was WMI prompted the user via Win32 popup and asked for 
permission before it would activate/deactivate. This made it less useful
for 
scripting purposes, but more secure. Here is a reference from a MSDN
page 
about the ICF disable method and it clearly states (in the remarks) that
the 
user makes the final disabling decision.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics
/inetsharingconfiguration_disableinternetfirewall.asp

Here is the new problem I just found today after finally installing SP2
on 
my XP system. I noticed that if you run the toggleICF.vbs script, it no 
longer prompts the user via that annoying popup. Albeit annoying, that 
little popup did buy some mitigation against the bad guys trying to turn
off 
ICF with a script.

Microsoft's new ICF activation/deactivation "process" change has
introduced 
a new attack vector for malicious scripts. If my script can be used to
turn 
ICF on and off for "good" without requiring user-intervention, then it
can 
certainly be done for "evil".


Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
[Cell]      323.252.5916
[SOPS]  888.RU.OWNED
[Email]    erik@SpecialOpsSecurity.com

Read Special Ops and mount an assault to eradicate network negligence
today. 
www.SpecialOpsSecurity.com 


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Microsoft Security Bulletin MS04-038 - Cumulative Security Update for Internet Explorer (834707), Russ
Next by Date:  Re: Interesting thing about ICF and SP2, Matt Ostiguy
Previous by Thread:  Re: Interesting thing about ICF and SP2, Matt Ostiguy
Next by Thread:  RE: Interesting thing about ICF and SP2, Jim Harrison (ISA)
Indexes:  [Date] [Thread] [Top] [All Lists]