I was able to reproduce the bug and things are a bit different, so I
must disagree.
>I think the contention is that when file/printer sharing is enabled,
and
>the firewalls is activated, SMB ports are open on the dial-up interface
>without having been explicitly opened via the firewall policy (unlike
>the network interface). So in a sense, yes, there is a bug. The
implicit
>allow is probably not a good thing, but the main issue seems to be that
>while SMB ports are closed on exiting interfaces (like network cards),
>the policy setting is not applied to inactive, dynamic interfaces --
the
>RAS interface in essence. Once you dial-up, and thus activate the
>interface, the ports are open even though that is not specified in the
>firewall policy.
Correct, but the real bad news is that this happens on machines that had
an enabled Internet Connection Firewall before applying SP-2! This
indeed opens "new" holes (at least on RAS-Interfaces).
Furthermore this is not limited to RAS-Interfaces. All Interface types I
tested (RAS via DSL and LAN) have been affected as long as "local
subnet" was allowed access to file an printer sharing.
I also do not like PC Welt, but this is not a small issue. The problem
possibly affects all Windows XP Systems with enabled ICF and disabled
ICS that are upgraded to SP-2. I guess that approx. 80% of these Systems
are using weak or no passwords on admin-accounts, so you can imagine
what might happen.
I was able to reproduce the bug and things are a bit different, so I
must disagree.
>I think the contention is that when file/printer sharing is enabled,
and
>the firewalls is activated, SMB ports are open on the dial-up interface
>without having been explicitly opened via the firewall policy (unlike
>the network interface). So in a sense, yes, there is a bug. The
implicit
>allow is probably not a good thing, but the main issue seems to be that
>while SMB ports are closed on exiting interfaces (like network cards),
>the policy setting is not applied to inactive, dynamic interfaces --
the
>RAS interface in essence. Once you dial-up, and thus activate the
>interface, the ports are open even though that is not specified in the
>firewall policy.
Correct, but the real bad news is that this happens on machines that had
an enabled Internet Connection Firewall before applying SP-2! This
indeed opens "new" holes (at least on RAS-Interfaces).
Furthermore this is not limited to RAS-Interfaces. All Interface types I
tested (RAS via DSL and LAN) have been affected as long as "local
subnet" was allowed access to file an printer sharing.
I also do not like PC Welt, but this is not a small issue. The problem
possibly affects all Windows XP Systems with enabled ICF and disabled
ICS that are upgraded to SP-2. I guess that approx. 80% of these Systems
are using weak or no passwords on admin-accounts, so you can imagine
what might happen.
Regards,
Jens
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]