Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)


O'Reilly Book Excerpts: Windows XP Pro: The Missing Manual, 2nd Edition

Security Centers and Firewalls

by David Pogue

Editor's note: In the introduction to Chapter 10, from which this excerpt is taken, David Pogue writes, "If it weren’t for that darned Internet, personal computing would be a lot of fun. After all, it’s the Internet that lets all those socially stunted hackers enter our machines, unleashing their viruses, setting up remote hacking tools, feeding us spyware, and otherwise making our lives an endless troubleshooting session. It sure would be nice if they’d cultivate some other hobbies." With the release of Windows XP Service Pack 2 (SP2), Microsoft's latest and most reliable corporate desktop operating system now provides better protection against viruses, worms, and malicious hackers. David Pogue, creator of the Missing Manuals series, offers an excerpt from his newest book, Windows XP Pro: The Missing Manual, 2E, which covers all the intricacies of SP2. The excerpt deals more specifically with the Security Center and the Windows Firewall. Knowledge is power; protect your system.

Related Reading

Windows XP Pro: The Missing Manual
By David Pogue, Craig Zacker, L.J. Zacker

Security Center

Once you've installed Service Pack 2, your Control Panel contains a new icon called Security Center. It's an easy-to-understand status report on three important security features: Firewall, Automatic Update, and Virus Protection. If any of these are turned off, dire messages appear on your screen at startup and as balloons in your notification area (Figure 10-2a).


Note: So why isn't there a Spyware panel in the Security Center? Excellent question. Unfortunately, only the engineers at Microsoft know the answer.


As you can see by Figure 10-2b, the Security Center is primarily just a status dashboard; the big ON or OFF "lights" are just indicators, not clickable buttons. But it does contain links to numerous help screens, online resources, and other parts of Windows that let you control its three central functions.

UP TO SPEED

Spyware Defined

Spyware is a program that you don't know you have. You usually get it in one of two ways: First, a Web site may try to trick you into downloading it. You'll see what looks like an innocent button in what's actually a phony Windows dialog box; or maybe you'll get an empty dialog box--and clicking the Close box actually triggers the installation.

Second, you may get spyware by downloading a program that you do want--the free Kazaa file-swapping program is a classic example--without realizing that a secret program is piggybacking on the download.

Once installed, the spyware may surreptitiously hijack your browser start or search page, make changes to important system files, install ads on your desktop (even when you're not online) or report back to the spyware's creators, letting them know what you're doing online.

As noted later in this chapter, there are both free and commercial programs that can clean your system out after a spyware installation.

But if you'd rather avoid getting spyware in the first place, use a pop-up blocker like the one that's now in Internet Explorer, so you won't fall victim to the fake-dialog-box trick. If you're tempted to download a piece of free software, do a quick search of its name at http://groups.google.com to see if other people are reporting it as a spyware container.


Note: If you're using Windows XP Pro in a corporation where a highly trained network administrator is in charge, you may find that you can't make any changes in the Security Center or Windows firewall. Protecting your PC, in this case, is somebody else's job.


Figure 10-2a. On an SP2 computer, balloons like this sprout instantly if Windows considers your PC insufficiently protected--or if Windows XP doesn't recognize the antivirus or firewall software you're using. When you click the balloon, the Security Center (bottom) appears.

Figure 10-2b. Click one of the headings (Firewall, Automatic Updates, Virus Protection) to expand that section of the dialog box. In this case, you have a firewall in place (the built-in Windows one), Automatic Updates is turned on, but you haven't installed antivirus software. (Or maybe you have antivirus software, but the Security Center doesn't recognize it. This could be true if it's some obscure brand, or, more likely, if your antivirus version was released before Service Pack 2.)

The Windows Firewall (and Others)

If your machine connects to the Internet, it really should have a firewall. If it's connected to the Internet full-time, as with a cable modem or DSL, it really really should have a firewall. Most of the people who have fallen victim to snooping attacks from the Internet are people without a firewall.

Here are three ways to get yourself a firewall:

A Hardware Firewall (Router)

A router is an inexpensive box that distributes the signal from a single cable modem (or DSL) to one, four, eight, twelve, or more computers on your network. As a delicious benefit, most routers these days contain a built-in firewall. The beauty of a hardware firewall like this is that first of all, it's always on, and second of all, it protects the entire computer simultaneously.

In the following paragraphs, you'll be reading about software firewalls. But a hardware firewall is even better. Some people, in fact, buy a router even if they don't intend to share the cable modem's signal with other PCs--they get it just for its firewall protection.

In general, in fact, you can pretty much tune out of the following firewall discussion if you're protected by a hardware firewall. That is, unless:

If you're confident that your hardware router is all you need, then you'll have to turn off the Windows firewall, which means whistling past a warning that says, "Turning off Windows firewall may make this computer more vulnerable to viruses and intruders." Thanks to your router, that's not actually true.

The Windows Firewall

Windows XP has included firewall software from the very beginning (it used to be called Internet Connection Firewall). Unfortunately, in the original Windows XP, the firewall's factory setting was Off, and finding its deeply buried On switch required three weeks and the assistance of a sherpa. ("It's like we gave you a car with seat belts that were really well hidden," admits a Windows product manager. "You had to open a secret panel and press three buttons to make them appear.")

In SP2, you can't miss the presence of the firewall. It comes already turned on, and, if it somehow gets turned off, the Security Center offers a direct link to the Windows Firewall control panel. (Of course, you can also open it at any time by choosing Start-->Control Panel-->Windows Firewall.)

All about ports
Now, if you really wanted complete protection from the Internet, you could always just disconnect your PC from the modem. Of course, that might be a little too much protection; you'd be depriving yourself of the entire Internet.

Instead, you can open individual ports as necessary. Ports are authorized tunnels in the firewall that permit certain kinds of Internet traffic to pass through: one apiece for email, instant messages, streaming music, printer sharing, and so on. (Part of what made the original Windows XP so insecure was that Microsoft left a lot of these ports open, to the delight of evildoers online.)

On a computer with Service Pack 2 installed, far more of these ports are left open and exposed to the Internet than before. (Microsoft has equipped the firewall with ready-to-use tunnels for several exceptions: the Files and Settings Transfer Wizard; File and Printer Sharing; your local, in-house network; America Online; EarthLink; and your computer's FireWire connector, if it has one.)

The Windows firewall works like this: Each time a piece of software tries to get onto the Internet, the Windows firewall will pop up a dialog box that lets you know. As shown in Figure 10-3, Windows wants to know if it's OK for this piece of software to burrow through the firewall to go about its business. The golden rule: If you recognize the name of the software (for example, an online game), go ahead and grant permission by clicking Unblock. If you don't (for example, PsatNetQuery.exe), click one of the other two buttons.


Note: If you're an online gamer, you'll be seeing a lot of this dialog box. Internet attackers were especially fond of using the ports that interactive online games open.

On the other hand, if you're using a public PC (in a library, say), you might never be asked permission. That's because some administrator has turned on the "Don't allow exceptions" option shown in Figure 10-4a. That means, "No holes in the firewall, ever. This is a public terminal, and we can't permit God-knows-what activity to corrupt our system."


Figure 10-3. When a new program wants to get online, this box appears. Click Unblock to open a port through the firewall, which will close each time you finish using the program. Click Keep Blocking if you don't even know which program is doing the asking. And click Ask Me Later if you want to deny permission this time, but you want to be asked again the next time you run the program.

If you grant permission, then each time you use that software, Windows will briefly open up a special port for that kind of activity, and then seal the port closed again when you're finished.

The exceptions list
When that little Security Alert box opens up, there will be times when you make the wrong decision. You'll deny permission to something that looks fishy, and then find out that one of your programs no longer works. On the other hand, maybe you'll approve something that has a recognizable name, and then you'll later find out that it was actually a trick--an evil program deliberately named in order to get your approval. That, unfortunately, is life in the Windows fast lane.

Fortunately, you have a second chance. At any time, you can take a look at the list of authorized holes in your Windows firewall, using the Windows Firewall control panel (Start-->Control Panel-->Windows Firewall). When you click the Exceptions tab, you see something like Figure 10-4b: a list of every program that has been granted an open port in the firewall.

Figure 10-4a. Here, in the new Windows Firewall control panel, you can turn the Windows firewall on or off. You should turn it off (despite the stern warning) if you’re using a non-Microsoft firewall (like Zone Alarm).

Figure 10-4b. The Exceptions tab and the Advanced tab list all of the programs and ports that Windows Firewall is permitted to open—but only when these programs are actually requesting Internet access. These are holes in your firewall that you or Microsoft has deemed to be safe. Use the checkboxes to temporarily turn exceptions on or off; use the Delete button to get rid of them entirely.

Using this list, you can also add a program manually (rather than waiting for it to ask permission at the time of launching). To do so, click the Add Program button, and choose the program's name from the list that appears.

Similarly, you can open individual ports by number. Click Add Port; you'll be asked to type in a name for this exception (anything you want) and to type in the port number. In this situation, Microsoft assumes that you know the port number, either because somebody gave it to you, because the manual for some piece of software provides it, or because you're just a super-smart geek.
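The second-chance review of the exceptions list can be partly mechanized. The following Python sketch is an added example, not code from the book or from Microsoft: it checks a transcribed exceptions list for the "recognizable name" trick described above. The `name | path | state` input format, the sample entries and the short list of system binaries are assumptions constructed for illustration.

```python
import ntpath

# Expected folders for a few well-known Windows XP binaries (illustrative, not exhaustive).
KNOWN = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Folder fragments that an unprivileged program can usually write to.
WRITABLE_HINTS = ("\\temp\\", "\\temporary internet files\\")
# Constructed sample: "exception name | program path | state" (hypothetical format).
SAMPLE = r"""
Remote Assistance | C:\WINDOWS\system32\sessmgr.exe | enabled
Zone game | C:\Program Files\Games\zonegame.exe | enabled
Windows Service Host | C:\Documents and Settings\pat\Local Settings\Temp\svchost.exe | enabled
Host Process | C:\WINDOWS\system32\svch0st.exe | enabled
Old chat client | C:\Temp\chat.exe | disabled
"""

def within_one_edit(a, b):
    """True if a and b differ by exactly one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Same length: skip the differing character in both; otherwise skip the extra one in b.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def audit(entries):
    """Return {exception name: [reasons]} for enabled entries worth a second look."""
    findings = {}
    for line in entries.strip().splitlines():
        name, path, state = (field.strip() for field in line.split("|"))
        if state.lower() != "enabled":
            continue  # an unchecked exception opens nothing
        folder, exe = ntpath.split(path.lower())
        reasons = []
        if exe in KNOWN and folder != KNOWN[exe]:
            reasons.append("system binary name outside its normal folder")
        if any(within_one_edit(exe, known) for known in KNOWN):
            reasons.append("name is one character off a system binary")
        if any(hint in path.lower() for hint in WRITABLE_HINTS):
            reasons.append("runs from a user-writable folder")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling `audit(SAMPLE)` flags the two entries that borrow the svchost name and ignores the disabled one; anything it reports is a candidate for the Delete button, not proof of infection.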

Other Software Firewalls

For all its convenience and its excellent price ($free), the Windows firewall has a significant drawback: It's only one-way protection. It blocks attacks from the outside, but doesn't stop spyware (once your PC has been infected) from sending data out. That's why many PC fans opt for a sturdier firewall, like the equally free but far superior Zone Alarm. Zone Alarm protects your PC from both incoming and outgoing data.

Unfortunately, installing a non-Microsoft firewall creates a few complications of its own. If you're using a big-name firewall program like Zone Alarm, Windows is smart enough to take notice, turn off its own built-in firewall, and step out of the way. (Having two software firewalls is asking for trouble, as your programs may not be able to get online at all.)

But if you're using a lesser-known firewall program, or one that you got before SP2 came out, the Security Center might not recognize it. In that case, it's your responsibility to manually turn off the Windows firewall so it doesn't conflict--or to update your firewall software to a version that's Security Center-savvy.

David Pogue, Yale '85, is the weekly personal-technology columnist for the New York Times and an Emmy award-winning tech correspondent for CBS News. His funny tech videos appear weekly on CNBC. And with 3 million books in print, he is also one of the world's bestselling how-to authors. In 1999, he launched his own series of amusing, practical, and user-friendly computer books called Missing Manuals, which now includes 100 titles.



Copyright © 2009 O'Reilly Media, Inc.