
Suggest changes to my firewall permissions.

Discussion in 'Security and Privacy' started by Whiskeyman, 2006/03/21.

  1. 2006/03/21
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    I have installed WinXP Home SP2 and Office 2000. They are fully updated. I am using Panda Titanium 2006. These are Panda's firewall permission settings. I have changed Telnet, Messenger, NetMeeting and NetBios to No connection. Could you suggest any other changes I should make? I don't use IM programs, I am not on a network and have no use for remotely connecting to another computer (RDP). Thanks.

    WinZip WINZIP32.EXE Outbound
    Windows NetMeeting conf.exe No connection
    Windows NT Logon Application winlogon.exe Outbound
    Windows NT Base API Client DLL Kernel32.dll Outbound
    Windows Movie Maker moviemk.exe Outbound
    Windows Messenger msmsgs.exe No connection
    Windows Explorer explorer.exe Outbound
    Trivial File Transfer Protocol App tftp.exe Outbound
    TCPIP Finger Command finger.exe Outbound
    TCP/IP Traceroute Commnd tracert.exe Outbound
    TCP/IP Route Command route.exe Outbound
    TCP/IP Remote Shell Command rsh.exe Outbound
    TCP/IP Remote Exec Command rexec.exe Outbound
    TCP/IP Remote Copy Command rcp.exe Outbound
    TCP/IP Ping Command ping.exe Outbound
    TCP/IP NetBios Information nbstat.exe No connection
    TCP/IP Arp Command arp.exe Outbound
    TAPI 3.0 Dialer and IP Multicast Conference dialer.exe Outbound
    Spooler SubSystem App SPOOLSV.EXE Inbound and Outbound
    Services and Controller app SERVICES.EXE Inbound and Outbound
    Schedule service command line interface at.exe Outbound
    POWERPNT.EXE Outbound
    NT Kernel System ntoskrnl.exe Outbound
    nslookup APP NSLOOKUP.EXE Outbound
    NetFlt NETFLT.SYS Inbound and Outbound
    Net Command net.exe Outbound
    Net Command net1.exe Outbound
    Mutlicast Information mrinfo.exe Outbound
    Microsoft Publisher 2000 Version 6.0 MSPUB.EXE Outbound
    Microsoft Word for Windows WINWORD.EXE Outbound
    Microsoft Telnet Client telnet.exe No connection
    Microsoft Synchronization Manager Outbound
    Microsoft RSVP rsvp.exe Inbound and Outbound
    Microsoft Excel for Windows EXCEL.EXE Outbound
    Microsoft Connection Manager Auto-Download cmdl32.exe Outbound
    Microsoft Access for Windows MSACCESS.EXE Outbound
    LSA Shell (Export Version) LSASS>EXE Inbound and Outbound
    Internet Explorer IEXPLORE.EXE Inbound and Outbound
    Hyper Terminal Applet hypertem.exe Outbound
    Hostname hostname.exe Outbound
    Generic Host Process for Win32 Services svhost.exe Outbound
    File Transfer Program FTP.EXE Inbound and Outbound
    Client Server Runtime Process Outbound

    Other programs on the list are for my anti-virus (Panda) and Opera. All Outbound.
     
    Last edited: 2006/03/21
  2. 2006/03/21
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Whiskeyman--Your list and mine are very dissimilar, so I doubt I can give you specific advice. (For example, I cannot think why I would want WinZip, MovieMaker, PowerPoint, etc. to have permanent access, even though I know they are perfectly legitimate programs. Perhaps for Updates? They send me emails.)
    I created my firewall list a bit by logic and a bit by trial and error.
    The logic was for programs like Outlook Express, Internet Explorer, etc., which I knew needed access.
    My firewall (Zone Alarm) produced a popup the first time any program asked for permission to access the Internet. When that request was made, I often "denied" if I was not sure and saw what happened (and/or checked Google to see what the requesting app was). If a desired action was blocked, then I knew I must either allow (sometimes just for that request; sometimes permanently) or decide if I felt the app really needed to have access. If not, I would block it and often permanently. In the latter case I, of course, got no more requests from that app.
    With time I built up a list of permissions and denials that seem to cause minimum problems or requests.
    In your case, you could start from scratch by setting everything except the obvious to force a request. Then with time you could redecide whether to allow or deny and whether to make it permanent or not.
    Sorry for being so longwinded.
     


  4. 2006/03/21
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    I had Panda set to automatically decide. I usually switch it so I can manually set permissions. I can't see why Office programs need permission to access the net either. My biggest confusion is the WinXP applications. I have been Googling some of these programs but MS in their infinite wisdom have worded the descriptions quite vaguely. I have also searched for a guide such as Startup lists with no luck. 98SE didn't have all of these seemingly unnecessary programs. Thanks for the insight.
     
  5. 2006/03/21
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    My permissions are now set as the following. Can anyone see further changes that should be made?

    WinZip WINZIP32.EXE No connection
    Windows NetMeeting conf.exe No connection
    Windows NT Logon Application winlogon.exe Outbound
    Windows NT Base API Client DLL Kernel32.dll Outbound
    Windows Movie Maker moviemk.exe No connection
    Windows Messenger msmsgs.exe No connection
    Windows Explorer explorer.exe Outbound
    Trivial File Transfer Protocol App tftp.exe No connection
    TCPIP Finger Command finger.exe Outbound
    TCP/IP Traceroute Commnd tracert.exe Outbound
    TCP/IP Route Command route.exe No connection
    TCP/IP Remote Shell Command rsh.exe No connection
    TCP/IP Remote Exec Command rexec.exe No connection
    TCP/IP Remote Copy Command rcp.exe No connection
    TCP/IP Ping Command ping.exe Outbound
    TCP/IP NetBios Information nbstat.exe No connection
    TCP/IP Arp Command arp.exe Outbound
    TAPI 3.0 Dialer and IP Multicast Conference dialer.exe No connection
    Spooler SubSystem App SPOOLSV.EXE No connection
    Services and Controller app SERVICES.EXE No connection
    Schedule service command line interface at.exe No connection
    POWERPNT.EXE No connection
    NT Kernel System ntoskrnl.exe Outbound
    nslookup APP NSLOOKUP.EXE Outbound
    NetFlt NETFLT.SYS Inbound and Outbound (Panda)
    Net Command net.exe No connection
    Net Command net1.exe No connection
    Mutlicast Information mrinfo.exe Outbound
    Microsoft Publisher 2000 Version 6.0 MSPUB.EXE No connection
    Microsoft Word for Windows WINWORD.EXE No connection
    Microsoft Telnet Client telnet.exe No connection
    Microsoft Synchronization Manager mobsync.exe No connection
    Microsoft RSVP rsvp.exe No connection
    Microsoft Excel for Windows EXCEL.EXE No connection
    Microsoft Connection Manager Auto-Download cmdl32.exe Outbound
    Microsoft Access for Windows MSACCESS.EXE No connection
    LSA Shell (Export Version) LSASS.EXE Outbound
    Internet Explorer IEXPLORE.EXE Outbound
    Hyper Terminal Applet hypertem.exe Outbound
    Hostname hostname.exe Outbound
    Generic Host Process for Win32 Services svhost.exe Outbound
    File Transfer Program FTP.EXE No connection
    Client Server Runtime Process Outbound
     
  6. 2006/03/21
    Welshjim

    Welshjim Inactive

    Whiskeyman--
    Like which?
    As you can see my approach was very amateurish.
    Delete these WinXP applications from your list. (Not "deny access".) That should require Panda to ask the next time they ask for permission. That will give you the chance to see how often the request is made and what the result of denying is.
     
  7. 2006/03/21
    phkhgh

    phkhgh Inactive

    Joined:
    2006/01/24
    Messages:
    6
    Likes Received:
    0
    Whiskeyman,
    You're right - the Windows components are a little trickier / harder to understand what some do or if they need internet access. If you disable or disallow access for some windows XP "services" then other programs may not work correctly if they need those windows components to access the web.

    As for other programs, like WinZip, Win Movie Maker, Power Point, or a host of other programs like Adobe Reader, Excel or just about any software you load nowadays, in general they don't need internet access. Exceptions to that are when you need / want updates - then you can allow it manually. Some apps have the help button on the toolbar linked to online help pages. I think it's becoming more common for the developers to use this to try and cut down on software piracy by having the program phone home.
     
  8. 2006/03/22
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  9. 2006/03/22
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    Thanks. I have looked in those lists, but many of the programs listed in the firewall are not shown. It would be nice to have a guide dealing with the common programs that usually show up in the firewall to determine what the recommended settings should be. I spent most of yesterday searching the net and found little to clarify what these programs' needs are accessing the Internet. I have been setting No connection on a few at a time then checking out how my computer runs and haven't found any issues yet. I just don't want to disable something then find out later on down the road I messed up.

    I have discovered that many of the programs listed are used if you are on a network which I am not. I also am not concerned with remotely connecting to another computer. I don't allow programs to automatically update. All of the sites I go to provide a decent listing of new updates for all of the programs I use. I check Windows Update at the end of every month. I wait to see if others experience problems with the newest updates before I install them.

    As for Office, this is the first time I have installed 2000. I have always used Office 97 on my 98SE setup. I would only install Excel and Word though seeing as they were the most used by me.

    This is the first time that I have had Panda assign Inbound and Outbound permissions to so many programs automatically. I didn't know if this was due to install procedures. It seems like MS wants to know too much about what is going on with XP.
     
  10. 2006/03/22
    Welshjim

    Welshjim Inactive

    Whiskeyman--Playing with XP Services is not for the uninformed. The BlackViper site, which recommended aggressive changes, is now down. The ElderGeek also has a site with some recommendations and some good information about Services:
    http://www.theeldergeek.com/services_guide.htm
    But even he really suggests leaving the defaults alone unless you know what you are doing. With a modern PC and reasonable size hard drive, you save very little by picking and choosing among the Services unless it is clear that you do not have that function installed.
    Anyway little of this will help you make decisions on what should be allowed to have internet access from your firewall. That is a different issue than what is needed to start at boot.
     
  11. 2006/03/22
    charlesvar

    charlesvar Inactive Alumni

    Hi Whiskeyman,

    As a general rule:

    I don't allow any program - XP's or apps - server privileges which allows them to open a port and listen for communications. The only apps that I know that need that ability are IM apps.

    I don't know what Panda calls that though, I run ZA pro and it is called "act as server" and in Kerio (new Sunbelt version) it's the "allow in" option.

    If you deny out, my experience has been that if needed, you'll find out fairly quickly.

    Some apps simply want to "check for updates" - one example on my system is Roxio when I use it to burn and I permanently deny that. Sonic, another burner is especially notorious - the updater is a startup :rolleyes:

    You can test whether your ports are closed/stealthed here: https://www.grc.com/x/ne.dll?bh0bkyd2

    Regards - Charles
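
The rule in the post above (no program gets server rights unless it needs them) can also be checked from the operating system's side rather than from the firewall's list. The following is an added example, not part of the original thread: it parses `netstat -ano` and `tasklist /fo csv /nh` output and reports every process listening on a non-loopback address that is not on an allow list. The sample text, PIDs, ports and the `ALLOWED_SERVERS` policy are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real PC).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:41234          0.0.0.0:0              LISTENING       2300
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1024
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","3,512 K"
"svchost.exe","1024","Console","0","4,100 K"
"alg.exe","1480","Console","0","3,220 K"
"opera.exe","2044","Console","0","41,008 K"
"skype.exe","2300","Console","0","28,764 K"
'''

# Hypothetical policy: the only programs the user lets "act as server".
ALLOWED_SERVERS = {"skype.exe"}


def parse_tasklist(text):
    """Map PID -> lower-cased image name."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}


def parse_listeners(text):
    """Yield (proto, address, port, pid) for sockets that can receive traffic."""
    for line in text.splitlines():
        f = line.split()
        is_tcp = len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"
        is_udp = len(f) == 4 and f[0] == "UDP"  # UDP rows have no State column
        if is_tcp or is_udp:
            addr, _, port = f[1].rpartition(":")
            yield f[0], addr, int(port), int(f[-1])


def audit(netstat_text, tasklist_text, allowed=ALLOWED_SERVERS):
    """Return sorted (image, proto, port) for listeners outside the allow list."""
    names = parse_tasklist(tasklist_text)
    findings = set()
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if addr.startswith("127.") or addr == "[::1]":
            continue  # bound to loopback only: not reachable from the network
        image = names.get(pid, "unknown")
        if image not in allowed:
            findings.add((image, proto, port))
    return sorted(findings)


if __name__ == "__main__":
    for image, proto, port in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image:12} listens on {proto}/{port} without a server permission")
```

A bound UDP socket is reported even when it belongs to a client (a DNS lookup, for instance), so UDP findings need a second look before a rule is changed.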
     
  12. 2006/03/22
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    The GRC scan always shows True Stealthed and NetBios shows up as non-existent.

    [Edit]

    The GRC deal got me thinking. I searched my Security sites bookmarks and remembered that PC Flank had more robust scanning features. I decided to look at the different scanning programs and I found something that determines what firewall permissions should be assigned to different programs.

    Recommended Firewall Rulesets
     
    Last edited: 2006/03/22
  13. 2006/03/22
    Welshjim

    Welshjim Inactive

    Whiskeyman--Looks like an interesting site. Thanks.
     
  14. 2006/03/22
    charlesvar

    charlesvar Inactive Alumni

    Hi Whiskeyman,

    I just tested the PC Flank ruleset site.

    I may be doing something wrong, but it seems incomplete. I looked for search engines and the only one it came up with is Copernic - Google isn't there.

    Those that did come up like the ones for the Browsers show allow out and block in, blocking in is disabling the "act as server" which I referred to.

    Some more about how I treat this issue:
    If I would run an app like a search engine all the time, I would allow out automatically after creating the initial rule. But I don't run Google all the time, I start it when I need it, and my outbound FW rule for it is to ask; Jim alluded to this in one of his posts - wanting to know when and why an app would want internet access.

    Complicating this is that I run Host Intrusion Prevention type application/FW options:

    System Safety Monitor http://syssafety.com/home.html which is a software (including the OS) behavior control app and both Kerio and ZA Pro have these features.

    Don't know if Panda has that kind of feature, I think it probably does.

    Regards - Charles
     
    Last edited: 2006/03/22
  15. 2006/03/22
    Welshjim

    Welshjim Inactive

    Whiskeyman--I, too, have now tried the Flank RuleTest site.
    I find very few entries in my Zone Alarm firewall Program Control list are recognized by the site when I enter info into the Search button line. I have tried entering both the Name of the process (as reported by ZA--like Windows Explorer) and the File involved (like explorer.exe).
    Using the Show line gives more info, but seldom on the apps I am looking for.
    But, as charlesvar has said, maybe I am doing something wrong.
    Are you getting any good info from the Flank site to answer your original question?
    -------------------------------------------------
    In ZA free, there are four columns for blocking settings. Two are for "Access" (for sites in Internet and Trusted zones) and two are to "Act as Server" (again for sites in Internet and Trusted zones).
    I have only two programs set to act as Server--Skype and svchost.exe (only for Trusted Sites). Skype will not work unless allowed to act as server.
    I have about 40 programs allowed Access. Most are for various Symantec AV functions. Some of the others are IE, OE, MSAntiSpyware (Windows Defender), AdAware, tracert, ping, rundll32.exe, etc.

    I use Google extensively, but it is not in my ZA Program Control list.
     
    Last edited: 2006/03/22
  16. 2006/03/22
    charlesvar

    charlesvar Inactive Alumni

    Well it wouldn't be, it was a bad example to use, there isn't anything that's running on the system, while with Copernic there is. Sorry about that.

    Regards - Charles
     
  17. 2006/03/22
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    I only found a few entries at PC Flank. I asked someone at another site what his recommendations were. He stated that what I wanted was a list for applications filters not firewall.:rolleyes:
     
  18. 2006/03/22
    Welshjim

    Welshjim Inactive

    Whiskeyman--
    ???
    Perhaps you should reconsider my first post. I do not think any site can tell you what makes sense for you.
     
  19. 2006/03/23
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    I finally got it set. I could not find one place with all of the information regarding these programs. I just kept Googling and reading then set my permissions. Any program that is considered a security risk I set to No connection and the rest except Panda were set to Outbound. Once that was done I reset Panda's firewall to automatic and my settings are staying as I want.

    This morning as I went to open my favorite tech sites in Opera the computer rebooted and stated One of your disks needs to be checked for consistency. I thought one of my settings messed things up. It took 3 times with this wanting to scan before it came up with a problem with Opera and corrected it. It must have occurred when I updated to the new version.

    I am finding XP to be quite different than 98SE. It's a lot of fun trying to figure it all out. I do like System Restore.:D
     
  20. 2006/03/23
    charlesvar

    charlesvar Inactive Alumni

    I like it too, once you understand what it can do and its limits. Up until about a year ago when I got a drive imaging, SR was what I relied on and did quite well with it.

    If you ever have a question about it, there are a lot of threads on it here :)

    Regards - Charles
     
  21. 2006/03/23
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni Thread Starter

    I have been setting custom restore points as I add programs. That way if an issue occurs I can go back before the install. My main custom restore points were after installing XP SP2, Windows Updates, Office 2000 plus updates and most used programs (AV, Opera, AdAware and SpywareBlaster). After those I created ones for the printer installation and batches of additional downloaded programs.
     
