Educause Security Discussion mailing list archives

Re: Correction: XP SP2 ports open to local subnet


From: Jeff Bollinger <jeff01 () EMAIL UNC EDU>
Date: Sun, 13 Jun 2004 22:01:50 -0400

On Fri, 11 Jun 2004, John Kristoff wrote:

If an XP SP2 host becomes compromised, will the default firewall config
also block packets on egress from the compromised host to hosts not on
the local subnet or are the filters only applied on ingress to itself?

John

No.  The XP SP2 Firewall is stateful, so as long as the connection (SYN or
otherwise) originates from the compromised host, the connection should
remain open.  From
http://www.microsoft.com/technet/community/columns/cableguy/cg0104.mspx

"Windows XP Service Pack 2 (SP2) includes the new Windows Firewall,
previously known as the Internet Connection Firewall (ICF). Windows
Firewall is a stateful firewall that drops all unsolicited incoming
traffic that does not correspond to either traffic sent in response to a
request of the computer (solicited traffic) or unsolicited traffic that
has been specified as allowed (excepted traffic). Windows Firewall
provides a level of protection from malicious users and programs that rely
on unsolicited incoming traffic to attack computers."

It doesn't really mention anything subnet-specific, but for proper
functionality for most programs that the user intends to run, it would
likely allow all outbound connections.

Jeff
--
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff@unc dot edu
