O'Reilly Book Excerpts: Windows XP Pro: The Missing Manual, 2nd Edition
Security Centers and Firewalls, by David Pogue
Editor's note: In the introduction to Chapter 10, from which this excerpt is taken, David Pogue writes, "If it weren’t for that darned Internet, personal computing would be a lot of fun. After all, it’s the Internet that lets all those socially stunted hackers enter our machines, unleashing their viruses, setting up remote hacking tools, feeding us spyware, and otherwise making our lives an endless troubleshooting session. It sure would be nice if they’d cultivate some other hobbies." With the release of Windows XP Service Pack 2 (SP2), Microsoft's latest and most reliable corporate desktop operating system now provides better protection against viruses, worms, and malicious hackers. David Pogue, creator of the Missing Manuals series, offers an excerpt from his newest book, Windows XP Pro: The Missing Manual, 2E, which covers all the intricacies of SP2. The excerpt deals more specifically with the Security Center and the Windows Firewall. Knowledge is power; protect your system.
Once you've installed Service Pack 2, your Control Panel contains a new icon called Security Center. It's an easy-to-understand status report on three important security features: Firewall, Automatic Update, and Virus Protection. If any of these are turned off, dire messages appear on your screen at startup and as balloons in your notification area (Figure 10-2a).
Note: So why isn't there a Spyware panel in the Security Center? Excellent question. Unfortunately, only the engineers at Microsoft know the answer.
As you can see by Figure 10-2b, the Security Center is primarily just a status dashboard; the big ON or OFF "lights" are just indicators, not clickable buttons. But it does contain links to numerous help screens, online resources, and other parts of Windows that let you control its three central functions.
Note: If you're using Windows XP Pro in a corporation where a highly trained network administrator is in charge, you may find that you can't make any changes in the Security Center or Windows firewall. Protecting your PC, in this case, is somebody else's job.
Figure 10-2a. On an SP2 computer, balloons like this sprout instantly if Windows considers your PC insufficiently protected--or if Windows XP doesn't recognize the antivirus or firewall software you're using. When you click the balloon, the Security Center (bottom) appears.
Figure 10-2b. Click one of the headings (Firewall, Automatic Updates, Virus Protection) to expand that section of the dialog box. In this case, you have a firewall in place (the built-in Windows one), Automatic Updates is turned on, but you haven't installed antivirus software. (Or maybe you have antivirus software, but the Security Center doesn't recognize it. This could be true if it's some obscure brand, or, more likely, if your antivirus version was released before Service Pack 2.)
The Windows Firewall (and Others)
If your machine connects to the Internet, it really should have a firewall. If it's connected to the Internet full-time, as with a cable modem or DSL, it really really should have a firewall. Most of the people who have fallen victim to snooping attacks from the Internet are people without a firewall.
Here are three ways to get yourself a firewall:
A Hardware Firewall (Router)
A router is an inexpensive box that distributes the signal from a single cable modem (or DSL) to one, four, eight, twelve, or more computers on your network. As a delicious benefit, most routers these days contain a built-in firewall. The beauty of a hardware firewall like this is that first of all, it's always on, and second of all, it protects the entire computer simultaneously.
In the following paragraphs, you'll be reading about software firewalls. But a hardware firewall is even better. Some people, in fact, buy a router even if they don't intend to share the cable modem's signal with other PCs--they get it just for its firewall protection.
In general, in fact, you can pretty much tune out of the following firewall discussion if you're protected by a hardware firewall. That is, unless:
- You're on a small-office or home network. In this case, your router will protect your network from nastiness coming in from the Internet--but a software firewall can protect your PC from other PCs on your network. If little Timmy up in his bedroom downloads some virus-infested bit of file-swapware, your machine will still be safe.
- You use a laptop, and you travel with it. If you carry your machine around, it may be worth using a software firewall, because when you're away from your home, you'll no longer be protected by your router.
If you're confident that your hardware router is all you need, then you'll have to turn off the Windows firewall, which means whistling past a warning that says, "Turning off Windows firewall may make this computer more vulnerable to viruses and intruders." Thanks to your router, that's not actually true.
The Windows Firewall
Windows XP has included firewall software from the very beginning (it used to be called Internet Connection Firewall). Unfortunately, in the original Windows XP, the firewall's factory setting was Off, and finding its deeply buried On switch required three weeks and the assistance of a sherpa. ("It's like we gave you a car with seat belts that were really well hidden," admits a Windows product manager. "You had to open a secret panel and press three buttons to make them appear.")
In SP2, you can't miss the presence of the firewall. It comes already turned on, and, if it somehow gets turned off, the Security Center offers a direct link to the Windows Firewall control panel. (Of course, you can also open it at any time by choosing Start-->Control Panel-->Windows Firewall.)
All about ports
Now, if you really wanted complete protection from the Internet, you could always just disconnect your PC from the modem. Of course, that might be a little too much protection; you'd be depriving yourself of the entire Internet.
Instead, you can open individual ports as necessary. Ports are authorized tunnels in the firewall that permit certain kinds of Internet traffic to pass through: one apiece for email, instant messages, streaming music, printer sharing, and so on. (Part of what made the original Windows XP so insecure was that Microsoft left a lot of these ports open, to the delight of evildoers online.)
On a computer with Service Pack 2 installed, far more of these ports are left open and exposed to the Internet than before. (Microsoft has equipped the ﬁrewall with ready-to-use tunnels for several exceptions: the Files and Settings Transfer Wizard; File and Printer Sharing; your local, in-house network; America Online; EarthLink; and your computer's FireWire connector, if it has one.)
The Windows firewall works like this: Each time a piece of software tries to get onto the Internet, the Windows firewall will pop up a dialog box that lets you know. As shown in Figure 10-3, Windows wants to know if it's OK for this piece of software to burrow through the firewall to go about its business. The golden rule: If you recognize the name of the software (for example, an online game), go ahead and grant permission by clicking Unblock. If you don't (for example, PsatNetQuery.exe), click one of the other two buttons.
Note: If you're an online gamer, you'll be seeing a lot of this dialog box. Internet attackers were especially fond of using the ports that interactive online games open.
On the other hand, if you're using a public PC (in a library, say), you might never be asked permission. That's because some administrator has turned on the "Don't allow exceptions" option shown in Figure 10-4a. That means, "No holes in the firewall, ever. This is a public terminal, and we can't permit God-knows-what activity to corrupt our system."
Figure 10-3. When a new program wants to get online, this box appears. Click Unblock to open a port through the firewall, which will close each time you finish using the program. Click Keep Blocking if you don't even know which program is doing the asking. And click Ask Me Later if you want to deny permission this time, but you want to be asked again the next time you run the program.
If you grant permission, then each time you use that software, Windows will briefly open up a special port for that kind of activity, and then seal the port closed again when you're finished.
The exceptions list
When that little Security Alert box opens up, there will be times when you make the wrong decision. You'll deny permission to something that looks fishy, and then find out that one of your programs no longer works. On the other hand, maybe you'll approve something that has a recognizable name, and then you'll later find out that it was actually a trick--an evil program deliberately named in order to get your approval. That, unfortunately, is life in the Windows fast lane.
Fortunately, you have a second chance. At any time, you can take a look at the list of authorized holes in your Windows firewall, using the Windows Firewall control panel (Start-->Control Panel-->Windows Firewall). When you click the Exceptions tab, you see something like Figure 10-4b: a list of every program that has been granted an open port in the firewall.
Figure 10-4a. Here, in the new Windows Firewall control panel, you can turn the Windows firewall on or off. You should turn it off (despite the stern warning) if you're using a non-Microsoft firewall (like Zone Alarm).
Figure 10-4b. The Exceptions tab and the Advanced tab list all of the programs and ports that Windows Firewall is permitted to open--but only when these programs are actually requesting Internet access. These are holes in your firewall that you or Microsoft has deemed to be safe. Use the checkboxes to temporarily turn exceptions on or off; use the Delete button to get rid of them entirely.
Using this list, you can also add a program manually (rather than waiting for it to ask permission at the time of launching). To do so, click the Add Program button, and choose the program's name from the list that appears.
Similarly, you can open individual ports by number. Click Add Port; you'll be asked to type in a name for this exception (anything you want) and to type in the port number. In this situation, Microsoft assumes that you know the port number, either because somebody gave it to you, because the manual for some piece of software provides it, or because you're just a super-smart geek.
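The same review of the exceptions list can be done from a command prompt with the `netsh firewall` context that SP2 installs. This is an added example, not code from the book; the program path, exception names and port number are placeholders.

```batch
@echo off
rem Added example (not from the book): inspect and edit the Windows XP SP2
rem firewall exceptions list with "netsh firewall". The path, names and port
rem below are placeholders; substitute your own.

rem 1. Is the firewall on, and is "Don't allow exceptions" set?
netsh firewall show state
netsh firewall show config

rem 2. List the current holes: the same entries the Exceptions tab shows.
netsh firewall show allowedprogram
netsh firewall show portopening

rem 3. Add a program exception by hand (the "Add Program" button).
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\ExampleApp.exe" name="Example App" mode=ENABLE

rem 4. Add a port exception by number (the "Add Port" button). scope=SUBNET
rem    limits the hole to PCs on your own network instead of the whole Internet.
netsh firewall add portopening protocol=TCP port=8080 name="Example service" mode=ENABLE scope=SUBNET

rem 5. Delete an exception you no longer recognise (the "Delete" button).
netsh firewall delete allowedprogram program="C:\Program Files\ExampleApp\ExampleApp.exe"
netsh firewall delete portopening protocol=TCP port=8080

rem 6. Public-terminal setting: firewall on, no exceptions permitted at all.
rem    (Remove the "rem" to apply it.)
rem netsh firewall set opmode mode=ENABLE exceptions=DISABLE
```

Run the script from an administrator account; the `show` commands are safe to run anywhere, and re-running them after the `add` lines confirms that the new entries appear exactly as they would on the Exceptions tab.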
Other Software Firewalls
For all its convenience and its excellent price ($free), the Windows firewall has a significant drawback: It's only one-way protection. It blocks attacks from the outside, but doesn't stop spyware (once your PC has been infected) from sending data out. That's why many PC fans opt for a sturdier firewall, like the equally free but far superior Zone Alarm. Zone Alarm protects your PC from both incoming and outgoing data.
Unfortunately, installing a non-Microsoft ﬁrewall creates a few complications of its own. If you're using a big-name ﬁrewall program like Zone Alarm, Windows is smart enough to take notice, turn off its own built-in ﬁrewall, and step out of the way. (Having two software ﬁrewalls is asking for trouble, as your programs may not be able to get online at all.)
But if you're using a lesser-known firewall program, or one that you got before SP2 came out, the Security Center might not recognize it. In that case, it's your responsibility to manually turn off the Windows firewall so it doesn't conflict--or to update your firewall software to a version that's Security Center-savvy.
David Pogue , Yale '85, is the weekly personal-technology columnist for the New York Times and an Emmy award-winning tech correspondent for CBS News. His funny tech videos appear weekly on CNBC. And with 3 million books in print, he is also one of the world's bestselling how- to authors. In 1999, he launched his own series of amusing, practical, and user-friendly computer books called Missing Manuals, which now includes 100 titles.