[Dshield] Windoze Questions...

Corinne Cook corinnec at abdi.com
Thu Feb 12 17:14:00 GMT 2004

Hi Jon-

While not an expert myself, I can answer a few of your questions:

1) Tripwire actually does have products that run on Windows platforms (or at
least Win200x, possibly NT4 as well).

3) My Norton Corp Ed catches most keystroke loggers and the like (it even
caught one I tried to install on a test box once).  I know there are one or
two it doesn't, though.  I believe this is similar to most of the AV
programs for Windows but haven't used them all so don't know for certain.
McAfee has always caused more problems on systems with regards to conflicts
(both their AV and firewall products), etc., so I stay away from their
product line.

4) The Windows 2000 EFS works a little differently than the WinXP EFS.  On
Win2k, the Administrator account is the master.  You can backup and remove
the key to a floppy disk or network drive if you don't want someone to get
it off the computer if it is compromised.  With WinXP, you create and
specify which account/certificate is the master and then you can back up the
certificate and keys and remove the private key from the computer itself so
that an attacker couldn't gain access.  It's VERY important to have backups
of the certs and keys, though, because I know that there have been
documented problems where a person changes their password and the EFS no
longer recognizes them, and if you're on WinXP and haven't created a master
key, you're pretty much SOL.  (I'm not a PKI expert, so sorry if I used the
wrong terminology anywhere here.)

5) Actually, both Adaware and Spybot S&D work very well.  Both of them
together could protect you just about 100%.

6) Firewalls:  Zone Alarm has a free version, which is nice for those with no
$$ to spend.  For standalone users, I actually like the Norton Internet
Security package and it seems to work as well as Zone Alarm and has all
sorts of capabilities.  Zone Alarm has worked fine for me, though, too.
McAfee's personal firewall product has failed me more than any other, just
my personal experience.  My sister had it loaded on her machine and it
didn't stop a damn thing from getting in even though it was configured fine.
The WinXP built in firewall is ok.  It is free and gets a basic job done.
It even logs events, very skeletally.  You can't do egress filtering, though,
and it is not interactive, like it doesn't alert you the way Norton/Zone
Alarm can (so that can be good or bad depending on your POV).

As I have said several times before, I am not a windows expert and we use
few windows machines in our shop. Thus, I have a few questions about Windows
security from a Unix perspective.

  1) Are there programs equivalent to COPS and TripWire that run on Windows?
  2) Anyone running SNORT under Windows? Any comparison to how it runs under
  3) Does the most common AV software (Symantec, NAI, etc.) catch keystroke
loggers and other spyware (not Adware!) that may be present and running on a
Windows system?
  4) About the Windows encrypted file system... if someone gets Admin
privilege on a system using the encrypted file system, can they disclose or
compromise data that would normally be protected?
  5) When I search for products that detect adware installed on a Windows
box, I get dozens of hits... is any given product better than another, or do
you really need a combination of products to detect and stop all the various
adware downloads in use?
  6) Finally, windows firewalls... Is Zone Alarm still considered the best
for Windows? What are the strengths and weaknesses of the firewall built
into Win/XP?

TIA for all answers!
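As an added illustration of what a Tripwire-style checker does for question 1 above (this is example code written for this page, not the poster's and not Tripwire's own code): it hashes every regular file under a directory into a baseline, stores that baseline, and on a later run reports which files were added, removed or modified. The directory tree, file names and the simulated tampering below are all constructed inline so the script runs offline; the point that carries over from the EFS discussion is that the baseline itself has to live somewhere an attacker who already has Admin on the box cannot rewrite it.

```python
"""Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash, size and permission bits for every regular file under root.

    Paths are stored relative to root with forward slashes so a baseline
    taken from one mount point compares cleanly later. Symlinks are skipped.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                # On Windows the POSIX mode bits carry little information;
                # the content hash is what catches tampering there.
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline: dict, db: Path) -> None:
    # Keep the database OUTSIDE the monitored tree, ideally on read-only or
    # removable media: whoever can rewrite the baseline can hide any change.
    db.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db: Path) -> dict:
    return json.loads(db.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed in content or permissions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name
        for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
        or baseline[name]["mode"] != current[name]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"          # hypothetical monitored tree
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "login.exe").write_bytes(b"original binary")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "notes.txt").write_text("keep me\n")

        db = Path(tmp) / "baseline.json"     # stored outside the monitored tree
        save_baseline(build_baseline(root), db)

        # Simulated compromise: trojaned binary, poisoned hosts file,
        # a deleted file, and an unknown DLL dropped into bin/.
        (root / "bin" / "login.exe").write_bytes(b"original binary" + b"\x90" * 8)
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update.example\n")
        (root / "notes.txt").unlink()
        (root / "bin" / "keylog.dll").write_bytes(b"new unknown file")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it as a script and the report lists the dropped DLL as added, notes.txt as removed, and login.exe plus hosts as modified. In real use the baseline would be taken right after a clean install, signed or copied to media the machine cannot write to, and re-checked on a schedule; a checker whose database sits on the same disk as the files it guards only protects against an attacker who did not know it was there.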

