
Windows 2000: software firewall recommendations wanted

Pepinno (Veteran Member, joined Apr 16, 2007, Barcelona)
OK, I know Windows 2000 is not vintage, but it is unsupported by its vendor, which is something.

I happen to use Windows 2000 as my main OS in my main home PC workstation, and I am happy with it. I use the server version, which I run as a standard non-privileged user, and I RDP to localhost as Administrator whenever some administrative task is required -- by that precaution alone I'm already opting out of 90% of Windows viruses and malware.

The problem, in my view, is that Windows 2000 is no longer receiving security patches from Microsoft, so I am vulnerable through the LAN connection (not that there is malware in my LAN that I know of, but a guest with a laptop could ruin my W2k machine, and that would be bad).

So I think it's time for me to install a software firewall in my Windows 2000 machine, to protect it from eventual threats which may pop up in my local ethernet network. In my XP laptop I use the built-in Windows firewall, which I find to be exactly what I need and I like it (it's light on resources, non-obtrusive, maintenance-free, and it just works).

However, a software firewall needs to install a packet filter in the form of a Windows driver, running in kernel space, and it is therefore a "delicate" piece of software which can potentially destabilize the whole system. So I need advice, and I would like to hear people's experiences with software firewall products compatible with W2K, to choose wisely.

My preference would be a firewall-only product (no antivirus or extra functionality), which is light in resources and the more stable the better.

For Windows 2000, I know of ZoneAlarm, which has a mixed reputation: it works, but it is also known to cause BSODs sometimes. I use this machine daily and I have not had a BSOD since about 2005 (and then I exchanged the stock PSU for an expensive brand one, and no BSODs since then).

What do you, fellow forum members, recommend as a software firewall for Windows 2000?

Well, I have been using Tiny Personal Firewall for years with no ill effects. You can find the last freeware version here

At that link is a comment about Kerio and Tiny being one and the same, with a link to a later last free version of Kerio. I think the free version of Tiny is 2.0.15 and the Kerio says it's 2.15 so they may be the same.
 
ZoneAlarm used to be good, but in the later versions I used it screwed up so many things my tech friends and I all stopped using it. It just became bloated and unstable. I've heard good things about Tiny Personal Firewall. I actually liked BlackIce back in the day, but that wasn't free.

What are you trying to stop though? Is your system connected directly to the internet and hosting things/open, or is it just a workstation behind another firewall/router and mostly protected anyway? The average true firewall only protects you from the network traffic connections, not necessarily the content. That's a somewhat large misunderstanding of what they do and a false sense of security. A firewall configured to allow server traffic through (whether http, ftp, etc.) just allows it no matter the content or attack inside. If you're looking for a content-based firewall then you're really looking for more of an IDS/Intrusion Detection (or Prevention) System. That will scan the packets for known signatures of attacks or malicious payloads and either alert you (IDS) or drop the packet (IPS).

For the most part just having one of the all in one routers (firewall, switch, router combo) between your system and your modem/high speed internet is good enough for a firewall for port blocking/masking your internal systems.

The more advanced and better option but more resources intensive would be building yourself a nice router/firewall computer to filter the traffic.

The software you might be able to use also to detect packets could be Snort; there's also a product/port (this was years ago .. I don't know the latest development status) called Snort inline which is the IPS version (actively blocks things it thinks are attacks).

I guess the main thing to remember (and you're probably a tech so my apologies for probably preaching to the choir) is that you can't secure a system from the user. No matter how good your security applications are, they won't protect someone that connects to a website or clicks "yes" on any software pop-ups on the net ;-) It's tough to figure out a good product for something like, say, a grandmother on the internet.
 
One of the problems with Windows/2000 is that you don't know what the security holes are.

For example there is a disclosed security hole in the RDP protocol (which you use) in almost all later versions of Windows. As Microsoft no longer publish details of security holes in Windows/2000 you don't know if it's there or not. I would assume it is, so how is your firewall going to help as you have the RDP ports open?
 
Actually barythrin hit the nail on the head. If you're sitting behind a router that has NAT turned on (which 99.999% of them do), then you don't need a firewall on your local PC to protect you from the internet. A firewall in that situation would only be pertinent if you're afraid of other devices/people on YOUR network trying to get into the PC or if you're trying to control outbound connections.
 
Actually barythrin hit the nail on the head. If you're sitting behind a router that has NAT turned on (which 99.999% of them do), then you don't need a firewall on your local PC to protect you from the internet. A firewall in that situation would only be pertinent if you're afraid of other devices/people on YOUR network trying to get into the PC or if you're trying to control outbound connections.

I am looking to replicate in Windows 2000 the built-in Windows-firewall experience of Windows XP. I don't want to scan/block incoming "content", I just want to block network access to several ports/services my Windows 2000 machine has open by default.

Yes, I'm behind a NAT router which acts as a firewall keeping my Windows 2000 machine out of reach from the public Internet. But as I said, a guest with an infected laptop hooked up to my LAN could ruin my Windows 2000 machine. As a matter of fact, I myself could prepare a "specially crafted" infected Windows laptop which I guarantee would infect any Windows machine in the same LAN segment which is six or more months behind on Windows-updates AND has the built-in Windows-firewall disabled. That is the scenario I want to be protected from (not that I expect nasty guests at home, but you know the sorry state in which non-techies keep their Windows laptops they use to carry around, don't you?).

One of the problems with Windows/2000 is that you don't know what the security holes are.

For example there is a disclosed security hole in the RDP protocol (which you use) in almost all later versions of Windows. As Microsoft no longer publish details of security holes in Windows/2000 you don't know if it's there or not. I would assume it is, so how is your firewall going to help as you have the RDP ports open?
I am worried about remote root exploits in Windows 2000, that's what I want the personal software firewall for. My Windows 2000 only allows RDP connections from administrative users (it is not deployed as a full-fledged terminal server) and I very much doubt that you can exploit RDP without first successfully logging in through terminal services -- the vulnerability in RDP most probably is that a sniffer could impersonate or man-in-the-middle an ongoing RDP connection; and that requires much more sophistication and determination on the part of the attacker than a casual infected laptop from a guest connected to your home LAN.
 
Well, I have been using Tiny Personal Firewall for years with no ill effects. You can find the last freeware version here

At that link is a comment about Kerio and Tiny being one and the same, with a link to a later last free version of Kerio. I think the free version of Tiny is 2.0.15 and the Kerio says it's 2.15 so they may be the same.

Thanks a lot for the pointers. I've downloaded both Tiny 2.0 and Kerio 2.15. I will try them as soon as I have done a full system backup of my Windows 2000 machine.
 
I guess the main thing to remember (and you're probably a tech so my apologies for probably preaching to the choir) is that you can't secure a system from the user. No matter how good your security applications are, they won't protect someone that connects to a website or clicks "yes" on any software pop-ups on the net ;-) It's tough to figure out a good product for something like, say, a grandmother on the internet.

Well, if the system is up-to-date with security updates (in order to be protected against root exploits), and the user is running with least-privilege then you can secure the system from the user. You cannot secure the user's *profile* from the user, but the *system* will most likely stay secured (barring an unpatched local root exploit, of course).
 
I used ZoneAlarm with Windows 2000 from about 2004 right up until I switched to Windows 7 six months ago. I can't recall ever having a problem with it. It's simple and unobtrusive, and the way it handles per-program internet access is very nice.

Version 7.0.483 is the last one that works on Windows 2000 (download it from oldversion.com), but anything from 6.1 on is good.
 
I very much doubt that you can exploit RDP without first successfully logging in through terminal services -- the vulnerability in RDP most probably is that a sniffer could impersonate or man-in-the-middle an ongoing RDP connection; and that requires much more sophistication and determination on the part of the attacker than a casual infected laptop from a guest connected to your home LAN.

It looks from :-

http://thehackernews.com/2012/03/poc-windows-rdp-vulnerability-exploit.html

that it's a fully fledged gaping exploitable hole, requiring no logon or authentication...
 
It looks from :-

http://thehackernews.com/2012/03/poc-windows-rdp-vulnerability-exploit.html

that it's a fully fledged gaping exploitable hole, requiring no logon or authentication...

The hacker who made the vulnerability public only managed to BSOD the vulnerable remote Windows machines. He hinted at the possibility of a remote root exploit, but his proof of concept did no such thing, only a Denial-of-Service type of attack.

The words of the hacker: http://aluigi.org/adv/termdd_1-adv.txt

The DoS attack in action: http://www.youtube.com/watch?v=DjKFP9KEeUA

"We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution": http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx

It's a serious problem, nonetheless, for Windows 2000.

---

Edit to add: Oh, damnit! --> "A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." And: "For systems running supported editions of Windows XP and Windows Server 2003, a remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RDP packets to the target system."

A truly remote root exploit, then: http://technet.microsoft.com/en-us/security/bulletin/ms12-020
 
The problem is that you still don't KNOW if either of the above apply to Windows/2000. Because it's no longer supported Microsoft doesn't report discovered security holes, and you can't patch them. Whilst there are not many folks using Windows/2000 there are many more on XP. Earlier this year we had this from Microsoft:-

In a blog posting from Easter Monday, Microsoftie Stella Chernyak reminded everyone that in regard to Windows XP (all versions) and Office 2003 (all versions and modules), "on April 8, 2014, we will officially end support for these versions of Windows and Office."

so in under two years' time, on my 36th wedding anniversary, Windows/XP on this laptop will become totally unsupported. I wonder how many XP systems will still be in use then. I expect many more than there ever were Windows/2000 desktops....
 
The problem is that you still don't KNOW if either of the above apply to Windows/2000. Because it's no longer supported Microsoft doesn't report discovered security holes, and you can't patch them.
There is no official word from Microsoft linking that vulnerability to W2k, but it sure is affected.

so in under two years' time, on my 36th wedding anniversary, Windows/XP on this laptop will become totally unsupported. I wonder how many XP systems will still be in use then. I expect many more than there ever were Windows/2000 desktops....

I also have WinXP/Office2003 on my work laptop, and for now I refuse to upgrade (it works quite faster than many brand new laptops with Windows 7 and Office 2007 and multigigabytes of RAM).

---

Going back to my Windows 2000 workstation, these are the ports I have open in it:

[image: 01nmap.png, nmap scan of the Windows 2000 workstation showing its open ports]


(Also, I have two ports open for eMule, and one for BitTorrent (which are the only three ports open to the public Internet through NAT), but I am not running those programs right now.)

The processes which are using those ports are:

[image: 02netstat.png, netstat output mapping the open ports to processes]


tcp/21 --> I have the FTP server "ServUDaemon" running on the W2k system. This will be kept open.
tcp/22 --> I have the SSH server from Cygwin running. This will be kept open.
tcp/135 --> NetBIOS port. This one I probably want it closed.
udp/137 --> NetBIOS port. This one I probably want it closed.
udp/138 --> NetBIOS port. This one I probably want it closed.
tcp/139 --> NetBIOS port. This one I probably want it closed.
tcp/445 --> NetBIOS port. Currently in use from my Linux laptop with the "smbfs" samba client. This will be kept open.
tcp/902 --> VMware Server 1.x remote connection. This one I probably want it closed, but open on the loopback adapter.
tcp/912 --> VMware Server 1.x remote connection. This one I probably want it closed, but open on the loopback adapter.
tcp/1025 --> Microsoft Windows Task Scheduler. This one I probably want it closed, but open on the loopback adapter.
udp/1026 --> that's the SSH server from Cygwin, again. I don't know why it is messing with this port, but I will probably keep it as is.
tcp/3052 --> That's the SQL Server 2000 (MSDE) instance used by Veritas Backup Exec 9.0. This one I probably want it closed, but open on the loopback adapter.
tcp/3210 --> That's the "Poweroff" program, I used it in the past to be able to do remote shutdowns of the Windows 2000 machine from a Linux host with no GUI. I will uninstall this program, because I now have the SSH server from Cygwin running and that will do its jobs for remote shutdowns.
tcp/3389 --> Remote Desktop service. This will be kept open.
tcp/3527 --> Veritas Backup Exec Server 9.0. I may keep this open to play with it.
tcp/6101 --> Veritas Backup Exec Name Service. I may keep this open to play with it.
tcp/6106 --> Veritas Backup Exec Server 9.0. I may keep this open to play with it.
tcp/10000 --> Veritas Backup Exec Remote Agent. I may keep this open to play with it.
tcp/45925 --> The Administrative GUI console for the FTP server. It's only listening on the loopback adapter, so everything is fine as it is.
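An added example, not from the thread, that turns the inventory above into a repeatable check: it parses constructed Windows 2000 `netstat -an` lines (W2K's netstat has no PID column) against a per-port exposure policy copied from the poster's keep/close/loopback decisions, and reports every listener that is more exposed than intended. The policy table, the sample lines and the reason strings are assumptions built from the list above.

```python
import re

# Intended exposure per (proto, port), from the poster's list: "lan" = may listen
# on all interfaces, "loopback" = 127.0.0.1 only, "closed" = should not listen.
POLICY = {
    ("tcp", 21): "lan", ("tcp", 22): "lan", ("tcp", 445): "lan", ("tcp", 3389): "lan",
    ("tcp", 3527): "lan", ("tcp", 6101): "lan", ("tcp", 6106): "lan", ("tcp", 10000): "lan",
    ("udp", 1026): "lan", ("tcp", 135): "closed", ("udp", 137): "closed", ("udp", 138): "closed",
    ("tcp", 139): "closed", ("tcp", 3210): "closed", ("tcp", 902): "loopback",
    ("tcp", 912): "loopback", ("tcp", 1025): "loopback", ("tcp", 3052): "loopback",
    ("tcp", 45925): "loopback",
}

# Constructed sample in the Windows 2000 'netstat -an' layout (no PID column on W2K).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:45925        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:1432      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:5000           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")
REASON = {"closed": "should not be listening", "unknown": "not in policy, review"}


def parse_listeners(text):
    # Return (proto, bind_addr, port) for TCP sockets in LISTENING state and all UDP
    # sockets; ESTABLISHED/TIME_WAIT rows are sessions, not exposed services.
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (m.group(1) == "UDP" or m.group(4) == "LISTENING"):
            found.append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return found


def audit(listeners, policy):
    # Report every listener whose real exposure exceeds what the policy allows.
    findings = []
    for proto, addr, port in listeners:
        want = policy.get((proto, port), "unknown")
        if want in REASON:
            findings.append((proto, port, addr, REASON[want]))
        elif want == "loopback" and addr != "127.0.0.1":
            findings.append((proto, port, addr, "bind to 127.0.0.1 or block on the LAN side"))
    return findings
```

Running `audit(parse_listeners(NETSTAT_SAMPLE), POLICY)` flags tcp/135 and udp/137 (to be closed), tcp/902 (reachable from the LAN but meant for loopback) and udp/5000 (not in the list), while tcp/45925 passes because it is already bound to 127.0.0.1.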
 
The problem is that you still don't KNOW if either of the above apply to Windows/2000. Because it's no longer supported Microsoft doesn't report discovered security holes, and you can't patch them. Whilst there are not many folks using Windows/2000 there are many more on XP. Earlier this year we had this from Microsoft:-

In a blog posting from Easter Monday, Microsoftie Stella Chernyak reminded everyone that in regard to Windows XP (all versions) and Office 2003 (all versions and modules), "on April 8, 2014, we will officially end support for these versions of Windows and Office."

so in under two years' time, on my 36th wedding anniversary, Windows/XP on this laptop will become totally unsupported. I wonder how many XP systems will still be in use then. I expect many more than there ever were Windows/2000 desktops....
And those folk will probably be using them without many issues at all. Happens with any OS. If folk find it useful and doing what's needed they generally don't just drop it because MS has officially dropped support for it. It usually puts a lively community into action.
 