Limited User Unable to Change OneCare Firewall Settings on a system with Windows XP SP3

  • Question

  • All,

     

    I discovered a serious flaw in Windows OneCare when I installed it for the first time after de-installing Symantec Norton Internet Security after 5 years of use of that software.

     

    The flaw is as follows:

     

    I installed OneCare using an account on my Windows XP SP3 system that has administrator privileges. Then I logged out of that account and logged back in with my normal account that does NOT have administrator privileges. I then attempted to use the software products that I normally use such as Thunderbird, Firefox, IE, etc., and I started getting warnings from OneCare that I had to have administrator privileges in order to unblock TCP/UDP ports that these applications were attempting to use.

     

    However, in order to get administrator privilege, I have to switch context to an account with administrator privilege in order to effect the change.

     

    The net effect of this flaw will be that users will set their normal user accounts to have administrator privileges in order to work around this flaw and, consequently, their systems will be much more vulnerable in case there is a successful malicious code exploit of their system.

     

    By way of comparison, the Symantec product which is 5 years old (I had the 2003 version) did not require me to have administrator privileges in order to make such Firewall adjustments.

     

    When you think about it this is a flaw that should have never got out of product development because its consequences defeat the whole principle of least privilege.

     

    Is there some way to solve this problem without having to run with administrator privileges?

     

     

    Wednesday, August 27, 2008 12:24 PM

Answers

  • No, I disagree. It is not a flaw, it is by design. A limited user should *not* have the ability to allow unknown programs through the firewall. I agree that it is a pain to deal with when encountered. In Vista this is less painful due to UAC. User Account Control does not exist in XP, so you're stuck with the simplistic solution. Note that you normally would not be prompted for permission for most digitally signed, recognized programs. OneCare maintains an extensive list of trusted programs in the firewall rules to prevent being prompted for the typical programs.

    -steve

     

    Friday, August 29, 2008 12:39 PM
    Moderator

All replies

  • In OneCare, what level of prompting have you set for the firewall on that account? If you have set it to prompt for all requests, you'll be facing this problem. Otherwise, you would only encounter it with an unknown program. The list of recognized programs is quite extensive and prompts should be minimal with the default settings. To allow a program or modify the firewall settings, you will need to make the account an admin temporarily, log into that account, change the settings, log out, then change this account back to a limited user.

    If you are being prompted to allow access for IE, Thunderbird, Firefox and the like, *and* you have left the firewall settings to the default, prompting only for unknown programs, you have another problem and it may be that your previous product has not been fully removed from the PC.

    -steve

     

    Wednesday, August 27, 2008 12:31 PM
    Moderator
  • Steve,

     

    thanks for your insights. However

     

    As you say. 

     "..........To allow a program or modify the firewall settings, you will need to make the account an admin temporarily, log into that account, change the settings, log out, then change this account back to a limited user."

     

    is itself a serious flaw. Just by implying that it is a "feature" does not make it any less a flaw. Switching context in Windows XP SP3 is too time consuming for the average user and this will lead users to maintain admin privileges which represents a larger attack surface.

     

    For the time being, I have elevated my normal account from Power User to Admin. That the OneCare software engineers/architects have made me do this is Very Very Lame (VVL).

     

    I should add that there are a number of "unknown" Microsoft programs that are getting caught by the firewall, again this is VVL.

     

    Best Regards

     

    John Holmblad

     

    Friday, August 29, 2008 2:05 AM
  • Oh, and I'll state once again that if you are being prompted to allow known common Microsoft programs such as IE and you have not set the firewall to prompt for all access requests, then you've got a problem that needs to be investigated.

    -steve

     

    Friday, August 29, 2008 12:41 PM
    Moderator
  • Steve,

    I am not sure how you define "unknown programs". If the user is running a program that they have installed and used many times prior to the installation of OneCare, then such a program does not meet my definition of "unknown program".

    A smarter design would have taken this into account in the design of OneCare Firewall for Windows XP. Security features that are complex or tedious for the user to implement have been proven to be ineffective time and again.

    No doubt you are aware of the Administrator's Hall of Shame which enumerates those products that require admin privileges in order to operate correctly.

    Here is the url to the www page for that www site in case you are not already aware:

    http://www.threatcode.com/admin_rights.htm
    Best Regards

    John Holmblad






    Friday, August 29, 2008 7:38 PM
  • An unknown program is defined as a program that does not exist in the allow list within OneCare - placed there by the user in response to a prompt for access, manually by configuring and adding, or (most common) because the program is digitally signed and has been included in the rules list within OneCare which is deployed as part of the install and updated along with definitions for the malware detection engine.

    -steve

     

    Tuesday, September 2, 2008 6:13 PM
    Moderator
  • John,

     

    You either have archaic or insecure applications on your PC, all major current software is either digitally signed or included within the OneCare firewall policy and has been for well over a year.

     

    I have been running a PC with OneCare and limited accounts with Windows XP for the regular users for over two years and haven't had such issues since shortly after 1.0 released. Even before this, I merely had to run a new program once as an administrator to 'teach' the OneCare firewall what to allow, which took less than 30 seconds typically. At this point though, I can't even remember the last time I had to do this.

     

    Allowing a Limited User to modify firewall access is obviously a breach of security and only an archaic security application would allow it. You are describing the situation from the dark ages of Windows computing that existed in the early years of Windows XP and is exactly why Microsoft created OneCare, since none of the then existing security applications could seem to get anything right.

     

    If this is your idea of security then you are looking in the wrong place, since OneCare is designed to actually protect the user and the PC, not pay lip service to the idea. This level of security will necessarily require the upgrade of some application software, since much of that was also badly designed during that same era and must simply be replaced to resolve the inherent problems it contains.

     

    The malware world has moved on and so must the security applications that protect you from it.

     

    OneCareBear

    Wednesday, September 3, 2008 5:29 AM
    Moderator
  • Carebear,

    please be careful not to jump to conclusions in the absence of facts. And please don't think like a developer concerning this software design flaw, think like a user/customer.

    In fact the Microsoft Windows XP SP3 system that is the subject of this discussion thread is absolutely up to date with the latest service packs (SP3) and patches for the OS, for Microsoft Apps and for Non-Microsoft apps, of which there are many (e.g. Firefox, Safari, iTunes, QuickTime, Google Earth, VMware Player and Server, etc.).

    Now this system IS running some very new/recent applications from Microsoft and others that the OneCare firewall is not yet aware of such as Livestation, the client components of Windows Home Server, Google Chrome, etc. whose execution subsequent to installing OneCare DID cause the firewall warning to fire off, and which I could, given that I was running as administrator, confirm to the firewall that these are, in fact, legitimate applications. Having said that, the firewall is also firing off on Microsoft products such as Office 2007 and others that cannot be considered brand new.

    If Microsoft intends to supply OneCare for Windows XP customers it must change this product's behavior in order to make it useable, effective, and safe for the XP user. As of right now it is not safe because to be useful it requires the user to upgrade their account to administrator privileges in order for the firewall to be useable without being a major inconvenience to the user.

    Here is one way that the OneCare software developers could achieve that.

    1. Upon install/config of OneCare, make the person/installer aware that the firewall is going to have to go through a "learning process" which may take several days, as common apps are executed in the course of normal system usage.

    2. Give the installer the option of selecting user accounts that are permitted to make modifications to the firewall based on first usage.

    3. Give the installer the option to disable such permissions after a period of time (e.g. after the first week).

    In fact, the firewall incorporated in Symantec Norton Internet Security (NIS) 2003 (that is, the version from 5 years ago) supports #2 above. Now, I would think that 5 years later the OneCare development team could do better than a product, such as Symantec NIS, that was probably designed in ~2000.

    The software architects and developers on the OneCare team must understand that security that is either

    a) complex, or

    b) inconvenient for the AVERAGE user is not security at all, it is simply more useless technology.

    Best Regards

    John Holmblad
    Sunday, September 7, 2008 2:50 PM
  • As I stated above I haven't seen a firewall warning that I was required to answer, just notifications that it had automatically made some change, in over a year. This includes applications like Microsoft Office and iTunes/Quicktime which you mentioned above. I don't know what's happening in your case, though I've personally [left] disabled just about everything that displays an unnecessary warning, since the primary users of the PC in question would only be confused by them.

     

    My guess would be that something isn't working correctly on your PC, possibly some remnants of that ancient version of NIS still left on the system? We regularly recommend that the Symantec AV cleaner programs be run to remove such remnants, since they are well known to create problems for any future AV product installation. I'm not following all of your threads, so I don't know if this has already been mentioned.

     

    The fact that we've seen virtually no complaints here since about the time OneCare v1.5 released makes me think that few are having the troubles you are with these notifications. Though quite a few probably have legacy Windows XP accounts which operate as an Administrator, I've personally recommended OneCare to many here attempting to operate with Limited Accounts and none have returned to complain. In fact, this is precisely why I chose to try OneCare myself, since virtually no other product at the time was operating properly on a Windows XP system with Limited Accounts.

     

    You've spent a significant amount of time here complaining about the firewall in a forum which is not manned directly by Microsoft Support personnel. Have you attempted to communicate directly with OneCare Support to determine if your issues are really a technical problem on your PC rather than the design flaw you wish to assume?

     

    OneCareBear

    Monday, September 8, 2008 3:46 PM
    Moderator
  • steve: " ...you are being prompted to allow known common Microsoft programs such as IE and you have not set the firewall to prompt for all access requests, then you've got a problem that needs to be investigated. "

     

    Hi, Steve ... this has me a little concerned. I installed Microsoft Equipt this morning and had some problems but the installation of OneCare seems stable. However, I have had two program access alerts today. One of them was for wermgr.exe with Microsoft as the publisher. I thought it strange that this program was not recognized ... I think this is Windows Error Reporting or something like that, right? ... but then thought that, since I had just loaded from CD, that the time/date stamp (or hash, or whatever) might have been updated since the CD was pressed and clicked on Allow.

     

    In your experience, with a fresh install from CD, would it be more likely that I would see system files or files legitimately digitally signed by Microsoft come up as unknown?

     

    Thanks for any reply ... berry

     

    Monday, September 22, 2008 2:32 AM
  • Sorry for the late reply, berryjuice. Yes, it is not uncommon for some programs to cause a prompt, even ones from Microsoft. If the specific version is not in the allow list, you'll be prompted.

    -steve

     

    Monday, September 29, 2008 7:06 PM
    Moderator
  • This is not a flaw; however, you have your settings messed up. You need to change the firewall from asking for all programs and just ask about the new ones. The reason this isn't a flaw is if I was a limited user on your computer and started downloading or running computer programs that would harm your computer and crash it, but since I have no admin privileges then I could do no such thing and your computer is safe that way.

    good luck with your firewall settings :)
    Saturday, September 19, 2009 10:08 AM