[Repost] Raw Sockets Gone in XP SP2

Raw Sockets Gone in XP SP2 - Thursday 12 August, 2004, 2:07 PM

http://www.interact-sw.co.uk/iangblog/2004/08/12/norawsockets 

 

Well, not strictly gone, but their power has been reduced in certain respects.

While it might make Steve Gibson happy, I'm not utterly delighted by this particular change service pack 2 brings to Windows XP.

Security expert and fellow DevelopMentor instructor Dominick Baier drew my attention to the fact that Windows XP service pack 2 (which I just installed) reduces the power of raw sockets. This has had no direct impact on me, since nothing I did uses raw sockets. But there are a couple of groups of users that this will affect.

The good news (and the justification for the removal of the feature) is that this change will prevent certain network attack tools used by crackers from running on Windows XP. These tools are easier to write if you have a full raw socket facility. But it won't impede them much of course - presumably they'll just go and use some other operating system. The limitations on the raw socket facility in Windows XP don't make XP any more or less vulnerable, they just make it slightly less suitable as a platform for launching certain kinds of attacks. But that really won't stop a determined hacker - it's not like it's that hard to find an OS that supports full raw sockets. Linux supports them for example. (So if Steve Gibson was right in his original rather sensationalist article, Linux will now supplant Windows XP as the "denial of service tool of choice for internet hackers everywhere" as he put it... Not that Windows XP ever fulfilled his prophecy of doom, as far as I know.)

In fact there's no reason a cracker couldn't add the functionality back into Windows if they're prepared to write a suitable device driver. I don't think there's anything stopping you writing a kernel mode device driver that plugs into the NDIS stack and communicates directly with the network card device driver. That would let you send any Ethernet packet you like, which would give you at least as much power as the original unencumbered raw sockets API. (In practice they'll probably just use an OS such as Linux which still supports the feature.)

The other group this affects is security professionals - the restriction of the raw sockets API prevents certain penetration test tools from running. For example, Dominick pointed out that certain features of nmap won't work on Windows XP once you've installed service pack 2. This means you can no longer use Windows XP to discover whether a particular system on your network is vulnerable to certain kinds of attacks.

The justification for limiting raw sockets is that they provide a tool for the attackers. That sounds reasonable enough until you realise that raw sockets are also a tool for the defenders. Now that I've installed service pack 2 I'm deprived of the ability to use this tool to defend myself, unless I have some other systems around that still support raw sockets. Meanwhile I can be absolutely sure that those who would attack my networks *do* have systems that support raw sockets.

So this change appears to have made Windows XP less useful for detecting security flaws without putting up any significant new barrier to determined attackers. Doesn't that make me less secure, on balance?

(Of course this is just a minor niggle - on the whole, I think the security improvements of XP SP2 are a Very Good Thing!)

Time: 2024-08-03 20:43:57
