I wouldn't mess with the services start codes; those directly relate to how the services start up (automatic, manual, disabled). Changing that data will have very unpredictable effects.

As far as dependencies, ISA still depends on the base TCP/IP services; that's why the dependencies exist as they do.

The thing to bear in mind here is that until Windows is finished its startup, no services are answering even if the TCP/IP ports are showing "active". Those are two different issues.

If you can actually obtain more data than OS fingerprinting, I'd love to know what you get. That would certainly be something to pass on to the ISA and/or Windows teams.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Dar Scott" <dsc@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 01, 2002 07:43
Subject: [isalist] RE: Security hole at boot

I'm still concerned about the lack of IP filtering at startup. On typical machines this can be a minute, from the end of the blue progress bar until about 10 or 20 seconds after the login screen.

Vulnerability seems to depend on which services are started automatically and in what order. I'm worried that by enabling or disabling a service I might increase my exposure.

During this window, my server spills its guts; the system and some add-on services start broadcasting. LanGuard is able to get system info from ports 135 and (if I "accidentally" forget to disable NetBIOS on the TCP/IP properties) 139. If I enable simple TCP and simple TCP starts up, I can get time and date. I can FTP. I would guess that a system with Terminal Services or pcAnywhere might have these exposed if they end up being loaded early. A minute might be too short of a time to crack these, but might expose that they exist or expose them to those who have pw some other way.

I found this same problem with another firewall and with IPSec.

Anybody familiar with system startup?

Taking Jim's lead I looked at the registry. TCP/IP and NetBIOS over TCP have start codes of 1. IP Filter (IpFilterDriver), ISA IP Filter (MspFltEx), Firewall and so on have start codes of 2. So do lots of things that use TCP/IP.

Dependencies:
Firewall --> IP Filtering Extension --> IP Filter --> TCP/IP

Could start codes for IP Filtering and IP Filtering Extension be safely changed to 1? Would that even take care of the problem? The firewall service depends on several services so moving that to 1 would move several.

Could NetBIOS over TCP be moved to 2?

Or maybe somebody can convince me this is not a problem.

Dar Scott
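The start-code and dependency question raised in the thread, as an added example that is not part of either message: a read-only audit model that lists boot-started users of the IP stack that nothing orders after the filter driver, and re-evaluates that list for a hypothetical start code without writing anything to a registry. The snapshot is constructed; `Tcpip` and `NetBT` are the registry names assumed for TCP/IP and NetBIOS over TCP, `SimpleTcp`, `Ftp`, `RemoteAdmin` and `Publisher` are made-up entries, and the model assumes a lower start code always starts first while ignoring load-order groups within one start code.

```python
# Added example: audit model over a CONSTRUCTED snapshot, not real registry data.
# On a live host the two fields come from the Start and DependOnService values
# under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
AUTO = 2  # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled

SNAPSHOT = {
    "Tcpip":          (1, []),
    "NetBT":          (1, ["Tcpip"]),
    "IpFilterDriver": (2, ["Tcpip"]),
    "MspFltEx":       (2, ["IpFilterDriver"]),
    "Firewall":       (2, ["MspFltEx"]),   # name as written in the thread
    "SimpleTcp":      (2, ["Tcpip"]),      # constructed name
    "Ftp":            (2, ["Tcpip"]),      # constructed name
    "RemoteAdmin":    (3, ["Tcpip"]),      # constructed, manual start
    "Publisher":      (2, ["Firewall"]),   # constructed, waits for the firewall
}

def requires(snapshot, svc, target, seen=None):
    """True if svc transitively lists target among its dependencies."""
    seen = set() if seen is None else seen
    if svc in seen:
        return False  # dependency cycle: this branch was already explored
    seen.add(svc)
    deps = snapshot.get(svc, (None, []))[1]
    return target in deps or any(requires(snapshot, d, target, seen) for d in deps)

def unordered_before_filter(snapshot, stack="Tcpip", filt="MspFltEx"):
    """Boot-started users of the IP stack that nothing orders after the filter."""
    filt_start = snapshot[filt][0]
    flagged = []
    for svc, (start, _) in snapshot.items():
        if svc in (stack, filt) or start > AUTO:
            continue  # the endpoints themselves, or not started at boot
        if not requires(snapshot, svc, stack):
            continue  # does not use the IP stack
        if requires(snapshot, filt, svc):
            continue  # part of the filter's own dependency chain
        if start > filt_start or requires(snapshot, svc, filt):
            continue  # later start code, or explicit dependency on the filter
        flagged.append(svc)
    return sorted(flagged)

def with_start(snapshot, names, start):
    """Copy of the snapshot with a different start code for the named entries."""
    return {k: (start if k in names else s, d) for k, (s, d) in snapshot.items()}
```

An entry that is not flagged is only ordered after the filter driver loads; whether filtering rules are in force at that point is a separate check.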