This particular implementation relies heavily upon Steve Gibson's page:
Network Bondage
and the child pages.
It is important to completely understand the theory before one attempts to utilize this method. It is also vital to understand that modifying ControlPanel/Network settings absolutely requires that either:
The remainder of this page is an email I sent to the Mentors on:
02 Nov 2001 21:57:15 -0800.
Subject: grc unbinding - was = Re: On Soliliquy 2: service and firewalls
Date: Fri, 02 Nov 2001 21:57:15 -0800
From: John Mayer
To: Foad Farid
CC: Doug Hardie
BCC: MentorsListBcc
Hi folks -
[Mr. Farid, a question for you at the end of this email, thanks. J.]
We trust those we know. I trust Mr. Farid. If he says it works, I will
not argue. And so with some trepidation I set forth to implement the
suggestions as laid out in the
http://grc.com/su-bondage.htm
site. The instructions were followed meticulously after reading through
to make sure I understood (to the best of my ability) the theory behind
the proposed actions.
(diagrams referred to are at the end of this email)
Mr. Gibson suggests the first diagram, (see diagram: grc's suggestion)
I want to keep "Client for Microsoft Networks" since that allows me to
"save my password" at the dialer ("Connect to" window).
I added the clients: NetBEUI and File/Printer sharing only to be in
concert with his diagram.
I rebelled against binding NetBEUI to the dial-up adapter since I have
an unused NIC card, so I bound NetBEUI to the card.
(see diagram: my first version)
After a bit of triple and quad and quint checking, I decided I had
everything right, and rebooted.
Upon reboot, I got an "Enter Network Password" window at boot time, with
my "machine" name and a blank password.
I tried a bunch of things to get rid of that boot-password window,
including deleting all my c:\windows\*.pwl files, fiddling around with
TweakUI, and changing ControlPanel/Network/Client for MSN/Properties/Network
logon from "Logon" to "Quick".
I decided that hell, I didn't need the file and print sharing, nor the
Microsoft Family Logon anyway, so I trimmed the bindings off them for
NetBEUI.
(see diagram: my second version)
To make a long story short, the solution for the password problem on my
machine was to change the ControlPanel/Network/"Primary Network Logon"
from "Client for Microsoft Networks" to "Windows Logon".
After reboot, I did have to do a blank password "OK" entry once, but
after that, I'm back to "normal" bootup sequence (no password request).
Other users may find variations of the other preceding techniques
helpful.
- - - - -
But I am still a little disconcerted:
After I unbound everything as prescribed by the grc site, I left
ZoneAlarm on and connected to lafn through the MM number.
I'm still getting "hits" or "inquiries" or "interrogations", whatever
you want to call them. ZoneAlarm is catching them and bringing them to
my attention.
Therefore, I must conclude that Gibson's SU-Bondage technique is not
bulletproof.
I need some feedback on this, if any of you have any insights to offer.
Mr. Farid, since I don't have any need for File or Print Sharing, nor
for Microsoft Family Logon, I trimmed (removed) those out, and made up
the third diagrammatic configuration on my machine ("my second
version"). As near as I can tell from what Gibson wrote, this is really
all I need. I want to keep the "Client for Microsoft Networks" involved
somehow just so I can "Save" my password at the "Connect To" (dialup)
window.
Any thoughts?
Thanks to all of you,
John
- - - - -
Foad Farid wrote:
>
> Doug and John both deserve our compliments for their
> professional discussion of the recent developments. I
> have been too busy to share my thoughts on these
> issues with you. But, I think I should discuss one of
> them here.
>
> First, I would like to second the suggestions that
> John has made. As the mentor who originally
> "reminded" all of the grc.com site, I was hesitant to
> suggest the approach proposed in
> http://grc.com/su-bondage.htm. The reasons are the
> very issues John has raised.
>
> I have been implementing these on my clients' and a
> few LAFN users' machines for more than two years now. It has
> taken me some 45 min. at times just to explain this
> need to even high-risk DSL clients that don't like
> firewalls. Further, I have yet to see a user who is
> able to implement these layers successfully without my
> direct involvement. Thus, I think that adopting this
> will require our more knowledgeable mentors to visit
> virtually every LAFN user, if not even a few mentors,
> to implement these. Even then, I am not convinced
> that these safeguards will always be effective. For
> example, I can see cases where users may want to
> remove some restrictions for such things as networking
> and printer sharing. Even if we assume that second
> visits may not be necessary, users may open some back
> doors to hackers in the process. I have to stop here.
>
> Best wishes,
> Foad
updated 28 November 2004 1533 pst jtm
all rights reserved, John Mayer