Microsoft Windows XP Power Toolkit

BlackIce PC Protection (which we’ll simply refer to as BlackIce), from Internet Security Systems, Inc., is another popular firewall application. In this section, we review the basic information about this program so you can decide whether you’d like to install it on your computer. You can purchase BlackIce from the Internet Security Systems Web site (http://www.iss.net).

To run BlackIce, first ensure that your computer meets the following requirements:

  • Windows 98, Windows Me, Windows NT Service Pack (SP) 4 or above, Windows 2000 SP1 or above, or Windows XP operating system

  • 16 MB of RAM

  • 6.5 MB of available disk space

Once you have verified that your system meets the minimum requirements, you can install BlackIce by following these steps:

  1. Double-click the BlackIce Setup file to begin installing the software. BlackIce uses the popular InstallShield Wizard (which you’ve probably encountered many times as you installed software), and you must click Next to move through each wizard page.

  2. After the welcome page, you must accept the terms of the BlackIce license agreement. Click Next.

  3. Specify the folder you want to use as the container for the software, as shown in Figure 23-10.

    Figure 23-10  Setting the installation location for BlackIce.
  4. If you don’t like locating software in subfolders within your Program Files folder, or if you want to install BlackIce on a different drive, click Browse and either select a drive and folder from the dialog box as the target location, or type a path directly into the dialog box. If you type a path to a folder that doesn’t exist, the wizard creates the folder for you, providing the drive letter you supply exists.

  5. After displaying the Programs menu item that will exist when installation is complete, the wizard says that it needs to inspect your computer to create a baseline of applications that exist on your system, as shown below.

    The amount of time required for this inspection varies, depending on the size of your drive(s) and the number of applications installed.

  6. When you click Next, the wizard displays an estimate of how long the installation will take. Click Next again to start the copying of the software files to your hard disk, and begin inspecting your computer.

  7. When BlackIce has collected all the information it needs, the final wizard page is displayed, announcing that setup is complete. Click Finish. If you leave the Readme File check box selected, the Readme file will load automatically in Notepad. The BlackIce icon then appears in the notification area.

BlackIce provides several options for specifying how you want to use its protection features. To set the options you want, double-click the BlackIce icon in the notification area, and from the Tools menu, select Edit BlackIce Settings.

When you open the Settings dialog box, shown in Figure 23-11, the Firewall tab, shown by default, is a good place to begin your configuration efforts.

Figure 23-11  Using the Firewall tab to set how BlackIce controls access to your computer.

The Protection Level setting establishes the intensity of the security settings. By default, the level is set at Cautious. You can change the setting to a more restrictive level if you think your computer is experiencing a highly unusual number of intrusion attempts. Likewise, you can reduce the standard if you think your computer is reasonably safe from intrusions during a particular session. The following is an overview of the effects of each available setting:

  • Paranoid  Stops all unsolicited inbound traffic. Using this protection level might mean that you can’t do everything you want to on interactive Web sites.

  • Nervous  Blocks all unsolicited inbound traffic except some traffic required for interactive Web sites, such as receiving streaming media.

  • Cautious  Blocks unsolicited inbound traffic that is trying to access Windows operating system services or network services.

  • Trusting  Lets all inbound traffic through.

In addition to the Protection Level settings, the Firewall tab offers several other configuration options. Select or clear the check boxes for each of the following options:

  • Enable Auto-Blocking  Automatically blocks any intrusion attempt (selected by default). If you clear this check box, BlackIce reports the event in a log file but doesn’t block the traffic.

  • Allow Internet File Sharing  Permits file sharing among computers, including computers on your LAN (the word Internet is a bit misleading in this option). If you’re on a network and you share files with other computers, select this check box.

  • Allow NetBIOS Neighborhood  Causes this computer to show up in the Network Neighborhood of other computers on your network. If you don’t select this option, users on other computers won’t see this computer’s listing. However, this doesn’t mean that you can’t share files between this computer and other network computers; it only means that users on other computers must access your computer manually (for example, by entering a Universal Naming Convention (UNC) path built from this computer’s IP address in the Run command).

After you’ve made any necessary changes on the Firewall tab, click Apply to put the changes into effect. If you’re finished with your configuration efforts, click OK to close the dialog box.

The Packet Log tab, shown in Figure 23-12, is the place to set up the logging features that BlackIce offers.

Figure 23-12  Using the Packet Log tab to turn on logging and specify the manner in which events are logged.

Packet logging tracks all traffic, not just intrusion attempts, so your log files can become quite full of data, including a lot of information that doesn’t help you track attempted intruders.

The logs are kept in the folder into which you installed BlackIce, and the file name extension for packet logs is .enc. If you choose to turn on the logging feature, use the following guidelines to specify how logging works:

  • File Prefix  Determines the prefix of the packet log file names. By default, the prefix is log, so that log files are named log0001, log0002, and so on. You can select a different prefix, perhaps using letters that refer to the name of your computer.

  • Maximum Size (Kbytes)  Indicates the maximum size you want to permit a log file to be (the default maximum size is 2048 KB). When the file reaches the specified size, BlackIce starts a new log file.

  • Maximum Number Of Files  Determines how many log files BlackIce retains. The default value is 10. You can rename old log files or move them to a different folder to make sure the system continues to create files.

The Evidence Log tab, shown in Figure 23-13, is where you set up the specifications for tracking suspicious behavior. When BlackIce detects that an intruder might be accessing your computer, it collects the evidence in logs.

Figure 23-13  Specifying how you want to track the behavior of intruders.

By default, evidence logging is enabled, and it’s not a good idea to disable this feature. BlackIce captures all the network traffic packets generated by suspected intruders and keeps that information in the evidence log file. Capturing packets means the program can keep detailed information about everything an intruder tried to do.

Evidence logs are located in the folder into which you installed BlackIce, with the file name extension .enc. Use the following guidelines to configure the options available for the evidence logs:

  • File Prefix  Determines the prefix for the file names of evidence logs. By default, the prefix is evd. You can add a time and date stamp to the file name by typing %d after the prefix. The time and date stamp appears in the format YYYYMMDD.

  • Maximum Size (Kbytes)  Specifies the maximum size for an evidence log. The default is 1400 KB.

  • Maximum Number Of Files  Determines the number of evidence files the system retains. The default is 32. You can rename or relocate old evidence files to make sure the system continues to create files.

    NOTE
    BlackIce will not create more than 32 files in any 24-hour period.
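The packet-log and evidence-log rotation rules described above (numbered <prefix>NNNN.enc files, a Maximum Size, a Maximum Number Of Files, the %d date stamp, and the 32-files-per-24-hours evidence cap) as an added Python model; this is not BlackIce’s own code. The class name, a four-digit counter starting at 0001, deleting the oldest file to enforce the file limit, UTC for the date stamp, and expanding %d anywhere in the prefix are my assumptions.

```python
import os
import time
from datetime import datetime, timezone


class RotatingLog:
    """Numbered log files in the style described above: <prefix>NNNN.enc.
    Assumed (not from the book): counter starts at 0001, max_files is enforced
    by deleting the oldest file, daily_cap models the 32-per-24-hours evidence
    limit, and the date stamp uses UTC."""

    def __init__(self, folder, prefix="log", max_kbytes=2048, max_files=10,
                 daily_cap=None, clock=time.time):
        self.folder = folder
        self.prefix = prefix
        self.max_bytes = max_kbytes * 1024
        self.max_files = max_files
        self.daily_cap = daily_cap
        self.clock = clock          # injectable so the 24-hour window is testable
        self.counter = 0
        self.created = []           # (creation time, path) of files we made
        self.current = None
        os.makedirs(folder, exist_ok=True)

    def _base(self):
        # '%d' in the prefix expands to YYYYMMDD, as the evidence-log
        # File Prefix option does
        stamp = datetime.fromtimestamp(self.clock(), timezone.utc).strftime("%Y%m%d")
        return self.prefix.replace("%d", stamp)

    def _open_new(self):
        now = self.clock()
        if self.daily_cap is not None:
            recent = [t for t, _ in self.created if now - t < 86400]
            if len(recent) >= self.daily_cap:
                return False        # cap reached: no new file in this period
        self.counter += 1
        path = os.path.join(self.folder, f"{self._base()}{self.counter:04d}.enc")
        open(path, "wb").close()
        self.created.append((now, path))
        self.current = path
        # Maximum Number Of Files: drop the oldest once the limit is exceeded
        while len(self.created) > self.max_files:
            _, old = self.created.pop(0)
            if os.path.exists(old):
                os.remove(old)
        return True

    def write(self, record):
        """Append one record; start a new file when Maximum Size would be exceeded."""
        if self.current is None or os.path.getsize(self.current) + len(record) > self.max_bytes:
            if not self._open_new():
                return False
        with open(self.current, "ab") as f:
            f.write(record)
        return True

    def files(self):
        return [os.path.basename(p) for _, p in self.created if os.path.exists(p)]
```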

Back tracing is a BlackIce process that traces a network connection back to its origin. This process is invoked whenever BlackIce thinks an intruder is trying to access your computer. To back trace, BlackIce moves backwards through the path the external computer used to reach your computer. All Internet traffic travels through a series of servers and routers, and each of these points constitutes a hop. BlackIce identifies each one of these hops to determine where the intrusion started and how it arrived at your computer.

In effect, a back trace is the reverse of a trace route. You can perform a trace route at the command line by typing tracert target (where target is an Internet location, such as Microsoft.com, or an IP address). You can see all the hops between your computer and the target site. It’s an interesting exercise, and also a good way to tell how close your ISP is to the backbone servers on the Internet. The configuration options available on this tab, as shown in Figure 23-14, let you specify the severity level of attempted intrusion that initiates a back trace.

Figure 23-14  Specifying the circumstances under which you want BlackIce to initiate a back trace.

You need to configure the options for both an indirect trace and a direct trace. An indirect trace collects information without accessing the source of the intrusion, which means the intruder can’t detect the fact that a trace is in progress. A direct trace gathers information by accessing the source of the intrusion, which might be detected by the intruder. Some hackers block direct traces. Indirect traces don’t provide as much information as direct traces.

The severity threshold specification is a number assigned by BlackIce to determine how serious a threat is. BlackIce uses the following threshold definitions:

  • 0 (Informational)  This means an event has occurred that does not seem threatening. No action results.

  • 1–3 (Suspicious)  This means an event has occurred that is suspicious, but not threatening. For example, an intruder might be searching for open ports or other security weaknesses, but has not yet attempted to access the computer.

  • 4–6 (Serious)  This means an attempt has been made to access information on your computer.

  • 7–10 (Critical)  This means an intruder has made an attack and tried to damage a data file, tried to extract data from your computer files, or tried to crash the computer.

In addition to specifying the threshold, two other options are available for back tracing:

  • For an indirect back trace, select the DNS Lookup check box to have BlackIce query Internet DNS servers for information about the intruder’s point of origin.

  • For a direct back trace, select the NetBIOS Nodestatus check box to have BlackIce perform a NetBIOS lookup on the intruder’s system. If successful, this provides specific information about the source computer.

This tab, shown in Figure 23-15, is where to specify the computers and application events that BlackIce should trust or ignore. If your computer is part of a network, this is the place to indicate which network computers can access your system.

Figure 23-15  Naming the application and computer access events BlackIce should trust or ignore.

In the BlackIce lexicon, trusting means that the program excludes an IP address from its list of things to “watch.” Ignoring means that certain events (such as port scans or queries) from trusted sources don’t have to be investigated, nor do they trigger a log entry.

Click Add to open the Exclude From Reporting dialog box, and then type the addresses of the computers on your network. By default, BlackIce ignores all events from these computers. It would be unusual (and probably harmful) to change this setting.

The Notifications tab, shown in Figure 23-16, lets you specify how you want BlackIce to alert you about events that it deems important.

Figure 23-16  Configuring how and when BlackIce should alert you when a significant event occurs.

For event notification, you can specify the circumstances under which you want to receive a video and/or audio alert. The icons on the tab indicate the level of severity, and you can assume that the more icons there are, the more severe the event. By default, the system issues a video notification (pop-up message) when the most serious event occurs. You can lower the urgency level at which you want to see a notification, and you can also add an audio notification for any urgency level.

At the bottom of this window is an option to check the BlackIce Web site to see if any updates or fixes are available. If you select the Enable Checking check box, you must then specify how often you want to check the Web site.

Use the Prompts tab to specify whether or not you want to be prompted for confirmation when you perform certain actions in BlackIce. For example, you might want to turn off the confirmation dialog box that appears when you clear the event list or when you are notified of a blocked intrusion.

The Prompts tab also lets you configure the way tooltips are displayed when you’re using BlackIce.

The settings in the Application Control tab go beyond simple firewall protection. They are aimed at controlling the applications, and their processes, that are allowed to run on this computer (as shown in Figure 23-17).

Figure 23-17  Specifying the action BlackIce should take when an unknown or changed application tries to run.

When you installed BlackIce, it took the time (in fact, a lot of time) to make a list of all the applications installed on your computer. Those applications are allowed to run without interference, unless they’ve been changed since the original installation.

For any application that’s not on the list (including applications you install after you install BlackIce), you can specify what you want BlackIce to do when that application attempts to run.

The Communications Control tab, shown in Figure 23-18, specifies the circumstances under which this computer can send outbound data.

The Enable Application Protection check box, which is selected by default, tells BlackIce to monitor your computer for unauthorized outbound transmissions of local data.

When an unauthorized application attempts to access the network, BlackIce performs the action you select in this configuration tab. The choices are self-explanatory.

Figure 23-18  Protecting your computer from applications and processes that attempt to obtain local data.

BlackIce provides configuration options for its firewall activities, and you can view or change the options by selecting Advanced Firewall Settings on the Tools menu. As you can see in Figure 23-19, BlackIce can block or allow access from certain ports or addresses.

Figure 23-19  Configuring BlackIce advanced firewall settings.

If you’re on a network, you should add the addresses of computers on the network by clicking Add to open the Add Firewall Entry dialog box, shown in Figure 23-20.

Figure 23-20  The Add Firewall Entry dialog box.

Enter a name for the entity (for example, MyNetwork) and then enter the IP address or multiple addresses. For networks, be sure to select Accept in the Mode frame. On the other hand, if you’re trying to stop a particular IP address from accessing your computer, select Reject.

You can apply the Accept/Reject mode setting to all ports accessed by this IP address, or clear the All Ports check box and specify particular ports. You can also specify the duration of this Accept/Reject condition.

When you’ve finished the entry, click Add to return to the Advanced Firewall Settings dialog box, where your new entry appears in the list. You can modify the configuration of any entry in that list by selecting its listing and clicking Modify to open the Modify Firewall Entry dialog box, which offers the same options as the Add Firewall Entry dialog box, although some might be dimmed.

NOTE
The Options button opens a dialog box that lets you clear the option to warn you when an entity’s settings are about to expire.
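The Add Firewall Entry fields described above (a name, one or more addresses, Accept or Reject mode, All Ports or specific ports, and a duration) as an added Python model of how such entries decide inbound traffic; this is not BlackIce’s own code. The class and function names, CIDR networks as addresses, Reject entries taking precedence over Accept entries, and the expiry-warning helper are my assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class FirewallEntry:
    """One Add Firewall Entry record (hypothetical model of the dialog above).
    Addresses may be single IPs or CIDR networks (assumed); ports=None means
    All Ports; expires=None means the entry never expires."""

    def __init__(self, name, addresses, mode, ports=None, expires=None):
        assert mode in ("accept", "reject")
        self.name = name
        self.networks = [ip_network(a, strict=False) for a in addresses]
        self.mode = mode
        self.ports = set(ports) if ports else None
        self.expires = expires

    def matches(self, src_ip, dst_port, now):
        if self.expires is not None and now >= self.expires:
            return False                      # expired entries no longer apply
        if self.ports is not None and dst_port not in self.ports:
            return False
        return any(src_ip in n for n in self.networks)

    def expiring_within(self, now, warn_window):
        # models the 'warn when an entity's settings are about to expire' option
        return self.expires is not None and now <= self.expires <= now + warn_window


def decide(entries, src, dst_port, now, default="reject"):
    """Return (verdict, entry name). Reject entries win over Accept entries
    (assumed); traffic matching no entry gets the protection-level default."""
    src_ip = ip_address(src)
    hits = [e for e in entries if e.matches(src_ip, dst_port, now)]
    for e in hits:
        if e.mode == "reject":
            return "reject", e.name
    if hits:
        return "accept", hits[0].name
    return default, None
```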

While your computer is running, BlackIce works behind the scenes to perform its function. To reconfigure the software, view logs, or turn off the software, right-click the BlackIce icon in the notification area and choose the appropriate item from the shortcut menu.
