1st Mar 2002 [SBWID-5157]
COMMAND
Tiny personal firewall permits bypass when accessing console, even if
locked
SYSTEMS AFFECTED
2.0.15a
PROBLEM
Andrew Barkley reported the following about Tiny Personal Firewall:
The popup alert/dialogue jumps to the foreground, thus open to accept
permit/deny input from the local console, even when the workstations
are locked (ctl + alt + del). Thus an untrusted individual who has
local access to individuals' workstations can scan a
workstation/network, wait for the popup alert dialogue and enter
"permit" on unattended (locked) workstations without the owner's
permission/knowledge. No need to first unlock (ctl + alt + del).
Update (6 March 2002)
=====================
elfs added :
If we take a look at the WinAPI help for, i.e. MessageBox, we see that it
has a flag (Windows NT only) called MB_SERVICE_NOTIFICATION:
(..) The caller is a service notifying the user of an event. The function
displays a message box on the current active desktop, even if there is
no user logged on to the computer (..)
So we can write a small test program:
---[ test.c ]---
#include <windows.h>

int main(void)
{
    Sleep(3000);                          // Pause, to give you time to lock
                                          // the computer
    MessageBox(
        NULL,                             // HWND, should be NULL
        "Who cares if we are locked?",    // Messagebox text
        "Test",                           // Messagebox caption
        MB_OK | MB_SERVICE_NOTIFICATION   // Flags
    );
    return 0;
}
and this gives a chance for almost any application to communicate with the
user on WinNT, even if the computer is locked.
SOLUTION
Tom Geldner suggests :
Unchecking "Ask for action when no rule is found" on the Advanced tab
will effectively stop the popups. You can also force TPF to require a
password for any activity.