The pros and cons of Windows Firewall

Windows Firewall debuted with the release of Windows XP, and Windows XP Service Pack 2 enabled this feature by default. This host-based stateful firewall replaced Windows' Internet Connection Firewall.

This feature's default configuration rejects incoming IP traffic unless you've specifically allowed it. To configure or adjust the Windows Firewall settings, go to Start | Control Panel, and double-click the Windows Firewall applet. Let's take a closer look at the various settings.

Know your options
On the General tab, you can use the On and Off radio buttons to enable or disable Windows Firewall. You can also choose to disallow exceptions.

The Exceptions tab includes a list of programs and services that you can select or deselect to allow or remove access to the network. You can also add or delete ports (both TCP and UDP).

When adding programs or ports, you also have the following options to limit the scope of access: Any Computer (Including Those On The Internet), My Network (Subnet) Only, or Custom List, which allows you to choose a mix of IP addresses and subnets.

On the Advanced tab, you can choose which connections the firewall will apply to, and you can specify logging features. You can also control, with some granularity, how the firewall handles Internet Control Message Protocol (ICMP) packets.

Finally, if you get completely lost and make changes that prevent the computer from connecting to the Internet, you can click the Restore Defaults button. This removes all of your changes, returning Windows Firewall to the Microsoft default state.

Know how to adjust the settings
You can use the method described above to manually change the Windows Firewall settings. However, you can also use a variety of methods more suited for enterprise deployments. Here are some of your options:

• Unattend.txt: You can use this text file used during unattended setup when deploying multiple systems that have similar configurations.
• Netfw.ini: You can modify and deploy this file via login scripts or a control system such as Systems Management Server (SMS). You can find this file in the %windir%\Inf folder.
• Netsh: You can execute this command at the command prompt or through a scripted batch file deployed at login.
• Group Policy: In an Active Directory environment you can use Group Policy to deploy Windows Firewall configurations. Update existing Group Policy Objects with the Windows Firewall policy settings from the updated System.adm template included with Windows XP SP2. You can find these new settings under Computer Configuration | Administrative Templates | Network | Network Connections.

Of course, all of these available configuration and deployment options beg the question: Does this firewall adequately protect your computer?

The Windows Firewall does a good job of proxying inbound responses to outbound connection requests, and it does a good job of blocking inbound connection requests for TCP or UDP conversations that you haven't initiated. It will block any connection attempts that you haven't specifically allowed in the settings. However, that's only half of what a firewall needs to do.

A firewall should also monitor, inspect, and proxy outbound communication -- and this is where Windows Firewall fails. Any program on your computer can initiate any type of connection to any IP address on the Internet, and the Windows Firewall will sit by passively and let it happen!

Don't let any prompts fool you: Even though it tells you a program has initiated a connection to the Internet and asks if you want to allow this connection, the connection has already occurred. What it's really asking is whether you want to allow the Internet to connect to this program.

Final thoughts
As far as I'm concerned, a firewall mechanism that only works one way is a security feature -- not a firewall. Thanks to viruses, worms, Trojans, and a host of other malware and spyware that arrive on your computer daily, you need to be able to control communications from both directions.

Every computer connected to any network (e.g., dial-up, Ethernet, or wireless) needs a firewall, and Windows Firewall just isn't up to the task. Find yourself a free firewall or pay for one from a reputable vendor, but don't let Windows Firewall fool you into thinking it completely protects your computer. Half a firewall is no better than no firewall at all.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2006 TechRepublic, Inc.

• Related stories

• Alerts

Add your opinion

Question Anonymous -- 22/04/06 (in reply to #120133165)

The logical in this article seeems to be flawed. How does any host firewall stop a malicious program from reconfiguring the outbound rules to just let it through?

• Reply to comment
• Report offensive content

I disagree John C -- 22/04/06

I dont agree with this article, yes windows firewall is "only half a firewall" in essence but its definetly better than no firewall at all. Windows firewall blocks illegitimate incoming requests PERIOD. If you arent dumb about what gets on your computer you shouldnt have a big problem with outgoing requests from spyware etc. For an average PC user that usually has some sort of virus scanner this type of firewall is fine; these sorts of users wont understand ZoneAlarm popping up asking if IEXPLORE.exe can access port 80 in the first place. I used to use zone alarm and I found it took up alot of memory and some of the "allow" popups annoying. Bottom line if you run a clean computer there is no reason to not use windows firewall.

• Reply to comment
• Reply to story
• Report offensive content

I disagree John C -- 22/04/06

I dont agree with this article, yes windows firewall is "only half a firewall" in essence but its definetly better than no firewall at all. Windows firewall blocks illegitimate incoming requests PERIOD. If you arent dumb about what gets on your computer you shouldnt have a big problem with outgoing requests from spyware etc. For an average PC user that usually has some sort of virus scanner this type of firewall is fine; these sorts of users wont understand ZoneAlarm popping up asking if IEXPLORE.exe can access port 80 in the first place. I used to use zone alarm and I found it took up alot of memory and some of the "allow" popups annoying. Bottom line if you run a clean computer there is no reason to not use windows firewall.

• Reply to comment
• Reply to story
• Report offensive content

I disagree John C -- 22/04/06

I dont agree with this article, yes windows firewall is "only half a firewall" in essence but its definetly better than no firewall at all. Windows firewall blocks illegitimate incoming requests PERIOD. If you arent dumb about what gets on your computer you shouldnt have a big problem with outgoing requests from spyware etc. For an average PC user that usually has some sort of virus scanner this type of firewall is fine; these sorts of users wont understand ZoneAlarm popping up asking if IEXPLORE.exe can access port 80 in the first place. I used to use zone alarm and I found it took up alot of memory and some of the "allow" popups annoying. Bottom line if you run a clean computer there is no reason to not use windows firewall.

• Reply to comment
• Reply to story
• Report offensive content

I disagree too Anonymous -- 22/04/06

The Windows Firewall is there, it's well integrated, it's very easy to manage for the administrator through Group Policy, it's clearly better than nothing, I can't feel any performance degradation and it doesn't ask all the questions that users below system administrator level cannot answer anyway.

The last point is often missed by all us experts and the solution is not to have a firewall block everything silently because the user would just find that some application on his computer is not working and won't be able to troubleshoot the problem down to a firewall issue and solve it himself.

Perhaps he will just accept that the problem is there (users tend to accept that their computer isn't working 100 %) or he will then have to call his Helpdesk spending their time as well as his own.

Antivirus, Firewalls and Anti-spyware all slow down computers and actually often causes Windows to crash in my own experience so you really have to think twice before adding more and more security software.

• Reply to comment
• Reply to story
• Report offensive content

I have a better firewall for my family PC Juan Màrquez -- 22/04/06

I don´t use the crappy XP's built-in firewall. I have a better one that stops all sorts of spyware dead in it's tracks without annoying whoever happens to be using the family PC. It's my Mac, yes, you heard it. I put my Mac in the web link (DSL) and hook the PC to my Mac and then I share the DSL conection from my Mac to the PC. In that way the vastly superior OSX built-in firewall takes over the role of keeping the malware out and the line that the PC receives is already cleaned up by the Mac.

• Reply to comment
• Reply to story
• Report offensive content

unbelievably stupid Anonymous -- 24/04/06 (in reply to #120133176)

You don't even understand what you have done, do you?

• Reply to comment
• Report offensive content

PC as firewall... Anonymous -- 24/04/06 (in reply to #120133176)

Obviously someone didn't read that little notation Microsoft put in about connecting your home network to the internet through another computer. Although Mac OSX and Linux based computer do provide far better protection than MS Windows, and its buit in backdoor.

• Reply to comment
• Report offensive content

You idiot Anonymous -- 28/04/06 (in reply to #120133176)

What the hell are you smoking dude. That is undoubtably the most idiotic thing i will read all day.

• Reply to comment
• Report offensive content

Yes, it doesn't have outbound protection... but... fastgeek -- 22/04/06

As the subject says, while Windows Firewall doesn't have outbound protection I personally feel that IF you *need* outbound protection you have bigger problems to deal with. Further bloated programs like Symantec/Norton & McAfee seem to be causing more and more problems and bring "modest" systems to their knees under the strain of all the crap N/Mc install. Further, when McAfee "Privacy Service" prevents upgrades from MCAFEE SERVERS it just goes to show that these products often cause more problems than they solve.

IMHO Windows Firewall + AVG or NOD32 + Spyware Blaster + Spybot + MVPS Host File + Router (even for a single user) is all that's really needed to keep a computer clean. Or, more importantly, educating the user; because no amount of hardware/software is going to prevent a truly ignorant user from screwing up their computer again and again.

• Reply to comment
• Reply to story
• Report offensive content

"Half a firewall is no better than no firewall at all" Steve -- 22/04/06

I run my system with the Windows Firewall, AVG free and Spybot and have never had an infection.

On my laptop however, at one time I had disabled the Windows Firewall and took it to uni and plugged it into the network forgetting that the firewall was disabled. I had AVG on there and almost straight away I had received Blaster off the network (this was some time ago) With the Windows Firewall enabled on my LAN connection I wouldn't have picked it up.

So "half a firewall" is definitely better than none at all, and for educated users in my opinion even better, as its one less bloat for my system and doesn't require my constant attention with its annoying prompts.

• Reply to comment
• Reply to story
• Report offensive content

windows Fortress -- 04/05/06 (in reply to #120133180)

yes having half is better than nother, however it cant be said that windows firewal is secure. its only barebones you all

• Reply to comment
• Report offensive content

I disagree with all of you Anonymous -- 25/04/06

Software firewalls are worthless feelgood fluffware that make idiots feel better about their computers. In the real world all they do is slow down PCs, break applications and induce panic. Get a freaking hardware firewall and as far as outbound, if your PC is not already a zombie, who needs outbound?

• Reply to comment
• Reply to story
• Report offensive content

Re: I disagree with all of you Anonymous -- 30/04/06 (in reply to #120133324)

Not a very proactive solution when you consider all the wireless hotspots springing up around the world.

• Reply to comment
• Report offensive content

Regarding outbound connection detected prompt Anonymous -- 27/04/06

Hi, Are you sure that the winxp firewall allows the outbound packet to go thro it before it prompts you. Because at a technical level I don't see any reason as to why winxp firewall cann't block a packet from going out of the machine before getting a confirmation from the user.

• Reply to comment
• Reply to story
• Report offensive content

Yes Windows Firewall allows all outbound traffic Anonymous -- 04/05/06 (in reply to #120133448)

The article was misleading. A Windows Firewall popup asking permission is not asking after sending, it's really asking if an application can open a port to listen on for requests from other machines on the network.

• Reply to comment
• Report offensive content

Article is technically wrong! Anonymous -- 03/12/08

Start/Run/mmc.exe
add "Windows Firewall with Advanced Security..." and you can change "outbound" rules.
But I do agree that the "end user GUI" is missleading. And after enabling a "default deny" policy on outbound, be prepared to make exceptions. IE won't work without an exception rule. And any "End user GUI" requester on allowing thing still only handles inbound stuff.

Google this and you'll find very few pages on this subject, <10... but on this "won't work on outbound" subject there are many hits.... but then again... End users are usually 'users'.

• Reply to comment
• Reply to story
• Report offensive content

• Just In

• Most Popular

• Most Discussed

Reader Services

Popular Topics

Essentials