Vista firewall shackled due to customer demand: Microsoft

The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant.

When Windows Vista is released early next year its firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. According to a statement from Microsoft, the firewall's protection will be curbed in order to make life easier for the company's enterprise customers.

"Because the nature of an outbound firewall is to restrict the traffic sent to specific ports, the outgoing access in the Windows Vista firewall is open by default," a Microsoft spokesperson told ZDNet Australia. "The reason for this is Microsoft has received strong feedback from its customers, especially from large organisations and government departments, saying that they would like to manage this feature from an administrator level."

Microsoft claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements.

"Users need to understand how their applications undertake communication and connections and the associated threats and risks. This security requirement will vary amongst users and Microsoft is providing the capability to allow users to determine how they wish to leverage this security capability," the Microsoft spokesperson said.

Firewall specialist Zone Labs claims that users will require a "fairly high level of sophistication" in order to properly configure the Vista firewall. For consumers, the company said the task will be nothing less than "challenging".

"Outbound protection requires a fairly high level of sophistication to engage, and reports indicate that Microsoft expects that functionality to be used by IT professionals in a business networking environment," Laura Yecies, general manager at Zone Labs told ZDNet Australia.

"For consumers, it is challenging at best," she added.

Security specialist Michael Warrilow, director of Sydney-based analyst firm Hydrasight, believes that Microsoft has found it too difficult to create an all encompassing firewall. However, he said that by throttling the capabilities of the firewall the company is not ignoring its non-technical customer base.

"In effect, Microsoft is putting outbound [protection] in the 'too hard basket' for the time being," Warrilow told ZDNet Australia. "The firewall is to protect against inbound attacks -- instead of protecting the rest of the world from you."

The Microsoft spokesperson said that Vista's firewall is just one layer of security in the new operating system: "New features such as User Account Control (UAC), Windows Defender, and Internet Explorer Protected Mode along with improvements to Windows Firewall and Windows Update work together to help shield Windows Vista PCs from malware."

Advertisement

Print feature brought to you by Adobe

Talkback 14 comments

    Warrilow is an idiot Anonymous -- 26/04/06 (in reply to #120133412)

    The point of filtering outbound connections isn't just to protect the world from spambot-infested morons, it's to protect people from spyware.

    Mind you, Windows XP itself seems like the world's biggest piece of spyware at times, so it's no real surprise that Microsoft is (again) punting on real security for the end user.

    ^^^Typical knee-jerk, anti-MS reaction Anonymous -- 27/04/06 (in reply to #120133413)

    So, what would make you happy? Have MS disable the ability for applications to talk to the outside world at all and completely cripple Windows? Why should a typical user have to *enable* the ability to communicate? If Vista by default disabled talking to the outside world, that would have the effect of discouraging it--making it less common.

    Just as a tax discourages economic activity, making it harder to perform computer activities makes them less common.

    TEAM 99 shill Anonymous -- 27/04/06 (in reply to #120133416)

    HOW MUCH to hype vaporware
    Hasta la Vista is not even here

    nice Anonymous -- 07/05/06 (in reply to #120133416)

    So it's easier to end user to disable outgoing traffic on all ports except few that they really use than to have all ports closed and enable that few that they use. I think most users won't even notice that they should configure they firewalls. And all kinds of spyware, spammer bots etc will still work on new Windows. What a backward compatibillity.

    If Windows was secure there won't be need for antiviruses etc.
    Many people in anti* software companies would lost their jobs, I can bet they bosses are those big enterprise clients asking for open ports.

    PS.
    sorry for my english

    I tend to agree Anonymous -- 27/04/06

    I've been privately and publically stating since XPSP2, that there is no magic solution that will help both home users and enterprises.

    Therefore my suggestion is to have different default firewall settings based on the edition of the OS.

    WHat MS Should have done in XP SP2 is the enable the firewall if SP2 was instaleld to XP Home Edition (and/or XP Pro if not connected to a domain), and to not enable the firewall if installing to XP Pro connected to a domain.

    that's it - different settings for different flavours Anonymous -- 28/04/06 (in reply to #120133420)

    I whole heartedly agree with your statement. MS has told us they are targetting different versions at different segments of the market so I'm sure as part of the install they can enable or disable the outbound blocking capabilites of the firewall.

    Corp Manage rather then playing Ando -- 28/04/06 (in reply to #120133420)

    I'm not a techie but... Companies can mange the settings via group policies (GPO) rather then specific MS build type settings. This of course assumes a company is large enough to implement AD and use XP Pro.

    Microsoft has a sound profile of legitimate applications... George -- 27/04/06

    ... that are shipped with the OS so why not apply egress filtering based on such a profile by default? As part of any enterprise rollout many defaults are overridden in favor of locally-defined needs, but in the case of the individual private user, or small business who accepts most defaults an installs only a small number of third-party apps, this approach could serve to block traffic from moutains of illegitimate programs.

    If a user installs something deliberately ("click here to enhance your stamina!") they can also click, Zone Alarm style, to allow outgoing traffic from their shiny new app.

    I guess "Secure by design, secure by default, secure in deployment" only applies if it doesn't increase their support call load. Let's hear it for the status quo.

    Sounds like handwaving to me Lazlo Nibble -- 27/04/06

    It's a little weird for MS to claim that they have to preconfigure consumer versions of Vista to meet the needs of their enterprise customers, given that the enterprises are going to customize their security policies extensively before deploying the OS in the first place. Default-blocking inbound packets and default-allowing outbound packets doesn't help IT departments much -- they'll still have to configure the firewall to enable all kinds of services that are necessary inside a company firewall (messaging/alerts, collaboration apps, software deployment tools, etc.) but dangerous to expose on a box connected directly to the Internet.

    The real driver for this decision is probably that MS hasn't been able to create a consumer-friendly interface to manage outbound packet filtering, so enabling it out of the box in retail builds would be a customer-support nightmare.

    From MS Security Summit 2kmaro of DSLReports -- 27/04/06

    I just attended the MS Security Matters Summit in Dallas, TX. You should have heard their security lead's statements on the importance (or lack thereof) of a need for an outbound firewall. His claim was that it wasn't useful until now. ROFL. His argument stated that anything that got into the machine could compromise even the firewall, and so protecting from such things was futile. Guess he never heard of Adware which generally doesn't do much more than try to call home, or all of the cases where when firewall shutdown was attempted, the firewall companies took preventative action.
    As for user technical skills - MS should visit a couple of successful vendors such as ZoneLabs or Kaspersky and see how they deal with the novice user.
    MS seems to still be thinking at the enterprise level and trying to figure out how to make every user Cisco certified. Hey, MS, the end user doesn't need to learn firewall rule making - you simply need to provide the user with application level control for 95% of the situations.
    Perhaps they should have taken a lesson from their own book and simply bought or licensed an effective firewall and adapted it for integration into their new flagship OS just as they did with Giant Anti-Spyware and/or Visio.

    copy edit this story! Anonymous -- 28/04/06

    "The firewall in Windows Vista will have half its protection turned off by default"

    half? HAVE

    Are you people high school dropouts?

    Um, no High school graduate -- 28/04/06 (in reply to #120133485)

    Uh...dude. Will have half. As in will have 50 percent.

    "Protecting the world from you is" hilarious!!! Anonymous -- 05/05/06

    it's as if it's more likely that an average user is able to activate the outgoing connections control than a hacker being able to deactivate it (as if the hacker uses windows, too).

    The unsaid part of this is all the spyware/trojan stuff that will be left unmonitored on the users' computers.

    Firewall was deliberatly crippled Anonymous -- 25/06/08

    Why dont people say it how it is, Microsoft deliberatly leaves security holes in its operating systems, they have always done it and will continue to do it. Just as it was no accident that netbios over tcp was enabled by default in windows 95 and 98, and took a level of tcp/ip knowledge way over and above that of most users to change it, it is also no accident that
    Microsft left this Vista firewall crippled by leaving outbound filtering switched off by default, and requiring a level of technical knowledge that most users do not have, in order to configure it .

Add your opinion

Latest Videos

Sponsored content

Power Centre - Content from our premier sponsors

Blogs

  • David Braue Forget the NBN, 100Mbps is already here
    Telstra and TransACT will shortly begin offering 100Mbps broadband to many customers. By moving early, the companies have not only raised the bar for Australia's broadband services, but thrown down a challenge to a government that now faces increased pressure to deliver the NBN as promised.
  • Array IT: Govt's cost-cutting bitch
    The government needs to stop looking at IT as a necessary evil or the place to remove costs when the Treasurer comes calling.
  • Array Can complaints on mobile content be cut?
    On 1 July this year the new Mobile Premium Services Code was introduced. It sounds like it's had a good impact, but is it enough?
  • More blogs »

Tags

  1. 489 articles are tagged with 3g
  2. 41 articles are tagged with afact
  3. 83 articles are tagged with asic
  4. 141 articles are tagged with ato
  5. 1306 articles are tagged with broadband
  6. 69 articles are tagged with cba
  7. 14 articles are tagged with cenitex
  8. 670 articles are tagged with cio
  9. 253 articles are tagged with conroy
  10. 132 articles are tagged with contract
  11. 47 articles are tagged with david thodey
  12. 155 articles are tagged with exchange
  13. 152 articles are tagged with firewall
  14. 129 articles are tagged with fujitsu
  15. 53 articles are tagged with gnome
  16. 1033 articles are tagged with government
  17. 22 articles are tagged with hfc
  18. 790 articles are tagged with hp
  19. 1304 articles are tagged with ibm
  20. 222 articles are tagged with iinet
  21. 289 articles are tagged with isp
  22. 7 articles are tagged with jodee rich
  23. 13 articles are tagged with longhaus
  24. 35 articles are tagged with michael malone
  25. 1481 articles are tagged with microsoft
  26. 35 articles are tagged with mike quigley
  27. 51 articles are tagged with minchin
  28. 1127 articles are tagged with mobile
  29. 218 articles are tagged with national broadband network
  30. 396 articles are tagged with nbn
  31. 201 articles are tagged with new zealand
  32. 195 articles are tagged with nsw
  33. 61 articles are tagged with one.tel
  34. 929 articles are tagged with open source
  35. 885 articles are tagged with optus
  36. 20 articles are tagged with pipe networks
  37. 171 articles are tagged with queensland
  38. 2650 articles are tagged with security
  39. 53 articles are tagged with senate
  40. 69 articles are tagged with separation
  41. 9 articles are tagged with sp telemedia
  42. 176 articles are tagged with sydney
  43. 232 articles are tagged with telco
  44. 61 articles are tagged with telecom nz
  45. 2441 articles are tagged with telstra
  46. 138 articles are tagged with tender
  47. 25 articles are tagged with thodey
  48. 31 articles are tagged with tpg
  49. 176 articles are tagged with victoria
  50. 79 articles are tagged with wholesale

Back to top

Featured