Windows Vista's Firewall offers false sense of security
by ZDNet Author | February 5, 2007 2:49pm PST
The most natural starting point for firewall configuration?
For David Berlind's write-up on Vista's inadequate personal firewall, see his blog post in ZDNet's TestBed blog.
Same problem they had with file sharing -- which is probably why they originally set the default share permissions to "Everyone - Full Control" and then to "Everyone - Read" to make it easy for idiots to share a folder.
Nothing new in this logic -- some organizations make everyone a member of the "Administrators" (or heaven forbid, "Domain Administrators") group to give them easy access to everything. Usually the trick of a lazy or ignorant admin.
In any case -- it is a no-win situation for them. If they made things too tight out of the box, they'd have tens of millions of complaints because nothing works -- if they do it as they have done -- they get millions of complaints because it is insecure by default. No way to make everyone happy.
From my own experience the "help" in Windows has always been a laugh -- it says nothing you didn't already know, and there is no reliable way to get more verbose information. Or even worse it is ambiguous and counterintuitive. In 95%+ of the cases you're better off googling for the answer.
That task would be the job of administrators in a business, and residential home users who don't want to learn the work of sysadmin to send our emails to relatives and buy airline tickets. "Idiot" users, in a business environment, would not be responsible for such configuration problems, so I guess you're not talking about business users at all here.
Nothing new in this logic -- some organizations make everyone a member of the "Administrators" (or heaven forbid, "Domain Administrators") group to give them easy access to everything. Usually the trick of a lazy or ignorant admin.
I agree. Why is Microsoft programming to make their jobs easier at the expense of safety, instead of programming on the assumption that admins are informed & industrious, i.e. that the person logged in as admin is legitimate, either as the administrator of the computer in a business, or the owner of it in a home?
In any case -- it is a no-win situation for them. If they made things too tight out of the box, they'd have tens of millions of complaints because nothing works -- if they do it as they have done -- they get millions of complaints because it is insecure by default. No way to make everyone happy.
I disagree. I think catering to lazy & ignorant sysadmins is Microsoft's #1 user satisfaction problem. For legitimate home users, "hiding" important configuration options in the labyrinthine registry defeats the purpose of a GUI. Your point about lazy & ignorant admins is accurate, but Microsoft's workaround extends to legitimate purchasers of Windows the assumption that the person using the software is a disgruntled cubicle zombie and shouldn't have control over our own computers. As a former customer of Microsoft products in my home, I found that offensive enough to learn my way around Linux. If the prices were comparable I'd have just bought a Mac, but by the time Apple's prices dropped to the range of Microsoft, I had already invested so much time learning Linux that now the cost of an Apple will also not be attractive to me any time soon.
How hard could it have been to add a first run wizard that asks "Would you like the firewall to be permissive or restrictive, click here for more information" that leads to a choice where the user selects "Allow all unless..." or "Allow none unless...".
MS needs to rework the firewall to make it possible to make a block all unless I specifically allow it option. Ironically, you can't really rely on ZoneAlarm now either since it has MS exceptions to the rules for its phone home services. Anyone know of a software based Vista firewall that does ONLY what you tell it to do, that might be good info for a new story, "Firewalls that do what you need and what you tell it to do" which INCLUDES blocking WGA if you actually wanted to.
Thank goodness they at least kept the deny all except on the incoming side. In defense of MS however, if they had made a complete firewall that was easy to use on the outbound side and had the block all with easy pop ups asking, do you want to allow XYZ to access the internet, then Firewall Software Suppliers would scream. As it stands now, the only ones affected are customers.
TripleII
1/ It's more secure. Right, that is now obvious.
2/ It's easier to use. Clearly the story shows that to be true...
3/ Oh yeah, and the poor Google knock-off desktop search with gadgets. (Try using that "easy" program
It took 5 years for this? I have a better idea. Get a Mac.
Nothing in your simile has anything to do with the WVF - if we agree with the article that it is a piece of rubbish, just say that
God forbid somebody take a joke anymore...
(I'm sure if he said "hieroglyphics" somebody from Egypt would have logged on to complain)
There, that wasn't hard was it?
Try & block IM or anything outbound and you will find that AFW Allows ALL outbound traffic regardless of AFW Rules!
click "Windows Firewall Properties"
edit each tab as needed to block outbound connections
"Domain Profile" "Private Profile" "Public Profile"
Wow Firefox can't find the server at www.....
Now I can start working on the exceptions for outbound, they're not proffered up for exception status when blocked, like other firewall programs we're all familiar with.
Internet antivirus program already prevents web pages loading.
Image error cannot find problem and suggested using IE 7.
With IE 7 same problem existed.
Many online gaming sites like aol games, pogo.com, and slingo.com will not load pages. Suggested support sites say to go to internet options under security click on trusted site and use https:/127.0.0.1 and this would stop the web page error.
It didn't help at all.
If I knew windows vista had no compatible antivirus/firewall/spyware protection except for norton which I really hate by the way, anyway, I found avast was compatible but no firewall, or spyware/adware protection. Aol users will find win vista and norton together is a real bad idea and frustrating as javasun activex and applets will make you throw your pc out the door.
So, the win firewall is never going to shut down either the box still pops up with the close/block on it. I've shut down the firewalls and still web pages get errors using java/flash/shockplayer/aol/IE 7. Anyone got any ideas?