Windows Vista's Firewall offers false sense of security
The right place to go to configure outbound blocking
For David Berlind's write-up on Vista's inadequate personal firewall, see his blog post in ZDNet's TestBed blog.
Talkback: most recent of 15 talkback(s)
Users would gripe...
If Microsoft set the 'deny by default, allow by exception' rule, idiot users would scream bloody murder when they installed the firewall and nothing worked by default.
Same problem they had with file sharing -- which is probably why they originally set the default share permissions to "Everyone - Full Control" and then to "Everyone - Read" to make it easy for idiots to share a folder.
Nothing new in this logic -- some organizations make everyone a member of the "Administrators" (or heaven forbid, "Domain Administrators") group to give them easy access to everything. Usually the trick of a lazy or ignorant admin.
In any case -- it is a no-win situation for them. If they made things too tight out of the box, they'd have tens of millions of complaints because nothing works -- if they do it as they have done -- they get millions of complaints because it is insecure by default. No way to make everyone happy.
Marty R. Milette, 6th Feb 2007
I guess the thing to do is
They should provide good security out of the box. And then they should provide information and wizards that are good enough to make it simple even for those without knowhow.
From my own experience the "help" in Windows has always been a laugh -- it says nothing you didn't already know, and there is no reliable way to get more verbose information. Or even worse, it is ambiguous and counterintuitive. In 95%+ of the cases you're better off googling for the answer.
M.Fridholm, 10th Feb 2007
Which users?
> If Microsoft set the 'deny by default, allow by exception' rule, idiot users would scream bloody murder when they installed the firewall and nothing worked by default.
That task would be the job of administrators in a business, and residential home users who don't want to learn the work of sysadmin to send our emails to relatives and buy airline tickets. "Idiot" users, in a business environment, would not be responsible for such configuration problems, so I guess you're not talking about business users at all here.
> Nothing new in this logic -- some organizations make everyone a member of the "Administrators" (or heaven forbid, "Domain Administrators") group to give them easy access to everything. Usually the trick of a lazy or ignorant admin.
I agree. Why is Microsoft programming to make their jobs easier at the expense of safety, instead of programming on the assumption that admins are informed & industrious, i.e. that the person logged in as admin is legitimate, either as the administrator of the computer in a business, or the owner of it in a home?
> In any case -- it is a no-win situation for them. If they made things too tight out of the box, they'd have tens of millions of complaints because nothing works -- if they do it as they have done -- they get millions of complaints because it is insecure by default. No way to make everyone happy.
I disagree. I think catering to lazy & ignorant sysadmins is Microsoft's #1 user satisfaction problem. For legitimate home users, "hiding" important configuration options in the labyrinthine registry defeats the purpose of a GUI. Your point about lazy & ignorant admins is accurate, but Microsoft's workaround extends to legitimate purchasers of Windows the assumption that the person using the software is a disgruntled cubicle zombie and shouldn't have control over our own computers. As a former customer of Microsoft products in my home, I found that offensive enough to learn my way around Linux. If the prices were comparable I'd have just bought a Mac, but by the time Apple's prices dropped to the range of Microsoft, I had already invested so much time learning Linux that now the cost of an Apple will also not be attractive to me any time soon.
Absolutely, 10th Jul 2007
So, essentially, "Deny All Except" is impossible?
It appears to be impossible, IMPOSSIBLE to absolutely configure Vista as "Allow none except". This means that someone who spent 45 hours manually blocking every program currently installed, manages to get spyware installed and since there is no rule, it is allowed access.
How hard could it have been to add a first run wizard that asks "Would you like the firewall to be permissive or restrictive, click here for more information" that leads to a choice where the user selects "Allow all unless..." or "Allow none unless...".
MS needs to rework the firewall to make it possible to have a "block all unless I specifically allow it" option. Ironically, you can't really rely on ZoneAlarm now either, since it has MS exceptions to the rules for its phone-home services. Anyone know of a software-based Vista firewall that does ONLY what you tell it to do? That might be good info for a new story, "Firewalls that do what you need and what you tell them to do", which INCLUDES blocking WGA if you actually wanted to.
Thank goodness they at least kept the deny all except on the incoming side. In defense of MS however, if they had made a complete firewall that was easy to use on the outbound side and had the block all with easy pop ups asking, do you want to allow XYZ to access the internet, then Firewall Software Suppliers would scream. As it stands now, the only ones affected are customers.
TripleII, 6th Feb 2007
THIS IS REALLY A COMPUTER!
I know a few things in life, so I'm ready to take on an operating system install in my one thousand dollar computer? At the Super Bowl they ask somebody to step forward from the stands and install Windows Vista. You wouldn't do it there, but in the privacy of your own home, or worse yet in your corporate headquarters, you insist that you can do it.
BALTHOR, 6th Feb 2007
Hmmmm... Buy Vista because...?
Let's see now. The "compelling" reasons Microsoft gives to pay $200 for Vista are:
1/ It's more secure. Right, that is now obvious.
2/ It's easier to use. Clearly the story shows that to be true...
3/ Oh yeah, and the poor Google knock-off desktop search with gadgets. (Try using that "easy" program
It took 5 years for this? I have a better idea. Get a Mac.
davidt@..., 6th Feb 2007
Hmmmm, let's see . . .
So far Vista, stripped of all the usual "Microlost" BS, fails to justify its existence, let alone paying anything for an overdressed version of XP. Getting a Mac or converting to Ubuntu? Absolutely!
wgraue, 6th Feb 2007
Keystone cops anyone?
This is like building a house from the roof down with blueprints written in Sanskrit.
edinnc@..., 6th Feb 2007
Sanskrit and bad similes
Only to someone who doesn't know Sanskrit. Aren't you showing your ethnic preferences somewhat here? And tying a language used for writing sacred text to the Keystone Cops is doubly so.
Nothing in your simile has anything to do with the WVF - if we agree with the article that it is a piece of rubbish, just say that.
takas20, 7th Feb 2007
Relax...
I'm sure he meant no offense to people who know Sanskrit - it was meant as a harmless joke, I certainly got it. Take a pill and call off your lawyers...
God forbid somebody take a joke anymore...
(I'm sure if he said "hieroglyphics" somebody from Egypt would have logged on to complain)
scottz29, 7th Feb 2007
But you CAN block all outgoing....
If you go to the Windows Firewall With Advanced Security screen (as shown in image 17) and click the clearly labelled Configure Windows Firewall, you are presented with a tabbed profile dialog which enables you to either block or allow all incoming or outgoing traffic for the different firewall configurations (domain/public/private).
There, that wasn't hard was it?
Crash2975, 7th Feb 2007
You CANNOT block outbound anything w/ AFW
CRASH, you are mistaken & apparently didn't TEST your configuration after creating it.
Try & block IM or anything outbound and you will find that AFW allows ALL outbound traffic regardless of AFW rules!
JorgeDW, 31st Mar 2009
Other Firewalls.
That is precisely why I use Zonelabs Suite on all my machines.
jeroldo@..., 8th Feb 2007
Thanks Crash2975
From the "Windows Firewall With Advanced Security" screen:
- click "Windows Firewall Properties"
- edit each tab as needed to block outbound connections: "Domain Profile", "Private Profile", "Public Profile"
Wow Firefox can't find the server at www.....
Now I can start working on the exceptions for outbound; they're not proffered up for exception status when blocked, like in other firewall programs we're all familiar with.
reefgroup@..., 8th Feb 2007
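The per-profile outbound block described in the post above can also be applied and checked from the command line. This is an added example, not code from the original post or from Microsoft, using the netsh advfirewall commands that ship with Vista's firewall, run from an elevated PowerShell prompt; the Firefox path, the backup file name and the rule names are assumptions.

```powershell
# Added example: "block outbound by default, allow by exception" via netsh
# advfirewall, mirroring the Domain/Private/Public tabs in the GUI.
# Run from an elevated PowerShell prompt. Paths and rule names are assumptions.

# 1. Back up the current policy so the change can be rolled back with
#    'netsh advfirewall import <file>'.
$backup = "$env:USERPROFILE\fw-before-outbound-block.wfw"
netsh advfirewall export "$backup"

# 2. Weak default: each profile reports "BlockInbound,AllowOutbound".
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'

# 3. Corrected setting: block inbound AND outbound by default on all three
#    profiles at once (same as editing each tab in the properties dialog).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. Blocked programs are not prompted for, as the post notes, so every
#    permitted program needs its own explicit outbound allow rule.
#    Firefox install path assumed; adjust to the real location.
$firefox = "C:\Program Files\Mozilla Firefox\firefox.exe"
netsh advfirewall firewall add rule name="Allow Firefox outbound" `
    dir=out action=allow program="$firefox" enable=yes profile=any

# 5. Verify: the policy line should now read "BlockInbound,BlockOutbound"
#    and the new rule should be listed with Action: Allow, Direction: Out.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name="Allow Firefox outbound"
```

After step 3, open the browser and confirm it only connects once its allow rule exists; an unlisted program failing to reach the network is the expected result, not an error.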
Web Page Errors winvista
Brand new HP Pavilion notebook, and Windows Vista plus the Norton internet antivirus program already prevents web pages loading.
Image error: cannot find problem, and suggested using IE 7.
With IE 7 the same problem existed.
Many online gaming sites like AOL games, pogo.com, and slingo.com will not load pages. Suggested support sites say to go to Internet Options under Security, click on Trusted Sites and use https:/127.0.0.1, and this would stop the web page error.
It didn't help at all.
If I knew Windows Vista had no compatible antivirus/firewall/spyware protection except for Norton, which I really hate by the way... anyway, I found Avast was compatible, but no firewall or spyware/adware protection. AOL users will find Windows Vista and Norton together is a real bad idea and frustrating, as Java, Sun ActiveX and applets will make you throw your PC out the door.
So, the Windows firewall is never going to shut down either; the box still pops up with the close/block on it. I've shut down the firewalls and still web pages get errors using Java/Flash/Shockwave player/AOL/IE 7. Anyone got any ideas?
vistahater63, 10th Feb 2007