Vista firewall shackled due to customer demand: Microsoft

Vista firewall shackled due to customer demand: Microsoft

Summary: The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant.When Windows Vista is released early next year its firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic.

The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant.

When Windows Vista is released early next year its firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. According to a statement from Microsoft, the firewall's protection will be curbed in order to make life easier for the company's enterprise customers.

"Because the nature of an outbound firewall is to restrict the traffic sent to specific ports, the outgoing access in the Windows Vista firewall is open by default," a Microsoft spokesperson told ZDNet Australia. "The reason for this is Microsoft has received strong feedback from its customers, especially from large organisations and government departments, saying that they would like to manage this feature from an administrator level."

Microsoft claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements.

"Users need to understand how their applications undertake communication and connections and the associated threats and risks. This security requirement will vary amongst users and Microsoft is providing the capability to allow users to determine how they wish to leverage this security capability," the Microsoft spokesperson said.

Firewall specialist Zone Labs claims that users will require a "fairly high level of sophistication" in order to properly configure the Vista firewall. For consumers, the company said the task will be nothing less than "challenging".

"Outbound protection requires a fairly high level of sophistication to engage, and reports indicate that Microsoft expects that functionality to be used by IT professionals in a business networking environment," Laura Yecies, general manager at Zone Labs told ZDNet Australia.

"For consumers, it is challenging at best," she added.

Security specialist Michael Warrilow, director of Sydney-based analyst firm Hydrasight, believes that Microsoft has found it too difficult to create an all encompassing firewall. However, he said that by throttling the capabilities of the firewall the company is not ignoring its non-technical customer base.

"In effect, Microsoft is putting outbound [protection] in the 'too hard basket' for the time being," Warrilow told ZDNet Australia. "The firewall is to protect against inbound attacks -- instead of protecting the rest of the world from you."

The Microsoft spokesperson said that Vista's firewall is just one layer of security in the new operating system: "New features such as User Account Control (UAC), Windows Defender, and Internet Explorer Protected Mode along with improvements to Windows Firewall and Windows Update work together to help shield Windows Vista PCs from malware."

Topics: Windows, Government, Microsoft

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Warrilow is an idiot

    The point of filtering outbound connections isn't just to protect the world from spambot-infested morons, it's to protect people from spyware.

    Mind you, Windows XP itself seems like the world's biggest piece of spyware at times, so it's no real surprise that Microsoft is (again) punting on real security for the end user.
  • ^^^Typical knee-jerk, anti-MS reaction

    So, what would make you happy? Have MS disable the ability for applications to talk to the outside world at all and completely cripple Windows? Why should a typical user have to *enable* the ability to communicate? If Vista by default disabled talking to the outside world, that would have the effect of discouraging it--making it less common.

    Just as a tax discourages economic activity, making it harder to perform computer activities makes them less common.
  • TEAM 99 shill

    HOW MUCH to hype vaporware
    Hasta la Vista is not even here
  • I tend to agree

    I've been privately and publically stating since XPSP2, that there is no magic solution that will help both home users and enterprises.

    Therefore my suggestion is to have different default firewall settings based on the edition of the OS.

    WHat MS Should have done in XP SP2 is the enable the firewall if SP2 was instaleld to XP Home Edition (and/or XP Pro if not connected to a domain), and to not enable the firewall if installing to XP Pro connected to a domain.
  • Microsoft has a sound profile of legitimate applications...

    ... that are shipped with the OS so why not apply egress filtering based on such a profile by default? As part of any enterprise rollout many defaults are overridden in favor of locally-defined needs, but in the case of the individual private user, or small business who accepts most defaults an installs only a small number of third-party apps, this approach could serve to block traffic from moutains of illegitimate programs.

    If a user installs something deliberately ("click here to enhance your stamina!") they can also click, Zone Alarm style, to allow outgoing traffic from their shiny new app.

    I guess "Secure by design, secure by default, secure in deployment" only applies if it doesn't increase their support call load. Let's hear it for the status quo.
  • Sounds like handwaving to me

    It's a little weird for MS to claim that they have to preconfigure consumer versions of Vista to meet the needs of their enterprise customers, given that the enterprises are going to customize their security policies extensively before deploying the OS in the first place. Default-blocking inbound packets and default-allowing outbound packets doesn't help IT departments much -- they'll still have to configure the firewall to enable all kinds of services that are necessary inside a company firewall (messaging/alerts, collaboration apps, software deployment tools, etc.) but dangerous to expose on a box connected directly to the Internet.

    The real driver for this decision is probably that MS hasn't been able to create a consumer-friendly interface to manage outbound packet filtering, so enabling it out of the box in retail builds would be a customer-support nightmare.
  • From MS Security Summit

    I just attended the MS Security Matters Summit in Dallas, TX. You should have heard their security lead's statements on the importance (or lack thereof) of a need for an outbound firewall. His claim was that it wasn't useful until now. ROFL. His argument stated that anything that got into the machine could compromise even the firewall, and so protecting from such things was futile. Guess he never heard of Adware which generally doesn't do much more than try to call home, or all of the cases where when firewall shutdown was attempted, the firewall companies took preventative action.
    As for user technical skills - MS should visit a couple of successful vendors such as ZoneLabs or Kaspersky and see how they deal with the novice user.
    MS seems to still be thinking at the enterprise level and trying to figure out how to make every user Cisco certified. Hey, MS, the end user doesn't need to learn firewall rule making - you simply need to provide the user with application level control for 95% of the situations.
    Perhaps they should have taken a lesson from their own book and simply bought or licensed an effective firewall and adapted it for integration into their new flagship OS just as they did with Giant Anti-Spyware and/or Visio.
  • copy edit this story!

    "The firewall in Windows Vista will have half its protection turned off by default"

    half? HAVE

    Are you people high school dropouts?
  • that's it - different settings for different flavours

    I whole heartedly agree with your statement. MS has told us they are targetting different versions at different segments of the market so I'm sure as part of the install they can enable or disable the outbound blocking capabilites of the firewall.
  • Um, no

    Uh...dude. Will have half. As in will have 50 percent.
  • Corp Manage rather then playing

    I'm not a techie but... Companies can mange the settings via group policies (GPO) rather then specific MS build type settings. This of course assumes a company is large enough to implement AD and use XP Pro.
  • "Protecting the world from you is" hilarious!!!

    it's as if it's more likely that an average user is able to activate the outgoing connections control than a hacker being able to deactivate it (as if the hacker uses windows, too).

    The unsaid part of this is all the spyware/trojan stuff that will be left unmonitored on the users' computers.
  • nice

    So it's easier to end user to disable outgoing traffic on all ports except few that they really use than to have all ports closed and enable that few that they use. I think most users won't even notice that they should configure they firewalls. And all kinds of spyware, spammer bots etc will still work on new Windows. What a backward compatibillity.

    If Windows was secure there won't be need for antiviruses etc.
    Many people in anti* software companies would lost their jobs, I can bet they bosses are those big enterprise clients asking for open ports.

    sorry for my english
  • Firewall was deliberatly crippled

    Why dont people say it how it is, Microsoft deliberatly leaves security holes in its operating systems, they have always done it and will continue to do it. Just as it was no accident that netbios over tcp was enabled by default in windows 95 and 98, and took a level of tcp/ip knowledge way over and above that of most users to change it, it is also no accident that
    Microsft left this Vista firewall crippled by leaving outbound filtering switched off by default, and requiring a level of technical knowledge that most users do not have, in order to configure it .