Home & Office

Screen Gallery: When is a firewall not a firewall? When it's Vista's built-in firewall

Configuring Vista's firewall isn't easy. In fact, it's so difficult that the Windows Firewall is actually worse than having no firewall at all. Mere mortals shouldn't bother configuring it.
Written by David Berlind, Inactive

 Screen Gallery: See the screen gallery that demonstrates all that went wrong with David's attempt to configure Vista's firewall.  

Whereas one job of a personal firewall is to block potentially malicious inbound connections to your machine, another is to block potentially malicious outbound connections. For example, if some malware does find its way onto your system and then it attempts to "phone home" with whatever sensitive data it may have found, a good personal firewall should stop most outbound communications dead in their tracks until the end-user explicitly allows it (one problem with such conditional blocking is that end-users are rarely presented with enough information on which to base a decision).

An old theme with the personal firewall that Microsoft offered for Windows XP (Service Pack 2) is how it was pretty useless given the way it only offered inbound blocking. In fact, back when that firewall first came out, I pointed out how it was worse than having no firewall at all. With no firewall, at least you know you have no firewall. But, with a firewall that doesn't work, you're led into having a false sense of security. 

So, while Microsoft's anemic firewalls are an old them, you'd think the problem would have been corrected in Microsoft's Windows Vista. According to CNET's Robert Vamosi, perhaps you should think again. Writes Vamosi:

In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade.

Vamosi goes onto describe how Vista's personal firewall has the blocking and tackling of outbound connections backwards.

With most personal firewalls (and network firewalls), an outbound connection is only allowed when the firewall wall has been programmed with a rule that allows it. That's good. From the moment such a firewall is installed, nothing is allowed until a user (or network administrator) says it's allowed. The first time after most personal firewalls are installed, those firewalls present users with a rules wizard each time an application on their PC tries to connect to the Internet. In most cases, the wizard makes it pretty easy for users to make one of  four choices:

  • Block the type of outbound communication (specific application accessing a specific network port) this time.
  • Block the type of outbound communication permanently.
  • Allow the type of outbound communication this time.
  • Allow it permanently

But, with Windows Vista's firewall, it works the other way around. All outbound communications are allowed permanently until a rule has been created to explicitly block it. Despite Vamosi having routinely voiced his concerns about Vista's firewall before Vista shipped, Microsoft moved forward with what he believes to be a "half-cocked" design anyway. According to Vamosi, Microsoft's explanation for its decision has been that having to walk through the many wizard-driven pop-ups that would occur shortly after the first time Vista gets installed would be a poor out-of-the-box experience and that users would become de-sensitized to the prompts. Vamosi disagrees and so do I. Offering an outbound-blocking that, out-of-the-box blocks nothing until an end-user or network administrator takes explicit and deliberate steps to block it.

But it gets worse.

Vamosi goes on to note the difficulty in taking those deliberate steps and to validate his findings, I tried it myself and created an image gallery so you can trace my steps. But first, here's what Vamosi said:

Writing exceptions is fine, except if you are a solo home user with no idea what to block or even how to block it. Home users of Windows Vista are again paying the price for having a stripped-down operating system designed for a corporate enterprise running on their PC. Unless you are an IT administrator, unless you know where to look, you're unlikely to tweak the advanced firewall settings.

And, as you will see from my image gallery, adding outbound blocking rules to Vista's personal firewall couldn't be more unintuitive. Even for experienced users. For starters, after I installed Firefox, nothing stopped it from accessing the Web (confirming that applications are, by default, allowed outbound access). Looking to disallow Firefox from accessing the Internet, I clicked on what, to me, was the most obvious thing to click on in order to engage the "block": a link in Vista's  Control Panel that says "Allow a program through the Windows Firewall" that appears under some big bold text that says "Windows Firewall." Seems obvious enough, right? But, as you will see from the the various firewall configuration dialogs I encountered, not only won't intuition get you nowhere, the dialogs are actually counter-intuitive. For example, when one goes down this rather obvious path to configure the firewall, there is no context whatsoever when it comes to distinguishing between inbound and outbound blocking. Vista users can expect to encounter advanced terminology like "exceptions" and "ports" which is doubly confusing because of the following explanation:

Exceptions control how programs communicate through Windows Firewall. Add a program or port exception to allow communications through the firewall.

First, as I just mentioned, it makes no reference to inbound or outbound blocking. But just the fact that it says "programs communicate through Windows Firewall" sounds "outbound" to me. It doesn't say "how remote computers and sites communicate through Windows Firewall."

So, in contrast to what Vamosi says, it sounds like in order for an application to communicate through Vista's firewall, it has to be added to the list of programs and explicitly "allowed."  How else would you interpret the above language? But, as I already told you, within seconds of installing Firefox, it was given carte blanche access to the Internet thus disproving my interpretation. My first assumption was that maybe the text has it backwards; Perhaps this exceptions list works the other way around and anything that's on it is blocked from communicating. But adding Firefox to the list had no impact. So then, what is this list for? Thinking I might be able to get my answer by studying a single entry on the exceptions list a little more closely, I went back to the exceptions list (which is pre-programmed with a bunch of stuff I don't recognize), single-clicked on the only item that was checked (Core Networking), and clicked the "Properties" button which yielded the following graphic:


As you can see it has a link that says "How do I view and edit all properties?" Eureka! I thought. That's where I'll get to see how the Windows Firewall is configured to block either in or outbound communications with the Core Networking component. 

Sadly, as you will see from my image gallery, I was taken to a list of Frequently Asked Questions and even worse, none of them were the question I clicked on. But, while I was there, one of the FAQ questions seemed to address the confounding language in the UI that I encountered earlier. It asked "What does allowing a program trough the firewall mean?" I clicked it and here's what it said:

Allowing a program through the firewall, sometimes called unblocking, is when you create an exception to enable a particular program to send information back and forth through the firewall [DB's note: There it is! Back and forth! So, is this both in and outbound?] You can also allow a program through the firewall by opening one or more ports.

Unfortunately, as my little test with Firefox revealed, this FAQ answer is pretty much useless. 

As it turns out, there is a way to configure outbound blocking in Vista's firewall. If you go to Control Panel > System and Maintenance > Administrative Tools > Windows Firewall with Advanced Security, you will see Vista's current lists of inbound and outbound and outbound rules (see graphic below, sorry about the text pixelation.. this often happens when resizing graphics).


Added bonus for me: the Firefox rule that I created earlier appeared on the inbound list. So now we know what that's for! But, there are still three major problems. First, the one Vamosi alluded to in the first place. Applications should be blocked by default. Second, when accessing the primary UI for Vista's firewall, it is there that users should have very wizard-driven access to both in and outbound rules (or, at the very least, a fast link to get to the rule authoring tool over in Control Panel's admin area). Third, the rule authoring interface is really for rocket scientists. For example, when I went to browse for an application to block, it started me in the System32 directory instead of just giving me a list of applications. Then, where I should have had the opportunity to block specific domains (something any firewall should be able to do in its sleep), I was only allowed to key in IP addresses. 

So, the bottom line is that once again (actually, nothing has changed), the Windows Firewall is actually worse than having no firewall at all since (a) its presence leads you to believe that your computer is protected by a firewall when it really isn't (a false sense of security), (b) the system offers nothing in the way of a suggestion that encourages users to establish outbound rules, and (c) is nearly impossible for mortals -- the majority of Windows users -- to configure. 

It would behoove Microsoft to follow Vamosi's advice on this by doing two things. First, engage outbound blocking by default. Second, when, through its "blocked by default" policy, a dialog box asks the user what Windows should do next, make sure it's dirt simple. Third, as a part of that dirt simplicity, allow inbound blocking by not just IP address, but by domain or subdomain as well. For example, every time a Web page (including some of ZDNet's) pulls content in from the amch.questionmarket.com subdomain (as opposed to just questionmarket.com), my browser has to think about it for well over a minute before the page finally loads, if it loads at all. The problem has me wishing that, by configuring my firewall to block certain domains, my browsers will simply overlook those domains when it hits Web pages that call upon them. Microsoft will get bonus points for adding right-click firewall rule programming from Internet Explorer.

Editorial standards