Microsoft Windows Vista includes a two-way firewall.

Discussion in 'Windows Vista Security' started by I.C. Greenfields, Feb 14, 2009.

  1. Some of us want to choose what "gets out" and what doesn't. And this info
    doesn't work since there is nowhere to make such a change in the Windows
    Firewall window that comes up. Configure it - HOW? Can someone explain how
    it's configured to actually work without being a programmer writing strange
    unknown confusing rules for everything that wants to connect to the net? If
    not, can someone recommend a good free easy to use two-way FireWall like
    ZoneAlarm that's compatible with Vista? Thanks.


    http://www.vistastic.com/2007/03/09/windows-firewall-enable-outbound-filtering/
    I bet you didn't know that Microsoft Windows Vista includes a two-way
    firewall.

    Unfortunately, the outbound filtering has been disabled. I'm not quite sure
    why Microsoft made this decision but from a security point of view it would
    have made perfect sense to have it enabled by default. I suspect it's due to
    Microsoft not wanting to frustrate customers when their internet dependent
    applications suddenly stopped working.
    Windows Vista Firewall: How To Turn On Outbound Filtering

    * Click the Start Button (Windows Orb)
    * In the search bar type "wf.msc" and press the Enter key
    * Click the Windows Firewall Properties link
    * Change Outbound connections from Allow (default) to Block

    From the Windows Firewall with Advanced Security properties you can also
    configure additional rules for incoming as well as outbound connections.
     
    I.C. Greenfields, Feb 14, 2009
    #1
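
The same change made from an elevated command prompt with `netsh advfirewall`, as an added example that is not part of the original post or the quoted article. It backs up the policy, sets outbound to Block, adds one allow rule and turns on logging of dropped connections. The rule name, the backup file name and the choice of Internet Explorer as the allowed program are assumptions for illustration.

```batch
@echo off
rem Added example. Run from an elevated command prompt (Run as administrator).
rem Rule name, backup file and allowed program are illustrative choices.

rem 1. Save the current policy; restore it later with "netsh advfirewall import".
netsh advfirewall export "%USERPROFILE%\firewall-before-outbound-block.wfw"
if errorlevel 1 (
    echo Export failed, probably not elevated. Firewall policy left unchanged.
    exit /b 1
)

rem 2. Show the default inbound/outbound policy of each profile before changing it.
netsh advfirewall show allprofiles firewallpolicy

rem 3. Command-line equivalent of "Outbound connections: Block" in wf.msc.
rem    Inbound stays at its default (block); outbound now needs an allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Allow one program out, limited to web ports, instead of allowing everything.
netsh advfirewall firewall add rule name="Allow IE web (example)" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443 enable=yes

rem 5. Log dropped connections so blocked programs can be identified afterwards.
rem    Default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable

rem 6. List the outbound rules now in effect, including the built-in ones.
netsh advfirewall firewall show rule name=all dir=out

rem To undo step 3 without importing the backup:
rem   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
```
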

  2. I.C. Greenfields

    Kayman Guest

    You are not going to find anything better than the Vista FW and Vista in
    itself due to the advanced features the FW and Vista are using.

    Vista by default contains 82 default filters that prevent 34 services from
    communicating out other than on a very narrow set of defined ports.

    PFW Criticism.
    http://en.wikipedia.org/wiki/Personal_firewall#Criticisms

    Jesper's Blogs-
    At Least This Snake Oil Is Free.
    http://msinfluentials.com/blogs/jesper/archive/2007/07/19/at-least-this-snake-oil-is-free.aspx

    Exploring The Windows Firewall.
    http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx

    Tap into the Vista firewall's advanced configuration features
    http://articles.techrepublic.com.com/5100-10877-6098592.html

    Configure Vista Firewall to support outbound packet filtering
    http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1247138,00.html

    Easy guide to make Windows Firewall better in Windows Vista.
    http://www.expertvista.com/2009/01/08/tweak-windows-firewall/

    SolutionBase: Take a look at the Windows Vista Firewall
    http://articles.techrepublic.com.com/5100-10877_11-6171339.html?tag=rbxccnbtr1

    Windows Firewall: the best new security feature in Vista?
    http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx

    Managing the Windows Vista Firewall
    http://technet.microsoft.com/en-us/magazine/cc510323.aspx
    *(read twice!)*

    Vista Firewall Control (Free versions available).
    Protects your applications from undesirable network incoming and outgoing
    activity, controls applications internet access.
    http://sphinx-soft.com/Vista/
    The free version may be all you need, check the comparisons under
    the "Download and Buy" link.
     
    Kayman, Feb 14, 2009
    #2

  3. I.C. Greenfields

    Poutnik Guest

    Those who need and want to turn it on will also know how to do it.

    The opposite would cause trouble for a huge number of nontech people.
    Clicking allow/deny while having no idea what I exactly did
    is not more secure and can mess up Windows a lot.
     
    Poutnik, Feb 14, 2009
    #3
  4. I.C. Greenfields

    Q Guest

    Check this
    http://www.sphinx-soft.com/Vista/index.html
    Q
     
    Q, Feb 14, 2009
    #4
  5. Windows Firewall with Advanced Security includes an API that allows
    services, applications, and installers to write their own ticket through the
    firewall. In other words, they can add themselves to the exclusions list.

    http://msdn.microsoft.com/en-us/library/aa366453(VS.85).aspx

    So, it doesn't really do what most people think it does.

    The key to not having programs make outbound connections, or opening up
    ports for receiving unsolicited inbound traffic, is to not run those
    programs on the machine.

    Third party firewalls don't make it *that* easy - but they don't make it
    much harder either. They provide the illusion that they can stop outbound
    traffic.
     
    FromTheRafters, Feb 14, 2009
    #5
  6. MS does not want you to stop them from phoning home. Yet another way
    for them to prevent you from having control over your own computer.

    --
    "Software is like sex, it's better when it's free."
    - Linus Torvalds

    DRM and unintended consequences:
    http://blogs.techrepublic.com.com/security/?p=435&tag=nl.e101
     
    The poster formerly known as 'The Poster Formerly , Feb 14, 2009
    #6
  7. I.C. Greenfields

    mayayana Guest

    Please don't post to
    microsoft.public.vb.vista.compatibility

    That group is for programming issues with VB on Vista,
    not for discussion of Vista from an end-user point of view.
     
    mayayana, Feb 14, 2009
    #7
  8. Which is why I never use the Windows firewall. Every app thinks they are
    special and should be able to contact big brother with news about me and
    retrieve info on things they feel I need. Some companies are especially bad.
    I know because I don't use Windows firewall so I see the requests and deny
    them. Over the years it seems to have gotten much worse.
     
    Richard Mueller [MVP], Feb 14, 2009
    #8

  9. This is very old "news." For instance, from a post of my own, back in
    June of 2007:

    Vista's built-in Windows Firewall is adequate for most users, but
    not particularly easy to configure. Vista's built-in firewall, although
    superior to that of WinXP, is of a rudimentary nature, intended to meet
    the simpler needs of most home consumers (or business/enterprise clients
    already ensconced behind more advanced perimeter defenses).

    One 3rd-party add-on (Sphinx's Vista Firewall Control
    http://sphinx-soft.com/Vista/) might make the Vista Firewall a bit more
    useful to you, but nothing but a completely independent product will be
    able to provide the detailed control you want.

    There are two interfaces for Vista's built-in firewall:

    1) A simplified one accessed through the Control Panel that is the only
    one most people see.

    2) And the more advanced "Windows Firewall with Advanced Security
    (WF.msc)," accessed via the Start Menu's Administrative Tools folder,
    for the experienced user who wants better control.


    --

    Bruce Chambers

    Help us help you:
    http://www.catb.org/~esr/faqs/smart-questions.html

    http://support.microsoft.com/default.aspx/kb/555375

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. ~Benjamin Franklin

    Many people would rather die than think; in fact, most do. ~Bertrand Russell

    The philosopher has never killed any priests, whereas the priest has
    killed a great many philosophers.
    ~ Denis Diderot
     
    Bruce Chambers, Feb 14, 2009
    #9
  10. I.C. Greenfields

    Mr. Arnold Guest

    And this person is an MVP? He should not speak of FW technology that's
    for sure. He must have been on Gibson's site all of this time and became
    paranoid.
     
    Mr. Arnold, Feb 14, 2009
    #10
  11. I.C. Greenfields

    mayayana Guest

    Why are people who want more privacy than you
    do by definition paranoid and unbalanced? A PC is
    private property. Why should any Tom, Dick, or Microsoft
    be allowed to disrespect that boundary?

    And what about the malware problem? How do you
    think "bot herders" manage to maintain herds in the
    hundreds of thousands? IE holes might get them onto
    a PC, but the malware still has to call out if it's going
    to follow the bot herder's orders. It's a safe bet that
    those zombie boxes are not running 2-way firewalls.

    For another angle, some might find this
    recent Wired article interesting:
    http://blog.wired.com/business/2009/02/why-googles-sof.html

    Apparently Google has decided it's not enough to
    install "crapware-trackware" to anyone who's fool enough
    to take it. Now they're installing their alleged software
    updater as an always-running service ... without permission.
     
    mayayana, Feb 15, 2009
    #11
  12. I think it comes down to trust. If you don't trust a program - don't
    execute it.
    If you *do* trust it, let it do whatever it is programmed to do. By all
    means, traffic should be logged - audit trails are good to have. Maybe an
    alert from a daemon, or even outright blocking of attempts to 'phone home'
    are a good thing too. But this isn't really how one should judge the value
    of a software firewall.
     
    FromTheRafters, Feb 15, 2009
    #12
  13. I.C. Greenfields

    Kayman Guest

    Managing the Windows Vista Firewall
    http://technet.microsoft.com/en-us/magazine/cc510323.aspx
    *(read twice!)*
    You are either misinformed or don't fully understand the issue.
    Prior to installing a program, read the EULA, and if you don't trust a
    particular program then don't install it! Simple, really.
     
    Kayman, Feb 15, 2009
    #13
  14. I.C. Greenfields

    Poutnik Guest

    Kayman has said in a previous article that...
    Not sure if it was mentioned in the thread,
    but there are also non-security reasons
    why one may want to manage outgoing connections.
     
    Poutnik, Feb 15, 2009
    #14
  15. I.C. Greenfields

    mayayana Guest

    You can get the story by reading the article and
    decide for yourself. But talking about reading the
    EULA is ridiculous. If I publish software with an EULA
    stating that I intend to install always-running software
    that makes online contact, and that I intend to track
    your movements online, that doesn't make my actions
    acceptable!
    The EULA is usually a longwinded piece of
    confusing legalese that's not easy to understand, and is
    expected to cover only limitations and liability. Sneaking in
    the "rights" of the software publisher on your machine is
    pure flim-flam.

    According to the Vista EULA, Microsoft has a "right" to
    call home without asking you, and they have a right to
    disable your Windows install if, after rummaging around on
    your PC, they think that you may have got your copy of
    Vista illegally. (section 5) They also claim the "right" to
    uninstall software on your machine at their discretion,
    without asking you. (section 6)

    So you buy a PC, you bring it home, and out of curiosity
    you decide to read the EULA. (Imagine that you've tired of
    reading last year's tax forms and you were looking for a new
    and exciting read. :) You realize that Microsoft has provided
    a Mickey Mouse EULA that's unfair and probably illegal. What
    do you do? Take the PC back and buy a Mac, along with
    all new software that can run on the Mac? Or do you decide
    to use the PC, not take the EULA seriously, and maybe install a
    2-way firewall to block Microsoft's intrusions?

    Most people don't even get to that point. Most people
    have no idea what is or isn't going online from their PC.
    Those same people are being tracked around the Internet by
    Google/Doubleclick and would have a difficult time even
    understanding the technical explanation of how that's possible.
    The fact that Google may have a relevant clause somewhere
    in a Terms of Service page on their site is neither here nor there.
    They can't impose a contract with a second party unilaterally,
    which is what they're claiming to do. Even more laughable
    is that nearly all online EULAs are rendered pointless by the
    clause saying that they may be changed at any time and that
    you agree to such changes.

    I remember seeing a cartoon when I was young, where
    Elmer Fudd gets duped into buying an insurance policy by
    the duck (whose name I forget). When it comes time to
    collect, poor Elmer finds that his policy is only in effect on
    July 4, between 4:05 and 4:09 PM, during a hailstorm and
    in the middle of an elephant stampede. Unfortunately, Elmer
    can't meet one of those requirements. :) But even in that
    cartoon Elmer had to sign the contract with the duck before
    it took effect. ... So Google/Doubleclick's EULA probably can't
    even pass the Looney Tunes test. :)
     
    mayayana, Feb 15, 2009
    #15
  16. I.C. Greenfields

    John Doe Guest

    Thanks for the information.

    Apparently the makers of ZoneAlarm fixed such a problem by
    preventing ZoneAlarm from being shut down. After that, I have never
    heard an authoritative claim that an application snuck through
    ZoneAlarm.
    Sounds like a symptom of the ones and zeros disease.
     
    John Doe, Feb 18, 2009
    #16
  17. I.C. Greenfields

    Root Kit Guest

    "news about you" - got any evidence of that or are you just being
    paranoid?
    Like product updates that might be security related? You're just
    shooting yourself in the foot.
    Then why do you use their products?
    Stop whining, please.
     
    Root Kit, Feb 18, 2009
    #17
  18. I.C. Greenfields

    Root Kit Guest

    What makes you believe shutting it down is the only possible way to
    circumvent it? And why would malware writers choose a method which
    makes you as a user suspicious of what is going on. No, no. They will
    of course just circumvent your illusionware while letting you continue
    to believe all is fine and well.
    LOL. Better check your "authoritative" sources then.
    No. Sounds like a well considered response to a problem you don't seem
    to fully understand.
     
    Root Kit, Feb 18, 2009
    #18
  19. I.C. Greenfields

    Root Kit Guest

    Who wrote this crap in the first place? That outbound filtering is
    completely disabled by default in Vista is one of those lies that
    continue to spread unhindered because of ignorance and "common
    knowledge". Truth is, several outbound rules are enabled already by
    default. Unfortunately, the fact that it doesn't pop up silly messages
    like the ones people are getting used to from the usual PFW
    illusionwares helps spread that wrong impression.
     
    Root Kit, Feb 18, 2009
    #19
  20. I.C. Greenfields

    mayayana Guest

    That's quite a strong statement to make, implying
    that 2-way firewalls are basically useless. If you're
    going to claim that, you should provide some evidence
    and explanation. Otherwise you're just adding confusion.

    In my experience, ZA has no trouble blocking unauthorized
    software from going online. There is a wrinkle, though,
    with XP. XP, and NT systems in general, are a security risk
    in that they're designed as corporate workstations, with
    various vulnerable network-related services that are
    unnecessary on Win9x but are typically running, and may
    even be critical, on NT (RPC, for example.)

    Complicating matters, Microsoft shrouds a number of
    services in the svchost.exe process, which can run in
    multiple instances. So if you allow svchost through the
    firewall it's not so easy to know exactly what you're
    allowing. And ZA can't differentiate between the actual
    processes running under the svchost "hat".

    That wouldn't be a problem if you just block svchost altogether,
    except that if you block svchost and use highspeed then you
    may block a service critical to your connection! So in most
    cases it's difficult to really block Microsoft's stuff and control what
    goes out on NT systems. (NT4,2000,XP,Vista.)

    Another complication involving different ZA versions:

    If you use the earlier ZA versions that were compatible
    with XP (v. 2.6.x) you can block svchost, but as noted above,
    that might be a problem on highspeed.

    With later versions of ZA, ZoneLabs apparently cooperated
    with Microsoft and will override your settings. Later versions will
    put svchost into the allowed list without telling you, and
    put it back again if you remove it. However, I think that someone
    using dial-up, and using ZA 2.6 could block all outgoing MS
    processes. (Though I don't know whether v. 2.6 runs on Vista.)

    I haven't tried more recent versions of ZA. It bloated from
    a 2 MB program to a monstrosity of 50 MB in recent versions.
    Personally I'd look elsewhere these days if I felt a need for a
    new firewall and for some reason didn't think ZA 2.6 was
    adequate.
     
    mayayana, Feb 18, 2009
    #20