Vista Firewall to be Crippled
UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."
Given the vast number of home users MS has, this would seem to make sense. Really, how many *average* home users know what ports their programs use? Further, how many of those customers will want to fight with their firewall to get things working before they get frustrated and just turn it off? Turning the firewall off is far worse than having a firewall that only blocks inbound connections.
I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UPD vs TCP and ranges of ports is just not going to work for most non-technical people.
Lastly, I think the request of the larger corporate customers and government makes sense. They don't want to micro-manage their machines.
I don't understand the complaint here. MS is listening to their customers. Supposedly that is a good thing for a business to do, of course there is a limit. Secondly MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there. It's a tough problem, especially for non-technical users.
Blocking outbound by default is mostly going to protect the rest of the internet from your owned box spamming/ddosing/etc them. (I guess your outbound connection could get hosed too).
On a side note, from TFA: Yes MS, it's hard to set up properly - that's why you have to have it turned on by default.
At least it's better than Apple's firewall (turned off by default, PITA to block outbound traffic).
There are shills on slashdot. Apparently, I'm one of them.
Intentionally crippling your firewall? Isn't that like taking a sledgehammer to your kid's knee caps!?!
Don't most enterprise customers use scripted installs/images? Why would the default configuration matter at that point?
because that is what enterprise customers have requested
So, if Microsoft listens to their customers, they make slashdotters angry but if they block bittorrent, they make slashdotters angry.
I think that I'm starting to get this...
Whenever I install a firewall that will block outgoing applications and make sure everything needed is already allowed, such as IM, email, etc., the first thing a user does when they see that screen is click "Yes, always allow Trojan.I.Steal.Credit.Card.Numbers.and.kick.puppies.Trojan".
:)
At least the incoming is blocked like it should be. It would be nice if there was a way to flash bright red so obnoxiously, and make the user think for a second. Like how Firefox makes you wait before clicking yes. Possibly by moving the yes button around and saying "YOU PROBABLY DON'T WANT TO ALLOW THIS" and then repeat, "ARE YOU ABSOLUTELY POSITIVE?"
then deny it regardless of what the user says
The phrase "more better" is acceptable English. suck it grammar Nazis
Crippled would be if the functionality were not present, or so badly broken that it does not work properly. Including the functionality but not enabling it by default is not crippling. Microsoft has a long history of enabling wide-open security settings by default, so this is really nothing new, if anything it's halfway to an improvement.
You see? You see? Your stupid minds! Stupid! Stupid!
Yeah, it was the "enterprise customers" all right: I imagine the phone calls from Symantec, Kaspersky, FSecure et al: hey Microsoft, leave them damn ports open or we'll outta business pretty soon! (relax. It's just a lame joke)
Hello! I'm a disaster waiting to happen!
That is one confused story.
The lead says that "enterprise customers" want outbound opened up by default.
The rest of the story justifies the decision based on allowing individuals access to the outside world without having to figure out outbound firewall config.
My guess: they screwed up the user interface and cross-coupled certain permissions so that the most common configuration requires entering the more advanced configuration panes, rather than the selection of a cartoon icon on the basic configuration pane.
And they're blaming everyone but themselves.
I believe MS outlined 7 different versions for different markets... home, enterprise, small business, entertainment center, etc. Why wouldn't they configure the firewall in each of these by default to be what's appropriate for its target market, rather than letting the desires of the Fortune 500 wag my mother's machine in a less than completely safe way? Given the world's recent experience with various forms of malware, erring on the side of safety certainly seems to be justified.
Why the hell would anyone other than a dial-up user need to have a firewall enabled under Windows? Everyone with broadband should have some other device between their computer and the big, bad internet to handle firewall duties. Corporate networks had better damned well have some security at the gateway to the WAN/internet.
One would expect that Enterprise customers could set this any way they want via Group Policy.
I wouldn't call this crippled. All you have to do is turn it on. I guess that my copy of Civilization 4 is crippled too, because I had to install it.
Seriously, though... blocking incoming traffic is more than half that battle. It is my understanding that blocking outgoing traffic is mainly useful after your system has been compromised.
You know a piece of software is off to a bad start when the product isn't even out yet and they're already talking about bugs & features.
If you look like your passport photo, you're too ill to travel. - Will Kommen
I think that blocking incoming traffic is by far the most important thing on Windows boxes. We don't want another Code Red/Nimda.
Who here, honestly blocks outgoing traffic too on their home networks? I could, but I don't bother. Why? I run a tight enough ship to know that there won't be weird traffic going out, and I can't be bothered with the extra admin needed to keep everything happy and working.
Up to a point, I have to agree with you. The average home user is just not used to the level of annoyance it takes to train and maintain an outgoing firewall. I installed ZoneAlarm on my parents' computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet. And many corporate users don't really care about the defaults - they are going to have IT manage it anyway.
But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this? Many of XP's problems are related to its homogeneity...
Using plain ol' text since 1968
So why have 21 different versions of Vista if NOT to have a consumer version with as much protection as possible with as few services running as possible? A business office version you assume will be configured by an IT guy that has difficult to admin - but very flexible and detailed - firewall options. Yes.
But to not a have a 1 button "Protect me on the internets" button for grandma? That's MS effectively selling off its consumer base to big corporations at their request.
=Tod
Bill Gates - Creationist?!?
1) Most home users get annoyed at having to click on the options to allow outgoing connections, and they generally aren't concerned about applications "calling home."
2) The biggest culprit for applications that call home is Microsoft, and the Windows firewall doesn't block Microsoft applications anyway. (The biggest reason I have a 3rd-party firewall is to block outgoing connections from IE, Explorer, and Windows Media player)
3) Serious attacks come from incoming connections (or Trojans, which a traditional firewall can't stop anyway.) so this doesn't matter for them.
Now if there was only a firewall plugin to block outbound apostrophes in "it's".
Intron: the portion of DNA which expresses nothing useful.
10 more years of zombie botnets. I'm so pumped for all the spam I'll get.
Given that Microsoft has announced different versions of Vista for enterprise, home users, power users and so on, why would they cripple the firewall across the entire line? It seems to me that with all the versions they're planning, it would be a simple matter to keep the firewall off for those versions sold to enterprise customers, and leave it alone for everyone else. And speaking as someone who has had to deal with the fuckery of the windows firewall in an enterprise environment, I can't say I'm disappointed by that.
How much longer until we get some real application intelligence built into these things? If the firewall knew what the application was supposed to do, it would be able to dynamically block malware/trojans.
God, Root, Whats the difference?
Some system-level protection is always important (like starting off with a secure OS!). However, I can tell you from my experiences remotely managing XP systems that the local firewall can be a major headache. In our office we have hardware-based firewalls or firewall feature set routers at/on every subnet router. It's much easier managing a handful of hardware devices versus hundreds of individual software-based firewalls that don't work half the time anyway.
crippled? how about "industry standard for home and light commercial use"?
what's wrong with INBOUND:BLOCK ALL - OUTBOUND:ALLOW ALL?
every NAT/router/firewall/shiny magic internet thing I've seen, oh, in the last 7 eons of mankind's glorious history is set up just so.
Default outbound blocking wouldn't matter in the home environment. The most likely malware targets are all running as Admin anyway, so smarter malware will just add themselves to the allowed list.
Vista will suck JUST LIKE all the other Windows versions have. If you want to solve the MS-Windows release problem, we should have made the former judge Jackson's judgement stick, "Break up Microsoft." That is the only way we will see MS-Windows problems disappear. They will never really FIX them. Bill Gates and Steve Ballmer still need to be in their bad money-making scheme of forcing trash onto the user.
And somehow Real Player will STILL find a way into my trusted sites.
I mod down so you can mod up. You're welcome.
On a technical side, however, I don't see why this is a yes-or-no proposition. What would prevent the installer from asking a question like: "Do you want the firewall to block outgoing traffic? Yes/No" (with some blurb explaining to non-geeks why they might/might not need it, what implications it might have, and how to change one's decision later on)?
the other half by design
First of all, inbound is not even half of the problem. Considering the recent development of malware, outgoing is by far the preferred way of attacking for today's malware, simply because of the increasing number of NAT routers.
Second, I HOPE AND PRAY that they FINALLY add a "delay" to the "allow application to open connection" button. There's almost no current malware that does NOT create a thread to check in 5 ms intervals whether one of those allow-request windows is open and answer it in the preferred way for the malware before opening a connection, to make sure they get permissions.
If this loophole isn't closed, any MS-firewall in learning mode is as good as no firewall at all. Actually it would be worse, because it gives you a false sense of security where there is none.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Vapor OS, Vapor Firewall. makes sense to me.
at least the "object file system" promised in Cairo will be there. won't it?
I also hear they will be shipping the stability promised in Window 95
time to start lining up at Fry's
Windows never had, and never will, have a proper firewall accessible by end users. OS X has Little Snitch, an outbound, APPLICATION BASED, firewall. I can tell when Firefox, Excel, et al phone home. It's also great for entries to the host file.
My statement is not quite correct. Windows 3.1 had Trumpet WinSock to provide the TCP/IP layer, and included a window that listed every outbound connection. I bought a WeatherBug; when I saw it sending out a cookie with every URL I clicked, I learned about the hosts file. You notice there's nothing like this window for Win9598ME2000XP? Hahahahahahaha, let's make DoubleClick rich.
The Proxomitron does this, but buries the URLs in so much crap it is useless. I've just given some smart college kid a marketing idea that will make them a millionaire by 30. Are any of you ambitious enough to seize it?
Here's another idea for you kernel hackers. Change the hosts file to allow wildcards. I'd like to enter *.*doublclick*.* and wipe out everything. And *.goo*analy*.* too. But then again, Linux is just another marketeer beholden to advertisers, that's where he gets his real money from.
Computers are complicated machines, and a simple "firewall = on / off" command should not be expected to satisfy a phenomenal multitude of users.
Nor should anyone ever venture into a computing task while uttering the words "This will be simple".
Those who believe the Internet is private,
find their privates are on the Internet.
Yeah, OK, whatever. Just as long as they leave the firewall alone in patches and service packs. I recall installing SP2 on a headless XP box. I was connected via remote desktop, installed the SP, rebooted, service pack turned on firewall blocking incoming connections, and ...
[Insert pithy quote here]
OEM customers (e.g., Dell, HP, Gateway, etc) often ship their PCs with dozens of what I call "shovel-ware" (trial versions of useless software that OEMs pile on heaps on the desktop). Often this shovel-ware likes to call home occasionally to notify you of "new updates available for download" and other such nonsense.
I'm sure it's very embarrassing (and costly) to the OEMs when they get support calls from their own customers when the Microsoft outbound firewall blocks the shovelware and flashes up a dialog box. So they probably just asked Microsoft to ship the firewall so that the outbound firewall doesn't validate the application (which makes it too easy for end users to "accidentally" disable the shovelware, and too easy for experienced users to get a list of all the shovelware polluting their machines from the "allowed" list and uninstall it). Of course Microsoft doesn't want to have too many configs out there, so they just make this the default setting out of the box.
</TINFOILHAT>
Sure microsoft is listening to their customers, it's just their OEM customers...
MS cannot install an outbound firewall, well they could but it would lead to a lawsuit. If they put an outbound firewall on the systems they would automatically set certain programs to be allowed through (IE, MS Instant Messenger, MS office, Outlook, etc.), they would block Real player, AIM, Google's Messenger, Firefox, etc. They would install the software, per the anti-trust agreement, but block it so it's as good as not installed. They know they are on the anti-trust edge and probably don't want to push themselves over. Maybe they are smart?
I think Microsoft's real problem is that (apparently) they are still building an OS that allows arbitrary software from the Internet, etc. to be downloaded and executed due to lax permissions and security via their ActiveX crapware, and other holes. Otherwise, why would there be a concern about malware, spyware and other types of malicious software making outbound connections in the first place? Other operating systems don't have this problem for a reason: permissions being what they are on a more reasonably secure system (particularly one that isn't so wedded to a weak point of entry like a browser) don't allow code from external sources to be executed on a system level without the proper permissions, and proper security. In an attempt to make Windows "user friendly", they've tossed the baby out with the bath water, in terms of security. In light of all this customer demand (which means there must have been some communication about the functionality of their firewall configuration to outside sources), it would appear that the Vista team isn't learning from the mistakes of their predecessors.
Hades, PoD: Official Advocate
Let's sacrifice the quality for people who don't know what they need to please those that don't know what they want!
Sarcasm!
"I'm not religious, but at the same time I don't get why science always has to have something to prove."
"Vista may allow ports from 0-65535 outbound, but it seems an easily remedied thing"
Quo usque tandem abutere, Nimbus, patientia nostra?
The functionality is still there, it's just not being used. Seat belts don't cease to exist because people don't use them.
Jesus, I despise the fact that jackasses like you are so prevalent on this god damned web board.
I always come to slashdot with the broad, and sometimes naive, assumption that the articles provided will be neutral. Whether or not the responses to these articles are neutral is another story, and any bias there towards OSS, away from MS, against Apple, or whatever, is just fine in my book. That's what makes the internet great.
;)
That said, I strongly detest the wording of this headline and the tagline below it. Especially from CmdrTaco.
When I read the topic in RSS, I thought that some features would be removed from the existing firewall, or that some key features would require a paid subscription to be activated. When I read the summary, however, I realized that was not the case. The attitude on slashdot towards Microsoft (as well as any other non-OSS business model that seems to work) is jaded and negative enough without being given a predisposition via headlines like this.
The summary in 1.5: Negative, misleading headlines need to go.
So, mod me down for offtopic, mod me down for Troll, mod me down for Redundant. My Karma can take it. Or, if you agree, mod the other way
Will Microsoft follow the trend established in Windows XP SP2 and allow certain applications (Microsoft's and others) to open holes in the firewall so they can communicate stealthily, or will the firewall obey only the user's configuration?
Personally, I want dedicated hardware doing my firewalling -- I'd wager that a low-end D-Link router/firewall is more immune to compromise than a userland software firewall. Problem is, Grandma is not going to buy a router but if NVidia can embed firewalls in their motherboard products, why can't Motorola do the same for their modems?
body massage!
Something else that bugs me about the "we're doing it for enterprise customers" argument -how many different versions of Vista are there? Isn't the whole idea that the business/enterprise versions would have different default settings and configurations than home versions?
What's going on?
You don't understand the MS advert model. You aren't an MS customer. Advertisers are the MS customer, you are the product MS sells to its customers.
Right now I get mad props at work for keeping bagel, netsky, and mydoom at bay through attachment and AV blocking, spam filtering, and a little bit of shell scripting. Here I was afraid that those would go away and I'd have to find something else to justify my existence within the next couple years. Now it looks like I'm in good shape til at least 2010. Thanks Microsoft!
ps - Other AV programs probably do this, but in case anyone's interested the firewall built into McAfee VirusScan Enterprise v8 blocks SMTP and IRC communication outbound by default unless the executable firing up the communication belongs to a specific set of known email and IRC clients. Good times...
Yes, my only tool is a hammer. And you're starting to look like a nail.
Someone at Microsoft thought it was a good idea that somehow one product is all anyone needs. Although a lofty goal, it is entirely unrealistic. It is like assuming a car manufacturer can build "one car" that will satisfy all needs.
It seems mostly unreasonable that one can try to sell (or repackage) the same products and technology to home users (grandma), business users (enterprise), and data centers (data services). The problem is that the technology and use case scenarios for each of these situations are dramatically different. When you try to unify these products you end up with the "swiss army knife" product that barely covers the basic features between the segments instead of a robust product that each can be happy with.
Why does grandma need the ACL and the other domain/Active Directory control behavior? One can claim it is for security, but it seems that the security threat and security model for home users are different from the enterprise level, which is where these tools belong. Why do hundreds of computers that are used for ERP need DirectX? It is yet more configuration and software that can possibly deviate if not break across hundreds of installations. Why does a server in a cluster configuration need Outlook?? Trying to support these pieces of oddball software in all three of these examples is hard. I wonder what advantage MS has by continually sticking to this. Is it really the so-called "look" that they think they are getting value out of? If they stepped back and looked at the feature sets of just these three use cases, there is very little in common between them.
I've always said that Microsoft would be better served if they focused down their products. If they had a *true* home version that set up in minutes and only included the things necessary to web surf and play games, that would be some great value. If they had a *true* enterprise version that offered a bunch of services that hook into enterprise control, that would be some great value. If they had a *true* server that installed what is needed to do high-performance clustering and balancing, that would be some great value. Trying to create a Windows version that has sprinklings of all of this is a beast. It is like trying to build a car that has the features of a sedan, an SUV, and a limo. The "car" you end up with turns out to be something that is none of them.
I appreciate that Microsoft wants to sell products in these spaces. In fact I encourage them to do so. However, I don't encourage trying to make their products all behave like each other, because they simply aren't deployed that way. This article is an effect of this misplaced endeavor. The firewall configuration for home users should be dramatically different than the one offered to enterprise configurations anyway. Ideally we shouldn't be freaking out about changes to the enterprise software affecting other installations (like home and servers), but we are forced to.
I think that I'm starting to get this...
You are almost there. You see, Microsoft makes slashdotters angry simply by existing, if it were ever to go bankrupt and disappear our brains would suffer a kernel panic requiring a reboot followed by a lengthy boot-time scan for another equally powerful source of anger energy.
Only to idiots, are orders laws.
-- Henning von Tresckow
Posted by Slashdot editors just to engage in MS bashing. This site really is run by immature idiots.
We still have software patents, the DMCA, censorship of the Internet, and the PC vs Apple, KDE vs Gnome, Linux vs BSD, Postgres vs MySQL and emacs vs vi flamewars to keep us riled up.
Just because it CAN be done, doesn't mean it should!
Enterprise users should know how to configure and set up their firewalls, while average Joe consumer most likely doesn't have a clue. So why would Microsoft disable things for the knowledgeable users, which in turn will most likely cause problems for the general populace? What are they thinking?
whine, whine again.
"Do you wish to allow 'Amanda Peet Naked.You_must_allow_to_see_her_naked.jpg.scr' to access the internet?"
[yes] [no] [cryptic help page]
-M
when you see the word 'Linux', drink!
So it's not really crippled, it can be configured for outbound protection. Maybe the "varying degree of technical knowledge" implies that it's not as straightforward as a nice GUI configuration window and hence "crippled" in that respect.
Saying it is "crippled" would imply that the outbound protection code exists, but it is permanently disabled, i.e. not configurable at all.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Considering that Windows Firewall today is a simple matter of clicking yes/no on a popup dialog. Go into Windows XP SP2 with the firewall turned on, open ftp and connect to a site. Instantly a message pops up along the lines of "You are attempting to make an outgoing connection on port 21, by application FTP. Would you like to allow outgoing communications on this? Yes/Once/No/Never".
That's not exactly brain surgery imho. Also, I tried an earlier CTP for Vista, and Windows Firewall was basically identical to the XP version, so don't expect many changes. Plus, given the fact they are saying "from corporate requests", I imagine home editions will have much different default values.
I've got an idea. There's going to be what, 6 different versions of Vista targeting basic home users, media center users, on up to corporate clients? Why not make different defaults depending on what type of user each version targets. Home users: leave IM and streaming media ports open and close most of the rest. Business users: leave outgoing open and close selected inbound. Best (and worst, but I think we still come out ahead) of both worlds.
Gee that was a tough concept. Somebody should pay me for it. Perhaps Microsoft already thought of it though and somebody, somewhere took something they said out of context. That would be a first.
Is that really all that hard to do?
Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
It's good to see level-headed, non-biased Slashdot articles. Crippled would mean that the firewall doesn't even have the ability to block outgoing data, it does, it's just not enabled by default.
This just in, most Linux distributions don't have firewalls enabled by default. News at 11!
Crippled seems a rather extreme description. Security software of various types with moderate defaults aren't all that rare -- e.g., SELinux in Fedora Core also doesn't default to the most strict ruleset possible -- simply because the strictest limits, while most secure, also provide barriers to the usability most people expect and want.
OTOH, the particular choice of defaults seems dumb to me -- the third party firewall I use at home is set to ask about creating a new policy when an unfamiliar program attempts to listen or send, which seems a lot more sensible than disabling outgoing blocking entirely by default. Nothing you want is ever blocked unless you tell it to be, but you don't get blindsided by anything sending out without you having cleared that program to do so.
And while I can see why enterprises might not want their desktop users faced with "Allow/Deny" popups, how hard is it to have a couple of basic default options (say "Ask" vs. "Allow" on all outgoing requests) chosen on install?
M$FT is an "Enterprise Customer"
M$FT is the No 1 "Enterprise customer" for all the home boxes (in their minds)
M$FT can't monitor your usage, searches, music, etc unless visTE calls home.
We all use zone alarm to selectively enable outbound.
What is so hard?
Your parents are much better about that than the average user. Most people would just figure they don't understand the question, and click on an answer randomly to make it go away before it gets any scarier.
OK, folks...at what point does the Windows bashing just become so silly that it's wrong. Oh, wait...we reached that point long ago.
The headline is just wrong. The Vista firewall is no more "crippled" than iptables is "crippled" in Fedora. Microsoft is making the default behavior identical to the XP firewall, but getting bidirectional port filtering/blocking is merely a matter of turning it on. The whole "requiring various degrees of technical expertise" is a ridiculous red herring coming from a website where Linux users constantly preach their technical superiority to the common lowly user. Pardon me, would you like some elitism with that pedantic whine?
For the vast majority of users, bidirectional firewalling is overkill. For those who want it, it can be turned on. This isn't a story, it's propaganda masquerading as news. I swear, Microsoft tries to improve things (adding the ability to do outbound blocking), and all /. can do is whine that it isn't turned on by default. Last time I checked, lots of Linux distros come set up this way as well, yet I don't see anyone moaning about that.
Microsoft is the competitor, not the enemy. Quit making this whole crusade a personal affair and this silly anti-MS bias will disappear.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I work at an ISP doing Tech Support.
On a daily basis, I get calls from users of Norton Internet Security or McAfee Security Center (or "whatever came with my computer") who, for some reason, can't get Internet Explorer/Outlook Express to work. They don't know what a firewall *is*, let alone how to configure it.
If I suggest they turn off that firewall and try it, everything is suddenly happy again.
Many of them don't understand. "It worked fine yesterday/last week/last year and I haven't changed anything..."
I specifically despise the Norton firewall as it seems to be the most popular problem causer.
I am glad that Microsoft isn't turning this feature on by default because many clueless lusers will accidentally block the programs that they're trying to use and then not understand why it doesn't work anymore.
Frequently these users try to blame us at the ISP, not realizing that it's their own fault. Firewalls are my most frequent frustration, and I'm glad this one will behave the way it will.
Enterprise customers have dedicated firewalls outside of Vista, not to mention they will more than likely pre-configure the OS's firewall settings and can continue to configure it with Group Policy. As long as these enterprises have a decent IT team they will be able to stop any malicious ports at the (hard) firewall (LAN to WAN), and any LAN to LAN mischief through GPO.
What self-respecting sysadmin is relying on the Windows firewall to protect his enterprise's network? Sheesh, I look after a government department of 30 users, and when I took over 7 years ago my first task was to purchase and install a hardware firewall. Two years later a government-wide firewall was installed. Sure they do content blocking and block more ports than I am completely happy with, but it is handled at the ENTERPRISE level. Trying to manage a corporate network on an individual basis is insane. As a previous user noted, group policies could handle all of this. I am still convinced that a hardware firewall is the only reasonable choice. Hell, I have one at home for a 3-machine network!
Couldn't they build a list of popular programs with outbound access and build those into a default "approved" list?
And just like adblockers for firefox and safepeer, they could then grow that list over time.
Why can private individuals do something easily while a huge corporation cannot?
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
As someone who works broadband support, that's because we need to eliminate that as a cause of blocked connections. I cannot count how many times that IE/Firefox/Outlook won't connect or browse because of a badly configured firewall. If it's not the problem, we tell you to turn it back on straight away, because we like our servers un-molested by botnets and zombies.
:P
If you haven't got a clue how tech support works, I think you should probably rein in your complaints about what we will or will not let you do on our connections.
Also bear in mind that broadband internet is a privilege you pay for, not a right, and therefore your connection to it is on our terms, not yours.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
That Microsoft can release an OS and be allowed to make/sell fixes for their flawed platform in the way of firewalls/anti-spyware/anti-virus software.
That would be like a car company selling you a car that has known bad tires and as soon as you take it home to actually make it safe to drive you have to go purchase a new set of tires from the car company.
"because that is what enterprise customers have requested,"
Enterprise customers as in "large organizations who want to manage their own software and security policies," or "large organizations that want to install backdoor apps on their customers' PCs without their knowledge?" Do these "enterprise customers" include Claria and Sony?
Before you mod me troll, consider: why isn't Microsoft simply releasing an "enterprise" version with the deactivated firewall while maintaining full security settings on the "retail" version? If they can sell multiple copies of XP that may or may not seek activation depending on the customer, they can do this.
I will still use Zone Alarm for my win boxes.
Generally Windows firewalls that do outbound filtering do it on an application level. The first time an app tries to access the net they ask if it's ok. You then either permit ALL outbound traffic for that particular app, or deny it all. You can use more granular control, but there's generally no point.
However it is still annoying when you first set it up. Run IE to get FF, add a rule. Run FF, add a rule, run SSH, add a rule. After a couple days you generally have everything and it doesn't bother you much.
The problem is, of course, non-technical users don't know what it means so they freak out. I tried it with my parents and it just didn't work. My mom decided not to permit anything without asking me, so I was getting tons of tech support calls. My dad just ignored it. It was another hoop to jump through so he did, without questioning. Just told anything that asked to permit.
Like so many tools it's useful, but only in the right hands. I have one as a last line of defense and as a monitoring tool. Supposing I somehow got a trojan that didn't get picked up by my virus scanner and I didn't notice it, the firewall would stop it when it tried to get out on the net and I'd know I had a problem. It also lets me keep tabs on software that phones home. I don't much care, I just like to know if it's happening.
However it's not something that is generally useful, like an inbound deny. Thus it is a good idea for MS to turn it off by default. It would do nothing but confuse normal users, and then they'd just ignore it as they do any other hoop to jump through.
I'm happy Microsoft is actually shipping Windows with something turned off. It'd be so nice to get an OS without 20+ on-by-default resources that almost nobody uses.
I'm glad. I've been testing OneCare and the way it blocks outgoing connections is annoying. Unlike with Windows XP SP2 / Server 2003 Firewall, it doesn't block traffic until you answer (or the request times out in the client app). It just causes the connection to die unless the program is already approved. If you select "allow" then it will work next time...as long as the client program isn't already screwed-up because of the blocked connection (this could've killed my Treo 700w with the recent update if the blocked connection was killed later in the update process).
Now, presumably Vista Firewall will block lower in the network stack so it won't just cause the connection attempt to immediately die, but if it works like OneCare I'm glad it won't block outgoing by default.
X?
The X Window System / X11?
Mac OS X?
X marks the spot?
wha?
I think Slashdot's tagline is in need of a change. This isn't news, it's an Opinion piece based on current news. Unprofessionalism for nerds, stuff that kinda matters. If you're a zealot.
This seems like a smart move on Microsoft's part actually. Not only has this been requested, but it also makes a lot of sense. Blocking incoming is a good way to cover your ass, and if you are smart enough to block outgoing you will be even more covered. If you don't know enough to block outgoing, it's not a huge loss, since if you are really a major virus problem your ISP will kill your connection until you fix it anyway. They (your ISP) may even help you clean up (or tell you where/how/who).
The purpose of this is not to please enterprise customers. The purpose of this is to provide an easy reason for people to plop down $49/year for a OneCare subscription which conveniently does happen to come with a fully functional firewall with program rules.
if not what we need. Obviously a compromise of convenience over security. Kind of surprising that Microsoft is doing this now, after having finally started taking security more seriously... SP2 actually seemed to be locked down pretty tight, in terms of the firewall being turned on, automatic updates on, probably some rate limiting stuff to slow down DDoS attacks (also seemed to slow down some p2p traffic, maybe that's just anecdotal though). I guess it's sad, but kind of predictable, given all the whining people did over SP2... I still know plenty of people that refuse to run it, just get the security patches and add them to SP1.
To block commercial software from phoning home. Any other type of outbound filtering is a fucking waste of time because users have no idea what to do when "svchost.exe is trying to connect to 12.55.60.2 port 300" "Is that okay?".
Btw this whole Vista thing of making users have to hit "okay" whenever something 'fishy' is happening will backfire bigtime. It will annoy users who know what they are doing, i.e. is it okay to delete this file, and it will confuse users who don't: blank needs permission to blank, is that okay?
We are all basically screwed because when it comes to software you cannot honestly trust anyone with anything at anytime. Especially when it comes to closed source.
If you wanna get rich, you know that payback is a bitch
The problem with installing multiple versions is the sharp increase in software development complexity. If you have multiple versions of Windows each with different features, a software developer might have a problem if a necessary feature is only available in one or two of the different versions. This increases the required technical knowledge of users, since they need to know which version of Windows will run the programs they need. If they need two pieces of software that require a different version of Vista, then that has problems. The most economical way to implement multiple versions is to create tiered versions, where each better version is a superset of the lesser versions.
---- "XML is like violence. If it doesn't fix the problem, you aren't using enough."
"My firewall is HARDware so it's stronger". If a port is blocked, it's blocked. It's not more blocked because you are using hardware.
Naturally.
That's not ZoneAlarm's fault, part of its basic functionality is to prompt the user to see if it's ok to allow the traffic. The fact that the user is an ignorant moron is no reason to remove a layer of protection. MS's enterprise customers have requested this because upper management is tired of the prompts to allow traffic, and doesn't understand (or care) about why they're there.
The user cares and understands why ZoneAlarm is there: he does not want his system infected. The problem is that the user does not know the internal workings of their applications or OS, and thus is not in the position to really judge which connections are good and which are bad.
This is where ZoneAlarm errs: the user should not HAVE to know which IP addresses and port numbers are bad. Heck, as a techie, even I don't want to have to know -- I have more interesting things to do. There are obviously patterns which allow us to judge roughly which connections to block. But ZoneAlarm should detect those patterns (heck, maybe even by querying a zonealarm.com server or your-techie-nephew.com for info), and tell the user what he DOES want to know: the probability the connection is dangerous.
If ZoneAlarm is meant for the general audience, it fails miserably in terms of GUI. It also wouldn't hurt if applications could inform the user and ask for a retry if the firewall blocks the connection. The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings. As previous posters pointed out, users now generally quickly learn to accept everything so as not to have to bother their nephew every single damn time, otherwise stuff will probably break.
But which ones? MS listens to corporate customers -- no news there. But MS seems to ignore the home user just about entirely, choosing instead to try to balance between corporate functionality and moron-friendliness -- that being user-friendliness taken to such an extreme that only the severely retarded (literally) would have use for such coddling, and the vast majority of real users find it only gets in the way.
There's a reason I tell people to pirate XP Corporate edition.
Don't thank God, thank a doctor!
Most Home users are capable of clicking "Yes, allow this program to connect to the Internet". Quite a lot of them are actually intelligent enough to notice when a program trying to connect shouldn't be allowed to -- at least, my NVidia firewall represents programs well enough.
And no, they won't be calling MS tech support, they'll be calling Turbo Tax tech support, Sims II tech support, and Valve tech support, who will all give them a simple solution for letting their programs work without having to disable the firewall.
Don't thank God, thank a doctor!
I would like to have a Windows firewall which could be dynamically updated by Snort.
Mac OS X's firewall -- basically a limited GUI for the FreeBSD ipfw facility -- is configured out of the box in just the same way: only incoming TCP traffic is examined. If you want to diddle with UDP or with outgoing TCP connections, you need to use the command line and poke around in logfiles -- not for the faint-hearted. Or there's a shareware system preference panel, Little Snitch, that can do a lot of the diddling for you. I dare say that something similar will quickly appear for Vista. You'll just have to persuade your system that it's trustworthy...
Anyone who uses KDE's Guarddog knows exactly what program uses what port. It's grouped by type of application and has nice little pictures to clue you in. Knowing port numbers is not rocket science. M$ needs to be at least as smooth as anyone else, even as smooth as they previously have been. As planned, they are treating "security" as a "profit center" by removing features so that a lack of flexibility will force an "upgrade".
I don't understand the complaint here. MS is listening to their customers.
Reasonable defaults can be found in any modern GNU/Linux distribution. They are all about the same and better reflect user demand than M$'s demented policy, which will pollute the world without the option to turn it off.
Friends don't help friends install M$ junk.
Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge
This is going to lead to a massive swing towards Linux. I mean, my Mum can configure iptables to fit her needs without breaking a sweat, and she's not technical at all.
this is somehow strange... it must be some kind of a cheap excuse BECAUSE:
professionals want the firewall to be lame
you need to be a pro to make it non-lame-anymore
the average user is screwed...
if it was vice-versa it would be like this:
average users are kinda secured
professionals are kinda secured
if they want the firewall to be lame they could adjust it to be lame
you see, this shows that something odd is going on... if they did it vice-versa everyone would be happy, but this way the average user is screwed... that must be their intention...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I do not set up programs for "automagic" updates. I even manually update my AV software. When an application tries to "phone home", I check out what that application is, where it's calling, and *then* decide if I want to allow it. That's the entire purpose of a firewall which blocks outgoing traffic.
When I run a program that should have no reason to access the internet, and - the moment that it loads, it tries to "phone home", that is, IMNSHO, useful information. I can see that e.g. my new audio editing app is trying to upload a list of all of my locally hosted
.mp3 files to some outside server, &c. (e.g. Do you want to allow FreeWareAudioApp to access the Internet?), or -- better yet, that an app is listening for instructions (e.g. opening port 127.0.0.1:6669, to join a bot-net, &c.) from a remote source. That's not quite like asking me if I want to "Flang the Zip-Zop-zoodle".
>So I know for sure they weren't providing enough information to know whether to allow the traffic or not
You've put the spotlight on the key point. You haven't used Zone Alarm, but I have, and it has the same problem. For one thing, if something comes through the Windows equivalent of inetd, that's what Zone Alarm reports. Do you want Services and Controllers app to accept connections from the Internet? There's no way to answer that without some time-consuming and frustrating Googling through a bunch of people who mostly don't know either.
I stop media applications from phoning home and I keep Internet Explorer on a prompt-always basis so that I can stop it if it accidentally gets launched for something other than Windows Update.
All basic engineering. If you want a human, or a program, or a thermostat to make a correct decision you'd better make sure it has correct and useful information.
Wow, when it comes to MS, they always use terms like 'crippled' for turning something off for easier use for some people.
Look at Mac OS X, the entire firewall is turned off by DEFAULT. Now, let's see how they come up with a subject when they tell the story about this.
Oh wait, the Mac OS is a holy product they don't want to show the bad part of it, and never make it a story.
Seriously, what average user would even dig the system settings under Sharing in the second tab to realize their firewall is actually off?
At least as far as I can tell, MS turns it ON for those people...
I bet that they will have the full protection turned on only in the version that costs the most money, therefore making people that don't know the difference between spyware and Flash buy the most expensive version.
I want to take a moment here to thank you for your valuable service. Without your guidance to these customers I might never have heard the plight of Mr Crawford Leeds of Natwest Bank London, who is currently partnering with me in regards to the disposition of some inheritance monies held in trust by his bank.
Help stamp out iliturcy.
"But ZoneAlarm should detect those patterns (heck, maybe even by quering a zonealarm.com server or your-techie-nephew.com for info), and tell the user what he DOES want to know: the probability the connection is dangerous."
;)
;)
:( :)
It (paid versions I believe) does TRY to check. And one of the settings is to use these defaults. Although the database seems quite limited and missing some fairly common stuff, with virtually no answers on games that need network access. Your techie nephew will have a better database handy? Maybe he should send it to ZA.
Unfortunately both are probably based on name so the malware named after something is let thru anyways.....
There could certainly be a list with file size or checksum or something that allows more good stuff thru automatically than they do. Once they learn that much maybe they could open the correct for the correct app only while they are at it.
Hard stuff to solve.
I tell people to ok it if they added something that should need access, and nothing needs to be a server (they aren't installing games), and pray.
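The two ideas in this thread that actually fit together are the earlier description of application-level outbound filtering ("ask on first contact, then permit ALL or deny ALL for that app") and the suggestion just above that the remembered rule should be tied to a checksum of the program rather than its name, since malware named after something trusted otherwise gets let through. The following added example (my own code, not ZoneAlarm's, OneCare's or the Windows Firewall's) models both: a per-program rule table filled in by a single prompt, run once keyed on file name and once keyed on a SHA-256 of the executable image. The "executables" are constructed byte strings, the `cautious_user` prompt handler stands in for the vetted database the post wishes ZA shipped with, and every name below is an assumption for the illustration.

```python
"""Application-level outbound filter, keyed on name versus executable hash.

Added example, not code from any firewall product. Models the
"prompt once per program, then remember allow-all / deny-all" behaviour
described in the thread, and shows why keying the remembered rule on a
checksum of the program beats keying it on the file name: a program that
copies a trusted name gets its own prompt instead of inheriting the rule.
All executables below are constructed sample data, not real binaries.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Literal

Decision = Literal["allow", "deny"]
KeyMode = Literal["name", "digest"]


@dataclass(frozen=True)
class Program:
    name: str      # file name as the prompt would show it to the user
    image: bytes   # executable contents (constructed sample data)

    @property
    def digest(self) -> str:
        """Stable identity of the program regardless of what it is called."""
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class OutboundFilter:
    """Remembers one decision per key; prompts the user once for unknowns."""
    ask: Callable[[Program], Decision]
    key_on: KeyMode = "digest"
    rules: Dict[str, Decision] = field(default_factory=dict)
    prompts: int = 0                      # how often the user was bothered

    def _key(self, prog: Program) -> str:
        return prog.name if self.key_on == "name" else prog.digest

    def check(self, prog: Program) -> Decision:
        key = self._key(prog)
        if key not in self.rules:
            self.prompts += 1                  # first contact: ask once
            self.rules[key] = self.ask(prog)   # allow-all or deny-all for key
        return self.rules[key]                 # afterwards: silent lookup


# Constructed sample "executables": the browser the user installed, and a
# dropper that copied the browser's file name to blend in.
FIREFOX = Program("firefox.exe", b"constructed-sample-image: firefox")
IMPOSTOR = Program("firefox.exe", b"constructed-sample-image: dropper")


def cautious_user(prog: Program) -> Decision:
    """Prompt handler standing in for a vetted hash list (the 'database'
    the post wishes ZoneAlarm shipped with); unknown images are denied."""
    vetted = {FIREFOX.digest}
    return "allow" if prog.digest in vetted else "deny"


def run_scenario(key_on: KeyMode) -> dict:
    """Browser connects twice, then the impostor tries once."""
    fw = OutboundFilter(ask=cautious_user, key_on=key_on)
    decisions: List[Decision] = [
        fw.check(FIREFOX), fw.check(FIREFOX), fw.check(IMPOSTOR)
    ]
    return {"decisions": decisions, "prompts": fw.prompts}


if __name__ == "__main__":
    # name-keyed: the impostor silently inherits firefox.exe's allow rule;
    # digest-keyed: it is a new program, gets its own prompt, and is denied.
    for mode in ("name", "digest"):
        print(mode, run_scenario(mode))
```

The name-keyed run prompts once and then lets the impostor out with no question asked, which is exactly the failure the post describes; the digest-keyed run prompts twice (once per distinct image) and denies the impostor. The cost is the second prompt, and a legitimate update to the browser would also trigger a fresh prompt, which is the usability trade-off the thread keeps circling back to.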
Um, no, most of the vendors will not give a simple solution for letting their programs work without having to disable the firewall; they'll add "Disable your firewall" into the Level 1 droid checklist, much as they do for antivirus today.
It's far easier to blame the antivirus and firewall software when things don't work; after all, their code is perfect </sarcasm>
Also, you get the call closed quicker, you can make more money in the call centre by beating time targets, using less people to answer more calls, etc, etc ad nauseam
If you read the article, I'd think you'd figure out that M$ is following good business practice, I like to call it "Customer Demand". Crippled? C'mon slashdot, lose the freaking bias please, it's really annoying.
I've always thought that this was the original way of operating a firewall?
Surely if it's blocking incoming AND outgoing it's not a firewall, it's just a wall??
This makes sense considering originally you would be ok to trust outgoing connections seeing as you started them!
Obviously now they might not be trusted as much, but I would say that if a plain install of Vista has things connecting to the outside without your express permission, then that's the bigger problem.
----- I refuse to have an argument with an unarmed person