Slashdot Mirror


Vista Firewall to be Crippled

UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."

4 of 365 comments

  1. Re:Why? by chill · Score: 4, Informative

    One would expect that Enterprise customers could set this any way they want via Group Policy.

    You'd be surprised at the number of companies that are still running Win2K domain servers, Novell or NT Domains for their core. I've run into several, including quite a few who still have Win98 boxes on the network as single-purpose terminals.

    Workstations migrate in to an environment much quicker than servers do, so the companies see WinXP much faster than they can upgrade to Win2003.

    The majority of companies that I have talked to about Windows Firewall have it disabled totally. They have real firewalls at the gateways and per-machine firewalls can be a total nightmare in a Windows environment.

      -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
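As an added example that is not part of the article or of any comment in this thread: the summary says the Vista firewall ships blocking inbound only, and the comment above notes that enterprises can set the policy through Group Policy. The `netsh advfirewall` context that ships with Vista lets you make the same change on a single machine, and the resulting settings are what a GPO under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security would push to a domain. Program paths and rule names below are assumptions for illustration; run from an elevated prompt.

```powershell
# Added example (not from the article or the thread). Moves the Windows Firewall
# from the Vista default (block inbound, allow all outbound) to block-by-default in
# both directions, with explicit allow rules. Paths and rule names are assumptions.

# 1. Inspect the current default actions for the Domain, Private and Public profiles.
netsh advfirewall show allprofiles

# 2. Block both directions by default on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Whitelist the programs that legitimately need outbound access (assumed paths).
netsh advfirewall firewall add rule name="Allow Firefox out" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes
netsh advfirewall firewall add rule name="Allow Outlook out" dir=out action=allow program="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" enable=yes

# 4. Log dropped connections so blocked outbound attempts can be reviewed instead
#    of vanishing silently.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verify the policy and logging lines of the profile summary.
netsh advfirewall show allprofiles | Select-String -Pattern 'Firewall Policy','LogDroppedConnections'

# Windows 8 / Server 2012 and later expose the same settings as cmdlets, for example:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
#   New-NetFirewallRule -DisplayName "Allow Firefox out" -Direction Outbound -Program "C:\Program Files\Mozilla Firefox\firefox.exe" -Action Allow
```

Two caveats a practitioner would want before pushing this by GPO. First, the pre-existing built-in allow rules (the Core Networking group, for instance) stay in force, so DNS, DHCP and similar keep working, but every other program without an explicit outbound rule is dropped, which is exactly the per-machine "nightmare" the comment above warns about if it is rolled out untested. Second, review `pfirewall.log` for a while before enforcing: the drops it records are both your missing whitelist entries and any unexpected call-outs worth investigating.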
  2. Doesn't matter by Opportunist · Score: 2, Informative

    First of all, inbound is not even half of the problem. Considering the recent development of malware, outgoing is by far the preferred way of attacking for today's malware. Simply because of the increasing number of NAT routers.

    Second, I HOPE AND PRAY that they FINALLY add a "delay" to the "allow application to open connection" button. There's almost no current malware that does NOT create a thread to check in 5 ms intervals whether one of those allow-request windows is open and answer it in the preferred way for the malware before opening a connection, to make sure they get permissions.

    If this loophole isn't closed, any MS-firewall in learning mode is as good as no firewall at all. Actually it would be worse, because it gives you a false sense of security where there is none.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
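The race the comment above describes, and the "delay" it asks for, modelled as an added example that is not part of the thread and does not touch any real firewall UI. The `ConsentPrompt` class, the 1000 ms threshold and the 5 ms poll interval are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): a minimal model of an "allow this
# application?" prompt that records when it appeared and refuses an Allow answer
# that arrives sooner than a human could have read the dialog. All names and
# timings are assumptions for illustration.

class ConsentPrompt {
    [datetime] $ShownAt      # when the dialog was displayed
    [int]      $MinDelayMs   # minimum time before an Allow is honoured (0 = no delay)

    ConsentPrompt([datetime] $shownAt, [int] $minDelayMs) {
        $this.ShownAt    = $shownAt
        $this.MinDelayMs = $minDelayMs
    }

    # Returns the decision the firewall should act on for an answer given at $at.
    # Deny is always honoured; Allow is ignored (prompt stays open) if it is too fast.
    [string] Answer([string] $choice, [datetime] $at) {
        $elapsedMs = ($at - $this.ShownAt).TotalMilliseconds
        if ($choice -eq 'Allow' -and $elapsedMs -lt $this.MinDelayMs) {
            return 'Ignored'
        }
        return $choice
    }
}

# A malware thread that polls every 5 ms and clicks Allow as soon as it sees the window.
function Invoke-AutoClicker([ConsentPrompt] $prompt, [datetime] $shownAt, [int] $pollMs = 5) {
    return $prompt.Answer('Allow', $shownAt.AddMilliseconds($pollMs))
}

# A person who reads the dialog and answers after roughly a second (assumed reaction time).
function Invoke-HumanUser([ConsentPrompt] $prompt, [datetime] $shownAt, [int] $reactionMs = 1400) {
    return $prompt.Answer('Allow', $shownAt.AddMilliseconds($reactionMs))
}

$t0 = Get-Date

# Today's behaviour as the comment describes it: no delay, so the auto-clicker wins.
$noDelay = [ConsentPrompt]::new($t0, 0)
"No delay   - autoclicker: $(Invoke-AutoClicker $noDelay $t0)  human: $(Invoke-HumanUser $noDelay $t0)"

# With the requested delay the same 5 ms click is discarded while the human's answer stands.
$withDelay = [ConsentPrompt]::new($t0, 1000)
"1 s delay  - autoclicker: $(Invoke-AutoClicker $withDelay $t0)  human: $(Invoke-HumanUser $withDelay $t0)"

# Deny is never gated, so a fast Deny still closes the hole immediately.
"Fast deny  - $($withDelay.Answer('Deny', $t0.AddMilliseconds(5)))"
```

The model makes the commenter's point concrete: with `MinDelayMs` at zero the instant click is accepted, and the firewall is, as they say, no better than none; with the gate the poller's click is discarded and only the slower human answer is honoured. A gate like this is only one layer: a real implementation also has to stop the prompt from being dismissed by synthetic window messages, which a plain timer does not address.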
  3. Re:Neutrality in Slashdot by coastin · Score: 2, Informative

    I am trying to understand your point here, but when I go to TFA I see the headline

    "Vista firewall shackled due to customer demand: Microsoft"

    While the wording was not exact (for obvious reasons) it seems to me to reflect the gist of TFA. Am I missing something here?

    --
    I lost my sig...
  4. ZoneAlarm fails horribly GUI-wise by sangdrax · Score: 2, Informative

    That's not ZoneAlarm's fault, part of its basic functionality is to prompt the user to see if it's ok to allow the traffic. The fact that the user is an ignorant moron is no reason to remove a layer of protection. MS's enterprise customers have requested this because upper management is tired of the prompts to allow traffic, and doesn't understand (or care) about why they're there.

    The user cares and understands why ZoneAlarm is there: he does not want his system infected. The problem is that the user does not know the internal workings of his applications or OS, and thus is not in a position to really judge which connections are good and which are bad.

    This is where ZoneAlarm errs: the user should not HAVE to know which IP addresses and port numbers are bad. Heck, as a techie, even I don't want to have to know -- I have more interesting things to do. There are obviously patterns which allow us to judge roughly which connections to block. But ZoneAlarm should detect those patterns (heck, maybe even by querying a zonealarm.com server or your-techie-nephew.com for info), and tell the user what he DOES want to know: the probability the connection is dangerous.

    If ZoneAlarm is meant for the general audience, it fails miserably in terms of GUI. It also wouldn't hurt if applications could inform the user and ask for a retry if the firewall blocks the connection. The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings. As previous posters pointed out, users now generally quickly learn to accept everything to avoid having to bother their nephew every single damn time, otherwise stuff will probably break.