Slashdot Mirror
Vista Firewall to be Crippled
UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."
Given the vast number of home users MS has, this would seem to make sense. Really, how many *average* home users know what ports their programs use? Further, how many of those customers will want to fight with their firewall to get things working before they get frustrated and just turn it off? Turning the firewall off is far worse than having a firewall that only blocks inbound connections.
I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UPD vs TCP and ranges of ports is just not going to work for most non-technical people.
Lastly, I think the request of the larger corporate customers and government makes sense. They don't want to micro-manage their machines.
I don't understand the complaint here. MS is listening to their customers. Supposedly that is a good thing for a business to do, of course there is a limit. Secondly MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there. It's a tough problem, especially for non-technical users.
Blocking outbound by default is mostly going to protect the rest of the internet from your owned box spamming/ddosing/etc them. (I guess you're outbound connection could get hosed too).
On a side note, from TFAYes MS, its hard to setup properly - thats why you have to have it turned on by default
At least it's better then Apple's Firewall (turned off by default, PITA to block outbound traffic).
There are shills on slashdot. Apparently, I'm one of them.
Don't most enterprise customers use scripted installs/images? Why would the default configuration matter at that point?
Crippled would be if the functionality were not present, or so badly broken that it does not work properly. Including the functionality but not enabling it by default is not crippling. Microsoft has a long history of enabling wide-open security settings by default, so this is really nothing new, if anything it's halfway to an improvement.
You see? You see? Your stupid minds! Stupid! Stupid!
Yeah, it was the "enterprise customers" all right: I imagine the phone calls from Symantec, Kaspersky, FSecure et al: hey Microsoft, leave them damn ports open or we'll outta business pretty soon! (relax. It's just a lame joke)
Hello! I'm a disaster waiting to happen!
I believe MS outlined 7 different versions for different markets... home, enterprise, small business, entertainment center, etc. Why wouldn't they configure the firewall in each of these by default to be what's appropriate for
its target market, rather than letting the desires of the Fortune 500 wag my
mother's machine in a less than completely safe way? Given the world's recent
experience with various forms of malware, erring on the side of safety certainly seems to be justified.
Why the hell would anyone other than a dial-up user need to have a firewall enabled under Windows? Everyone with broadband should have some other device between their computer and the big, bad internet to handle firewall duties. Corporate networks had better damned well have some security at the gateway to the WAN/internet.
One would expect that Entreprise customers could set this anyway they want via Group Policy
I wouldn't call this crippled. All you have to do is turn it on. I guess that my copy of Civilization 4 is crippled too, because I had to install it.
Seriously, though... blocking incoming traffic is more than half that battle. It is my understanding that blocking outgoing traffic is mainly useful after your system has been compromised.
I think that blocking incoming traffic is by far the most important thing on Windows boxes. We don't want another Code Red/Nimda.
Who here, honestly blocks outgoing traffic too on their home networks? I could, but I don't bother. Why? I run a tight enough ship to know that there won't be weird traffic going out, and I can't be bothered with the extra admin needed to keep everything happy and working.
Get your own free personal location tracker
Up to a point, I have to agree with you. The average home user is just not used to the level of annoyance it takes to train and maintain an outgoing firewall. I installed ZoneAlarm on my parent's computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet. And many corporate users don't really care about the defaults - they are going to have IT manage it anyway.
But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this? Many of XPs problems are related to its homogeneity...
Using plain ol' text since 1968
In the past, and still, I have been a huge microsoft critic. I hate their buisness tactics, I dislike their software. Windows just annoys the hell out of me. I far prefer X.
This however is a very sensible move.
Honestly, I have the knowledge to deal with my own firewall rules, hell, I just the other day had to wrestle iptables and the nfs deamons to play nice so my kickstart server would work right.
I still think outbound filtering is a royal pain in my ass. I mean sure its pretty easy to remember to open incomming ports but... outgoing? Now every time I use a new peice of software, I have to figure out what ports it wants to connect out to?
Ugh. Thats fine for a server, and... in fact, I use it on my colo box. However... on a desktop, where a user expects to pick up a new peice of software and play with it on a fairly regular basis?
No fucking way.
Good job microsoft. You made a very sensible decision. Now if they would just come over to the free software movement and GPL windows, that would be awesome.
-Steve
"I opened my eyes, and everything went dark again"
1) Most home users get annoyed at having to click on the options to allow outgoing connections, and they generally aren't concerned about applications "calling home."
2) The biggest culprit for applications that call home is Microsoft, and the Windows firewall doesn't block Microsoft applications anyway. (The biggest reason I have a 3rd-party firewall is to block outgoing connections from IE, Explorer, and Windows Media player)
3) Serious attacks come from incoming connections (or Trojans, which a traditional firewall can't stop anyway.) so this doesn't matter for them.
Given that Microsoft has announced different versions of Vista for enterprise, home users, power users and so on, why would they cripple the firewall across the entire line? It seems to me that with all the versions they're planning, it would be a simple matter to keep the firewall off for those versions sold to enterprise customers, and leave it alone for everyone else. And speaking as someone who has had to deal with the fuckery of the windows firewall in an enterprise environment, I can't say I'm disappointed by that.
Some system level protection is always important(like starting off with a secure OS!) however I can tell you from my experiences remotely managing XP systems that the local firewall can be a major headache. In our office we have hardware based firewalls or firewall feature set routers at/on every subnet router. Its much easier managing a handful of hardware devices versus hundreds of individual software based firewalls that don't work half the time anyway.
crippled? how about "industry standard for home and light commercial use"?
what's wrong with INBOUND:BLOCK ALL - OUTBOUND:ALLOW ALL?
every NAT/router/firewall/shiny magic internet thing i;ve seen, oh, in the last 7 eons of mankind's glorious history is set up just so.
On a technical side however, I don't see why this is a yes-or-no proposition. What would prevent the installer to ask a question like: "Do you want the firewall to block outgoing traffic? Yes/No" (with some blurb explaining to non-geeks why they might/might not need it, what implications it might have, and how to change one's decision later on).
OEM customers (e.g., Dell, HP, Gateway, etc) often ship their PCs with dozens of what I call "shovel-ware" (trial versions of useless software that OEMs pile on heaps on the desktop). Often this shovel-ware likes to call home occasionally to notify you of "new updates available for download" and other such nonsense.
I'm sure it's very embarrasing (and costly) to the OEMs when they get support calls from their own customers when the microsoft outbound firewall blocks the shovelware and flashes up a dialog box. So they probably just asked microsoft to ship the firewall so that the outbound firewall doesn't validate the application (which makes it too easy for end users to "accidentally" disable the shovelware and too easy for experienced users to get a list of all the shovelware polluting their machines from the "allowed" list and uninstall it). Of course microsoft doesn't want to have too many configs out there, so they just make this the default setting out of the box.
</TINFOILHAT>
Sure microsoft is listening to their customers, it's just their OEM customers...
Let's sacrifice the quality for people who don't know what they need to please those that don't know what they want!
Sarcasm!
"I'm not religious, but at the same time I don't get why science always has to have something to prove."
I always come to slashdot with the broad, and sometimes naive assumption that the articles provided will be neutral. Whether or not the responses to these articles are neutral is another story, and any biased there towards OSS, away from MS, agaisnt Apple, or whatever, is just fine in my book. Thats what makes the internet great.
;)
That said, I strongly detest the wording of this headline and the tagline below it. Especially from CmdrTaco.
When I read the topic in RSS, I thought that some features would be removed from the exisitng firewall, or that some key features would require a paid subscription to be activated. When I read the summary, however, I realized that was not the case. The attitude on slashdot towards Microsoft (as well as any other non-OSS business model that seems to work) is jaded and negative enough without being given a predisposition via headlines like this.
The summary in 1.5: Negative, misleading headlines need to go.
So, mod me down for offtopic, mod me down for Troll, mod me down for Redundant. My Karma can take it. Or, if you agree, mod the other way
"Do you wish to allow 'Amanda Peet Naked.You_must_allow_to_see_her_naked.jpg.scr' to access the internet?"
[yes] [no] [cryptic help page]
-M
when you see the word 'Linux', drink!
So it's not really crippled, it can be configured for outbound protection. Maybe the "varying degree of technical knowledge" implies that it's not as straightforward as a nice GUI configuration window and hence "crippled" in that respect.
Saying it is "crippled" would imply that the outbound protection code exists, but it is permanently disabled, i.e. not configurable at all.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
OK, folks...at what point does the Windows bashing just become so silly that it's wrong. Oh, wait...we reached that point long ago.
/. can do is whine that it isn't turned on by default. Last time I checked, lots of Linux distros come setup this way as well, yet I don't see anyone moaning about that.
The headline is just wrong. The Vista firewall is no more "crippled" than iptables is "crippled" in Fedora. Microsoft is making the default behavior identical to the XP firewall, but getting bidirectional port filtering/blocking is merely a matter of turning it on. The whole "requiring various degrees of technical expertise" is a ridiculous red herring coming from a website where Linux users constantly preach their technical superiority to the common lowly user. Pardon me, would you like some elitism with that pedantic whine?
For the vast majority of users, bidirectional firewalling is overkill. For those who want it, it can be turned on. This isn't a story, it's propaganda masquerading as news. I swear, Microsoft tries to improve things (adding the ability to do outbound blocking), and all
Microsoft is the competitor, not the enemy. Quit making this whole crusade a personal affair and this silly anti-MS bias will disappear.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Naturally.