Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Firewall to be Crippled

Posted by ryuzaki0 on from the no-surprises-here dept.

UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."

32 of 365 comments (clear)

  1. So? by mytec · · Score: 5, Insightful

    Given the vast number of home users MS has, this would seem to make sense. Really, how many *average* home users know what ports their programs use? Further, how many of those customers will want to fight with their firewall to get things working before they get frustrated and just turn it off? Turning the firewall off is far worse than having a firewall that only blocks inbound connections.

    I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UPD vs TCP and ranges of ports is just not going to work for most non-technical people.

    Lastly, I think the request of the larger corporate customers and government makes sense. They don't want to micro-manage their machines.

    I don't understand the complaint here. MS is listening to their customers. Supposedly that is a good thing for a business to do, of course there is a limit. Secondly MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there. It's a tough problem, especially for non-technical users.

    1. Re:So? by EvilSS · · Score: 5, Insightful

      If Windows had a firewall that blocked outbound connections by default there would be an article on /. blasting them for breaking user's PC's out of the box. Like it or not most end users don't know what the hell a firewall is, much less how to configure one.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:So? by XMyth · · Score: 4, Insightful

      Right....because code running on the users machine can't modify the Windows Firewall settings itself....

    3. Re:So? by TheJediGeek · · Score: 5, Interesting

      Actually, I'd say most users know they're supposed to have a firewall. Most don't know what it does or why they need it, but thanks to Norton and McAfee making all these "security suites" which generally break more than they protect, and retailers like Best Buy selling firewall software with a router that has a hardware firewall, people have heard enough FUD that they NEED 12 firewalls per computer.

    4. Re:So? by penix1 · · Score: 4, Insightful

      "Like it or not most end users don't know what the hell a firewall is, much less how to configure one."

      Which is why the default configuration is so important. Let's put this in perspective shall we...

      Enterprise company A wants outgoing connections open and have the resources to configure them.

      Home customer B doesn't have a clue.

      Microsoft's solution....

      We go with A because they are paying more money than B not because it is the "right" thing to do.

      B.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    5. Re:So? by EvilSS · · Score: 4, Insightful

      I'd love to educate the users. Hell, if they were educated on the basics of security they wouldn't even need outbound connection blocking, they would know better than to install every dumbass program because it has cute smilies or kittens or whatnot.

      Reality is if outbound connections are blocked they are just going to click Yes every time they are asked to allow a connection. This is exactly how ActiveX malware became so popular. All blocking outbound is going to do is create more problems for people like us when mom or grandma calls up because their new PC doesn't work. It won't stop botnets or any other malware.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    6. Re:So? by SatanicPuppy · · Score: 4, Insightful

      Meh. I think you're forgetting that Home and Enterprise users will be buying different "flavors" of Vista.

      There is no reason that you couldn't reverse your analogy...Be really restictive for home users, because enterprise users will have someone who is capable of opening the needed ports. Configuring a firewall is easy, if you have a baseline of technical knowledge.

      I think the big reason why they left the restrictions low by default is not because they thought that enterprise users were too stupid to figure out how to change the settings, but because they thought home users were too stupid to change the settings. Think about it. Dad's Turbo Tax program won't e-file. Mom's "Sims II" won't autopatch. Juniors games won't play online. They'll be calling MS tech support every two days, and be mad as hell, forcing MS to "patch" the firewall down to somethign that won't piss off the average user.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    7. Re:So? by rjstanford · · Score: 4, Insightful

      That's funny. I've worked IT for over 15 years now, and the Windows Firewall still confuses me from time to time. "Run DLL as an App has requested access to the internet. Allow or Deny?" Heck, I don't know, that's not enough information to make the decision. I denied it, but I'm still curious. Add to that the number of times that product installation will be interrupted with a (non-taskbar-visible) Firewall window and will fail, and I can see why an awful lot of non-computer-people would be confused and alarmed.

      --
      You're special forces then? That's great! I just love your olympics!
  2. Scripted Install by Stealth210 · · Score: 5, Insightful

    Don't most enterprise customers use scripted installs/images? Why would the default configuration matter at that point?

  3. Cuts Both Ways by dsginter · · Score: 5, Funny

    because that is what enterprise customers have requested

    So, if Microsoft listens to their customers, they make slashdotters angry but if they block bittorrent, they make slashdotters angry.

    I think that I'm starting to get this...

    --
    More
    1. Re:Cuts Both Ways by TheCarp · · Score: 5, Insightful

      In the past, and still, I have been a huge microsoft critic. I hate their buisness tactics, I dislike their software. Windows just annoys the hell out of me. I far prefer X.

      This however is a very sensible move.

      Honestly, I have the knowledge to deal with my own firewall rules, hell, I just the other day had to wrestle iptables and the nfs deamons to play nice so my kickstart server would work right.

      I still think outbound filtering is a royal pain in my ass. I mean sure its pretty easy to remember to open incomming ports but... outgoing? Now every time I use a new peice of software, I have to figure out what ports it wants to connect out to?

      Ugh. Thats fine for a server, and... in fact, I use it on my colo box. However... on a desktop, where a user expects to pick up a new peice of software and play with it on a fairly regular basis?

      No fucking way.

      Good job microsoft. You made a very sensible decision. Now if they would just come over to the free software movement and GPL windows, that would be awesome.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Cuts Both Ways by aardvarkjoe · · Score: 4, Funny
      M$ does not exist to make /. angry.
      Maybe, but sometimes I think that /. exists to get angry about Microsoft.
      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  4. MS is right. by Tweekster · · Score: 5, Funny

    Whenever I install a firewall that will block outgoing applications, and make sure everything needed is allowed already such as IM, email etc. The first thing a user does when they see that screen is click "Yes always allow Trojan.I.Steal.Credit.Card.Numbers.and.kick.puppie s.Trojan"

    Atleast the incoming is blocked like it should be, it would be nice if there was a way to flash bright red so obnoxiously, and make the user think for a second. Like how firefox makes you wait before clicking yes. Possibly by moving the yes button around and saying "YOU PROBABLY DONT WANT TO ALLOW THIS" and then repeat. "ARE YOU ABSOLUTELY POSITIVE"
    then deny it regardless of what the user says :)

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis
  5. Crippled is an exaggeration by Junior+J.+Junior+III · · Score: 4, Insightful

    Crippled would be if the functionality were not present, or so badly broken that it does not work properly. Including the functionality but not enabling it by default is not crippling. Microsoft has a long history of enabling wide-open security settings by default, so this is really nothing new, if anything it's halfway to an improvement.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  6. Entreprise customers? by ElGanzoLoco · · Score: 4, Insightful

    Yeah, it was the "enterprise customers" all right: I imagine the phone calls from Symantec, Kaspersky, FSecure et al: hey Microsoft, leave them damn ports open or we'll outta business pretty soon! (relax. It's just a lame joke)

    --
    Hello! I'm a disaster waiting to happen!
  7. Aren't there 7 versions of Vista? by sotweed · · Score: 5, Insightful

    I believe MS outlined 7 different versions for different markets... home, enterprise, small business, entertainment center, etc. Why wouldn't they configure the firewall in each of these by default to be what's appropriate for
    its target market, rather than letting the desires of the Fortune 500 wag my
    mother's machine in a less than completely safe way? Given the world's recent
    experience with various forms of malware, erring on the side of safety certainly seems to be justified.

  8. Why? by marcovje · · Score: 4, Insightful


    One would expect that Entreprise customers could set this anyway they want via Group Policy

    1. Re:Why? by chill · · Score: 4, Informative

      One would expect that Entreprise customers could set this anyway they want via Group Policy.

      You'd be surprised at the number of companies that are still running Win2K domain servers, Novell or NT Domains for their core. I've run into several, including quite a few who still have Win98 boxes on the network as single-purpose terminals.

      Workstations migrate in to an environment much quicker than servers do, so the companies see WinXP much faster than they can upgrade to Win2003.

      The majority of companies that I have talked to about Windows Firewall have it disabled totally. They have real firewalls at the gateways and per-machine firewalls can be a totaly nightmare in a Windows environment.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
  9. crippled? by AxemRed · · Score: 5, Insightful

    I wouldn't call this crippled. All you have to do is turn it on. I guess that my copy of Civilization 4 is crippled too, because I had to install it.

    Seriously, though... blocking incoming traffic is more than half that battle. It is my understanding that blocking outgoing traffic is mainly useful after your system has been compromised.

  10. Inbound is the important one. by caluml · · Score: 4, Insightful

    I think that blocking incoming traffic is by far the most important thing on Windows boxes. We don't want another Code Red/Nimda.
    Who here, honestly blocks outgoing traffic too on their home networks? I could, but I don't bother. Why? I run a tight enough ship to know that there won't be weird traffic going out, and I can't be bothered with the extra admin needed to keep everything happy and working.

    --
    Get your own free personal location tracker
  11. Half So? by QuaintRealist · · Score: 5, Insightful

    Up to a point, I have to agree with you. The average home user is just not used to the level of annoyance it takes to train and maintain an outgoing firewall. I installed ZoneAlarm on my parent's computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet. And many corporate users don't really care about the defaults - they are going to have IT manage it anyway.

    But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this? Many of XPs problems are related to its homogeneity...

    --
    Using plain ol' text since 1968
    1. Re:Half So? by Imsdal · · Score: 4, Insightful
      Probably not. The firewall only added value if it ever corectly stopped a program from gaining access.

      The GP doesn't indicate if that was the case or not, but I know that when I used ZoneAlarm, I never even once denied an application access.

      I am willing to bet good money that in 90% of typical homes, the users accept everything. Or they deny one thing once which they should have accepted, which breaks some functionality. They then "learn the lesson" and accept everything from then on, including whatever malware they may have.

      Come to think of it, I have never heard of a success story where someone got infected, but micromanaging the firewall prevented the infection from creating havoc. I'm sure they exist, but I doubt they are common.

    2. Re:Half So? by 2short · · Score: 4, Insightful

      Whose the more moronic, the moron, or the moron who knows the first one is a moron, but depends on him for security decisions anyway?

      Prompts to ask whether certain traffic should be allowed are not are idiotic if the person you are asking doesn't know. Most users don't know, care, want to know, or wish to have to care what a UDP port is. You can call them "ignorant morons" for this if you like, they probably don't care waht you think of them either. Regardless, if ZoneAlarm derives it's "security" by asking such users to make technical security decisions, it's not adding anything. I've not used ZoneAlarm, but have used Norton. Because I have much more knowledge than most of their users would be expected to, I actually do know what the prompts were talking about. So I know for sure they weren't providing enough information to know whether to allow the traffic or not.

      I could write you a program that pops up a prompt every 30 seconds or so. This propmt will say "Flang the Zip-Zop-zoodle?". If you click "OK", nothing will happen. If you click "Cancel" it will kill a randomly selected process (which could be malware after all). After the first day, do you think you'll hit "cancel" much? This script will add exactly as much value as the "security suites" I have seen.

  12. Then why the all the versions? by HiredMan · · Score: 4, Interesting

    So why have 21 different versions of Vista if NOT to have a consumer version with as much protection as possible with as few services running as possible? A business office version you assume will be configured by an IT guy that has difficult to admin - but very flexible and detailed - firewall options. Yes.

    But to not a have a 1 button "Protect me on the internets" button for grandma? That's MS effectively selling off its consumer base to big corporations at their request.

    =Tod

    --
    Bill Gates - Creationist?!?
  13. Makes sense by MobyDisk · · Score: 4, Insightful

    1) Most home users get annoyed at having to click on the options to allow outgoing connections, and they generally aren't concerned about applications "calling home."

    2) The biggest culprit for applications that call home is Microsoft, and the Windows firewall doesn't block Microsoft applications anyway. (The biggest reason I have a 3rd-party firewall is to block outgoing connections from IE, Explorer, and Windows Media player)

    3) Serious attacks come from incoming connections (or Trojans, which a traditional firewall can't stop anyway.) so this doesn't matter for them.

  14. Eh? how is "normal"=="crippled"? by eekygeeky · · Score: 5, Insightful

    crippled? how about "industry standard for home and light commercial use"?

    what's wrong with INBOUND:BLOCK ALL - OUTBOUND:ALLOW ALL?

    every NAT/router/firewall/shiny magic internet thing i;ve seen, oh, in the last 7 eons of mankind's glorious history is set up just so.

  15. Re:In all honesty... by corellon13 · · Score: 4, Insightful

    FTA: The Microsoft spokesperson said that Vista's firewall is just one layer of security in the new operating system: "New features such as User Account Control (UAC), Windows Defender, and Internet Explorer Protected Mode along with improvements to Windows Firewall and Windows Update work together to help shield Windows Vista PCs from malware."

    The point is that there is no one solution to security. You need to have a layered approach (i.e. hardware, software, policies, etc.). Placing a router in front of you and the Internet isn't enough. Corporate networks do have a lot more in the way of the user and the Internet. Thus, the reason they don't want a lot of ports being blocked from the user desktop perspective; they've already got ACL's, firewalls, etc. to block what they want blocked.

    Turning this feature on will cause a firestorm of help desk tickets at the corporate level and cause your phone and mine to ring off the hook with calls from clueless relatives trying to figure out why they can't go online. IMHO I think it is a good decision for the right reasons.

    --
    Do what is right and let the consequence follow
  16. This is probably for their OEM customers... by slew · · Score: 4, Insightful


    OEM customers (e.g., Dell, HP, Gateway, etc) often ship their PCs with dozens of what I call "shovel-ware" (trial versions of useless software that OEMs pile on heaps on the desktop). Often this shovel-ware likes to call home occasionally to notify you of "new updates available for download" and other such nonsense.

    I'm sure it's very embarrasing (and costly) to the OEMs when they get support calls from their own customers when the microsoft outbound firewall blocks the shovelware and flashes up a dialog box. So they probably just asked microsoft to ship the firewall so that the outbound firewall doesn't validate the application (which makes it too easy for end users to "accidentally" disable the shovelware and too easy for experienced users to get a list of all the shovelware polluting their machines from the "allowed" list and uninstall it). Of course microsoft doesn't want to have too many configs out there, so they just make this the default setting out of the box.
    </TINFOILHAT>

    Sure microsoft is listening to their customers, it's just their OEM customers...

  17. Neutrality in Slashdot by Siberwulf · · Score: 4, Insightful

    I always come to slashdot with the broad, and sometimes naive assumption that the articles provided will be neutral. Whether or not the responses to these articles are neutral is another story, and any biased there towards OSS, away from MS, agaisnt Apple, or whatever, is just fine in my book. Thats what makes the internet great.

    That said, I strongly detest the wording of this headline and the tagline below it. Especially from CmdrTaco.

    When I read the topic in RSS, I thought that some features would be removed from the exisitng firewall, or that some key features would require a paid subscription to be activated. When I read the summary, however, I realized that was not the case. The attitude on slashdot towards Microsoft (as well as any other non-OSS business model that seems to work) is jaded and negative enough without being given a predisposition via headlines like this.

    The summary in 1.5: Negative, misleading headlines need to go.

    So, mod me down for offtopic, mod me down for Troll, mod me down for Redundant. My Karma can take it. Or, if you agree, mod the other way ;)

  18. I'm all for it. by Glamdrlng · · Score: 4, Interesting

    Right now I get mad props at work for keeping bagel, netsky, and mydoom at bay through attachment and AV blocking, spam filtering, and a little bit of shell scripting. Here I was afraid that those would go away and I'd have to find something else to justify my existence within the next couple years. Now it looks like I'm in good shape til at least 2010. Thanks Microsoft!

    ps - Other AV programs probably do this, but in case anyone's interested the firewall built into McAfee VirusScan Enterprise v8 blocks SMTP and IRC communication outbound by default unless the executable firing up the communication belongs to a specific set of known email and IRC clients. Good times...

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  19. Sensational headline is just plain wrong by prisoner-of-enigma · · Score: 4, Insightful

    OK, folks...at what point does the Windows bashing just become so silly that it's wrong. Oh, wait...we reached that point long ago.

    The headline is just wrong. The Vista firewall is no more "crippled" than iptables is "crippled" in Fedora. Microsoft is making the default behavior identical to the XP firewall, but getting bidirectional port filtering/blocking is merely a matter of turning it on. The whole "requiring various degrees of technical expertise" is a ridiculous red herring coming from a website where Linux users constantly preach their technical superiority to the common lowly user. Pardon me, would you like some elitism with that pedantic whine?

    For the vast majority of users, bidirectional firewalling is overkill. For those who want it, it can be turned on. This isn't a story, it's propaganda masquerading as news. I swear, Microsoft tries to improve things (adding the ability to do outbound blocking), and all /. can do is whine that it isn't turned on by default. Last time I checked, lots of Linux distros come setup this way as well, yet I don't see anyone moaning about that.

    Microsoft is the competitor, not the enemy. Quit making this whole crusade a personal affair and this silly anti-MS bias will disappear.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  20. Thank you! by semifamous · · Score: 4, Interesting

    I work at an ISP doing Tech Support.

    On a daily basis, I get calls from users of Norton Internet Security or McAfee Security Center (or whaever "I don't know, whatever came with my computer") who, for some reason, can't get Internet Explorer/Outlook Express to work. They don't know what a firewall *is* let alone how to configure it.

    If I suggest they turn of that firewall and try it, everything is suddenly happy again.

    Many of them don't understand. "It worked fine yesterday/last week/last year and I haven't changed anything..."

    I specifically despise the Norton firewall as it seems to be the most popular problem causer.

    I am glad that Microsoft isn't turning this feature on by default because many clueless lusers will accidentally block the programs that they're trying to use and then not understand why it doesn't work anymore.

    Frequently these users try to blame us at the ISP, not realizing that it's their own fault. Firewalls are my most frequent frustration, and I'm glad this one will behave the way it will.