Slashdot Mirror


Vista Firewall to be Crippled

UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."

11 of 365 comments

  1. So? by mytec · · Score: 5, Insightful

    Given the vast number of home users MS has, this would seem to make sense. Really, how many *average* home users know what ports their programs use? Further, how many of those customers will want to fight with their firewall to get things working before they get frustrated and just turn it off? Turning the firewall off is far worse than having a firewall that only blocks inbound connections.

    I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UDP vs TCP and ranges of ports is just not going to work for most non-technical people.

    Lastly, I think the request of the larger corporate customers and government makes sense. They don't want to micro-manage their machines.

    I don't understand the complaint here. MS is listening to their customers. Supposedly that is a good thing for a business to do; of course there is a limit. Secondly, MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there. It's a tough problem, especially for non-technical users.

    1. Re:So? by EvilSS · · Score: 5, Insightful

      If Windows had a firewall that blocked outbound connections by default there would be an article on /. blasting them for breaking users' PCs out of the box. Like it or not, most end users don't know what the hell a firewall is, much less how to configure one.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:So? by TheJediGeek · · Score: 5, Interesting

      Actually, I'd say most users know they're supposed to have a firewall. Most don't know what it does or why they need it, but thanks to Norton and McAfee making all these "security suites" which generally break more than they protect, and retailers like Best Buy selling firewall software with a router that has a hardware firewall, people have heard enough FUD that they NEED 12 firewalls per computer.

  2. Scripted Install by Stealth210 · · Score: 5, Insightful

    Don't most enterprise customers use scripted installs/images? Why would the default configuration matter at that point?

  3. Cuts Both Ways by dsginter · · Score: 5, Funny

    "because that is what enterprise customers have requested"

    So, if Microsoft listens to their customers, they make slashdotters angry but if they block bittorrent, they make slashdotters angry.

    I think that I'm starting to get this...

    --
    More
    1. Re:Cuts Both Ways by TheCarp · · Score: 5, Insightful

      In the past, and still, I have been a huge Microsoft critic. I hate their business tactics, I dislike their software. Windows just annoys the hell out of me. I far prefer X.

      This however is a very sensible move.

      Honestly, I have the knowledge to deal with my own firewall rules, hell, I just the other day had to wrestle iptables and the NFS daemons to play nice so my kickstart server would work right.

      I still think outbound filtering is a royal pain in my ass. I mean sure it's pretty easy to remember to open incoming ports but... outgoing? Now every time I use a new piece of software, I have to figure out what ports it wants to connect out to?

      Ugh. That's fine for a server, and... in fact, I use it on my colo box. However... on a desktop, where a user expects to pick up a new piece of software and play with it on a fairly regular basis?

      No fucking way.

      Good job, Microsoft. You made a very sensible decision. Now if they would just come over to the free software movement and GPL Windows, that would be awesome.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  4. MS is right. by Tweekster · · Score: 5, Funny

    Whenever I install a firewall that will block outgoing applications, and make sure everything needed is allowed already such as IM, email, etc., the first thing a user does when they see that screen is click "Yes always allow Trojan.I.Steal.Credit.Card.Numbers.and.kick.puppies.Trojan"

    At least the incoming is blocked like it should be. It would be nice if there was a way to flash bright red so obnoxiously, and make the user think for a second. Like how Firefox makes you wait before clicking yes. Possibly by moving the yes button around and saying "YOU PROBABLY DON'T WANT TO ALLOW THIS" and then repeat. "ARE YOU ABSOLUTELY POSITIVE"
    then deny it regardless of what the user says :)

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis
  5. Aren't there 7 versions of Vista? by sotweed · · Score: 5, Insightful

    I believe MS outlined 7 different versions for different markets... home, enterprise, small business, entertainment center, etc. Why wouldn't they configure the firewall in each of these by default to be what's appropriate for its target market, rather than letting the desires of the Fortune 500 wag my mother's machine in a less than completely safe way? Given the world's recent experience with various forms of malware, erring on the side of safety certainly seems to be justified.

  6. crippled? by AxemRed · · Score: 5, Insightful

    I wouldn't call this crippled. All you have to do is turn it on. I guess that my copy of Civilization 4 is crippled too, because I had to install it.

    Seriously, though... blocking incoming traffic is more than half that battle. It is my understanding that blocking outgoing traffic is mainly useful after your system has been compromised.

  7. Half So? by QuaintRealist · · Score: 5, Insightful

    Up to a point, I have to agree with you. The average home user is just not used to the level of annoyance it takes to train and maintain an outgoing firewall. I installed ZoneAlarm on my parents' computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet. And many corporate users don't really care about the defaults - they are going to have IT manage it anyway.

    But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this? Many of XP's problems are related to its homogeneity...

    --
    Using plain ol' text since 1968
  8. Eh? how is "normal"=="crippled"? by eekygeeky · · Score: 5, Insightful

    crippled? how about "industry standard for home and light commercial use"?

    what's wrong with INBOUND:BLOCK ALL - OUTBOUND:ALLOW ALL?

    every NAT/router/firewall/shiny magic internet thing i've seen, oh, in the last 7 eons of mankind's glorious history is set up just so.
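
Added example, not part of the original thread or any commenter's post: the two default policies the thread argues about, and the per-program versus per-port outbound rules mytec contrasts, written for the `netsh advfirewall` context that ships with Vista. The rule names and the program path are hypothetical; the commands assume an elevated command prompt.

```bat
rem Show the current default inbound/outbound action for every profile.
netsh advfirewall show allprofiles firewallpolicy

rem The shipped default described in the story:
rem inbound blocked unless a rule allows it, outbound allowed.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem The stricter setting: outbound is also blocked unless a rule allows it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem Per-program outbound allow rule: no port knowledge required.
rem (Hypothetical application path and rule name.)
netsh advfirewall firewall add rule name="ExampleApp outbound" dir=out action=allow program="C:\Program Files\ExampleApp\example.exe" enable=yes

rem Per-port outbound allow rule: the admin has to know protocol and port.
rem (Hypothetical rule name; any program may use this port.)
netsh advfirewall firewall add rule name="HTTPS outbound" dir=out action=allow protocol=TCP remoteport=443 enable=yes

rem Log dropped connections so blocked outbound attempts can be reviewed
rem before deciding which further rules are needed.
netsh advfirewall set allprofiles logging droppedconnections enable

rem Review the outbound rules now in effect.
netsh advfirewall firewall show rule name=all dir=out
```

With outbound blocking on, the dropped-connection log (by default `%systemroot%\system32\LogFiles\Firewall\pfirewall.log`) is where an administrator sees which programs were stopped, which is the review step the interactive "allow this program?" prompts discussed above hand to the end user.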