Vista Firewall to be Crippled

UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."

  • So? (Score:5, Insightful)

    by mytec ( 686565 ) * on Wednesday April 26, 2006 @09:31AM (#15204478) Journal

    Given the vast number of home users MS has, this would seem to make sense. Really, how many *average* home users know what ports their programs use? Further, how many of those customers will want to fight with their firewall to get things working before they get frustrated and just turn it off? Turning the firewall off is far worse than having a firewall that only blocks inbound connections.

    I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UDP vs TCP and ranges of ports is just not going to work for most non-technical people.

    Lastly, I think the request of the larger corporate customers and government makes sense. They don't want to micro-manage their machines.

    I don't understand the complaint here. MS is listening to their customers. Supposedly that is a good thing for a business to do, of course there is a limit. Secondly MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there. It's a tough problem, especially for non-technical users.

    • Half So? (Score:5, Insightful)

      by QuaintRealist ( 905302 ) * <quaintrealist&gmail,com> on Wednesday April 26, 2006 @09:39AM (#15204543) Homepage Journal
      Up to a point, I have to agree with you. The average home user is just not used to the level of annoyance it takes to train and maintain an outgoing firewall. I installed ZoneAlarm on my parent's computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet. And many corporate users don't really care about the defaults - they are going to have IT manage it anyway.

      But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this? Many of XP's problems are related to its homogeneity...
      • I like the point you raise.

      • Re:Half So? (Score:2, Insightful)

        by Anonymous Coward
        I installed ZoneAlarm on my parent's computer, and get calls or emails routinely asking if they should OK a particular program's desire to access the internet.

        So you mean, like, the firewall is actually doing its job?
        • Re:Half So? (Score:5, Insightful)

          by Imsdal ( 930595 ) on Wednesday April 26, 2006 @10:37AM (#15205043)
          Probably not. The firewall only added value if it ever correctly stopped a program from gaining access.

          The GP doesn't indicate if that was the case or not, but I know that when I used ZoneAlarm, I never even once denied an application access.

          I am willing to bet good money that in 90% of typical homes, the users accept everything. Or they deny one thing once which they should have accepted, which breaks some functionality. They then "learn the lesson" and accept everything from then on, including whatever malware they may have.

          Come to think of it, I have never heard of a success story where someone got infected, but micromanaging the firewall prevented the infection from creating havoc. I'm sure they exist, but I doubt they are common.

      • Re:Half So? (Score:2, Interesting)

        by misleb ( 129952 )
        But I have to ask, what is the point of Microsoft splitting Vista into however many different versions if not to have a granular response to problems like this?

        The point is to confuse customers and to unnecessarily inflate the price of the more "advanced" version... as if leaving out features actually saves Microsoft money in producing it.

        Many of XP's problems are related to its homogeneity...

        Exactly what I've been saying for years. We need to get more Windows distributions. Maybe a "Debian" version. A "RedH
        • Re:Half So? (Score:3, Insightful)

          by Imsdal ( 930595 )
          The point is to confuse customers and to unnecessarily inflate the price of the more "advanced" version... as if leaving out features actually saves Microsoft money in producing it.

          No, actually, the point is that you don't know the first thing about pricing, and, to quote a famous thinker "since when did ignorance become a point of view?"

          The classic example of pricing schemes such as this is in pocket calculators where an entire line of calculators use the same chip and the only difference is the number

    • Re:So? (Score:3, Interesting)

      by mwvdlee ( 775178 )
      XP SP2's firewall is easy to configure for a typical application; wait for the firewall to pop up a window asking whether the application can access the internet and. The message is simple enough to be understood by anybody who knows what an "application" and "internet" is.
      • Re:So? (Score:5, Insightful)

        by rjstanford ( 69735 ) on Wednesday April 26, 2006 @11:22AM (#15205469) Homepage Journal
        That's funny. I've worked IT for over 15 years now, and the Windows Firewall still confuses me from time to time. "Run DLL as an App has requested access to the internet. Allow or Deny?" Heck, I don't know, that's not enough information to make the decision. I denied it, but I'm still curious. Add to that the number of times that product installation will be interrupted with a (non-taskbar-visible) Firewall window and will fail, and I can see why an awful lot of non-computer-people would be confused and alarmed.
    • Re:So? (Score:3, Interesting)

      by shotfeel ( 235240 )
      Really, how many *average* home users know what ports their programs use?

      They shouldn't need to. Their firewall software should do it for them. Currently, whenever my firewall sees an app try to use a closed port, it throws up a dialog telling me what app is trying to open what port, and asks me if I want to always allow it, deny it, or only allow it this one time. That's really very little hassle in getting things set up correctly.

      Lastly, I think the request of the larger corporate customers and government
      • by mpe ( 36238 )
        I'm not sure it does make sense. These are customers who do micro-manage the computers. They have mechanisms in place to install everything from the OS to the most basic of apps with preset configurations.

        Including any relevant firewall rules. Quite possibly including preventing the end user from being able to change these rules at all.

        This move does nothing for them when the first thing they do on receipt of the computer is wipe the drive and install their in-house "flavor".

        How many "enterprise cust
    • "Secondly MS probably doesn't have a smoother way to make managing the firewall any easier than anyone else out there."

      Agreed, and I hate Micro$loth. You could be like Norton/McAfee/ZoneAlarm etc. and make it such that your firewall is too stupid to understand that your WAN IP addy might change and simply block all traffic when DHCP refreshes (it happens so often that now the first things I teach my techs is how to disable them to show the customer they ARE connected and running and need to deal with the

    • Something else that bugs me about the "we're doing it for enterprise customers" argument -how many different versions of Vista are there? Isn't the whole idea that the business/enterprise versions would have different default settings and configurations than home versions?

      What's going on?

    • I do hope that MS continues to allow you the ability to work with the firewall on an application level. It's much simpler to browse to "program xyz" and tell the firewall to allow whatever ports this program needs. Determining and then defining UDP vs TCP and ranges of ports is just not going to work for most non-technical people.

      That does seem possible; see this page [microsoft.com] for more details on the Vista firewall (including screenshots). The configuration wizard lets you configure both inbound and outbound except

  • First thing first - I wouldn't say that the firewall is going to have "half its protections turned off" - it blocks inbound by default which is where most attacks come from.

    Blocking outbound by default is mostly going to protect the rest of the internet from your owned box spamming/ddosing/etc them. (I guess your outbound connection could get hosed too).

    On a side note, from TFA
    Microsoft claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements.
    Yes MS, it's hard to set up properly - that's why you have to have it turned on by default

    At least it's better than Apple's Firewall [apple.com] (turned off by default, PITA to block outbound traffic).
    • Hard to set up in a way that doesn't actually fuck with the user's programs. let's block outbound traffic! apart from port 80, and port 443, and whatever MSN messenger uses, and however google earth talks to the servers, and smtp but ONLY to the isp, and pop3 and imap and pop3-ssl and imap-ssl and ...

      get it? the 8-pending-connection limit is imo a much saner way to limit the damage a contaminated box can do.
      • That's not how ports work, but nice try. I recommend googling for an understanding of TCP, UDP, firewalls, etc. Previous comments about how the Windows firewall exists to protect the rest of the internet are fairly accurate. The default settings of the firewall are designed to prevent the spread of fairly dumb worms and other such malware. If the OS wasn't security Swiss cheese to begin with, this default setting wouldn't be necessary. Yes, it is annoying, but it also happens to be a good idea. Handli
    • On a side note, from TFA

      Microsoft claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements.

      Yes MS, it's hard to set up properly - that's why you have to have it turned on by default

      Except that your "average user" will then be trapped into allowing everything to send outbound traffic because of the constant and annoying interrupts. What it really n

      • Mind you, this requires Microsoft to have access to your machine and send untold quantities of data back and forth, so I don't know how popular that would be with most people.

        You could always block this traffic in the firewall. ;)
        • You could always block this traffic in the firewall. ;)

          Good point. But knowing our "friends" at Redmond, they'd write it into the firewall to make sure you couldn't block it. Of course someone would find out, they'd sue, Microsoft would stall it in the courts for about 5 years before finally acquiescing, and by then it would become ubiquitous and no one would disable it voluntarily except geeks who don't trust MS.

    • But an inbound protection does not provide anything behind a NAT right? And most people having an ADSL connection currently get a modem-router that provides that NAT functionality (not always activated by default, granted). So it's mostly redundant.

      An outbound protection however has the ability to avoid malware / trojans most people are loading their computer with to "phone home". And once a connection is established, traffic can go both ways...

      I now have an RSS feed to OSNews that it seems get the news b
    • At least it's better than Apple's Firewall [apple.com] (turned off by default, PITA to block outbound traffic).

      Doesn't matter since Apple laughs in the face of malware. Turning a firewall on would mean it expects fire.
  • Scripted Install (Score:5, Insightful)

    by Stealth210 ( 447350 ) on Wednesday April 26, 2006 @09:32AM (#15204488)
    Don't most enterprise customers use scripted installs/images? Why would the default configuration matter at that point?
    • By the same token. Don't most enterprise customers rely on an internet facing hardware or dedicated PC firewall(s)? And wouldn't the presence of an unconfigured workstation firewall tube any systems management?

      And lastly, in regard to the outbound blocking: Shouldn't a properly configured workstation have established user rights restrictions limiting the likelihood of rogue software installation either deliberately or clandestinely?

      And...

      Wait! Why would enterprise customers even care about the
    • "Don't most enterprise customers use scripted installs/images?"

      The short answer is "no".

      The long answer is that people typically take the base and try to tweak as few things as possible to get it to work. It makes better business sense to ship with the icons in their default place, for example, than waste time and money to decide to individually place each one.

      Most corporations keep the Windows firewall off anyway, so this isn't a big change.
    • Where I work our Windows Clients firewall settings are delivered to them via Active Directory - Domain Policies so yes I have to wonder why a corporate entity would need "insecure by default" settings in order to mitigate micro management of Windows Firewall.
  • by dsginter ( 104154 ) on Wednesday April 26, 2006 @09:33AM (#15204492)
    because that is what enterprise customers have requested

    So, if Microsoft listens to their customers, they make slashdotters angry but if they block bittorrent, they make slashdotters angry.

    I think that I'm starting to get this...
    • I think you're starting to get paranoid.

      M$ does not exist to make /. angry.
    • So, if Microsoft listens to their customers, they make slashdotters angry but if they block bittorrent, they make slashdotters angry.

      The difference is that your average BitTorrent user can configure a firewall. Your average Windows user *can't*.

    • Re:Cuts Both Ways (Score:5, Insightful)

      by TheCarp ( 96830 ) * <sjc&carpanet,net> on Wednesday April 26, 2006 @09:41AM (#15204565) Homepage
      In the past, and still, I have been a huge microsoft critic. I hate their business tactics, I dislike their software. Windows just annoys the hell out of me. I far prefer X.

      This however is a very sensible move.

      Honestly, I have the knowledge to deal with my own firewall rules, hell, I just the other day had to wrestle iptables and the nfs daemons to play nice so my kickstart server would work right.

      I still think outbound filtering is a royal pain in my ass. I mean sure it's pretty easy to remember to open incoming ports but... outgoing? Now every time I use a new piece of software, I have to figure out what ports it wants to connect out to?

      Ugh. That's fine for a server, and... in fact, I use it on my colo box. However... on a desktop, where a user expects to pick up a new piece of software and play with it on a fairly regular basis?

      No fucking way.

      Good job microsoft. You made a very sensible decision. Now if they would just come over to the free software movement and GPL windows, that would be awesome.

      -Steve
  • by Tweekster ( 949766 ) on Wednesday April 26, 2006 @09:34AM (#15204495)
    Whenever I install a firewall that will block outgoing applications, and make sure everything needed is allowed already such as IM, email etc. The first thing a user does when they see that screen is click "Yes always allow Trojan.I.Steal.Credit.Card.Numbers.and.kick.puppies.Trojan"

    At least the incoming is blocked like it should be, it would be nice if there was a way to flash bright red so obnoxiously, and make the user think for a second. Like how firefox makes you wait before clicking yes. Possibly by moving the yes button around and saying "YOU PROBABLY DONT WANT TO ALLOW THIS" and then repeat. "ARE YOU ABSOLUTELY POSITIVE"
    then deny it regardless of what the user says :)
    • Also, once malware is installed, can it not just turn off the firewall outbound or pop up its own dialogs to further confuse the user?
      • I have wondered that, I would think it could be automated to change the setting, unless there is a watchdog preventing that? Anyone with insight of how it determines those settings and protects them?

        How about if a rootkit was included to override certain checks etc. It gets to be a real problem very quickly.
  • by Junior J. Junior III ( 192702 ) on Wednesday April 26, 2006 @09:34AM (#15204496) Homepage
    Crippled would be if the functionality were not present, or so badly broken that it does not work properly. Including the functionality but not enabling it by default is not crippling. Microsoft has a long history of enabling wide-open security settings by default, so this is really nothing new, if anything it's halfway to an improvement.
  • by ElGanzoLoco ( 642888 ) on Wednesday April 26, 2006 @09:34AM (#15204499) Homepage
    Yeah, it was the "enterprise customers" all right: I imagine the phone calls from Symantec, Kaspersky, FSecure et al: hey Microsoft, leave them damn ports open or we'll outta business pretty soon! (relax. It's just a lame joke)
  • That is one confused story.

    The lead says that "enterprise customers" want outbound opened up by default.

    The rest of the story justifies the decision based on allowing individuals access to the outside world without having to figure out outbound firewall config.

    My guess: they screwed up the user interface and cross-coupled certain permissions so that the most common configuration requires entering the more advanced configuration panes, rather than the selection of a cartoon icon on the basic configuration p
  • by sotweed ( 118223 ) on Wednesday April 26, 2006 @09:36AM (#15204511)
    I believe MS outlined 7 different versions for different markets... home, enterprise, small business, entertainment center, etc. Why wouldn't they configure the firewall in each of these by default to be what's appropriate for its target market, rather than letting the desires of the Fortune 500 wag my mother's machine in a less than completely safe way? Given the world's recent experience with various forms of malware, erring on the side of safety certainly seems to be justified.
  • In all honesty... (Score:2, Insightful)

    by SaDan ( 81097 )
    Why the hell would anyone other than a dial-up user need to have a firewall enabled under Windows? Everyone with broadband should have some other device between their computer and the big, bad internet to handle firewall duties. Corporate networks had better damned well have some security at the gateway to the WAN/internet.
    • Uh, because I have one computer, don't have the space to devote to a second box, and I don't feel like buying and configuring a router. So a software firewall is the best option for me. At least I'm smart enough to not use MS's built-in.
    • by corellon13 ( 922091 ) on Wednesday April 26, 2006 @10:02AM (#15204747)
      FTA: The Microsoft spokesperson said that Vista's firewall is just one layer of security in the new operating system: "New features such as User Account Control (UAC), Windows Defender, and Internet Explorer Protected Mode along with improvements to Windows Firewall and Windows Update work together to help shield Windows Vista PCs from malware."

      The point is that there is no one solution to security. You need to have a layered approach (i.e. hardware, software, policies, etc.). Placing a router in front of you and the Internet isn't enough. Corporate networks do have a lot more in the way of the user and the Internet. Thus, the reason they don't want a lot of ports being blocked from the user desktop perspective; they've already got ACL's, firewalls, etc. to block what they want blocked.

      Turning this feature on will cause a firestorm of help desk tickets at the corporate level and cause your phone and mine to ring off the hook with calls from clueless relatives trying to figure out why they can't go online. IMHO I think it is a good decision for the right reasons.
    • I use a router but I can see why other users won't. For one, my ISP absolutely refuses to provide support to any user who uses a router. Second they don't tell you directly the information you need to configure the router, they give you a Windows program that automatically sets up your computer for their service.

      If they don't understand how to set up a firewall properly, they probably don't know how to set up PPPOE on their router without even being given the proper information by their ISP.
    • Everyone with broadband should have some other device between their computer and the big, bad internet to handle firewall duties.

      The sad truth is that they don't, hence the plethora of botnets run by scumbags. The sheeple tend to plug their PCs right into their cable/dsl modems. Many (though not all) of the broadband providers are guilty of facilitating this by handing out cheap modems that don't double as firewall/routers.
    • Re:In all honesty... (Score:3, Interesting)

      by pegr ( 46683 )
      Why the hell would anyone other than a dial-up user need to have a firewall enabled under Windows?
       
      Oh, I don't know, because 85% of all system intrusions are inside jobs? Heck with the Internet, protect me from my company's network...
  • Why? (Score:5, Insightful)

    by marcovje ( 205102 ) on Wednesday April 26, 2006 @09:37AM (#15204531)

    One would expect that Enterprise customers could set this any way they want via Group Policy
    • Re:Why? (Score:5, Informative)

      by chill ( 34294 ) on Wednesday April 26, 2006 @09:54AM (#15204665) Journal
      One would expect that Enterprise customers could set this any way they want via Group Policy.

      You'd be surprised at the number of companies that are still running Win2K domain servers, Novell or NT Domains for their core. I've run into several, including quite a few who still have Win98 boxes on the network as single-purpose terminals.

      Workstations migrate in to an environment much quicker than servers do, so the companies see WinXP much faster than they can upgrade to Win2003.

      The majority of companies that I have talked to about Windows Firewall have it disabled totally. They have real firewalls at the gateways and per-machine firewalls can be a total nightmare in a Windows environment.

        -Charles
  • crippled? (Score:5, Insightful)

    by AxemRed ( 755470 ) on Wednesday April 26, 2006 @09:37AM (#15204533)
    I wouldn't call this crippled. All you have to do is turn it on. I guess that my copy of Civilization 4 is crippled too, because I had to install it.

    Seriously, though... blocking incoming traffic is more than half that battle. It is my understanding that blocking outgoing traffic is mainly useful after your system has been compromised.
  • by Programmer_In_Traini ( 566499 ) on Wednesday April 26, 2006 @09:38AM (#15204534)
    You know a software is off to a bad start when the product isn't even out yet and they're already talking about bugs & features.
  • by caluml ( 551744 ) <(slashdot) (at) (spamgoeshere.calum.org)> on Wednesday April 26, 2006 @09:38AM (#15204537) Homepage
    I think that blocking incoming traffic is by far the most important thing on Windows boxes. We don't want another Code Red/Nimda.
    Who here, honestly blocks outgoing traffic too on their home networks? I could, but I don't bother. Why? I run a tight enough ship to know that there won't be weird traffic going out, and I can't be bothered with the extra admin needed to keep everything happy and working.
    • Who here, honestly blocks outgoing traffic too on their home networks?
      I block NetBIOS and SMB at the gateway. I figure one shouldn't need to configure an outbound filter if one has a clean, properly adjusted system.
  • by HiredMan ( 5546 ) on Wednesday April 26, 2006 @09:41AM (#15204561) Journal
    So why have 21 different versions of Vista if NOT to have a consumer version with as much protection as possible with as few services running as possible? A business office version you assume will be configured by an IT guy that has difficult to admin - but very flexible and detailed - firewall options. Yes.

    But to not have a 1 button "Protect me on the internets" button for grandma? That's MS effectively selling off its consumer base to big corporations at their request.

    =Tod
    • So why have 21 different versions of Vista if NOT to have a consumer version with as much protection as possible with as few services running as possible? A business office version you assume will be configured by an IT guy that has difficult to admin - but very flexible and detailed - firewall options. Yes.

      It might well be the business version which wants a very restricted set of services on by default...
      Maybe whilst they are at it Microsoft could think of things like only turning on the wireless service
  • Makes sense (Score:5, Insightful)

    by MobyDisk ( 75490 ) on Wednesday April 26, 2006 @09:42AM (#15204567) Homepage
    1) Most home users get annoyed at having to click on the options to allow outgoing connections, and they generally aren't concerned about applications "calling home."

    2) The biggest culprit for applications that call home is Microsoft, and the Windows firewall doesn't block Microsoft applications anyway. (The biggest reason I have a 3rd-party firewall is to block outgoing connections from IE, Explorer, and Windows Media player)

    3) Serious attacks come from incoming connections (or Trojans, which a traditional firewall can't stop anyway.) so this doesn't matter for them.
  • tool for perfect firewall [wealddown.co.uk]

    Now if there was only a firewall plugin to block outbound apostrophes in "it's".
  • This will be fine (Score:3, Insightful)

    by cerberus4696 ( 765520 ) on Wednesday April 26, 2006 @09:46AM (#15204601)
    Given that Microsoft has announced different versions of Vista for enterprise, home users, power users and so on, why would they cripple the firewall across the entire line? It seems to me that with all the versions they're planning, it would be a simple matter to keep the firewall off for those versions sold to enterprise customers, and leave it alone for everyone else. And speaking as someone who has had to deal with the fuckery of the windows firewall in an enterprise environment, I can't say I'm disappointed by that.
  • Some system level protection is always important (like starting off with a secure OS!) however I can tell you from my experiences remotely managing XP systems that the local firewall can be a major headache. In our office we have hardware based firewalls or firewall feature set routers at/on every subnet router. It's much easier managing a handful of hardware devices versus hundreds of individual software based firewalls that don't work half the time anyway.
  • by eekygeeky ( 777557 ) on Wednesday April 26, 2006 @09:52AM (#15204642)
    crippled? how about "industry standard for home and light commercial use"?

    what's wrong with INBOUND:BLOCK ALL - OUTBOUND:ALLOW ALL?

    every NAT/router/firewall/shiny magic internet thing i've seen, oh, in the last 7 eons of mankind's glorious history is set up just so.
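
An added example, not part of the original thread: a minimal Python model of a stateful host firewall under the "inbound block, outbound allow" policy described in the comment above, compared with an outbound default-block policy that uses a per-application allow list. The class, the program names and the addresses are constructed for illustration and do not reflect Windows Firewall internals.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected host
    local_port: int
    remote: str         # "ip:port" of the other end
    program: str = ""   # local program owning the socket (outbound only)


@dataclass
class HostFirewall:
    """Hypothetical stateful filter: defaults plus exceptions plus flow table."""
    default_in: str = "block"
    default_out: str = "allow"
    allowed_programs: set = field(default_factory=set)  # outbound exceptions
    open_ports: set = field(default_factory=set)        # inbound exceptions
    _flows: set = field(default_factory=set, repr=False)

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.local_port, pkt.remote)
        # Traffic on an already-permitted flow passes in either direction.
        if flow in self._flows:
            return "allow (established)"
        if pkt.direction == "out":
            permitted = (self.default_out == "allow"
                         or pkt.program in self.allowed_programs)
        else:
            permitted = (self.default_in == "allow"
                         or pkt.local_port in self.open_ports)
        if permitted:
            self._flows.add(flow)
            return "allow"
        return "block"


# Constructed sample traffic (documentation address ranges, made-up programs).
SAMPLE_TRAFFIC = [
    Packet("in", 445, "203.0.113.9:4444"),                   # unsolicited probe
    Packet("out", 50001, "198.51.100.7:443", "browser.exe"), # normal browsing
    Packet("in", 50001, "198.51.100.7:443"),                 # reply to browser
    Packet("out", 50002, "192.0.2.66:8080", "unknown.exe"),  # unlisted program
    Packet("in", 50002, "192.0.2.66:8080"),                  # reply on that flow
]


def replay(fw: HostFirewall, packets=SAMPLE_TRAFFIC) -> list:
    """Return the firewall's decision for each packet, in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    policies = {
        "inbound block / outbound allow": HostFirewall(),
        "inbound block / outbound block + allow list": HostFirewall(
            default_out="block", allowed_programs={"browser.exe"}),
    }
    for name, fw in policies.items():
        print(name)
        for pkt, verdict in zip(SAMPLE_TRAFFIC, replay(fw)):
            print(f"  {pkt.direction:>3} {pkt.local_port:<6}"
                  f"{pkt.remote:<20} {pkt.program:<12} {verdict}")
```

Under the first policy the unlisted program's connection is allowed and its replies then pass as established traffic; under the second, both are blocked while the browser flow is unaffected.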
    • Traditionally though, those boxes are not getting owned every 10 minutes, so allowing them to connect to others is not a problem. As well, Windows has a history of not only straight up getting taken over, but also having lots of nosy apps that connect for nefarious reasons.
    • Nope. Wrong.

      I've supplied firewall/routers (SOHO type) to people preconfigured to only allow the usual suspects out and deny all other packets. (Out tends to be web,mail,ftp and whatever else is requested, everything inbound is blocked as standard and some can be opened). I also put full instructions (with screenshot examples) to open up other protocols and a copy of the custom config file on CD together with the router...
  • Home Admin (Score:2, Interesting)

    by Anonymous Coward
    Default outbound blocking wouldn't matter in the home environment. The most likely malware targets are all running as Admin anyway, so smarter malware will just add themselves to the allowed list.
  • And somehow Real Player will STILL find a way into my trusted sites.
  • by abelikoff ( 412709 ) on Wednesday April 26, 2006 @09:55AM (#15204671) Homepage
    So much for sensationalism ("Boo hoo! Vista will ship with firewall turned [partially] OFF") At this point, some news sources really love to grab any single rumor about Vista and turn it into big news.

    On a technical side however, I don't see why this is a yes-or-no proposition. What would prevent the installer to ask a question like: "Do you want the firewall to block outgoing traffic? Yes/No" (with some blurb explaining to non-geeks why they might/might not need it, what implications it might have, and how to change one's decision later on).

  • the other half by design
  • Doesn't matter (Score:3, Informative)

    by Opportunist ( 166417 ) on Wednesday April 26, 2006 @09:56AM (#15204687)
    First of all, inbound is not even half of the problem. Considering the recent development of malware, outgoing is by far the preferred way of attacking for today's malware. Simply because of the increasing number of NAT routers.

    Second, I HOPE AND PRAY that they FINALLY add a "delay" to the "allow application to open connection" button. There's almost no current malware that does NOT create a thread to check in 5 ms intervals whether one of those allow-request windows is open and answer it in the preferred way for the malware before opening a connection, to make sure they get permissions.

    If this loophole isn't closed, any MS-firewall in learning mode is as good as no firewall at all. Actually it would be worse, because it gives you a false sense of security where there is none.
  • by wardk ( 3037 )
    Vapor OS, Vapor Firewall. makes sense to me.

    at least the "object file system" promised in Cairo will be there. won't it?

    I also hear they will be shipping the stability promised in Windows 95

    time to start lining up at Fry's
  • Yeah, OK, whatever. Just as long as they leave the firewall alone in patches and service packs. I recall installing SP2 on a headless XP box. I was connected via remote desktop, installed the SP, rebooted, service pack turned on firewall blocking incoming connections, and ...
  • by slew ( 2918 ) on Wednesday April 26, 2006 @10:07AM (#15204807)
    <TINFOILHAT>
    OEM customers (e.g., Dell, HP, Gateway, etc) often ship their PCs with dozens of what I call "shovel-ware" (trial versions of useless software that OEMs pile on heaps on the desktop). Often this shovel-ware likes to call home occasionally to notify you of "new updates available for download" and other such nonsense.

    I'm sure it's very embarrassing (and costly) to the OEMs when they get support calls from their own customers when the Microsoft outbound firewall blocks the shovelware and flashes up a dialog box. So they probably just asked Microsoft to ship the firewall so that the outbound firewall doesn't validate the application (which makes it too easy for end users to "accidentally" disable the shovelware and too easy for experienced users to get a list of all the shovelware polluting their machines from the "allowed" list and uninstall it). Of course Microsoft doesn't want to have too many configs out there, so they just make this the default setting out of the box.
    </TINFOILHAT>

    Sure, Microsoft is listening to their customers, it's just their OEM customers...
  • I think Microsoft's real problem is that (apparently) they are still building an OS that allows arbitrary software from the Internet, etc. to be downloaded and executed due to lax permissions and security via their ActiveX crapware, and other holes. Otherwise, why would there be a concern about malware, spyware and other types of malicious software making outbound connections in the first place? Other operating systems don't have this problem for a reason: permissions being what they are on a more reasonabl
  • Let's sacrifice the quality for people who don't know what they need to please those that don't know what they want!

    Sarcasm!
  • by Siberwulf ( 921893 ) on Wednesday April 26, 2006 @10:15AM (#15204890)
    I always come to Slashdot with the broad, and sometimes naive, assumption that the articles provided will be neutral. Whether or not the responses to these articles are neutral is another story, and any bias there towards OSS, away from MS, against Apple, or whatever, is just fine in my book. That's what makes the internet great.

    That said, I strongly detest the wording of this headline and the tagline below it. Especially from CmdrTaco.

    When I read the topic in RSS, I thought that some features would be removed from the existing firewall, or that some key features would require a paid subscription to be activated. When I read the summary, however, I realized that was not the case. The attitude on Slashdot towards Microsoft (as well as any other non-OSS business model that seems to work) is jaded and negative enough without being given a predisposition via headlines like this.

    The summary in 1.5: Negative, misleading headlines need to go.

    So, mod me down for offtopic, mod me down for Troll, mod me down for Redundant. My Karma can take it. Or, if you agree, mod the other way ;)
  • Will Microsoft follow the trend established in Windows XP SP2 and allow certain applications (Microsoft's and others) to open holes in the firewall so they can communicate stealthily, or will the firewall obey only the user's configuration?
  • I'm all for it. (Score:5, Interesting)

    by Glamdrlng ( 654792 ) on Wednesday April 26, 2006 @10:25AM (#15204958)
    Right now I get mad props at work for keeping bagel, netsky, and mydoom at bay through attachment and AV blocking, spam filtering, and a little bit of shell scripting. Here I was afraid that those would go away and I'd have to find something else to justify my existence within the next couple years. Now it looks like I'm in good shape til at least 2010. Thanks Microsoft!

    ps - Other AV programs probably do this, but in case anyone's interested the firewall built into McAfee VirusScan Enterprise v8 blocks SMTP and IRC communication outbound by default unless the executable firing up the communication belongs to a specific set of known email and IRC clients. Good times...
  • by frdmfghtr ( 603968 ) on Wednesday April 26, 2006 @10:43AM (#15205086)
    Isn't this headline a little sensationalist?

    When Windows Vista is released early next year its firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic.
    ...
    Microsoft claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements.


    So it's not really crippled, it can be configured for outbound protection. Maybe the "varying degree of technical knowledge" implies that it's not as straightforward as a nice GUI configuration window and hence "crippled" in that respect.

    Saying it is "crippled" would imply that the outbound protection code exists, but it is permanently disabled, i.e. not configurable at all.
  • by prisoner-of-enigma ( 535770 ) on Wednesday April 26, 2006 @10:58AM (#15205223) Homepage
    OK, folks...at what point does the Windows bashing just become so silly that it's wrong? Oh, wait...we reached that point long ago.

    The headline is just wrong. The Vista firewall is no more "crippled" than iptables is "crippled" in Fedora. Microsoft is making the default behavior identical to the XP firewall, but getting bidirectional port filtering/blocking is merely a matter of turning it on. The whole "requiring various degrees of technical expertise" is a ridiculous red herring coming from a website where Linux users constantly preach their technical superiority to the common lowly user. Pardon me, would you like some elitism with that pedantic whine?

    For the vast majority of users, bidirectional firewalling is overkill. For those who want it, it can be turned on. This isn't a story, it's propaganda masquerading as news. I swear, Microsoft tries to improve things (adding the ability to do outbound blocking), and all /. can do is whine that it isn't turned on by default. Last time I checked, lots of Linux distros come set up this way as well, yet I don't see anyone moaning about that.

    Microsoft is the competitor, not the enemy. Quit making this whole crusade a personal affair and this silly anti-MS bias will disappear.
  • Thank you! (Score:5, Interesting)

    by semifamous ( 231316 ) on Wednesday April 26, 2006 @10:59AM (#15205232)
    I work at an ISP doing Tech Support.

    On a daily basis, I get calls from users of Norton Internet Security or McAfee Security Center (or whatever "I don't know, whatever came with my computer") who, for some reason, can't get Internet Explorer/Outlook Express to work. They don't know what a firewall *is* let alone how to configure it.

    If I suggest they turn off that firewall and try it, everything is suddenly happy again.

    Many of them don't understand. "It worked fine yesterday/last week/last year and I haven't changed anything..."

    I specifically despise the Norton firewall as it seems to be the most popular problem causer.

    I am glad that Microsoft isn't turning this feature on by default because many clueless lusers will accidentally block the programs that they're trying to use and then not understand why it doesn't work anymore.

    Frequently these users try to blame us at the ISP, not realizing that it's their own fault. Firewalls are my most frequent frustration, and I'm glad this one will behave the way it will.
