
Vista Tutorial - Microsoft limits Vista Firewall - for their own good ?

 
Old 05-05-2006   #1 (permalink)
John Jay Smith
Guest


 
 

Microsoft limits Vista Firewall - for their own good ?

http://labnol.blogspot.com/2006/04/m...ewall-for.html

--
"What concerns me is not the way things are, but rather the way people think
things are."
- Epictetus 55-135



Old 05-05-2006   #2 (permalink)
Andre Da Costa [Extended64]
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

This is because corporate customers requested it. They prefer to manage it
themselves.
--
Andre
Windows Connected | http://www.windowsconnected.com
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta

"John Jay Smith" <-> wrote in message
news:u8rNtkDcGHA.3364@TK2MSFTNGP05.phx.gbl...
> http://labnol.blogspot.com/2006/04/m...ewall-for.html
>
> --
> "What concerns me is not the way things are, but rather the way people
> think things are."
> - Epictetus 55-135
>
>



Old 05-05-2006   #3 (permalink)
Puppy Breath
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

The whole gist of that article is kinda dumb. What difference does it make
what the default settings are? How do default settings "limit" a firewall? I
think most commercial firewalls come with all the well-known ports open for
incoming traffic, and all outgoing ports open as well. But what difference
does it make? Everybody has to define their own ingress and egress filters
for their own network. You couldn't come up with default settings that work
for everyone.


"John Jay Smith" <-> wrote in message
news:u8rNtkDcGHA.3364@TK2MSFTNGP05.phx.gbl...
> http://labnol.blogspot.com/2006/04/m...ewall-for.html
>
> --
> "What concerns me is not the way things are, but rather the way people
> think things are."
> - Epictetus 55-135
>
>


Old 05-05-2006   #4 (permalink)
mmmmark
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?


"Puppy Breath" <koolnerds@comcast.net> wrote in message
news:222036E4-D460-4E20-B839-A75EEF7BDBA6@microsoft.com...
> The whole gist of that article is kinda dumb. What difference does it make
> what the default settings are? How do default settings "limit" a firewall?
> I think most commercial firewalls come with all the well-known ports open
> for incoming traffic, and all outgoing ports open as well. But what
> difference does it make? Everybody has to define their own ingress and
> egress filters for their own network. You couldn't come up with default
> settings that work for everyone.


It is much better to err on the closed side and close things most often NOT
needed. Let the experienced user open what he needs to since most people
don't have a clue.


Old 05-05-2006   #5 (permalink)
Tom Porterfield
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

Puppy Breath wrote:
> The whole gist of that article is kinda dumb. What difference does it make
> what the default settings are? How do default settings "limit" a
> firewall? I think most commercial firewalls come with all the well-known
> ports open for incoming traffic, and all outgoing ports open as well. But
> what difference does it make? Everybody has to define their own ingress
> and egress filters for their own network. You couldn't come up with
> default settings that work for everyone.


They have set the defaults (no monitoring of outgoing traffic) based on
feedback from enterprise customers. This seems strange as it is the
enterprise customer that is most likely to have someone on staff who knows
how to properly configure this for their enterprise.

The typical home user (for whom some basic defaults could be defined well)
will not know how to configure this and will therefore never take advantage
of those parts of the firewall.

I suspect the "because our enterprise customers asked us to" reason is not
really valid and that the true reason is they found they don't have enough
time to make this friendly enough for the average home user, and therefore
went with the option that will allow them to meet their delivery dates.
--
Tom Porterfield

Old 05-05-2006   #6 (permalink)
Puppy Breath
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

You guys may be right. However, even if they did close all ports, would
users know if/when it's OK to let something go through? Also, there's over
32,000 ports to worry about (65,635 if you look at it in terms of TCP and UDP).
I don't see how you could make it "user friendly".

Besides, the threats come from outside your own network, not inside. At
least, they shouldn't be coming from the inside if the rest of your security
is in place. And what's to keep a piece of malware from sending out through
port 80, which is always open on everyone's machine?

I don't know, I think closing all outgoing ports by default would be a real
nightmare for end users. Especially since the threats shouldn't be coming
from inside in the first place. But again, what difference does it make? It
only takes a mouse click to change them from Open to Closed.



"Tom Porterfield" <tpporter@mvps.org> wrote in message
news:utanX6FcGHA.4896@TK2MSFTNGP03.phx.gbl...
> Puppy Breath wrote:
>> The whole gist of that article is kinda dumb. What difference does it
>> make
>> what the default settings are? How do default settings "limit" a
>> firewall? I think most commercial firewalls come with all the well-known
>> ports open for incoming traffic, and all outgoing ports open as well. But
>> what difference does it make? Everybody has to define their own ingress
>> and egress filters for their own network. You couldn't come up with
>> default settings that work for everyone.

>
> They have set the defaults (no monitoring of outgoing traffic) based on
> feedback from enterprise customers. This seems strange as it is the
> enterprise customer that is most likely to have someone on staff who knows
> how to properly configure this for their enterprise.
>
> The typical home user (for whom some basic defaults could be defined well)
> will not know how to configure this and will therefore never take
> advantage of those parts of the firewall.
>
> I suspect the "because our enterprise customers asked us to" reason is not
> really valid and that the true reason is they found they don't have enough
> time to make this friendly enough for the average home user, and therefore
> went with the option that will allow them to meet their delivery dates.
> --
> Tom Porterfield


Old 05-06-2006   #7 (permalink)
Paul Johnson
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

"John Jay Smith" <-> wrote:

>http://labnol.blogspot.com/2006/04/m...ewall-for.html
> Unfortunately, Microsoft will turn off the ability to block outgoing
> traffic by default and set the new firewall to block incoming traffic
> only. Microsoft is doing this at the request of corporate customers and
> government departments who would like to manage this feature from an
> administrator level.


No, that's not really unfortunate at all. That's a no-brainer. Prohibit
all inbound traffic, allow all outbound. This is only really a problem if
you don't trust the network or system you're on (in which case maybe it's time
to take a serious look at your implementation if you don't trust it).

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
Jabber: Because it's time to move forward http://ursine.ca/Ursine:Jabber
Old 05-06-2006   #8 (permalink)
Paul Johnson
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

Please quote inline, top posting is antisocial.
http://ursine.ca/Top_Posting

Puppy Breath wrote:

> You guys may be right. However, even if they did close all ports, would
> users know if/when it's OK to let something go through? Also, there's over
> 32,000 ports to worry about (65,635 if you look at it in terms of TCP and
> UDP). I don't see how you could make it "user friendly".


65,535 ports. 131,070 if you consider TCP and UDP ports to be unique.

> Besides, the threats come from outside your own network, not inside. At
> least, they shouldn't be coming from the inside if the rest of your
> security is in place. And what's to keep a piece of malware from sending
> out through port 80, which is always open on everyone's machine?


Not always. Many networks do things like transparent proxying through Squid
(http://www.squid-cache.net/) or other caching web proxy to reduce
bandwidth usage and do content filtering or banner/pop-up ad-zapping
(http://adzapper.sf.net/ is good and free for this). This is generally a
good thing, as it reduces web server load as well. I find it odd that more
ISPs don't do server-side ad-zapping for their customers, though.

> I don't know, I think closing all outgoing ports by default would be a
> real nightmare for end users.


Anybody else remember the Trumpet Winsock nightmare and the hoops you had to
jump through to get that to work? Even the various BSDs have open output
by default, and those operating systems have bragging rights for going
years without any security holes in the default install.

> Especially since the threats shouldn't be
> coming from inside in the first place. But again, what difference does it
> make? It only takes a mouse click to change them from Open to Closed.


At least they're finally adding the functionality for those who know they
need it.

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
Jabber: Because it's time to move forward http://ursine.ca/Ursine:Jabber
Old 05-06-2006   #9 (permalink)
Puppy Breath
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

"Paul Johnson" <baloo@ursine.ca> wrote in message
news:35sti3-3ec.ln1@ursine.ca...
> Please quote inline, top posting is antisocial.
> http://ursine.ca/Top_Posting


Guess I'm just an antisocial kinda guy. Hate scrolling through something I
just read two seconds ago.

In retrospect, I think that whole article is bogus. I doubt enterprises made
that request and if they did, I doubt it would matter. But I agree that
giving people the option to use a firewall as a sort of
after-the-infection-malware-detection tool is probably a good idea. At least
from a marketing standpoint if not a practical one.

Old 05-06-2006   #10 (permalink)
Paul Johnson
Guest


 
 

Re: Microsoft limits Vista Firewall - for their own good ?

Puppy Breath wrote:

> "Paul Johnson" <baloo@ursine.ca> wrote in message
> news:35sti3-3ec.ln1@ursine.ca...
>> Please quote inline, top posting is antisocial.
>> http://ursine.ca/Top_Posting

>
> Guess I'm just an antisocial kinda guy. Hate scrolling through something I
> just read two seconds ago.


If you're quoting enough you have to scroll before you see new text, you're
including too much. Your answer indicates you didn't read that website.
The idea of quoting is to give people as much conversational context as
possible for what you're saying. If you're having a hard time spotting new
material, try changing the color of quoted material to green: Any real news
reader can do this.

> In retrospect, I think that whole article is bogus. I doubt enterprises
> made that request and if they did, I doubt it would matter.


I can. Block users from file sharing or connecting to any type of service
the enterprise doesn't consider work-related.

> But I agree
> that giving people the option to use a firewall as a sort of
> after-the-infection-malware-detection tool is probably a good idea.


That's not what any firewall is good for. If Microsoft is trying to
implement packet filtering for this reason, they're probably better
rewriting all that 20+ year old code they keep cut-and-pasting into the
next version instead of keeping it and its bugs around.

> At least from a marketing standpoint if not a practical one.


From a marketing standpoint, a lot of the Right Stuff is utterly impossible
to market since

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
Jabber: Because it's time to move forward http://ursine.ca/Ursine:Jabber