The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant.
Vista Firewall Shackled Due to Customer Demand
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
disable FW for volume license keys, enable for all else
“half” its protection turned off or “have”?
Please follow the link…
Perhaps it’s been fixed, but the sentence says, “… have half its protection….”
One of the major reasons Windows has never been secure is because Microsoft always focused on usability at the expense of security. For the sake of their users they really should be working on a better solution to this problem.
You’re right, though I hope you’re not suggesting that usability must always come at the expense of security. I’m sure we could argue till the cows come home about the usability, or otherwise, of Linux in general, but using Linux securely is NOT significantly more difficult than using Linux insecurely; and I’m sure that there’ll be no argument that (beyond getting used to the system if you’re a former Windows user) Mac OS X shows that secure-and-easy-to-use can be done in UNIX.
The problem is simply that from a security standpoint, Microsoft have no clue, and since a large chunk of their users don’t either, they’ve never had the incentive to design properly.
No, that’s not right. I hear (though I can’t confirm for myself) that security in NT and 2K was significantly better than in ’95/XP. So the problem must be that (unlike Apple/NeXT), as with their “solution” to running W95/98/ME programs in XP, they have no clue how to do this the right way. The odd thing is that NT is supposed to have mechanisms by which the 9x subsystem can coexist securely with the NT subsystem; did everyone who knew how to do this just leave?
” No, that’s not right. I hear (though I can’t confirm for myself) that security in NT and 2K was significantly better than in ’95/XP. So the problem must be that (unlike Apple/NeXT), as with their “solution” to running W95/98/ME programs in XP, they have no clue how to do this the right way. The odd thing is that NT is supposed to have mechanisms by which the 9x subsystem can coexist securely with the NT subsystem; did everyone who knew how to do this just leave?”
You have some reading up to do. Windows 95 and XP are not the same codebase at all. Windows 95 really doesn’t have any security at all and XP is built on the NT–>2000–> XP codebase which has lots of security you can enable.
Almost all win 95/85/me programs run perfectly in XP. When you use compatibility mode it has no effect/change on any other security principles at all.
Please educate yourself.
The UI is related code. The OS itself is entirely different.
Of course, once you think UI related things have nothing to do with security you end up with 12 jpg and png flaws
.
Then those nasty word documents executing code you didn’t want, outlook and ie being hijacked on javascript, etc.
I’m not saying that XP is the same codebase as 95, I know that it is not. Nor am I saying that it is difficult to run 95/98 programs in XP.
What I am saying is this:
Whilst XP is based on the NT codebase, and as I understand it NT should have had the facilities to integrate compatibility with 95 *both securely and in an easy-to-use fashion,* MS appear to have had no idea that this could be done and instead chosen to integrate support for Win 9x programs in *a fully compatible, but incredibly insecure way*.
Secondly, if the reputation for security which NT had was deserved, then (irrespective of any Win9x issues) WTF *happened* with XP?
Ahh thanks for clarifying that. To be honest with you its all market driven.
When you ask “WTF happened to XP” the answer is relatively simple.. Microsoft still wanted the users to run as Admin, and the userbase came over from Windows 98/ME directly to XP, and they behaved the same as they did before and caused their machines problems.
I worked on nt, 2000, xp, etc. But NT/2k were found in businesses and not very often at home (for joe sick pack, anyways). Microsoft didn’t help the users any by suggesting that XP was just the next upgrade, when in fact is was a leap of codebase completely.
So we really ended up with a transferal of user behaviours between Windows 98 and XP, as opposed to an evolution of user behaviour from NT–>2K–>XP.
Every major supported os out there is relatively friendly, relative useful, relatively secure. The bottom line is users need more training to use the tool they have better.
Secondly, if the reputation for security which NT had was deserved, then (irrespective of any Win9x issues) WTF *happened* with XP?
Idiots ran every program they were e-mailed.
Put up a decent small firewall and don’t blindly run programs you can’t trust and I’d be shocked if you ran into any malware/virus/worm issues, even if you’re always logged in as administrator.
“I hear (though I can’t confirm for myself) that security in NT and 2K was significantly better than in ’95/XP”
I have to disagree with your statement: despising the fact XP replace both the pro (former win2k) and the consumer (former Windows 9x-Me) OS families, XP kernel is the NT kernel version 5.1 and consequently it is quite similar to Windows 2000 kernel (NT kernel 5.0, making XP a “minor” revision, from the kernel point of view, of 2k) rather than 9x-Me kernel, that belongs to an entirely different OS family.
XP fully implement the protection and user right models of previous NT OSes and also in most occasions it has stricter security defaults than 2K and NT4, at least after SP2.
what are the bets that this will be turned on again in Windows Vista Service Pack 1 due to some unseen virus/worm/trojan taking advantage of the ‘default’ rule and wreaking havoc across some large entreprise customers.
I can understand Microsoft wanting to work with their Enterprise customers, and by disabling the outgoing firewall by default, they are hoping that will appease them, however, what they should have done is provide clear details via Technet or user guides (group policies, sms updates whatever) for those very same Enterprise admins, which would allow them to disable/enable all/half/some functionality of said firewall.
Chances are they are doing that already, so why disable some of the firewall functionality by default, this doesnt make sense to me.
again, I feel what Microsoft SHOULD do is to have the entire firewall functionality (both inbound and outbound) working AND enabled by default, and to provide CLEAR instructions to end users/customers/domain admins/enterprise users how to configure AND/OR disable this firewall via methods such as
command line script
group policy
regedit
sms
sysprep
etc…
just my thoughts
cheers
anyweb
Enterprise customers that don’t have security/networking experts to customize the firewall ? It’s too difficult for MS to implement an outbound firewall (another accusation from the article) ? I call BS, how difficult is designing a dialog “Outbound connection X, allow ? (now) (never) (always)” ?
It seems MS in their infinite wisdom have decided your privacy isn’t worth protecting as much as the interests of people who would like their applications to phone home to gather data on you or to spy on you to make sure you are being good (anti-piracy).
I hope this comes back to bite them in the ass – hard. Luckily compromising security inevitably will in the end.
The Vista firewall is fully bidirectional. It’s just that the default behavior is to permit regular internet access to programs, and prompt the user for permission if they attempt to listen to a port.
If you dislike that, run “wf.msc” and you’ll get the MMC snapin that let’s you tweak it to your liking, be it configing it to asking on any kind of program, or more advanced settings: http://en.wikipedia.org/wiki/Image:Vista_Firewall_MMC.png
Total BS.
Don’t go blaming Enterprise customers. They do a standard build, preconfigured, including firewall.
This is clearly about the HO’s at Microsoft being BOUGHT by software companies breaking the rules. Who’s machine is it? Not Yours. Microsoft “Innovation” strikes again.
Here’s a perfect example of why a lot of people don’t take some of you seriously. MS is listening to its customers. These customers want the outgoing firewall turned off by default. But so what: It’s completely configurable! Enterprise customers — the ones that this functionality change is targeted at — have the ability and resources to decide what their firewall policy is. Want outgoing firewalling turned on by default? No problem! Just implement the enterprise policy — and bingo — the change propagates across your org.
The point here is that MS can’t win with the haters. If MS listens to its customers, it’s violating some illusory security requirement that the haters think is important; and, if they don’t listen to customers, they’re being “Draconian” or “evil”. See how this game works? It’s rigged.
The game isn’t rigged. You said it yourself: “But so what: It’s completely configurable!”
Exactly. So, enable full firewall protection by default and let those who don’t want bi-directional protection configure it themselves!
The consumer is a customer as well.
“Enterprise customers that don’t have security/networking experts to customize the firewall?”
I totally agree. The MS choice seem totally clueless to me, why should not the bidirectional FW be fully active by default?
Corporate users have administrators that can change system defaults in a second (more or less…) and usually make a standard installation and ghost it for all similar machine on the net, so it will not be a real problem having the FW fully on by default, nor a seizeable advantage having it partially down by default.
In fact, changing some system defaults is not a problem for an IT staff while it may be a mess for Average Joe the home user.
This is one of the shorcomings of having a single system for home and pro users, I would rather prefer a little more flexible installation process letting the user chose in what *typical* profile he/she fit (home user with his defaults, corporate with different ones, a “secure configuration” with strict security policies and so on) and, better, an advanced panel where making detailed choiches of system default before having the system up and running (into some malware…) for the first time.
From the snippet, I expected something worse.
If everyone’s firewall is setup to not allow any connections (or only the required minimum), than malware won’t have any place (port) to connect to anyway. The local fw will allow it to make an outbound connection, but there’ll be no other computer allowed to listen for it..
In the ideal case, of course.
OTOH, if malware gets Administrator rights, it can reconfigure the local firewall to whatever settings it likes. If not by editing configuration files or registry entries, then definitely by injecting mouse and keyboard events into the firewall configuration window.
Getting administrative rights for the firewall can actually be quite hard. Even while running as administrator, Vista treats you like a standard user and the system will prompt you to give the firewall configuration dialog elevated rights if you want to change settings.
In the latest Vista build, the behavior of the dialog was changed to make this kind of attack much harder. When the dialog pops up, the system locks the desktop so that none of the applicatios can send mouse or keyboard events to the dialog. An attack like that is possible, but it would require the user to approve launching the firewall configuration utillity (which ought to ring some alarm bells for most).
Wow, exactly what Gnome is doing for years.
So if you log in as root in Gnome, applications will run as a standard user and pop up the su dialog if you try to do administrative stuff?
No, not when I log in as root, but when I run as standard user, just how 99,9% of all Linux user do. When I run the package manager for example the screen is locked (greyed out) and a dialog apperas where I have to enter my password.
Tom
Then it’s not just like Gnome then, is it?
Nothing that Gnome does was new when Gnome did it. Gnome took some ideas from others and others took ideas from Gnome.
I did not want to say that Vista stole this from Gnome. Actually, I think this whole “they-have-stolen-this-from-them” debate is just nonsense. It’s totally normal to “adobt” good ideas from others. What I tried to say is that it’s sad that it took so long for Windows to have such a functionality. Windows just wasn’t designed as a true multiuser OS, in fact it was a pure single user OS at first, and now it’s just pretty hard for MS to transform it into a multiuser OS it seems.
Yeah it’s not _exactly_ like Gnome, but such a functionality – that even root is somewhat resitrcted – is possible with SELinux for example. The “traditional” root user is almighty though, so when you’re loged in as root, you can do EVERYTHING. But Ubuntu does this pretty good I think: Everything is done with sudo. When a user tries to do something on the system and when he’s in the “admin” group then he’s asked for HIS password.
Tom
WindowsNT has ALWAYS been a multi-user system.
Not a true one. Afaik you can’t have multiple users be logged in at the same time, like I can do it with several Linux terminals for example.
Tom
That’s still a multi-user system.
It just recently was able to do simultaneous users.
have you any idea what a multi-user system is ?
clearly you have not.
Microsoft still has not got an idea on how to implement a multi-user system.
Please, enlighten us.
So if you log in as root in Gnome, applications will run as a standard user and pop up the su dialog if you try to do administrative stuff?
Who the f__k does log in as root? To desktop? (oh yeah, Linspire company manager, and few users without a clue)
Seriously, I don’t know one single person logging in as root. What would be the benefit of that?
Moving from lesser to higher privilege is too simple in any *X. I do understand why Windows users do that, but *X? No.
OK. At least something. I have not studied Vista in detail (Linux fits me for the desktop better then current version of Windows), so I did not know they made something like this.
Still, what about posing as this firewall configuration dialog? It has to use some syscalls, or similar…
This is an excuse to encourage mediocrity.Might be harsh but either grow with the product or dont use it.Do computer crackers pity people ?
stupid, stupid Windows…
I question, when was the last time you ran a personal firewall the blocked outbound connections?
I personally never have.
They are quite difficult to configure properly as you have to make rules for every networked application you use.
I can imagine them being basically impossible for an average user to configure properly and without properly understanding them they will just cause more support issues.
It’s much smarter to prevent the rogue applications from being installed in the first place, much easier
to do.
– Jesse McNelis
Definitely. The trouble is that they popup those little dialogs, and you stop reading them unless you’re very careful because they get in your way _right now_.
They also limit what you can do as an app designer. Users may wonder why your one program has three programs requesting internet access (not that this is a common scenario). And when users wonder, we all know, they make up crap
.
And it doesn’t stop the more common type of rogue virus: The one that’s installed into some dll somewhere that runs with a program. Although it may save you from some nasty spyware, which you were probably told you were installing while you clicked “next” repeatedly.
The firewall on OS X is not even turned on by deafult! I’ve never really understood that since I’ve never had any issues with it on.
Microsoft have dug themselves a hole with their lax stance on security for years that is proving difficult to patch up because of so much compatibility breakage. Windows Vista is getting lamer by the day.
…will usually have a heavy investment in more robust firewall technologies, form the likes of McAfee, Norton, etc. In addition, they will have some heavy-duty hardware firewalls. I’ve yet to come across any large scale corporates (presumably the ones with influence over MS) who use the built-in XP firewall.
So who exactly has persuaded MS to make this strange decision? It does seem odd to me.
The ones with a heavy investment in other firewall technologies? Large enterprises tend to firewall at a higher level, not at the PC level. PC level firewalls also tend to play at lot of havok with their applications, so they would likely prefer it off, moreso when said applications were developed by parties with no idea what they’re doing, unfortunately too common. Nothing odd about that.
Then there’s always the wonderful ‘anti-competitive’ card.
“So who exactly has persuaded MS to make this strange decision? It does seem odd to me.”
You’d be surprised at how little many “enterprise level experts” actually know.
Outbound traffic includes all “phone home” traffic, and “spy on the user” traffic, and “genuine (spit) advantage” traffic.
Thinks Microsoft: “can’t have average joe users blocking any of that stuff”.
“So who exactly has persuaded MS to make this strange decision? It does seem odd to me.”
MS products have always followed the completely open security model as part of the enterprise security model to allow for administrators and users to tighten up as needed.
The *nix security model, which has been around for decades, as-well-as BSD and Linux are to varying degrees more secure since they are generally operating in the mode of tighter control. Users that need access to a process or share are granted it.
All I have to say regarding Vista is caveat emptor. You get what your MS license pays for.
I can’t believe I am actually chiming in on the side of MS, but the default on Linux is to allow outgoing traffic too. At least on any distro I have ever used. I know for sure thats the policy on Red Hat based distros. So whats the big deal? Remember, the home user isnt smart enough to know what a fireall does or how it works. How are they going to be expected to configure it?
//I can’t believe I am actually chiming in on the side of MS, but the default on Linux is to allow outgoing traffic too.//
The default on a Linux system is also to not have any spyware/phone home/DRM/genuine advantage/keylogger/mandatory update/rootkit/spambot type software on it that can and would take advantage of an open firewall in the outbound direction.
I too can’t believe you are actually chiming in on the side of the indefensible.
So there is no such thing as rootkits for linux? Hm.. interesting.
Yes their is root kits for linux however they are harder to install and you dont have Groups like sony sticking linux root kits on music cd’s
I too can’t believe you are actually chiming in on the side of the indefensible.
Pot, meet kettle. There’s plenty of malware out there for Linux (rootkits, BO’s etc). Try to be a little more honest when you defend the indefensible…
There’s plenty of malware out there for Linux (rootkits, BO’s etc).
If by plenty you mean 1000x less than for Windows, why, yes, you’re right. When taking market share into account (because I know you will, even though the logical conclusion of that option is that you should encourage more people to use Linux), the proportion is still 50x more for Windows than Linux.
If there’s plenty of malware for Linux out there, then what would you say for Windows? (P.S. there are rootkits for Windows too, now…)
He never said there wasn’t rootkits for Windows or that Windows doesn’t have more malware…
Gee, you think perhaps you should let him answer?
In any case, “plenty” presupposes a scale, which would go from “next to nothing” to “innumerable”. “Plenty” seems pretty high on that scale, but clearly it’s a lot less than Windows. Therefore, the use of the word here seems heavily biased, which is why I asked how he would characterize the amount of malware on Windows (i.e. what adjective he would use). An overabundance? A flood? A total saturation? A disaster?
How would YOU qualify it?
//By hal2k1 (1.46) on 2006-04-26 14:22:59 UTC in reply to “its only outound traffic”
The default on a Linux system is also to not have any spyware/phone home/DRM/genuine advantage/keylogger/mandatory update/rootkit/spambot type software on it that can and would take advantage of an open firewall in the outbound direction. //
//By sappyvcv (1.19) on 2006-04-26 15:21:02 UTC in reply to “RE: its only outound traffic”
So there is no such thing as rootkits for linux? Hm.. interesting.//
//By sappyvcv (1.19) on 2006-04-26 17:13:54 UTC in reply to “”
He never said there wasn’t rootkits for Windows or that Windows doesn’t have more malware…//
Just as I never said that “there is no such thing as rootkits for linux”.
If you call strawman arguement, so do I.
What I said was that “by default” there was no “spyware/phone home/DRM/genuine advantage/keylogger/mandatory update/rootkit/spambot type software” on Linux.
However, in contrast, “by default” there IS spyware/phone home/DRM/genuine advantage/mandatory update/ type software on Windows.
If you are going to argue against someone, at least argue against what they actually say. I does you no credit at all to make up stuff and try to pretend that is what they said, rather it detracts seriously from whatever point you were trying to make.
Your strawman is particularly ironic considering that you subsequently complain about someone else making a strawman arguement against your viewpoint.
Edited 2006-04-27 12:09
The fact that Windows may allow programs access to things they shouldnt have has little to do with the firewall. The firewall is not the right place to worry about access levels. Face it, any program that has elevated permissions could just turn the damn thing off anyway. Security needs to be improved across the board. And if MS doesn’t do that, it will never be considered a secure OS. Unix and now Linux figured this out a long time ago. Someday Bill may catch up, but I doubt it considering that it really goes against a family-friendly PC.
I don’t buy their reason. Why don’t they just ask you how you want the firewall to behave during installation? It should be relatively easy to do and will make all users happy.
Enterprise customers do custom installs, right? A rhetorical question, I know; but, I fail to see how this would cause a lot of problems for an enterprise customer. From what I understand, a standardized .iso is created by IT, and then put on every box in the company. So, what does it matter what MS does by default, every company has their own needs, hence their custom .iso. Ship Vista with the firewall enabled, and let the IT departments configure their licensed copy as they see fit, that is, afterall, one of the jobs for which they are paid.
What kind of “enterprise customer” uses standard install CDs? Don’t they use tools like nlite to create unattended installations and/or slipstream service packs and updates? If they’re setting up a new batch of machines, do they really do a full manual installation on every machine or do they do one machine, make an image, and load the image on the rest?
That’s what I do. Need a new machine in advertising? Grab one from inventory, zap it with the “advertising model 170” image, change the netbios name, put in the email info, and it’s good to go. Takes 10 minutes. If I sat there and manually installed the OS, all those service packs and updates, all the software and its service packs and updates, etc., etc., etc. it’d take me half a day to prep a single machine. That’s just dumb.
Like I said, this doesn’t make sense. Real enterprise customers are going to make their own custom installations. The methods they use to push out boxes will bear little resemblance to the procedure used by Joe User.
but I really can’t understand why is everybody so concerned about outbound traffic?
Every OS has it opened by default (linux does it, solaris does it, osx does it). Not just Vista. It is inbound traffic that has to be sorted out.
Having outbound traffic firewall disabled is not half functionality. It is still full fledged firewall without fine grained tweaking for maximum protection.
//but I really can’t understand why is everybody so concerned about outbound traffic? //
All “spyware” and “reporting on the user” and “generated spam” is outbound traffic. Keyloggers are outbound traffic. etc.
As a general rule, all such traffic is generated by closed-source software (for reasons that if it were open source people would see it in the source and remove it).
One can keep one’s system protected (or at least minimise the risks) from the potential nastiness in outbound traffic using either (or both) of two ways:
(1) Use purely open source software from a trusted verifiable source and guarantee no malware thereby, or
(2) have an effective outbound firewall installed.
Windows and Windows firewall appears to be set up by default to avaoid both of these approaches.
Windows and Windows firewall appears to be set up by default to avaoid both of these approaches.
Not really true. One can always load software from trusted vendors only. What you described is poor choice of user, not the fault of OS.
Put out million of proprietary gadgets (containing all sorts of spyware but flashy) for linux. Give them to the same stupid user. What will he do on linux? The same thing as he did on Windows. This would mean that linux has the same problem with firewall.
Not true. And the same not true is valid for Windows also.
Connecting to the net & playing games, thats all I use it for now. I surf in Linux, I mean like X-Box has.