A site devoted to discussing techniques that promote quality and ethical practices in software development.

Tuesday, February 6, 2007

Vista firewall - outbound traffic is unblocked by default

It makes one wonder why a company that spends so much on the activation scheme for its brand-new operating system is so stupid in configuring its firewall, relying on marketing spin to do the real work.

Take the report on the Vista firewall by Robert Vamosi, which says:
"In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade."
Moreover, he finds the configuration confusing:
"It's confusing ... But for outbound--that is, those connections starting within your computer and going out to the Internet--connections are allowed except when excepted. Here Microsoft uses the good icon. This is not good."
His observation is further supported by correspondence from Symantec, which says:
"We have discovered that though Vista's outbound firewall is 'on' by default, all outbound connects that do not match a rule are allowed. In the default configuration, there are no outbound 'block' rules, only allow rules. In other words, even though [the Windows Firewall outbound protection is] on, it is not doing anything."
This is kind of dumb. I thought Vista was supposed to be a much more secure OS. Perhaps they wasted too much time on this activation and protection scheme instead of developing proper protection of their users' information. It seems Microsoft values its IP/information more than its customers'.

Microsoft's defense says:
"If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. ....The out of box experience would be poor, and they would soon be desensitized to the prompts."
They do not seem to be bothered by firewalls like ZoneAlarm or Internet Security from Symantec.

Perhaps this attitude explains why Microsoft has not done anything since the release of Windows 2000 to promote the use of non-admin accounts, leaving their users defenseless against attacks. They build this security model and then encourage users to run with security turned off by running in an admin account. They do not force those rogue programs to correct their security violations. If they had done that in 2000, they would not need this UAC in Vista to support rogue programs.

The confusing Vista firewall experience was further illustrated by David Berlind, who composed a photo gallery of the issue.

Linux, this is your chance to showcase your talent!
