Tuning The Windows Vista Firewall

April 12, 2008 – 6:42 AM
At first glance, the Windows Vista firewall is disappointing to say the least. On the surface, it looks like a Windows XP leftover. In fact, the firewall’s user interface in Windows Vista is nearly identical to the interface found in Windows XP. There aren’t even any new configuration options available.
The problem with the firewall’s user interface is that it is easy to assume that the configuration options shown within it are the only options available. However, you can gain much more control over the Vista firewall by configuring it through the Group Policy Editor.
To do so, open Vista’s Group Policy Editor and load the local security policy. Next, navigate through the console tree to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Windows Firewall with Advanced Security. When you select the Windows Firewall with Advanced Security container, you will see a summary of the Windows Firewall configuration, as shown in Figure A.
As you look at the figure, you will probably first notice the various profiles that are available. Microsoft introduced the concept of multiple profiles when it released Windows XP Service Pack 2. The idea was that if a domain controller could be contacted, then Windows would use a domain profile for the firewall and a standard profile if no domain controller was available. It was a neat idea, but there are many situations in which Windows XP incorrectly uses a standard profile.
In Vista, Microsoft still allows a domain profile to be used when a domain controller is detected. Many of the kinks seem to be corrected, and domain controller detection seems to be more reliable than before.
If you look at the various profiles in Figure A, you will notice that there is no standard profile. In Windows Vista, Microsoft has chosen to do away with the standard profile and offer public and private profiles instead. To understand why, consider the way a mobile user operates. Some days the user is in the office with her laptop directly connected to the corporate network. Other times she might work at home or from an airport, coffee shop, etc.
Mobile users at home probably have home networks in place and might need to connect to resources on those networks, such as a network printer. Doing so would likely require the user to open firewall ports in order to facilitate communications. Since there is no domain controller on most home networks, the solution in Windows XP was to open the necessary ports in the standard profile. The problem is that when users took their laptops to airports, hotels or coffee shops, the standard profile was still in effect and those ports were still open.
Windows Vista’s Public and Private firewall profiles allow the user to have one profile (the Private profile) for working on a home network and another profile (the Public profile) for connecting to public networks. Unfortunately, Vista has no way of differentiating between a public and private network, so Windows will actually ask users whether they are attaching to a public or private network at the time that the connection is established.
The configuration process is fairly simple. You just select either the inbound or outbound rules container and click the New Rule link in the Actions pane. When you do, Windows launches a wizard that walks you through the creation of the firewall rule. One of the wizard’s screens asks you which profiles should include the new rule.
This is a little off topic, but we need to talk about it. In the paragraph above, you might have noticed that I mentioned an Outbound Rules container. In the past, the Windows firewall has drawn a lot of criticism for not blocking outbound traffic (although Windows XP SP2 offered limited support for outbound traffic filtering). Lack of support for outbound rules was an issue in the past because many malware programs are designed to “phone home” through obscure TCP or UDP ports. If the firewall is not blocking outbound traffic on these ports, then there is nothing to stop the malware from transmitting sensitive information across the Internet.
Don’t expect the Vista firewall’s outbound rules to be a long-term solution to this problem though. Initially, the outbound rules feature will probably go a long way toward keeping your private data private — assuming you properly configure the rules. I don’t expect this to hold up as a long-term solution because today’s malware is not designed to circumvent Windows firewall rules. I think it will only be a matter of time, though, before disabling outbound filtering becomes standard practice for malware.
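The same profile-scoped rules and outbound filtering described above can be scripted instead of clicked through the wizard. The following batch script is an added example, not code from the original article; it assumes the netsh advfirewall context that ships with Vista, that it is run from an elevated command prompt, and that the rule names, the home subnet (192.168.1.0/24) and the port values are constructed placeholders you would replace with your own.

```batch
@echo off
rem Added example (not from the original article): scope a file/printer sharing
rem rule to the Private profile only, and turn on default-deny outbound filtering.
rem Assumptions: elevated prompt, netsh advfirewall (Vista+), placeholder values.

rem Make sure the firewall is on for every profile before adding rules.
netsh advfirewall set allprofiles state on

rem 1. Home network only: allow inbound SMB (TCP 445, used by file and printer
rem    sharing) from the home subnet, and only while the Private profile is active.
rem    The Public profile never sees this rule, so the port stays closed at the
rem    coffee shop even though the rule exists.
netsh advfirewall firewall add rule name="Home sharing (Private only)" ^
    dir=in action=allow protocol=TCP localport=445 ^
    remoteip=192.168.1.0/24 profile=private

rem 2. Outbound filtering: Vista allows all outbound traffic by default. Switch the
rem    Public and Private profiles to block outbound unless a rule allows it.
rem    (The built-in "Core Networking" rules keep DNS and DHCP working.)
netsh advfirewall set publicprofile  firewallpolicy blockinbound,blockoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound

rem 3. Now allow only the programs that should talk to the Internet, per profile.
rem    Path is a placeholder for whichever browser/mail client you actually use.
netsh advfirewall firewall add rule name="Browser out (all profiles)" ^
    dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" ^
    enable=yes profile=any

rem 4. Verify: which profile is active right now, and what its defaults are.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="Home sharing (Private only)"
```

With the default outbound policy set to block, a program that was never given an allow rule cannot open a connection on an obscure port even if it is running; the 'phone home' case in the paragraph above becomes a blocked connection rather than a silent success. Rules added with netsh land in the local policy store and merge with anything delivered by Group Policy, so the same rules can later be moved into the Group Policy Editor container described earlier.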
If you don’t believe me, then think about it this way: Can a compromised operating system really protect you? If someone is able to infect your system with malware, do you honestly expect the infected system to be able to defend itself against the malware sending outbound traffic? It’s kind of like expecting a thief not to steal anything after he has gone through the trouble of breaking into your house.
In conclusion, though, I believe the Windows Vista firewall is a huge improvement over the Windows XP version. The catch is that most of the new features are not available through the firewall’s user interface; they are only accessible through the Group Policy Editor. Windows Vista is still in beta testing, and I myself am still learning about the capabilities in the new firewall. I can tell you this: You can create some fairly sophisticated rules, and the firewall has been designed as a complement to the IPsec protocol. Sadly, I don’t think most home users will ever see the true benefit of this firewall unless Microsoft chooses to change some of the default configuration options.