Now it’s Vista’s Firewall’s Fault?

February 7th, 2007 by mb

The release of Windows Vista seems to have brought on a tremendous amount of criticism. Of course, CNET has yet another article with an apparent anti-Microsoft agenda. The article criticizes the fact that Vista’s firewall does not block outgoing traffic by default. In other words, the author wants Vista to prompt you every time a program first accesses the internet. This is actually kind of ironic considering that Apple’s latest TV ads criticize Vista for too many security prompts.

So here’s my defense for Microsoft’s decision:

  • Blocking and prompting on EVERYTHING is a good way to alienate users and encourage them to quickly just turn off the firewall and have no protection at all. Blocking incoming only by default is a pretty good defense that most users won’t notice (or disable).
  • Blocking outgoing traffic really isn’t as great a defense as some claim. Sure, it is a good way to provide an extra layer of protection and I use outgoing rules myself, but it wouldn’t be hard for a virus to just launch an invisible copy of IE to do its work. Certainly, IE will be one of the first apps to be allowed through a firewall. Yes, this does work, and yes, smart pen-testers (and hackers) have been doing this for years to get past personal firewalls. I even once helped someone write a backdoor (for legal pen-testing) that used IE to check an outside URL for a command to run, ran the command, posted the results back, then waited for the next command. All this while ZoneAlarm was running on the system blocking outgoing traffic.
  • The Windows firewall is a free solution meant to provide a reasonable level of protection. There are many other firewalls you could buy as an alternative. I don’t expect the Windows firewall to be best in its class any more than I expect the Windows defrag utility to be best in its class, yet it is still pretty good.
  • If someone is foolish enough to install or let be installed some malicious software on their PC that is going to execute and connect to the internet, there’s just no firewall configuration that will help them.
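
To make the second point concrete for defenders, here is an added example (not code from this post or from any firewall product) that models a per-program outbound rule next to the process context such a rule never sees. The allow-list, the parent baseline, the `window_visible` field and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ntpath import basename  # parses Windows paths on any OS

# Assumed policy: programs the user has already allowed outbound.
OUTBOUND_ALLOWED = {"iexplore.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe"}
# Assumed baseline of parents that normally start a browser; tune per site.
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe", "outlook.exe"}

@dataclass(frozen=True)
class ProcessStart:
    image: str            # full path of the new process
    parent_image: str     # full path of the process that started it
    window_visible: bool  # hypothetical field from endpoint telemetry

def name(path):
    return basename(path).lower()

def firewall_allows(event):
    """A per-program outbound rule sees only which program is connecting."""
    return name(event.image) in OUTBOUND_ALLOWED

def review_reasons(event):
    """Context the firewall rule lacks: who started the browser, and is it shown?"""
    if name(event.image) not in BROWSERS:
        return []
    reasons = []
    if name(event.parent_image) not in EXPECTED_PARENTS:
        reasons.append("unexpected parent " + name(event.parent_image))
    if not event.window_visible:
        reasons.append("no visible window")
    return reasons

def triage(events):
    """Events the outbound rule lets through that still deserve a look."""
    return [(e, review_reasons(e)) for e in events
            if firewall_allows(e) and review_reasons(e)]

# Constructed sample events, not taken from a real system.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    ProcessStart(IE, r"C:\Windows\explorer.exe", True),
    ProcessStart(IE, r"C:\Users\demo\AppData\Local\Temp\updater.exe", False),
    ProcessStart(r"C:\Users\demo\AppData\Local\Temp\updater.exe",
                 r"C:\Windows\explorer.exe", False),
]
if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(name(event.parent_image), "->", name(event.image), reasons)
```

The second sample event passes the outbound rule exactly as the first does; only the parent process and window state set it apart, and those come from process-creation monitoring rather than from the firewall.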

Yes, it is always fun to pick on Microsoft, especially when it comes to security, but come on, how many companies really have put as much money and effort into fixing their mistakes as Microsoft has? Vista’s firewall is an excellent and powerful tool and quite easy for users to understand. Firewalls aren’t friendly applications but they have done a fair job of hiding that complexity. There’s also a lot that goes on in the background, like being truly stateful and properly handling RPC traffic.

So don’t fault its default configuration; that was a usability decision. Probably one I would have chosen as well.
