Microsoft Corp. has touted Windows Vista as giving significant security improvements over Windows XP, and it offers the Windows Firewall, with its new two-way filtering feature, as one reason for that better security.
But as shipped, the Windows Firewall offers little outbound protection, and it’s not clear how outbound protection can be configured to protect against spyware, Trojans and bots.
Firewalls such as the Windows Firewall work by halting dangerous connections a PC makes over the Internet. The Windows XP firewall offered inbound protection, but did not offer outbound protection. Some malware makes unwanted, invisible outbound connections with hackers, which let them take control of a PC.
In some cases, a computer can be turned into a “zombie” or a “bot,” spewing out thousands of pieces of spam over outbound connections without the owner’s knowledge.
Competing firewalls such as ZoneAlarm, the Norton Personal Firewall and the McAfee Internet Security Suite offer user-configurable outbound protection, also known as outbound filtering. When Microsoft reworked its firewall for Windows Vista, it added the ability to perform outbound filtering.
But by default, most outbound filtering in the Windows Vista firewall is turned off. In addition, there may be no practical way to use outbound filtering to stop all unwanted outbound connections.
Normally, to configure the Window Vista Firewall, you choose Control Panel –>Security –> Turn Windows Firewall on or off. You’ll see the screen shown in the nearby figure.
There is no way to configure outbound filtering — you can only turn inbound filtering on or off, and through the various tabs, configure how inbound filtering works.
To work with outbound filtering, you instead have to use the Microsoft Management Console, specifically the Windows Firewall with Advanced Security Group Policy applet, by typing wf.msc at the Search box or command prompt and pressing Enter. It’s shown in the nearby figure.
If you look in the various profiles in the Overview area, you’ll see that for each profile, “Outbound connections that do not match a rule are allowed.”
Every rule in the Windows Firewall allows outbound connections, though. Click the Outbound Rules icon on the left side of the screen, and you’ll see all the outbound rules. As you can see from the nearby figure, every outbound rule allows outbound connections. None block connection.
Making matters worse, there is no way for an individual or IT staff on their own to create an all-purpose rule that will block malware from making outbound connections. You can only create a rule to block a specific piece of malware, and doing that is an extremely difficult task, requiring that you know quite a bit of information about that piece of malware, including its location on your PC, the port it uses to make outbound connections, and so on.
To stop all malware from making outbound connections, you’d have to know all those details of all the thousands of pieces of malware in existence, and create rules for each one individually. But even that wouldn’t work, because you wouldn’t know about malware that has not yet been detected.
In short, as a practical matter, it’s an impossible task.
Competing firewalls often use built-in intelligence to allow certain programs to make outbound connections, and then issue alerts when other programs make connections. You’re told the program name and executable, and given a recommendation as to whether the program should be allowed. You can then block or allow the program to make a connection on a one-time or permanent basis.
Microsoft’s reaction
Microsoft claims that the firewall does perform some outbound filtering, but that the filtering is invisible to users. Jason Leznek, Microsoft senior product manager, told Computerworld that outbound filtering rules “are enabled by default for core Windows services as part of Windows Service Hardening, which enables the firewall to understand specific behaviors Windows services should have, and block them if they are doing something unexpected (ie, via an exploited vulnerability). Windows Firewall also protects the computer by blocking certain outgoing messages to help prevent the computer against certain port scanning attacks.” In other words, Microsoft claims that the firewall can block some malware. But Leznek concedes that it cannot block all malware, and he claims that a more effective approach than outbound filtering is to use antispyware such as Windows Defender, which the company claims will stop malware from being installed on the PC in the first place.
This reflects what Vista group product manager Greg Sullivan told BusinessWeek. Outbound filtering is “a high cost to pay for what we thought was not that much benefit,” he told the magazine. “The support burden it would generate for us and our partners, mostly manufacturers, is a very high cost to pay for very little benefit.”
But Microsoft has a somewhat schizophrenic approach to outbound protection. When questioned about the need for outbound filtering, Leznek told Computerworld that Windows Live OneCare, a product and subscription service Microsoft sells for US$49.95 a year “provides outbound filtering as a service and may also be an attractive option….”
So even though two-way filtering isn’t used extensively in the Windows Firewall, you can buy two-way filtering by buying extra Microsoft software.
What’s the upshot? If you’re a Windows Vista user and want to make sure that you get configurable two-way filtering, you’ll need to buy either OneCare Live or another security product or firewall that provide outbound as well as inbound protection. Make sure that the product works with Windows Vista, though, because not all firewalls do yet.