Windows Firewall: the best new security feature in Vista?

Jesper speaks - Windows Vista firewall is goodness

Keith Combs' Blahg — Mon, 01 May 2006 19:56:23 GMT

Jesper Johansson&nbsp; is one of our Security Strategists and like all good evangelist, dishes out his...

Vista Windows Firewall

IT Blog — Mon, 01 May 2006 20:42:48 GMT

Jesper Johanson (Senior Security Strategist in the Security Technology Unit at Microsoft) hat einen Blog Artikel über die neue Windows Firewall in Vista geschrieben. Alles in allem sind das interessante Features, und es wird klar, dass Microsoft

Understanding the value of Vista's Firewall and outbound filtering

Dana Epp's ramblings at the Sanctuary — Mon, 01 May 2006 21:29:41 GMT

Jesper has an interesting blog post discussing what he thinks is the best new security feature in Vista... the Windows Firewall. I am more inclined to say I like UAC better, but thats just me. Anyways, besides the excellent breakdown on the benefits of

re: Windows Firewall: the best new security feature in Vista?

MikeB — Mon, 01 May 2006 22:09:39 GMT

This is the first time I've seen this information. So much focus from the press is on what Microsoft has pulled from the product. This post demonstrates that there is still a lot to the product that we have not seen yet!

re: Windows Firewall: the best new security feature in Vista?

eckes — Tue, 02 May 2006 00:46:05 GMT

Where are the SIDs of the restricted services in your screen shot? I only see Apps and library names?

Gruss
Bernd

Vista Firewall hobbled? I think not.

Michael Kleef ::: MSFT — Tue, 02 May 2006 04:18:33 GMT

I was reading a ZDnet article today&nbsp;about the Vista firewall being hobbled because it apparently...

Nice post about the new firewall in Vista

Eric Denekamp — Tue, 02 May 2006 09:13:47 GMT

re: Windows Firewall: the best new security feature in Vista?

Vasu — Tue, 02 May 2006 15:22:59 GMT

You are exactly right!. I think its a great post. Some of the things I found interesting..
--- Your comment --
In addition, as the dialogs above suggest, the vast majority of users are unable to make intelligent security decisions based on the information presented.
--- end your comment ----
I just don't think we as programmers present users with "information", we present them with 'data' something like "blah blah blah.. is blah blah blah" Think of this like driving a car, you don't need to be a mechanic in that case, versus you need to be pretty sophisticated computer user to use a computer 'securely'. I think we as an industry lack some new thought (of course I can't think anymore like a human after using computers for 10 yrs :) )
Also along the same lines,
--- Your comment ----the fact that Microsoft Word is attempting to make an outbound connection is not nearly
----- End your comment
I think MS as a company needs to get its act straight and stop programs from talking back (unless absolutely absolutely absolutely required). I (being an outsider), don't see any need for this, but I'm sure someone there has a 'realllllllllly (sic) good' reason for enabling this (?). If you look at the trends in the industry, somehow everyone now-a-days is obsessed with collecting 'data'. If there is something you can do to influence this..

--Vasu.

Windows Vista: nov

Martin Pavlis - pavlis.net — Tue, 02 May 2006 17:32:30 GMT

re: Windows Firewall: the best new security feature in Vista?

nick - london — Wed, 03 May 2006 00:02:32 GMT

yea sure and guess which one will be the most hacked and bypassed firewall in existance?

re: Windows Firewall: the best new security feature in Vista?

jesper — Wed, 03 May 2006 02:45:02 GMT

Bernd, to be honest I have not investigated how the firewall retrieves the service SIDs based on what is in the registry, but I am guessing it calls LookupAccountSid to get them. That is the normal way to do it. Call that API, passing in "NT SERVICE\servicename" for the name of the account. You can also get that information after the service is installed by calling QueryServiceConfig2 using the SERVICE_CONFIG_SERVICE_SID_INFO level.

re: Windows Firewall: the best new security feature in Vista?

Antans — Wed, 03 May 2006 11:01:52 GMT

So after reading this blog post about how cool Vista firewall will I still don't believe it will beter than proper 3rd party firewalls.

> having outbound filtering on Windows XP is meaningless
> from a security perspective

I think that's very false thinking. I do understand that vast majority of Windows users are "novice" and that outbound filtering isn't so great for them. But there are some "advanced" users like me who like running windows. When the firewall pops out saying that ftp.exe tries to connect somewhere I realise there is something strange going on and I need to investigate.
The dialog with foo.exe makes sense to me. I want even more options like "alow once", "block once", "create rule". I do know what that means.
You say that outbound filtering on XP is useless for "novice" users and the only reason it was added on Vista is becouse of the new feature with services. So does that mean that M$ firewall was desingned for "novice" users on XP and it will remain the same on Vista? Well judging from the screenshots I it's true. They have this.. um.. novice feeling to them. Especially the "Learn more about profiles" (what happened to simple Help button :)). Would be nice if windows firewall would have pro version or pro mode or something.
Well I think I will be using Outpost on Vista too. I to have lots of options and detailed logs. Windows firewall in my eyes is stiil amateur's tools (not that it is very bad).

re: Windows Firewall: the best new security feature in Vista?

Velocity — Wed, 03 May 2006 18:02:57 GMT

What's about IPv6?

re: Windows Firewall: the best new security feature in Vista?

HJT — Thu, 04 May 2006 20:38:47 GMT

I have used run Windows XP as non-admin user since 2003. I try to install applications I don't totally trust as non-admin. I would like a firewall to alert me when those programs are attempting outgoing connections. I would think an outbound firewall would work pretty well for those cases.

In cases where the application has suitable rights to disable the firewall or go around it, the app won't do that unless it is programmed to do so. Like you said, nowadays programs very rarely do that. So having an outbound firewall would buy some security still.

I do agree those dialogs rarely help ordinary users, and avoiding them in the first place is the way to go if possible.

By the way, you seem to imply Windows Vista will encourage users to run as administrators all the time which I find disappointing. I hope that is not really the case.

On Vista and GPO's (and more!)

TenBrink Tech — Thu, 04 May 2006 21:21:55 GMT

For those of you in enterprises testing Vista, here are a couple resources from today&rsquo;s blog reader....

re: Windows Firewall: the best new security feature in Vista?

Bryan — Sat, 06 May 2006 19:21:46 GMT

Jesper, thanks for the thought-provoking article. I particularly enjoyed your comments re: "Protection belongs on the asset you are trying to protect, not the one you are trying to protect against!" I also completely agreed with the fast-clicking syndrome your dancing pigs scenario entertainingly illustrates.

I wanted to bring up another angle on this, because outbound firewalls have confused me for a long time. If I have an outbound firewall, am I not sort of giving up, saying to malware:

"Rape and pillage *my computer*- just leave all the *other computers* alone please!?!"

This seems obvious when you say it out loud but I have caused a few dropped jaws among those who like outbound firewalls by, you know, *saying* it. It seems that a lot of them liked this appearance of safety, but had not considered that by the time their outbound firewall has popped up a dialog, the malware is already having its way with the local system. The malware could be deleting files, installing a rootkit, whatever. The local damage is done already.

So it seems to me that an outbound firewall takes what could be a valuable set of rules and applies them TOO LATE. Why isn't that set of rules ("the following Known Good Stuff is allowed to run, everything else is not") being applied at a point where it can make a difference - like just before executables are allowed to run?

I'd enjoy hearing your thoughts on systems like Prevx which use this methodology.

Thanks!

re: Windows Firewall: the best new security feature in Vista?

Dewi Morgan — Sat, 20 May 2006 19:55:35 GMT

As security professionals, I agree that it is our duty and responsibility to consider the "what if". But we must advise with an eye to reality.

The pre-Vista reality is that process spoofing can't be prevented, but that outbound protection detects the majority of undesirable outgoing connections. It gives users the choice to investigate or block that connection before it is made.

You wrote recently: "I am absolutely not advocating against least privilege." However, outbound firewalling, aka "per-program firewalling" is just that: least privilege for each program.

Your argument against it seems to stand on two very shaky legs.

"First, the vast majority of Windows XP users run as administrators"

This is no more an argument against outbound firewalls than it is against non-admin accounts. It simply shows that many security features, even basic ones such as non-admin accounts, are for the minority that understand and care about security and privacy. And for the majority? At least they'd get a CHANCE to block the dancing pigs from connecting out. In XP, they don't.

So you're left with a one-legged argument: just because outbound protection detects and blocks most malware that makes it to the system now, doesn't mean it always will, since malware could in theory use the privileges of other processes.

However, that argument fails as you promptly agree that "it stops some malware, today, but only because current malware has not been written to circumvent it". Well, then, today, we should use it. Tomorrow, we'll upgrade to something better as it becomes available.

Then your argument collapses completely as you utterly fail to consider what many consider the main purpose of outbound blocking: privacy protection, preventing non-malware that people intentionally run (Realplayer, Acrobat reader) from "phoning home".

That process spoofing is possible is an unpatched flaw in the OS (not just Win OS's), which has yet to be exploited to its full potential: it is NOT a flaw in the principle of least privilege as implemented by outbound filtering.

The SIDs appear to be a commendable first effort to resolve this issue.

However, what you say about them makes me less convinced: you write "In fact, firewall filtering on service SIDs is enabled by default in Windows Vista."

So, if I read that right (and I may well not have), only services are filtered? And, regular programs and services with SIDs that aren't in the list get... what? What's the default access for an unlisted service? No filtering? Or no access? Or a user dialog? What are the SIDs for cmd/command/runas/rundll/svchost? Do these change depending on the batch file/dll being called?

I'm also a little confused by an apparent discrepancy, which may only be because I am misinterpreting "run as" and "servicename" to be the same thing:

"even though two services run as NetworkService, they cannot manage each others processes and the firewall can be configured to allow only one of them to communicate out."
vs:
"I am guessing it calls LookupAccountSid to get them. That is the normal way to do it. Call that API, passing in "NT SERVICE\servicename" for the name of the account."

Shouldn't calling the API with two service names that happen to be the same, return two identical SIDs?

And, will this outbound protection allow users to stop semitrusted applications like Realplayer from phoning home while still allowing them to watch streaming media? Will it allow them to receive a notification when semitrusted applications attempt to connect to the internet? (when streaming, it's OK: when playing a local file, it's not).

If not, then I will, even with Vista, continue to recommend that our clients use third party applications to maximise their security and privacy.

re: Windows Firewall: the best new security feature in Vista?

Jennifer — Thu, 15 Jun 2006 10:53:04 GMT

Our computer is connected to the internet almost 24/7 and we can simply not use a firewall to protect ourself. At minimum, any computer connected to the Internet needs to have all current patches to its operating system and browser installed as well as personal firewall, antivirus and anti-spyware software. A more complete solution is taking a layered approach to protect your security and privacy.

A firewall prevents some communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD). A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust).

My place for free firewalls is therefore:
http://www.freespamfilter.nl/uk/firewall.htm

They always have the latest and best firewalls available and have good reviews of all firewalls.

Jennifer

re: Windows Firewall: the best new security feature in Vista?

Callie Jordan — Mon, 17 Jul 2006 05:39:10 GMT

I love what Vasu said:
-------
I just don't think we as programmers present users with "information", we present them with 'data' something like "blah blah blah.. is blah blah blah" Think of this like driving a car, you don't need to be a mechanic in that case, versus you need to be pretty sophisticated computer user to use a computer 'securely'. I think we as an industry lack some new thought (of course I can't think anymore like a human after using computers for 10 yrs :) )
---------
I'm a "human" who tries to understand enough about computers to interpret for other humans --- I teach "computer basics" to seniors and job seekers at a community college.

Ordinary people have never really been the target audience for computers --- all the usability has responded to techie type early adopters. It's time for The Computer to mature to the point where there are no longer *any* intimidating dialog boxes. I don't think we're going that way yet, but it looks like more and more people are recognizing there are "humans" out there. Thanks, Vasu

Welcome to the Windows Vista Security Blog

Windows Vista Security — Mon, 24 Jul 2006 21:22:26 GMT

Thousands of people from around the world have been hard at work to ensure that Windows Vista is the...

Melhorias de segurança no Windows Vista

Oneda — Sun, 28 Jan 2007 05:25:41 GMT

Segurança foi uma área que recebeu atenção especial no desenvolvimento do

At Least This Snake Oil Is Free

Jesper's Blog — Fri, 20 Jul 2007 08:39:28 GMT

Snake oil , for those that are not familiar with the U.S. English vernacular, is a derogatory term for

re: Windows Firewall: the best new security feature in Vista?

Allyn Yeager — Tue, 20 Jan 2009 04:48:45 GMT

If you want to learn more about Windows Vista security features check out this page. There are a ton of good resources; webcasts, podcasts and videos.

http://www.microsoft.com/events/series/technetvista.aspx

Passwort-Verwaltung - Seite 4 | hilpers

Passwort-Verwaltung - Seite 4 | hilpers — Tue, 20 Jan 2009 17:10:31 GMT

PingBack from http://www.hilpers.com/58216-passwort-verwaltung/4

Firewall installation | keyongtech

Firewall installation | keyongtech — Thu, 22 Jan 2009 11:25:59 GMT

PingBack from http://www.keyongtech.com/3530890-firewall-installation

technet » Archive du blog » Re: Sygate Firewall (part 2) - Technology Questions

Thu, 04 Jun 2009 08:57:57 GMT

PingBack from http://technet.quebecblogue.com/2009/06/04/re-sygate-firewall-part-2-technology-questions/