Microsoft Corp. has touted Windows Vista as providing significant security improvements over Windows XP, and it offers the Windows Firewall, with its new two-way filtering feature, as one example of that better security.
But as shipped, the Windows Firewall offers little outbound protection, and it's not clear how outbound protection can be configured to protect against spyware, Trojan horses and bots.
Firewalls such as the Windows Firewall work by halting dangerous connections a PC makes over the Internet. The Windows XP firewall offered inbound protection but did not offer outbound protection. Some malware makes unwanted, invisible outbound connections with hackers that can let them take control of a PC.
In some cases, a computer can be turned into a "zombie" or a bot, spewing out thousands of pieces of spam over outbound connections without the owner's knowledge.
Competing firewalls such as ZoneAlarm, the Norton Personal Firewall and the McAfee Internet Security Suite offer user-configurable outbound protection, also known as outbound filtering. When Microsoft reworked its firewall for Windows Vista, it added the ability to perform outbound filtering.
But by default, most outbound filtering in the Windows Vista firewall is turned off. In addition, there may be no practical way to use outbound filtering to stop all unwanted outbound connections.
Normally, to configure the Window Vista Firewall, you choose Control Panel, then Security, then Turn Windows Firewall on or off. You'll see the screen shown in the figure below.
This screen doesn't let you configure outbound filtering for the Windows Firewall.(Click image to see larger view.)
As you can see, there is no way to configure outbound filtering -- you can only turn inbound filtering on or off, and through the various tabs, you can configure how inbound filtering works.
To work with outbound filtering, you instead have to use the Microsoft Management Console, specifically the Windows Firewall with Advanced Security Group Policy applet, by typing wf.msc at the Search box or command prompt and pressing Enter. It's shown in the figure below.
To configure outbound filtering, use the Windows Firewall with Advanced Security Group Policy applet.(Click image to see larger view)
If you look in the various profiles in the Overview area, you'll see that for each profile, "Outbound connections that do not match a rule are allowed."
Every rule in the Windows Firewall allows outbound connections, though. Click the Outbound Rules icon on the left side of the screen, and you'll see all the outbound rules. As you can see from the figure below, every outbound rule allows outbound connections. None block connection.
Every single outbound rule allows outbound connections.(Click image to see larger view.)
Making matters worse, there is no way for an individual or IT staffer on his own to create an all-purpose rule that will block malware from making outbound connections. You can only create a rule to block a specific piece of malware. That is an extremely difficult task, requiring that you know quite a bit of information about that piece of malware, including its location on your PC, the port it uses to make outbound connections and so on.
To stop all malware from making outbound connections, you'd have to know all those details of all the thousands of pieces of malware in existence, and create rules for each one individually. But even that wouldn't work, because you wouldn't know about malware that has not yet been detected.
In short, as a practical matter, it's an impossible task.
Competing firewalls often use built-in intelligence to allow certain programs to make outbound connections, and then issue alerts when other programs make connections. You're told the program name and executable and given a recommendation as to whether the program should be allowed. You can then block or allow the program to make a connection on a one-time or permanent basis.
Microsoft claims that the firewall does perform some outbound filtering, but that the filtering is invisible to users. Jason Leznek, Microsoft senior product manager, told Computerworld that outbound filtering rules "are enabled by default for core Windows services as part of Windows Service Hardening, which enables the firewall to understand specific behaviors Windows services should have, and block them if they are doing something unexpected -- i.e., via an exploited vulnerability. Windows Firewall also protects the computer by blocking certain outgoing messages to help prevent the computer against certain port scanning attacks."
In other words, Microsoft claims that the firewall can block some malware. But Leznek acknowledges that it can't block all malware, and he claims that a more effective approach than outbound filtering is to use antispyware such as Windows Defender, which the company claims will stop malware from being installed on the PC in the first place.
This reflects what Vista group product manager Greg Sullivan told BusinessWeek. Outbound filtering is "a high cost to pay for what we thought was not that much benefit," he told the magazine. "The support burden it would generate for us and our partners, mostly manufacturers, is a very high cost to pay for very little benefit."
But Microsoft has a somewhat schizophrenic approach to outbound protection. When questioned about the need for outbound filtering, Leznek told Computerworld that Windows Live OneCare, a product and subscription service that Microsoft sells for $49.95 a year, "provides outbound filtering as a service and may also be an attractive option."
So even though two-way filtering isn't used extensively in the Windows Firewall, you can buy two-way filtering by buying extra Microsoft software.
What's the upshot? If you're a Windows Vista user and want to make sure that you get configurable two-way filtering, you'll need to buy either OneCare Live or another security product or firewall that provide outbound as well as inbound protection. Make sure that the product works with Windows Vista, though, because not all firewalls do yet.
Preston Gralla is a contributing editor to Computerworld Online, and the author of more than 35 books, including Windows Vista in a Nutshell (O'Reilly Media, 2006).