Microsoft readies two-way firewall for Vista

IDG News Service - Microsoft Corp. is readying a new, highly configurable firewall for its upcoming Windows Vista operating system that is designed to give administrators much greater control over which applications are allowed to run on the systems they manage.

After just over a month of testing by users in Microsoft's Community Technology Preview (CTP) program, the firewall is "very much on track" to be in the final Vista release, which is scheduled for later this year, said Austin Wilson, a director in Microsoft's Windows Client group. The company is considering a similar feature for its consumer users, he said.

Microsoft describes the firewall as "two-way" because it filters both incoming and outgoing network traffic, meaning it can be used to block machines attempting to connect to the Windows PC as well as applications on the PC trying to connect to other systems on the network.

The ability to block outgoing traffic does not currently exist in Windows XP, but it will give powerful options to Vista administrators, Wilson said. For example, administrators could use the firewall to ensure that their PCs run only a preferred instant messaging application. "If you tried a different instant messaging application, then it would be blocked," he said. "It's really something that we're targeting toward enterprise administrators in corporations."

Though Microsoft has previously discussed plans to include the firewall in Vista, it has only recently provided details on how it will work.

The new firewall capabilities were introduced in last month's CTP Build 5270, but they were difficult to access and turned out to be much more extensive than testers had expected, according to Windows blogger Ed Bott, co-author of the book Microsoft Windows XP Inside Out.

"After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that Windows Firewall hadn't changed at all," he wrote in a Jan. 14 blog posting.

To access the new firewall features, Vista users need to create a customized management console and then configure it to load the "Windows Firewall with Advanced Security."


The console can be run in two ways. It can be used in single-machine mode to manage only the PC it has been installed on, or it can be configured using Active Directory to set up policies that apply to a large number of machines. "If I have 10,000 machines, I can set up a policy, one time, to block a given application. And that would propagate across all of my 10,000 machines," Wilson said.

Though many security products already have