Windows Firewall: It's a lose-lose proposition

Sometimes you just can't win. That's the way it is with the Windows Firewall. The one in XP can't monitor connections from your PC to the outside world--which is how botnets, Trojans, and other malware operate. The firewall in Vista can block outbound connections, but this feature is off by default, and it's practically impossible to create filters to block selective outbound links.

On the one hand, Microsoft claims that you don't need outbound filtering if you use the Windows Defender anti-spyware app to keep the snoops off your PC in the first place. On the other, it sells the $50-per-year Windows Live OneCare service that does let you filter outbound connections selectively. Go figure.

If you make the safe assumption that outbound monitoring is a requirement of your software firewall, your only option is to replace the firewall built into Windows. Several free firewalls offer outbound filtering, but using a third-party firewall can slow your PC's performance, especially as the firewall learns what to allow and block without having to prompt you.

Quite often a problem connecting to the Internet or your ISP's e-mail server can be traced to a conflict with a third-party firewall. Disable the firewall, and the connection returns. Adding the destination to the firewall's allowed list usually takes care of the problem, but that doesn't lessen the aggravation level much.

And there's another risk entailed in using a third-party firewall, as some people who use ZoneAlarm found out last month when a Windows patch caused them to lose their Internet link.

Most Windows users will simply bite the bullet and run a third-party firewall, but I can't think of any other product that requires some second product to use safely. (Okay, maybe an outboard motor, but that's about it.) Relying on the Windows Firewall is like buying a car without seatbelts or with airbags that inflate only halfway.

I could tell you how to reset Vista's firewall to block outbound connections (press the Windows key, type wf.msc, press Enter, click Windows Firewall Properties, and change each profile's "Outbound connections" setting to Block), but there's no guarantee this will protect you, and doing so may cause some applications not to work properly.

Change the "Outbound connections" settings in the Vista firewall to Block.

(Credit: Microsoft)

After reading through Microsoft's TechNet article on the Windows Firewall with Advanced Security (the version in Vista and Windows Server 2008), I figure the only profile I need to block outbound connections from is the Public Profile, which is the one Windows defaults to when you're not on a Windows domain or private network. (You designate a network as private in the dialog box that Windows pops up the first time you try to connect to it.)

I may pay a price, one way or another, for sticking with the firewall built into Vista, but I just can't bring myself to download software to provide a security measure that should be built into the OS. (Don't get me started on antivirus and spam blockers.)

[zand94]

Hey Dennis - check out a program called Vista Firewall Control at http://www.sphinx-soft.com/Vista/index.html - there's a free limited version (some features disabled) and paid full version. This gives you a bit of what I call "zone alarm style" notifications and control over inbound and outbound connections. You may want to do a followup article to this one once you use it a bit :)

Alex

[john55440]

If Vista included an advanced firewall, Symantec and other security companies would probably file an anti-trust complaint against Microsoft.

[macintard]

Honestly, who cares?

[alegr]

If you don't run as administrator, why should you worry about viruses and trojans and botnets? What's the point?