Sunday, January 18, 2009

Windows 7 Firewall - Outbound Blocking

I was led to believe that Microsoft has been designing its recent releases under a "Secure by Design, Secure by Default" process. Apparently nobody mentioned this to the Windows Firewall team. For Windows Vista, I blogged here about the poor default the Windows firewall uses for outbound traffic, and here about its other poor default: logging disabled.

So, with this now being 2008/2009, why does Windows 7 ship with the same insecure defaults? Both outbound filtering and logging are configured, by default, in their least secure possible modes: outbound connections are allowed unless a rule explicitly blocks them, and neither dropped nor allowed connections are logged.

Regards,

The Outspoken Wookie

19 comments:

Anonymous said...

This can be fixed by installing...
Vista Firewall Control (also for Windows 7) The freeware version works great for both inbound and outbound.

http://www.sphinx-soft.com/Vista/order.html?from=VistaFirewallControl

Hilton Travis said...

I'd have to warn people against using "security" software from a company who is quite unknown, with a website with some serious grammatical issues, and from a company that has *no* real contact nor company information on their website.

Sure, they *may* be legitimate, but from reading their website, they sure don't sound like it to me. Not even legitimate enough to look further at their software.

Besides, you *can* enable outbound filtering in the Windows 7 (and Vista) firewalls without any additional software, it is just that it is disabled by default (totally in Vista and "undefined" is allowed by default in Win 7).
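The two defaults the post objects to (outbound allowed unless a rule blocks it, logging off) and the point above that they can be changed with nothing but what ships in the box, as an added example that is not code from the post or its commenters. It uses the netsh advfirewall interface built into Vista and Windows 7 (PowerShell 2.0 era), and then parses the resulting pfirewall.log for dropped outbound connections. The backup path and the -Apply switch are assumptions; without -Apply the script changes nothing on the machine and only runs the log parser over constructed sample lines.

```powershell
# Added example, not code from the post. Flips the two Windows 7 firewall
# defaults the post complains about, then reads the log that results.
# Needs an elevated prompt when run with -Apply. Paths are assumptions.
param([switch]$Apply)

$BackupPath = Join-Path $env:TEMP 'wf-before-hardening.wfw'
$LogPath    = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

function Set-HardenedFirewallDefaults {
    # As shipped: firewallpolicy blockinbound,allowoutbound and dropped-packet
    # logging disabled. Afterwards: outbound blocked unless a rule allows it,
    # drops logged. Export first so 'netsh advfirewall import' can revert it.
    netsh advfirewall export $BackupPath | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging filename $LogPath
    netsh advfirewall set allprofiles logging maxfilesize 8192   # KB; default is 4096
    # Optional and noisy: 'logging allowedconnections enable' also records what got out.
}

function Show-FirewallDefaults {
    # The lines that matter, for each of the Domain/Private/Public profiles.
    netsh advfirewall show allprofiles |
        Select-String 'Profile Settings|Firewall Policy|LogDroppedConnections'
}

function Get-DroppedOutbound {
    # pfirewall.log is W3C-style; its #Fields header is:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path   (path = SEND | RECEIVE)
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }                        # truncated or foreign line
        if ($f[2] -ne 'DROP' -or $f[16] -ne 'SEND') { continue } # only outbound drops
        New-Object PSObject -Property @{
            Time        = "$($f[0]) $($f[1])"
            Protocol    = $f[3]
            Source      = $f[4]
            Destination = $f[5]
            DestPort    = [int]$f[7]
        }
    }
}

if ($Apply) {
    Set-HardenedFirewallDefaults
    Show-FirewallDefaults
    $lines = Get-Content $LogPath
} else {
    # Constructed sample in the real log format: one allowed web request, two
    # outbound drops (IRC and a high UDP port) and one inbound drop on 445.
    $lines = @(
        '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
        '2009-01-18 10:15:32 ALLOW TCP 192.168.1.10 203.0.113.5 49152 80 0 - 0 0 0 - - - SEND',
        '2009-01-18 10:15:40 DROP TCP 192.168.1.10 198.51.100.7 49153 6667 52 S 3314289713 0 8192 - - - SEND',
        '2009-01-18 10:15:41 DROP UDP 192.168.1.10 198.51.100.7 49154 31337 64 - - - - - - - SEND',
        '2009-01-18 10:16:02 DROP TCP 198.51.100.9 192.168.1.10 4444 445 48 S 1820930012 0 16384 - - - RECEIVE'
    )
}

# Which destination host/port pairs local software is trying to reach and being refused.
Get-DroppedOutbound $lines | Group-Object Destination, DestPort |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,4}  {1}' -f $_.Count, $_.Name }
```

With the sample input only the two SEND drops are reported (198.51.100.7 on 6667/TCP and 31337/UDP); the inbound drop on 445 is left to the inbound side of the log. On a real machine the same grouping run over pfirewall.log is the quickest way to see whether a blocked-by-default outbound policy is breaking something legitimate or catching something that should not be talking at all.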

Anonymous said...

WOW! "Vista Firewall Control" is recommended by PCWorld, Cnet, ZDnet, Majorgeeks, Softpedia, Brothersoft, Softsea and several hundred other shareware and freeware sites around the world. I have been using it close to a year now and it works great. But seeing as how you say it is not from a very good site with grammatical errors, I will remove it immediately from my computer. Thanks.... Anonymous

Hilton Travis said...

Sorry, anonymous, if I'm a little more picky with my security apps than a bunch of Shareware and freeware sites are.

I don't know, but a company with so little effort in their website text tends to let me know how much effort has been put into their app.

And the main thing I mentioned was that these guys are basically unknown (sure, maybe except for a few shareware sites that recommend this, like they recommend pretty much anything else) and there is *no* (as in zilch, zip, nada) company information on their own site, which would really have to have one question the credentials of the company and its software. And they make *security* software? No thanks.

I value my security a little more than from some unknown company I know nothing at all about and who are unwilling to offer up any information on their own company.

Victor Constantinescu said...

Hi,
The reason behind not enabling outbound filtering has been made public several times during the past years. A simple google search would have solved your dilemma:

http://technet.microsoft.com/en-us/magazine/2008.06.security.aspx

Scroll down to "Outbound filtering"

Btw, I have not see any reasoning from your part on why you should enable outbound filtering; is it just because everyone does it? :)

Hilton Travis said...

G'day Victor,

I thought I was quite clear in saying that outbound filtering was part of a "secure by design, secure by default" ideology that Microsoft keeps telling us that they are using these days. Apparently, they mean "kind of secure by design, not all that secure by default" - a not so subtle difference.

Securing *all* outbound traffic that is not explicitly allowed is a significantly better default than securing only the Service SIDs (so, yes, I have read that TechNet article). It *will* provide higher security than securing only the Service SIDs. Marginal, maybe, but definitely will provide more security.

So, again I say, Microsoft doesn't really follow their own "Secure by Design, Secure by Default" methodology when designing their products. They talk about it and follow the parts of it they want to, ignoring the parts they choose to.

Defence in depth - it is more than a catch phrase.

Ian said...

It is so aggravating how so many people who have obviously close to no knowledge of firewalls (other than the almost useless, user friendly GUI firewalls such as Norton firewall, ZoneAlarm etc.) continue to bash the Vista firewall when it is one of the best and most secure firewalls there is. The reason why the user friendly firewalls are close to useless is because the following scenario is the usual one: user installs program, firewall says program wants to access the internet, user assumes program should have access to the internet, user grants access to the internet, any spyware, malware, trojans etc. included in said program now has internet access, firewall is rendered useless and computer is compromised.
Vista firewall has outbound filtering disabled by default for a very good reason. Microsoft chose not to implement one of those "this program wants internet access, allow yes/no" GUIs for the very reasons I explain above; instead you must choose to enable outbound filtering and create the rules manually, thereby exercising a lot more control over exactly which processes, services, ports and protocols it applies to, which users that rule applies to, which computers, whether IPsec should be employed, and if it is, which encryption algorithm should be used.
This is how IT experts set up a firewall. Vista firewall has these options disabled by default so you can either learn to be an expert on the security of your computer and learn to configure your firewall correctly and securely, or you can be dumb and ignorant, install ZoneAlarm and bitch about the Vista firewall that you know nothing about.

Hilton Travis said...

G'day Ian,

Assuming I was a numptie, you may have a point.

But I'm not. I've been involved with computers, security and threat management since the mid 1980s. I know how firewalls work, how they should work and what defaults are mind-numbingly stupid.

Outbound filtering being disabled by default for all non-standard ports is mind-numbingly stupid. Always was and always will be. There's no sane security conscious person who can disagree with that on a valid basis.

Have you not seen applications that install and request permission to open up the firewall ports they need during installation? Of course you have - so what's wrong with that? A part of the install process actually installs the application properly - thereby meaning that if outbound filtering was enabled by default, when you install an application and allow it to open the port(s) (etc) it needs, you'd have enabled the LEGITIMATE applications to run, therefore disallowing the illegitimate use of outbound ports by illegitimate applications.

And, your suggestion that this was done so that users had more control over the configuration (your last paragraph) is simply not true - how many home users even know that outbound filtering is disabled and would know what to do to enable it, let alone configure it? None. Maybe less. In business this is up to an administrator, sure, who *should* know what s/he's doing. Should. But for home users, this will simply never happen, except in the rare occasion that a proper network admin with understanding of security and where it is disabled by default in Vista has configured the home computer.

All up, disabling outbound security by default has reduced the security of the Vista install, resulted in more compromised machines being able to run more compromises against other, equally insecurely configured computers, and ultimately wasted Internet bandwidth, caused user frustration and allowed malware authors to gain more of a stronghold than they would had this been enabled and configured properly by default and during the installation of legitimate applications.

Anonymous said...

I too started to use the Sphinx free firewall on my Windows 7 RC1.

Thought it was working well and it has such a small footprint and is simple to use.

I always like to give start-ups a chance, but I may replace this firewall merely because there are practically no posters using their support forum, and more importantly it looks like there are only (at max) 4 employees in the entire company.

http://www.manta.com/coms2/dnbcompany_f6bm2f

Anonymous said...

Outbound filtering is disabled for one simple reason: if it were enabled, it would render the PC near useless for 90% of the internet browsing population.

Most people would not know how to add filters manually. And any popup GUI would be plagued by the issues discussed above, automatic yes clicks.

Either way, for the unsavvy folks out there, outbound filtering is less than useless. Usability considerations will always trump security considerations.

Hilton Travis said...

That's utter rubbish. If outbound filtering was enabled with rules to allow outbound traffic only to destination :80/TCP, :443/TCP, :20/TCP and :21/TCP and all other ports blocked, then 99% of people would surf away quite successfully without even knowing there was any filtering in place - the junk that tries getting out to random ports would be blocked and offer a popup window asking to be allowed - if they are installing a game or something that uses other ports, then as happens now with inbound ports, they could open outbound ports. People would see some malware trying to get out, know they aren't installing something, and disallow its port opening request.

So what you are anonymously claiming is complete and utter rubbish.

Dirk said...

I'm not an expert. I think Microsoft did good work on their firewall (Windows Vista and 7). Only problem: the interface isn't that user friendly for an average user. Wouldn't it be simpler if Microsoft supplied configuration file(s) for the most important uses? (Surf, download, P2P, chat and VoIP?)
Or am I missing something and they provide such a "single click" solution and I didn't search well?

Hilton Travis said...

G'day Dirk,

The Win 7 firewall isn't bad, but it could be a lot better if Microsoft had configured more appropriate defaults. People wouldn't be continually looking at third party firewalls if the inbuilt one was configured properly.

Also, people won't look for a way to configure the Win 7 firewall to be more secure - they will (generally) assume it is crap and look for a third party product to do what the Win 7 firewall could easily handle if Microsoft made an easy way for people to make it secure. The best move would be to make it more secure by default.

So, is there a tool to make configuration easier (and comprehensible) for the average user? Not that I know of. Fail, Microsoft.

Anonymous said...

Allowing outbound access to the aforementioned ports (:80/TCP, :443/TCP, :20/TCP and :21/TCP) would not stop any spyware or malware from phoning home - they could simply connect to their home servers on 80, 443, 20 or 21...

In addition, many games use other ports (>1024) to connect to their servers... If you blocked outbound traffic on these ports by default then you would have a TON of users complaining that Windows 7 has broken their games.

There really is no good way to block outgoing traffic unless you do it on a per-process basis. To make this effective you would have to prompt the user every time a new process wants outbound access, however you then hit the "user always clicks ALLOW because he doesn't know any better" problem.

I think the defaults used by Microsoft preserve the best balance between security, usability and user experience.

Hilton Travis said...

That's where we differ. I say that programmers should create these firewall exceptions as these applications that require additional ports are installed, which happens now with well coded applications. That way there's no need for these prompts as and when the apps are first run.

That's better than the current default of "allow it all" which is simply unacceptable in today's security environment.
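The policy Hilton describes across the thread, as an added example that is not code from the post or its commenters: outbound blocked by default, an allow-list for 80/443/20/21 TCP, and the rule a well-behaved installer adds (and its uninstaller removes) for its own executable, so no first-run prompt is needed. It uses the netsh advfirewall interface built into Vista and Windows 7. The rule names, the example program path and the -Apply switch are assumptions; without -Apply the script only prints the netsh commands it would run, which is the form you would review before pushing it out as a startup script.

```powershell
# Added example, not the post's code: the author's proposed outbound baseline
# plus the install-time per-program exception. Run elevated with -Apply.
param([switch]$Apply)

function Invoke-Netsh {
    # Runs netsh with -Apply; otherwise prints the command line for review.
    param([string[]]$Arguments)
    if ($Apply) { & netsh $Arguments }
    else        { 'netsh ' + ($Arguments -join ' ') }
}

# The author's allow-list: web browsing and FTP. Everything else outbound is dropped.
$BaselinePorts = @{ HTTP = 80; HTTPS = 443; FTPData = 20; FTPControl = 21 }

function Set-BaselineOutboundPolicy {
    Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinbound,blockoutbound')
    foreach ($name in $BaselinePorts.Keys) {
        Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=BaselineOut-$name",
                       'dir=out', 'action=allow', 'protocol=TCP', "remoteport=$($BaselinePorts[$name])")
    }
    # Not in the author's list, but once outbound is blocked nothing works
    # without them: DNS to the configured resolvers and DHCP renewals.
    # 'dns' and 'dhcp' are netsh address keywords, not literal hosts.
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=BaselineOut-DNS',
                   'dir=out', 'action=allow', 'protocol=UDP', 'remoteport=53', 'remoteip=dns')
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=BaselineOut-DHCP',
                   'dir=out', 'action=allow', 'protocol=UDP', 'localport=68', 'remoteport=67', 'remoteip=dhcp')
}

function Add-ProgramOutboundRule {
    # What an installer should run: a rule bound to the binary it just
    # installed, narrowed to the ports that program actually needs.
    param(
        [Parameter(Mandatory=$true)][string]$RuleName,
        [Parameter(Mandatory=$true)][string]$ProgramPath,   # full path to the EXE
        [string]$Protocol = 'TCP',
        [string]$RemotePorts = ''                            # e.g. '27015-27030' or '443'; '' = any
    )
    if ($Apply -and -not (Test-Path -LiteralPath $ProgramPath)) {
        throw "Refusing to add a rule for a program that is not installed: $ProgramPath"
    }
    $argv = @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName", 'dir=out',
              'action=allow', "program=$ProgramPath", "protocol=$Protocol", 'enable=yes')
    if ($RemotePorts -ne '') { $argv += "remoteport=$RemotePorts" }
    Invoke-Netsh $argv
}

function Remove-ProgramOutboundRule {
    # The uninstaller's half: do not leave orphaned allow rules behind.
    param([Parameter(Mandatory=$true)][string]$RuleName)
    Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', "name=$RuleName", 'dir=out')
}

Set-BaselineOutboundPolicy

# Hypothetical game client whose servers listen on 27015-27030/UDP (assumed).
Add-ProgramOutboundRule -RuleName 'ExampleGame-Out' `
    -ProgramPath 'C:\Program Files\ExampleGame\game.exe' -Protocol UDP -RemotePorts '27015-27030'

# What the matching uninstaller runs.
Remove-ProgramOutboundRule -RuleName 'ExampleGame-Out'
```

Two things worth noticing when reading the printed commands. The baseline port rules carry no program= restriction, so any binary on the box can still reach 80 and 443; that is the objection raised earlier in the thread about malware phoning home over HTTP, and only the program-scoped form (the installer's rule, or the baseline rules rewritten with program= for the browser and FTP client) narrows it. And a rule added by an installer is only as trustworthy as the installer: the firewall is not what decides whether the program was worth installing in the first place.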

Santhosh said...

Did you find any solution for this? I enabled the outbound filter, but other PCs on the LAN are not able to connect to FTP. Is there any way to allow all connections from the LAN and only allow specified programs on MY PC to connect to the internet? This way only allowed programs on my PC get internet access, and other PCs on the LAN get full internet access without any blocking? My PC is used to share internet with others on the LAN.

Hilton Travis said...

Santhosh, there's really nothing to find a solution to other than what I outlined - Microsoft chose really low security defaults and I suggest that you increase the security of your desktops.

Now, if you don't have a real router/firewall and want to do what you're asking... good luck! You can't (easily) do that on a Windows desktop operating system.

The Larch said...

The comments here about popup GUI leading to automatic "yes" clicks is stupid, because the default situation with Windows Firewall is that EVERYTHING gets a "yes" to connect out anyway, so at worst case we get what we have by default anyway. I have had ZoneAlarm on a Windows 98 machine for years, and I really appreciated being able to stop applications from trying to access the internet when they have no need to -- I know they aren't being malware, but I don't like software overstepping privileges without me even knowing. I was also able to stop some actual malware from being a worse problem, because the firewall would ask if I would allow something with a name that I know I had never installed. Stopped that crap cold, easy. I could also quickly read with Process Explorer when some malware dll was involved with an otherwise legitimate Windows thing that was oddly trying to connect out, and get onto fixing. Far easier than figuring out this rules crap.

Hilton Travis said...

The Larch, quite clearly you are not an average user if you have even heard of "Process Explorer" let alone have run it up and not had your head explode at the interface.

What this whole post was about was using sensible security policies for protection of the average user on a network.

Sensible security policy for a network is disabling all unnecessary protocols. That's clearly in addition to other layers in a good and sensible security model. It should be the step immediately after disabling UPnP on any gateway device.