Taking a leap, going to Win7 built-in firewall: anything to be aware of?

After years of using 3rd party firewalls, from Kerio to Outpost, I'm looking at making my life (and those of my relations) easier to manage. Thanks to many regular members here at Wilders I finally have the confidence to let go of controlling firewalls where every incoming and outgoing connection can be monitored, examined, and restricted. So, THANKS to those who've supported the idea that -- yes -- the built-in firewall is secure enough. (It's a big step for me.) I figure my relations will appreciate having less (and potentially confusing) prompts appearing, and we'll all appreciate having less support issues with hardware and software not working because of the firewall.

That being said, is there anything I should know configuration wise? I've seen it a bit but haven't seriously looked at configuration. I do know the difference in choosing home/work/public network ... is that about it for hands-on setup? Or is there more to be aware of?

 

Windows 7 has a quite a few unnecessary internet connecting services for a normal user. For a user like me disabling those services is not practical and can cripple your computer.

They are allowed by the built-in firewall to connect to internet. What is allowed out for those services is restricted by Windows firewall rules and the public setting is most restrictive (secure). Still there are many unnecessary services if you for example just browse in internet. They could possibly be exploited I guess.

You install software, it is allowed out. The problem comes with installing bad stuff that can further exploit your computer or get it had.

Compare with this from TinyWall: http://www.saunalahti.fi/~jarmos3/TinyWall_rules.jpg
Those are the default install rules. I even exclude the Network Discovery from those. Nothing else except what is in those Windows firewall rules is allowed to connect out or to in. This restricts much more what services are allowed compared to the default Windows firewall settings.

Of course you need to add rules for every application you use connecting to internet. Rule making is probably too much for normal users. So if they have some 3rd party firewall they allow everything out to be sure all works. TinyWall is silent, blocks everything. It is a geeky controller for Windows firewall. You will have to work to find out what rules are needed to make your internet applications work.

A 2-way firewall is just an added security layer. Your safety in internet should be fine with with the built in Windows firewall rules if you are a safe user, not installing stuff and keeping everything up to date.

EDIT:
If you don't have a network of computers, I would do also this. Go to network connections and disable there IPv6 and basically everything else except IPv4. Put for it OpenDNS server IPs or some other trusted DNS servers, but not your ISP's. Further disable NetBIOS over TCP. My Win7 is not english so I cannot be more specific, but you will find instructions in internet.

 

Thanks, Jarmo. Yeah, I've used 2-way firewall for many years (I liked the sense of control) and installed them for others too. The problem I've had, of course, is those users not knowing how to answer firewall prompts or how to set rules properly to allow their software (and hardware) to work. Over the years I've instilled in them the awareness and education part of surfing safely, and that's worked to a good extent so I know they're careful users. I think the features that 2-way firewalls provide are completely lost on them because they're either going to allow something (inadvertently or not), or block something and then complain it doesn't work.

Thanks for the additional tips. I'm familiar with disabling NetBIOS over TCP, but that was many years ago and since then I've relied on the 2-way firewall rules to block NetBIOS. Thanks for the reminder.

About DNS, you said "but not your ISP's", why is that? Because of trust or because of the possibility of it being hijacked?

 

That DNS server change suggestion was automatic, without much giving it a thought. For me it has been used since also using VPN connection and that helps hiding myself by not revealing my ISP DNS servers.

It might otherwise be not so needed or even slowing down your connection as posted in this: http://apcmag.com/why-using-google-dns-opendns-is-a-bad-idea.htm
Or this: http://www.labnol.org/internet/changing-dns-servers/18996/