Windows Vista Firewall w/ Advanced Security

Hi all,

Does anyone have any research or analysis into the Vista Firewall (w/ Advanced Security), when you change the default rules to block and only allow access by application?

By default, its set to allow all outbound connections (essentially no outbound protection). However, I'm curious if its good against leaktests when you set rules to only permit applications you want to connect.

 

I am using the Vista FW with outbound filtering. It is not easy to set up as it does not tell you when it is blocking a program. Things like Windows Update and Windows Time require a rule for svchost limited to a particular service and port. That is better than an outbound rule for svchost without limitation, or just port limited.

Upgrades of applications do not require a revision of a rule. There is no crc checking. A hacked version of IE could replace the good one, so that avenue of attack is open. Applications with administrative privileges (given with UAC) can open inbound ports without warning. I found this out with Distrix ultimate Defrag, which only runs with elevated privileges.

I would recommend blocking IRC ports 6660-6669. This is how most botnets communicate with their owners. But this recommendation goes for any firewall. Ever wonder why Kaspersky classifies Mirc as undesirable?

No, I have not done any leak tests. Any outbound firewall can be defeated by installing a communications driver below it or it can be temporarily disabled. Leak testing's importance is greatly overblown IMO. Many pages have been written about the Windows firewall. Google is your friend.

 

Thanks for the info!

I've Googled lots actually -- Most articles thus far have been around the Firewall itself (no real recommendations on configuration), or leaktests regarding the default settings (which have no outbound protection).

Its new of course, so there won't be as much material, but I hoped someone here would have some of these details (and sure enough you did).

Thanks!

 

Oh, side note -- As may of the issues you mentioned are potential problem spots in many firewalls, do you view the WFAS as secure as its peers?

My concern for now is that most firewalls that are "Vista Ready" are still not taking advantage of Vista's security features. The one I've seen thus far is ZoneAlarm, and they only have the free version available (not the Pro).