Password-protected firewall for XP and Vista

Discussion in 'other firewalls' started by Gez, Sep 15, 2007.

Thread Status:
Not open for further replies.
  1. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    Hi
    I have an Endian firewall at the perimeter proxying web traffic for a business client. I want to install a software firewall on each of 10 workstations to enforce use of the proxy, by blocking port 80 and routing all web traffic through the proxy's port, e.g., 3128. At the moment I'm enforcing the use of the proxy by blocking port 80 on the proxy itself, but for various reasons I feel it would be better to use a firewall on each workstation.
    Of course I would need a software firewall with password protection to make sure the rule blocking port 80 could not be deleted by the user. Kerio 2.1.5 does this perfectly for XP, but the problem is the business has a number of Vista workstations, and I'm not too familiar yet with Vista, and certainly not with firewalls for Vista. Can anyone recommend a stable firewall with password protection for the Vista clients, preferably free?
    Thank you,
    Gerard.
     
  2. Bls440

    Bls440 Registered Member

    Joined:
    Jun 22, 2007
    Posts:
    82
    Zone Alarm ... I don't know if the Free edition provides password protection, but the Pro one does. Hope this helps!
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    Hmmmm, but there is no ZA Pro for Vista, only ZASS, which includes an antivirus.

    It's a good question. Perhaps there is some way to do this with the built-in firewall (it's free) by enabling outbound filtering with port 80 blocked, and setting up a policy that prevents changing the firewall settings. Actually, if the computers are locked down to user rights, when the advanced firewall settings are run, there will be a UAC prompt requiring the administrator password (might require a setting in local security policy), which the users do not have to be given.

    Truth be told, the selection of available Vista firewalls that are not part of a suite is not anywhere near as large as what is available for XP, and the list for free is smaller yet. You could take a look at PCtools. I don't know if it will do the job, but it is free and Vista compatible.
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Have you even attempted to use the firewall in Vista? It's bi-directional and rule-based.
     
  5. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    Trouble is -- as usual -- I'm trying to keep costs down, simply because the network has been neglected and there are so many other things I have to justify buying for it that are more important! Thanks anyway.
     
  6. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    This is a good tip. Thanks. There's just so much to do I haven't really got round to looking at the ins and outs of Vista's firewall yet.
     
  7. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    I'm back in this evening to look at it. Thanks for your help. I'm using your ruleset for Kerio as well which is a great help.
     
  8. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You want the advanced firewall settings in the administrator tools; this is where you can set up the rule, and only administrators can change the firewall rules.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    To get to the Vista firewall advanced settings, type wf.msc in the search box and press return. Probably with outbound filtering turned on, iexplore.exe would need a rule allowing TCP out on 3128. You could also set up a rule blocking all applications from using TCP port 80. I have a UDP loopback rule; IE and several other apps need it. It is simply allow all UDP ports to access remote address 127.0.0.1. Also needed are rules for Windows Update (svchost.exe, Windows Update service, TCP remote ports 80 and 443) and a rule for Windows Time (same, but UDP remote port 123). Help is helppane.exe, allowed out on TCP.

    The key is not a password on the firewall, but a complete system lockdown requiring a password for UAC. Otherwise, there are too many ways around the firewall.

    Hey BZ, your Kerio rules forum over at DSLR has been a great resource. I still check it now and then. We need to do something like that on the Vista firewall.
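
Added example (not part of any post in this thread): the outbound rule set described in the post above, written as `netsh advfirewall` commands for an elevated command prompt on Vista. The proxy address 192.0.2.10 and the rule names are placeholders; port 3128 is the example port from the first post.

```bat
@echo off
rem Added example. PROXY_IP and all rule names are placeholders, not values
rem taken from the thread. Run from an elevated command prompt.
setlocal
set PROXY_IP=192.0.2.10
set PROXY_PORT=3128

rem Turn on outbound filtering: traffic without a matching allow rule is
rem dropped, so browsers cannot reach remote port 80 directly.
rem A separate "block TCP 80 for all programs" rule is left out on purpose:
rem block rules take precedence over allow rules, so it would also stop the
rem Windows Update rule below from using port 80.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem Internet Explorer may only talk to the proxy on the proxy port.
netsh advfirewall firewall add rule name="IE to proxy" dir=out action=allow ^
    program="%ProgramFiles%\Internet Explorer\iexplore.exe" ^
    protocol=TCP remoteip=%PROXY_IP% remoteport=%PROXY_PORT%

rem UDP loopback: any UDP port to 127.0.0.1 (needed by IE and other apps).
netsh advfirewall firewall add rule name="UDP loopback" dir=out action=allow ^
    protocol=UDP remoteip=127.0.0.1

rem Windows Update: svchost.exe, scoped to the update service only.
netsh advfirewall firewall add rule name="Windows Update" dir=out action=allow ^
    program="%SystemRoot%\System32\svchost.exe" service=wuauserv ^
    protocol=TCP remoteport=80,443

rem Windows Time: same host process, time service, UDP remote port 123.
netsh advfirewall firewall add rule name="Windows Time" dir=out action=allow ^
    program="%SystemRoot%\System32\svchost.exe" service=w32time ^
    protocol=UDP remoteport=123

rem Help pane, allowed out on TCP.
netsh advfirewall firewall add rule name="Help pane" dir=out action=allow ^
    program="%SystemRoot%\HelpPane.exe" protocol=TCP

rem List every rule so the result can be reviewed.
netsh advfirewall firewall show rule name=all
endlocal
```

Rules that were already enabled before the script ran stay in place; the final command lists them so any unwanted outbound allow rule can be disabled. The rules only hold if users run as standard users, since any administrator can change them.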
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Thought about it, and not touching it... Without the ability to prompt the user, only block, or allow, I see it as only an admin tool. If you could get prompted it would be much easier, but the constant typing in of the admin pass due to UAC would be very annoying.
     