Tactical Advice

Security Blanket: Vista's Outbound Firewall

You can configure outbound filtering to provide an additional layer of security — at little extra cost.
This story appears in the December 2009 issue of BizTech Magazine.

Many decried the Windows Vista firewall as broken when Microsoft released the operating system in 2006 because outbound filtering was turned off by default at the request of enterprise customers. But even in a disabled state, Vista’s firewall does provide limited outbound filtering.

The firewall has three distinct outbound filtering modes. In a disabled state, it uses outbound filtering rules to protect built-in Windows services as part of the service-hardening work undertaken during Vista’s development. The firewall can block outbound traffic from built-in services if unusual behavior is detected. Additionally, certain outbound network messages are blocked to guard against port-scanning attacks.

When you enable outbound filtering, there are standard rules that enable core network functionality. Any additional applications that require outbound access must be added to the rules list. This can be done using the firewall with the Advanced Security Microsoft Management Console (MMC), from the command line or through Group Policy.

Finally, the firewall incorporates Internet Protocol Security (IPsec) rules for authentication and encryption. Domain isolation can be configured to allow PCs joined to an Active Directory domain to send outbound traffic to one another (or to devices specified by systems administrators) and block any other outbound traffic. IPsec domain isolation rules are intended to protect groups of trusted computers, not prevent PCs in a domain from communicating with one another.

Is It Worth Enabling Outbound Filtering?

Microsoft argues that outbound filtering is not necessary because if a machine becomes infected with malware it might disable the firewall. Although other defense-in-depth mechanisms, such as running standard user and software restriction policies, are more important than filtering, organizations could benefit from the additional protection.

With the exception of a few core networking features, PCs on a corporate network shouldn’t be communicating with one another other, only with designated servers. You can enforce this practice with outbound filtering. This may also help prevent malware from propagating PC to PC, minimizing the spread of malware in the event of a virus outbreak. Without software restriction policies, users can run portable apps that generate unwanted outbound traffic.

Windows Firewall Limitations

Vista’s firewall has three operating profiles — Domain, Private and Public — that apply filter sets for different types of networks. Though it’s possible to assign different firewall profiles to network interfaces, only one profile can be active at a time. The most restrictive profile is always applied, potentially creating access problems for users who are connected to multiple networks simultaneously.

Outbound filtering may be worth setting up on PCs for an additional level of protection, providing extra value with little administrative cost. Although complex outbound rules can be enabled in high-security environments, most organizations should keep it simple and allow most or all outbound traffic to server IP addresses only.

Notebook systems need to be configured and tested more carefully because of the limitations of the firewall in Vista. Windows 7 addresses Vista’s shortcomings by allowing multiple firewall profiles to be active concurrently. (Read the BizTech article.)

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.

Sign up for our e-newsletter

Security

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
Tools to Maintain Mobile Sec... |
Far-flung devices pose serious challenges, but a variety of technologies can help protect...
Edward Snowden Personifies t... |
The NSA leak shows critical areas where organizations can better protect their data.

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...
Curse Builds a Private Cloud... |
One of the top resources in online gaming builds out a robust infrastructure that can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...
XP-iration Date: Today Is th... |
It’s officially lights out for Windows XP as an operating system. Here’s how the world is...