Tactical Advice

Security Blanket: Vista's Outbound Firewall

You can configure outbound filtering to provide an additional layer of security — at little extra cost.
This story appears in the December 2009 issue of BizTech Magazine.

Many decried the Windows Vista firewall as broken when Microsoft released the operating system in 2006, because outbound filtering was turned off by default at the request of enterprise customers. But even with outbound filtering disabled, Vista's firewall still performs some limited outbound filtering.

The firewall offers three distinct levels of outbound filtering. With outbound filtering disabled (the default outbound action is Allow, but explicit Block rules still apply), it enforces outbound rules that protect the built-in Windows services, the result of the service-hardening work undertaken during Vista's development: each built-in service is restricted to the ports and protocols it is expected to use, so the firewall blocks outbound traffic from a service that starts behaving unusually. Additionally, certain outbound responses, such as replies to unsolicited probes of closed ports, are suppressed so that the PC reveals less to port scans.

When you enable outbound filtering (that is, change a profile's default outbound action from Allow to Block), a set of predefined rules grouped under Core Networking still permits the traffic the PC needs to function, such as DHCP, DNS and the ICMPv6 messages that IPv6 depends on. Any other application or service that requires outbound access must be added to the rules list. This can be done with the Windows Firewall with Advanced Security MMC snap-in (wf.msc), from the command line with netsh advfirewall, or centrally through Group Policy.
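As an added example, not taken from the article, here is how the policy the article goes on to recommend (outbound blocked by default, with exceptions only for core networking and designated servers) can be applied to the Domain profile using the netsh advfirewall command line that ships with Vista, run from an elevated PowerShell prompt. The server addresses, ports and rule names are placeholders chosen for illustration; substitute your own.

```powershell
# Added example (not from the article): lock down outbound traffic on the Domain
# profile with netsh advfirewall. Run from an elevated prompt. The addresses,
# ports and rule names below are placeholders, not values from the article.

# 1. Keep the firewall on and change the Domain profile's default outbound action
#    from Allow to Block. Inbound stays blocked, as it is by default.
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# 2. The predefined "Core Networking" group (DHCP, DNS, ICMPv6 and so on) must stay
#    enabled, or the PC loses basic connectivity once outbound traffic is blocked.
netsh advfirewall firewall set rule group="Core Networking" new enable=yes

# 3. Allow outbound traffic only to designated servers. Each entry is:
#    description, remote address(es), protocol, remote port(s).
$allowed = @(
    @("Domain controllers - Kerberos/LDAP/SMB", "10.0.1.10,10.0.1.11", "TCP", "88,389,445"),
    @("Domain controllers - DNS/Kerberos UDP",  "10.0.1.10,10.0.1.11", "UDP", "53,88"),
    @("Web proxy",                               "10.0.2.20",           "TCP", "8080"),
    @("Mail server - HTTPS",                     "10.0.2.30",           "TCP", "443"),
    @("WSUS",                                    "10.0.2.40",           "TCP", "80,443")
)
foreach ($entry in $allowed) {
    $name = "Outbound - " + $entry[0]
    netsh advfirewall firewall add rule "name=$name" dir=out action=allow profile=domain `
        "remoteip=$($entry[1])" "protocol=$($entry[2])" "remoteport=$($entry[3])"
}

# 4. Log dropped connections while testing, so traffic that a needed application
#    generates and that the rules do not cover shows up in pfirewall.log.
netsh advfirewall set domainprofile logging droppedconnections enable

# 5. Review the result and export it, so the same policy can be imported on other
#    PCs or reproduced as Group Policy settings.
netsh advfirewall show domainprofile
netsh advfirewall firewall show rule name=all dir=out | Select-String "Rule Name|Action|RemoteIP"
netsh advfirewall export "$env:TEMP\vista-outbound-policy.wfw"
```

The same settings can be pushed centrally from Group Policy under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Note that once the default outbound action is Block, anything without an allow rule, including PC-to-PC file sharing, is silently dropped, so check the dropped-connection log (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log) on a pilot machine before rolling the policy out.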

Finally, the firewall integrates Internet Protocol Security (IPsec) connection security rules for authentication and optional encryption. Domain isolation can be configured so that PCs joined to an Active Directory domain exchange traffic only with one another (or with devices the administrator specifies) and have any other outbound traffic blocked. IPsec domain isolation rules are intended to protect a group of trusted computers from untrusted ones, not to stop PCs in the domain from communicating with one another.
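As an added example of the domain isolation just described (again not from the article), here is a minimal policy built with the consec (connection security) context of netsh advfirewall, run elevated on a Vista domain member. The infrastructure addresses and rule names are placeholders; the layout assumes domain controllers and DNS servers at the listed addresses and that computers authenticate with their domain (Kerberos) credentials.

```powershell
# Added example (not from the article): simple domain isolation on the Domain
# profile with netsh advfirewall connection security rules. Run elevated.
# Addresses and rule names are placeholders, not values from the article.

# 1. Require IPsec authentication for inbound traffic and request it for outbound,
#    using the computer's Kerberos (domain) credentials. "request out" lets domain
#    members still reach devices that cannot do IPsec (printers, appliances);
#    "require in" keeps those devices from initiating connections to us.
netsh advfirewall consec add rule name="Domain Isolation - Kerberos" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# 2. Exempt infrastructure that can never negotiate IPsec, and ICMPv4 for
#    troubleshooting. Authentication exemption rules use action=noauthentication
#    and are evaluated before the other connection security rules.
netsh advfirewall consec add rule name="Domain Isolation - Exempt DC/DNS" `
    endpoint1=any endpoint2=10.0.1.10,10.0.1.11,10.0.1.12 action=noauthentication profile=domain
netsh advfirewall consec add rule name="Domain Isolation - Exempt ICMPv4" `
    endpoint1=any endpoint2=any protocol=icmpv4 action=noauthentication profile=domain

# 3. Pair the isolation rule with the firewall: set the Domain profile's default
#    outbound action to Block and allow outbound file sharing (TCP 445) only to
#    peers that authenticated via IPsec. An explicit Block rule would override an
#    allow-if-secure rule (block rules beat allow rules in this firewall), which is
#    why the default action, not a Block rule, provides the deny.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall set rule group="Core Networking" new enable=yes
netsh advfirewall firewall add rule name="Outbound SMB - IPsec-authenticated hosts only" `
    dir=out action=allow protocol=TCP remoteport=445 security=authenticate profile=domain

# 4. Once traffic flows, confirm that main-mode and quick-mode security associations
#    were negotiated with the peers you expect.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

In a real rollout, start with action=requestinrequestout so that nothing breaks while you find the devices that need exemptions, then tighten to requireinrequestout once the security association listing shows the expected peers authenticating.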

Is It Worth Enabling Outbound Filtering?

Microsoft's position is that host-based outbound filtering adds little, because malware that has already compromised a machine, particularly with administrative rights, can simply disable the firewall or add its own allow rules. Other defense-in-depth measures, such as running users as standard (non-administrator) accounts and applying Software Restriction Policies, are more important than outbound filtering, but organizations can still benefit from the additional protection it provides.

With the exception of a few core networking features, PCs on a corporate network shouldn't be communicating with one another, only with designated servers. Outbound filtering lets you enforce this, which also limits the ability of malware to propagate from PC to PC during an outbreak. Without Software Restriction Policies, users can run portable applications that generate unwanted outbound traffic, and outbound rules give you a way to contain that traffic as well.

Windows Firewall Limitations

Vista's firewall has three operating profiles, Domain, Private and Public, each of which applies its own set of rules depending on the type of network the PC is connected to. Although each network interface is assigned a profile, only one profile can be active at a time: the most restrictive one (Public, then Private, then Domain) is applied to every interface, which can cause access problems for users connected to multiple networks simultaneously. A notebook on an untrusted hotspot (Public) with a VPN tunnel to the office, for example, gets the Public rule set on the tunnel too, so outbound rules written for the Domain profile never apply to it.

Outbound filtering may be worth setting up on PCs for an additional level of protection, providing extra value with little administrative cost. Complex outbound rule sets are possible in high-security environments, but most organizations should keep it simple: beyond the core networking rules, allow outbound traffic only to the IP addresses of the servers users need to reach, and block the rest.

Notebook systems need to be configured and tested more carefully because of the profile limitation in Vista's firewall. Windows 7 addresses this shortcoming by allowing multiple firewall profiles to be active concurrently, one per network interface.

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.
