Nov 24 2009

Security Blanket: Vista's Outbound Firewall

You can configure outbound filtering to provide an additional layer of security — at little extra cost.

Many decried the Windows Vista firewall as broken when Microsoft released the operating system in 2006 because outbound filtering was turned off by default at the request of enterprise customers. But even in a disabled state, Vista’s firewall does provide limited outbound filtering.

The firewall has three distinct outbound filtering modes. In a disabled state, it uses outbound filtering rules to protect built-in Windows services as part of the service-hardening work undertaken during Vista’s development. The firewall can block outbound traffic from built-in services if unusual behavior is detected. Additionally, certain outbound network messages are blocked to guard against port-scanning attacks.

When you enable outbound filtering, there are standard rules that enable core network functionality. Any additional applications that require outbound access must be added to the rules list. This can be done using the firewall with the Advanced Security Microsoft Management Console (MMC), from the command line or through Group Policy.

Finally, the firewall incorporates Internet Protocol Security (IPsec) rules for authentication and encryption. Domain isolation can be configured to allow PCs joined to an Active Directory domain to send outbound traffic to one another (or to devices specified by systems administrators) and block any other outbound traffic. IPsec domain isolation rules are intended to protect groups of trusted computers, not prevent PCs in a domain from communicating with one another.

Is It Worth Enabling Outbound Filtering?

Microsoft argues that outbound filtering is not necessary because if a machine becomes infected with malware it might disable the firewall. Although other defense-in-depth mechanisms, such as running standard user and software restriction policies, are more important than filtering, organizations could benefit from the additional protection.

With the exception of a few core networking features, PCs on a corporate network shouldn’t be communicating with one another other, only with designated servers. You can enforce this practice with outbound filtering. This may also help prevent malware from propagating PC to PC, minimizing the spread of malware in the event of a virus outbreak. Without software restriction policies, users can run portable apps that generate unwanted outbound traffic.

Windows Firewall Limitations

Vista’s firewall has three operating profiles — Domain, Private and Public — that apply filter sets for different types of networks. Though it’s possible to assign different firewall profiles to network interfaces, only one profile can be active at a time. The most restrictive profile is always applied, potentially creating access problems for users who are connected to multiple networks simultaneously.

Outbound filtering may be worth setting up on PCs for an additional level of protection, providing extra value with little administrative cost. Although complex outbound rules can be enabled in high-security environments, most organizations should keep it simple and allow most or all outbound traffic to server IP addresses only.

Notebook systems need to be configured and tested more carefully because of the limitations of the firewall in Vista. Windows 7 addresses Vista’s shortcomings by allowing multiple firewall profiles to be active concurrently. (Read the BizTech article.)

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.