Microsoft limits Vista Firewall - for their own good?

The whole gist of that article is kinda dumb. What difference does it make
what the default settings are? How do default settings "limit" a firewall? I
think most commercial firewalls come with all the well-known ports open for
incoming traffic, and all outgoing ports open as well. But what difference
does it make? Everybody has to define their own ingress and egress filters
for their own network. You couldn't come up with default settings that work
for everyone.
 
Puppy Breath said:
The whole gist of that article is kinda dumb. What difference does it make
what the default settings are? How do default settings "limit" a firewall?
I think most commercial firewalls come with all the well-known ports open
for incoming traffic, and all outgoing ports open as well. But what
difference does it make? Everybody has to define their own ingress and
egress filters for their own network. You couldn't come up with default
settings that work for everyone.

It is much better to err on the closed side and close things most often NOT
needed. Let the experienced user open what he needs to since most people
don't have a clue.
 
Puppy said:
The whole gist of that article is kinda dumb. What difference does it make
what the default settings are? How do default settings "limit" a
firewall? I think most commercial firewalls come with all the well-known
ports open for incoming traffic, and all outgoing ports open as well. But
what difference does it make? Everybody has to define their own ingress
and egress filters for their own network. You couldn't come up with
default settings that work for everyone.

They have set the defaults (no monitoring of outgoing traffic) based on
feedback from enterprise customers. This seems strange as it is the
enterprise customer that is most likely to have someone on staff who knows
how to properly configure this for their enterprise.

The typical home user (for whom some basic defaults could be defined well)
will not know how to configure this and will therefore never take advantage
of those parts of the firewall.

I suspect the "because our enterprise customers asked us to" reason is not
really valid and that the true reason is they found they don't have enough
time to make this friendly enough for the average home user, and therefore
went with the option that will allow them to meet their delivery dates.
 
You guys may be right. However, even if they did close all ports, would
users know if/when it's OK to let something go through? Also, there's over
32,000 ports to worry about (65,635 if you look at it in terms of TCP and UDP).
I don't see how you could make it "user friendly".

Besides, the threats come from outside your own network, not inside. At
least, they shouldn't be coming from the inside if the rest of your security
is in place. And what's to keep a piece of malware from sending out through
port 80, which is always open on everyone's machine?

I don't know, I think closing all outgoing ports by default would be a real
nightmare for end users. Especially since the threats shouldn't be coming
from inside in the first place. But again, what difference does it make? It
only takes a mouse click to change them from Open to Closed.
 
John Jay Smith said:
http://labnol.blogspot.com/2006/04/microsoft-limits-vista-firewall-for.html
Unfortunately, Microsoft will turn off the ability to block outgoing
traffic by default and set the new firewall to block incoming traffic
only. Microsoft is doing this at the request of corporate customers and
government departments who would like to manage this feature from an
administrator level.

No, that's not really unfortunate at all. That's a no-brainer. Prohibit
all inbound traffic, allow all outbound. This is only really a problem if
you don't trust the network or system you're on (in which maybe it's time
to take a serious look at your implementation if you don't trust it).
 
Please quote inline, top posting is antisocial.
http://ursine.ca/Top_Posting

Puppy said:
You guys may be right. However, even if they did close all ports, would
users know if/when it's OK to let something go through? Also, there's over
32,000 ports to worry about (65,635 if you look at it in terms of TCP and
UDP). I don't see how you could make it "user friendly".

65,535 ports. 131,070 if you consider TCP and UDP ports to be unique.
Besides, the threats come from outside your own network, not inside. At
least, they shouldn't be coming from the inside if the rest of your
security is in place. And what's to keep a piece of malware from sending
out through port 80, which is always open on everyone's machine?

Not always. Many networks do things like transparent proxying through Squid
(http://www.squid-cache.net/) or other caching web proxy to reduce
bandwidth usage and do content filtering or banner/pop-up ad-zapping
(http://adzapper.sf.net/ is good and free for this). This is generally a
good thing, as it reduces web server load as well. I find it odd that more
ISPs don't do server-side ad-zapping for their customers, though.
I don't know, I think closing all outgoing ports by default would be a
real nightmare for end users.

Anybody else remember the Trumpet Winsock nightmare and the hoops you had to
jump through to get that to work? Even the various BSDs have open output
by default, and those operating systems have bragging rights for going
years without any security holes in the default install.
Especially since the threats shouldn't be
coming from inside in the first place. But again, what difference does it
make? It only takes a mouse click to change them from Open to Closed.

At least they're finally adding the functionality for those who know they
need it.
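For the posture Paul describes (drop unsolicited outbound by default and let the user who knows they need it open specific things), here is an added example of driving the Vista firewall from an elevated command prompt with netsh advfirewall. It is not from the article or from any poster; the browser path and the rule names are assumptions.

```batch
:: Added example, not from the thread. Run from an elevated command prompt.
:: The program path and rule names below are assumptions for illustration.

:: 1. Back up the current policy so the change can be reversed.
netsh advfirewall export "C:\fwbackup.wfw"

:: 2. Inspect the shipped defaults: BlockInbound,AllowOutbound on every profile.
netsh advfirewall show allprofiles

:: 3. Flip the default so outbound is dropped as well as inbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

:: 4. Re-open only what this machine actually needs, by program and by port.
::    The predefined Core Networking rules already cover DNS/DHCP; these two
::    are shown so the rule syntax for port-based allows is visible.
netsh advfirewall firewall add rule name="Browser out" dir=out action=allow ^
    program="C:\Program Files\Internet Explorer\iexplore.exe" enable=yes
netsh advfirewall firewall add rule name="DNS out" dir=out action=allow ^
    protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="DHCP out" dir=out action=allow ^
    protocol=UDP localport=68 remoteport=67

:: 5. Log dropped connections. With outbound blocked, a program the user never
::    installed trying to reach port 80 now shows up in the log (by default
::    %windir%\system32\LogFiles\Firewall\pfirewall.log) instead of slipping out.
netsh advfirewall set allprofiles logging droppedconnections enable

:: 6. Review the outbound rule set; anything you cannot account for is a
::    candidate to disable.
netsh advfirewall firewall show rule name=all dir=out
```

The same settings are reachable through the Windows Firewall with Advanced Security MMC snap-in, which is what the "mouse click" in the thread refers to.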
 
Paul Johnson said:
Please quote inline, top posting is antisocial.
http://ursine.ca/Top_Posting

Guess I'm just an antisocial kinda guy. Hate scrolling through something I
just read two seconds ago.

In retrospect, I think that whole article is bogus. I doubt enterprises made
that request and if they did, I doubt it would matter. But I agree that
giving people the option to use a firewall as a sort of
after-the-infection-malware-detection tool is probably a good idea. At least
from a marketing standpoint if not a practical one.
 
Puppy said:
Guess I'm just an antisocial kinda guy. Hate scrolling through something I
just read two seconds ago.

If you're quoting enough you have to scroll before you see new text, you're
including too much. Your answer indicates you didn't read that website.
The idea of quoting is to give people as much conversational context as
possible for what you're saying. If you're having a hard time spotting new
material, try changing the color of quoted material to green: Any real news
reader can do this.
In retrospect, I think that whole article is bogus. I doubt enterprises
made that request and if they did, I doubt it would matter.

I can. Block users from file sharing or connecting to any type of service
the enterprise doesn't consider work-related.
But I agree
that giving people the option to use a firewall as a sort of
after-the-infection-malware-detection tool is probably a good idea.

That's not what any firewall is good for. If Microsoft is trying to
implement packet filtering for this reason, they're probably better
rewriting all that 20+ year old code they keep cut-and-pasting into the
next version instead of keeping it and its bugs around.
At least from a marketing standpoint if not a practical one.

From a marketing standpoint, a lot of the Right Stuff is utterly impossible
to market since
 
Yes I saw the Wikipedia netiquette article. I'm not the only one who doesn't
quote here. I find the replies that don't cross post quicker to get through.
But then again, maybe that's just because the indentations in my newsreader
make it so obvious who is replying to what, the quotes are just causing me
to scroll unnecessarily.



I do understand why it's good to have a firewall PC that blocks unsolicited
traffic. And I do understand why in larger networks you need firewalls to
control traffic between subnets. And I think it's great that the new Win
firewall is totally configurable.



The only thing I can't get my head around is the notion that shipping the
firewall with the Outbound connections set to Allow by default is somehow
"limiting" or "bad".
 
Let me rephrase that last post,


"Your answer indicates you didn't read that website."



I did read the Wikipedia netiquette article. I just don't know that it
applies here. This isn't a Usenet newsgroup. I'm not the only person here
who doesn't quote. I have no problem following the thread when people don't
quote. The quoting seems superfluous here unless you're replying to
something a few steps back in the thread. It's easy enough to see who is
replying to what in my newsreader without the quoting.


"...various firewall comments."



I totally understand why it's good to have a PC firewall that blocks
unsolicited traffic. And I totally understand why enterprises need firewalls
to control traffic between subnets and at the perimeter. And I think it's
great that the new Windows firewall gives you granular control over traffic
based on port, group, addresses, and so forth. The only thing I can't get my
head around is this notion that having the Outbound connections set to Allow
by default is somehow "limiting" or "bad".
 
<Quote>
Trimming the quoted material down to only what you need for context and flow
of conversation is not only a proven way to save people's mail quotas and
dialup download times, it also makes it perfectly clear what you're
responding to and in what context. If someone opens your message and finds
the first screen full of message to be nothing but previously quoted
material, your message will just get skipped over and your audience will
just move on.
<\Quote>

These guidelines were true back in 1995 when they were designed for Windows
95 and 14.4kb/sec modems. Most of it just isn't true anymore, and top
posting simply works better. In line replies do have their place when
needed, but bottom posting just plain sucks. Bottom posting is going to die
off with the older generation of users; it's already happening.

Finally, if too much quoting is going to push you over your
news/mail/download quota, I'm not sure how to help you beyond saying, "get a
new isp, goofball."

-Mike
 
It certainly has changed how I read usenet posts. Now, when I come in
late on a thread between top posters that has grown from 20 - 30 lines
of text and quoted material to 400 - 500 lines of previous material, I
don't need to read all the posts, I just open the most recent post
because it contains the entire multi-day thread with all its replies.

Top posting also saves time because I often get to see the answer
before I see the question.

I think your next point is wrong, though.


<Quote>
Trimming the quoted material down to only what you need for context and flow
of conversation is not only a proven way to save people's mail quotas and
dialup download times, it also makes it perfectly clear what you're
responding to and in what context. If someone opens your message and finds
the first screen full of message to be nothing but previously quoted
material, your message will just get skipped over and your audience will
just move on.
<\Quote>

These guidelines were true back in 1995 when they were designed for Windows
95 and 14.4kb/sec modems. Most of it just isn't true anymore, and top
posting simply works better. In line replies do have their place when
needed, but bottom posting just plain sucks. Bottom posting is going to die
off with the older generation of users; it's already happening.

Finally, if too much quoting is going to push you over your
news/mail/download quota, I'm not sure how to help you beyond saying, "get a
new isp, goofball."

-Mike
 
I'd be interested to hear from anyone who is going over their quota because of
extra text. My free news account has 2Gigs a month, and I'd be surprised if
I use even 1/20th of it. Not to mention, even the text in the longest
threads, pales in comparison to the text in the average .html (webpage)
file. Plus, the web pages have pictures too.

-Mike
 
Mike said:
<Quote>
Trimming the quoted material down to only what you need for context and
flow of conversation is not only a proven way to save people's mail quotas
and dialup download times, it also makes it perfectly clear what you're
responding to and in what context. If someone opens your message and finds
the first screen full of message to be nothing but previously quoted
material, your message will just get skipped over and your audience will
just move on.
<\Quote>

These guidelines were true back in 1995 when they were designed for
Windows 95 and 14.4kb/sec modems. Most of it just isn't true anymore, and
top posting simply works better.

No, not really. It's still true for anybody who deals with a high volume of
electronic correspondence. If you're going through ~1100 messages a day,
with some NNTP and email not arriving synchronously (NNTP and email are not
guaranteed to deliver in order, and frequently don't), are you going to be
able to follow threads that are top posted without jumping through hoops?
No.

If you're reading the archives, are you going to want to read everything in
reverse order to catch up on a problem you're trying to solve without
having to ask the group the same tired, old questions? No.

Spam filters, kill files, flaky servers, cancellations, and bad links cause
messages to get dropped silently before being delivered to all
destinations. Do people that didn't get the opportunity to read every
article for whatever reason know what you're talking about without framing
things in context? No.

European, African and Asian users frequently pay by the kilobyte to read
more. Do they want to pay to download the entire previous article in
addition to top-posting's reduced visibility? No.

Please show some consideration and forethought for those that aren't in the
exact same situation that you are. Please understand that not all Internet
conventions are purely technical, particularly in correspondence. Assume
that your audience has not seen the message you are responding to.
In line replies do have their place when needed, but bottom posting just
plain sucks. Bottom posting is going to die off with the older generation
of users; it's already happening.

Bottom posting does suck, however, it was never a common convention except
on very short messages. Your news reader puts the cursor at the top
assuming you're going to be editing as you're working your way down.
Finally, if too much quoting is going to push you over your
news/mail/download quota, I'm not sure how to help you beyond saying, "get
a new isp, goofball."

Not always an option for all users, especially outside North America. Show
some consideration for your fellow users instead of just saying, "I'm too
lazy to learn how to use electronic correspondence."
 
Many people still share your sentiments, but most are older users. I'm going
to take a wild guess here that you are over 35. I'm not saying your way is
wrong, I'm just saying it is falling out of popularity (which I'm sure you
already know by the number of top posts you see each day). I, like most
younger users, find having to scroll through a post to read it to be far
more aggravating and common than the issues you are describing.

It's really a case of "I want it this way because . . . and they want it
that way because . . . and everyone thinks their reasons are more
important/right. I do think you'll find that top posting will continue to gain
popularity as it has been doing for a few years now. It's not a case of, "I
don't want to learn," it's more a case of, "I've heard and understand the
argument, but I disagree with it."

-Mike
 
Mike said:
Many people still share your sentiments, but most are older users. I'm
going to take a wild guess here that you are over 35.

And you'd be wrong by over a decade. 24.
I'm not saying your
way is wrong, I'm just saying it is falling out of popularity (which I'm
sure you already know by the number of top posts you see each day).

Only with people whose first newsreader was Outlook Express or whatever AOL
provided. Clueful users don't have this problem.
 
"Clueful users don't have this problem"
That is clearly one of your big mistakes since top posting is not a problem.

An observation over several years.
Top posters rarely complain, it seems they can usually easily deal with it
however it comes.
If there are complaints, it usually comes from other posters who see some
imagined problem with top posting.
Even then it is a small minority who complain.
They also need to use phrases such as "Clueful users... " "top posting is
antisocial" to drive their point.
Apparently some feel top posters are clueless, antisocial etc and need to
attempt to intimidate since facts are elusive to those few complainers.

The ones who have the problem need to deal with their problem.
Attempting to foist their problem on others only reflects on their own
inability.
 
Another reason for not using Vista unless someone really has nothing better
to do.

I have the feeling that Vista could be the end of the company although I am
not against it in any ways.
 