View Full Version : Microsoft readies two-way firewall for Vista Security


Auggie2k
January 26th, 2006, 08:44 AM
Microsoft is readying a new highly configurable firewall for its upcoming Windows Vista operating system that is designed to give administrators much greater control over which applications are allowed to run on the systems they manage. After just over one month of testing by users of Microsoft’s Community Technology Preview (CTP), the firewall is “very much on track” to be in the final Vista release scheduled for later this year and they're thinking about adding a similar feature for its consumer users, said Austin Wilson, a director in Microsoft’s Windows Client group.

The new firewall is called “two-way” because it filters both incoming and outgoing network traffic, meaning that it can be used to block machines that are trying to connect to the Windows PC as well as applications on the PC that are trying to connect to other systems on the network.

This ability to block outgoing traffic does not currently exist in Windows XP, but it will give powerful options to Vista administrators, Wilson said. By using the firewall, administrators could, for example, ensure that their PCs only use a preferred instant messaging application. “If you tried a different instant messaging application, then it would be blocked,” he said. “It’s really something that we’re targeting toward enterprise administrators in corporations.”

Though Microsoft has previously discussed plans to include the firewall in Vista, it has only recently provided details (http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx) on how it will work.

The new firewall capabilities were introduced in last month’s CTP build 5270, but they were difficult to access, and turned out to be much more extensive than testers had expected, according to Windows blogger Ed Bott, a co-author of the book, “Microsoft Windows XP Inside Out”.

“After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that Windows Firewall hadn’t changed at all,” he wrote in a Jan. 14 blog posting (http://www.edbott.com/weblog/?p=1219).

In order to access the new firewall features, Vista users need to create a customized management console and then configure it to load the “Windows Firewall with Advanced Security.”

The console can be run in two ways. It can be used in “single machine mode” to manage only the PC where it has been installed or it can be configured using Active Directory to set up policies that apply to a large number of machines. “If I have 10,000 machines, I can set up a policy, one time, to block a given application. And that would propagate across all of my 10,000 machines,” Wilson said.

Though many security products already have similar capabilities, the fact that outbound blocking will be built into the operating system will make life much easier for enterprise system administrators, who will now be able to create custom scripts and group policies to restrict the uses of Windows PCs, Bott said.

Though the underlying firewall code, called the Windows Filtering Platform, has been rewritten for Vista, Wilson said that most users will not notice major differences between XP and the new operating system. “There are really two different firewall consoles in Vista. If you go to Control Panel / Firewall, you get the traditional one that was there in Windows XP,” he said. “If you go to the other console, which is called Windows Firewall with Advanced Security, then you see both the inbound and outbound filtering.”

The Windows Filtering Platform, which is used by both firewall consoles, has been rewritten to improve the way Windows intercepts network traffic and to make the software work more efficiently with the Windows kernel, Wilson said. “We wanted to have a flexible platform that we could use and that third parties could use for filtering,” he said.

Microsoft is thinking about adding outbound filtering for consumers to a post-Vista Windows product, but work needs to be done to ensure that such a two-way firewall is easy to use, Wilson said. “First of all, we have to make sure that application compatibility is very good when that’s enabled,” he said.

Microsoft must also make sure it does a “great job of helping users make good decisions on what applications would be allowed to talk outbound, and make that decision without overwhelming them with dialog boxes,” he said.
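The scenario Wilson describes above (one approved instant messenger allowed out, any other blocked) can be expressed on the Vista-era firewall from the command line through the same "Windows Firewall with Advanced Security" engine. The block below is an added example, not code from the article or from Microsoft; the program paths and rule names are placeholders, and it must be run from an elevated prompt.

```powershell
# Added example: outbound application control with "Windows Firewall with
# Advanced Security" via netsh advfirewall. Program paths and rule names are
# placeholders, not values taken from the article.

$approvedIM   = 'C:\Program Files\ApprovedIM\approvedim.exe'   # placeholder
$unapprovedIM = 'C:\Program Files\OtherIM\otherim.exe'         # placeholder

# 1. Default policy: keep inbound blocked (as in XP SP2) and switch the
#    outbound default from allow to block. Only do this after allow rules for
#    required traffic (DNS, domain logon, updates) exist, or the machine goes dark.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Explicit allow for the approved client, scoped to the domain profile.
netsh advfirewall firewall add rule name="Allow ApprovedIM outbound" dir=out action=allow program="$approvedIM" enable=yes profile=domain

# 3. Explicit block for the client that must not talk out. With a block-outbound
#    default this is redundant, but block rules win over allow rules, so it still
#    holds if someone later flips the default back to allow.
netsh advfirewall firewall add rule name="Block OtherIM outbound" dir=out action=block program="$unapprovedIM" enable=yes profile=domain

# 4. Verify what was written.
netsh advfirewall firewall show rule name="Allow ApprovedIM outbound"
netsh advfirewall firewall show rule name="Block OtherIM outbound"

# 5. Log dropped connections so blocked attempts are visible to a defender.
#    Default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable
```

For the 10,000-machine case in the article the same rules are not typed per host: they are placed in a Group Policy Object under Computer Configuration / Windows Settings / Security Settings / Windows Firewall with Advanced Security and applied through Active Directory. Note that a program rule matches on the executable path only, so it is a policy control for managed desktops rather than a hard security boundary; the dropped-connection log is what tells an administrator the rule is actually doing work.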

CrashPeer44
January 28th, 2006, 02:07 PM
why don't they instead of having 23498239842938462342 firewalls make their OS secure from the ground up?

mountain_rage
January 28th, 2006, 03:04 PM
So in other words Microsoft finds that many users are downloading ZoneAlarm and decided to make it standard on their platform.

axlman
March 7th, 2006, 10:11 AM
why don't they instead of having 23498239842938462342 firewalls make their OS secure from the ground up?


It's called: Job Security

If the peeps/programmers at MS made a 99.999% perfect OS then they would be out of a job. At least that's the way it would be until the next OS.

They know about the security loopholes long before the OSes hit the open market. It gives them something to do a few months down the line. Take damn good network admins for instance. A lot of them start with a company, and after some time they tend to put themselves out of work because the networks do not need to be upgraded or fixed anymore. So if the peeps at MS did the same thing, they would all be gone.

I tend to do the same thing. When a friend brings me a computer or they refer someone to me, I tend to fix the machine really good and then I put myself out of work because they don't need to come back to me unless they did something themselves that really messed their machine up. It sucks!

Excrement_Cranium
March 7th, 2006, 10:34 AM
Ha! Perfect OS.


If you really, really like to bitch about Microsoft, just don't use their "imperfect" products.

I'm surprised that you can talk about the "perfect" OS... maybe the RIAA and MPAA should write the "perfect" DRM, eh?