Windows Firewall: It's a lose-lose proposition

Free firewalls offer the outbound monitoring that's missing in XP's firewall and off by default (and impractical) in Vista, but third-party tools may create problems of their own.

Dennis O'Reilly Former CNET contributor

Sometimes you just can't win. That's the way it is with the Windows Firewall. The one in XP can't monitor connections from your PC to the outside world--which is how botnets, Trojans, and other malware operate. The firewall in Vista can block outbound connections, but this feature is off by default, and it's practically impossible to create filters to block selective outbound links.

On the one hand, Microsoft claims that you don't need outbound filtering if you use the Windows Defender anti-spyware app to keep the snoops off your PC in the first place. On the other, it sells the $50-per-year Windows Live OneCare service that does let you filter outbound connections selectively. Go figure.

If you make the safe assumption that outbound monitoring is a requirement of your software firewall, your only option is to replace the firewall built into Windows. Several free firewalls offer outbound filtering, but using a third-party firewall can slow your PC's performance, especially as the firewall learns what to allow and block without having to prompt you.

Quite often a problem connecting to the Internet or your ISP's e-mail server can be traced to a conflict with a third-party firewall. Disable the firewall, and the connection returns. Adding the destination to the firewall's allowed list usually takes care of the problem, but that doesn't lessen the aggravation level much.

And there's another risk entailed in using a third-party firewall, as some people who use ZoneAlarm found out last month when a Windows patch caused them to lose their Internet link.

Most Windows users will simply bite the bullet and run a third-party firewall, but I can't think of any other product that requires some second product to use safely. (Okay, maybe an outboard motor, but that's about it.) Relying on the Windows Firewall is like buying a car without seatbelts or with airbags that inflate only halfway.

I could tell you how to reset Vista's firewall to block outbound connections (press the Windows key, type wf.msc, press Enter, click Windows Firewall Properties, and change each profile's "Outbound connections" setting to Block), but there's no guarantee this will protect you, and doing so may cause some applications not to work properly.

[Image: Windows Vista firewall settings. Caption: Change the "Outbound connections" settings in the Vista firewall to Block. Credit: Microsoft]

After reading through Microsoft's TechNet article on the Windows Firewall with Advanced Security (the version in Vista and Windows Server 2008), I figure the only profile I need to block outbound connections from is the Public Profile, which is the one Windows defaults to when you're not on a Windows domain or private network. (You designate a network as private in the dialog box that Windows pops up the first time you try to connect to it.)
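The same change the article describes (block outbound connections, but only for the Public profile), done from an elevated PowerShell window and then verified, as an added example that is not part of the original article. It drives netsh advfirewall rather than the Set-NetFirewallProfile cmdlets because those cmdlets do not exist on Vista; the application path in the allow rule is a placeholder to be replaced with whatever program stops working after the switch.

```powershell
# Added example (not from the original article): set "Outbound connections"
# to Block on the Public profile only, whitelist one program, turn on
# dropped-packet logging so you can see what the new default is breaking,
# and read the setting back to confirm it took.

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Administrator) PowerShell window."
    }
}

# Returns a profile's "Firewall Policy" line, e.g. "BlockInbound,AllowOutbound".
function Get-ProfilePolicy([string]$ProfileName) {
    $line = netsh advfirewall show $ProfileName | Where-Object { $_ -match '^Firewall Policy' }
    return ($line -replace '^Firewall Policy\s+', '').Trim()
}

Assert-Elevated
Write-Host "Before:  public  = $(Get-ProfilePolicy publicprofile)"

# Block outbound by default on Public; Domain and Private are left untouched.
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound | Out-Null

# With the default set to Block, any program without an explicit allow rule is
# silently cut off. Whitelist one program by path (placeholder path; substitute
# the application that stopped working).
netsh advfirewall firewall add rule name="Allow out: Example App" dir=out action=allow `
    profile=public program="C:\Program Files\ExampleApp\example.exe" enable=yes | Out-Null

# Log dropped connections so the culprit shows up in
# %systemroot%\system32\LogFiles\Firewall\pfirewall.log instead of failing silently.
netsh advfirewall set publicprofile logging droppedconnections enable | Out-Null

Write-Host "After:   public  = $(Get-ProfilePolicy publicprofile)"
Write-Host "Check:   private = $(Get-ProfilePolicy privateprofile)"

# To undo the outbound block:
#   netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
```

After a reboot or a network change, re-run the "Before" line: a later Windows update or a third-party firewall install can reset the profile policy without telling you.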

I may pay a price, one way or another, for sticking with the firewall built into Vista, but I just can't bring myself to download software to provide a security measure that should be built into the OS. (Don't get me started on antivirus and spam blockers.)