Windows Vista Firewall Part 2: Advanced features
Firewall rules OK!
A rule simply states whether a program on your computer is allowed to communicate with a program on another computer on the network or the internet, and whether other computers are allowed to communicate with yours.
Rules apply to inbound connections (when a computer elsewhere on the network or the internet tries to establish communication with your computer), or outbound connections (when software on your computer tries to establish a connection with a computer located somewhere on the network or the internet).
Notice that inbound connections that do not match a rule are blocked. This means that if someone or some computer on the network or the internet tries to connect to your computer, they will be blocked. This default only applies to unauthorised connections, so Internet Explorer, for example, can still connect to a web server and request a web page, and an FTP program can upload and download files without any problem. However, a hacker would find it difficult or impossible to establish a connection with your computer in order to steal information.
Notice that outbound connections that do not match a rule are allowed. This means that any program on your computer can access the network or the internet unless a rule has been created that specifically blocks it. This is a potential problem and in the default configuration Vista's Windows Firewall is only partially protecting you. To see why, suppose that some malicious program managed to get onto the computer. There is nothing to stop it gathering information about you and then sending it out to someone on the internet because no rule exists to stop it. To prevent this program from sending out the information it gathered you would need to create a rule that specifically blocked it.
There are tens of thousands of malicious programs including spyware, adware, viruses, worms, Trojans and so on. It would not be possible to write rules to block each of them and more malware is under constant development, so keeping a list of rules up to date would be an impossible task. The Windows Firewall is therefore completely open to outgoing connections in its default state. It is possible to remedy this situation though and we will see later on how to block outgoing connections to increase the security of a computer.
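The decision logic described above can be modelled in a few lines. This is an added example, not code from the original article or from Windows itself: the Rule class, the decide function, the rule names and the spy.exe path are all hypothetical, and the model assumes that a matching block rule takes precedence over a matching allow rule and covers new connection attempts only (replies to connections your own programs opened are not modelled).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "in" or "out"
    action: str         # "allow" or "block"
    program: str        # full path of the program the rule covers
    enabled: bool = True

# Default behaviour as described above: unmatched inbound connections are
# blocked, unmatched outbound connections are allowed.
DEFAULTS = {"in": "block", "out": "allow"}

def decide(rules, direction, program, defaults=DEFAULTS):
    """Return (action, reason) for a new connection attempt."""
    matches = [r for r in rules
               if r.enabled and r.direction == direction
               and r.program.lower() == program.lower()]
    # Assumption of this model: a matching block rule beats a matching allow rule.
    for wanted in ("block", "allow"):
        for r in matches:
            if r.action == wanted:
                return wanted, "rule: " + r.name
    # No rule matched, so the default for that direction decides.
    return defaults[direction], "default for " + direction + "bound"

# Constructed sample data: rule names and the spy.exe path are made up.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SPY = r"C:\Users\Public\spy.exe"
RULES = [
    Rule("File sharing (constructed)", "in", "allow", r"C:\Windows\System32\svchost.exe"),
    Rule("Browser (constructed)", "out", "allow", IE),
]

def demo():
    strict = {"in": "block", "out": "block"}   # outbound default changed to block
    blocked = RULES + [Rule("Stop spy (constructed)", "out", "block", SPY)]
    return {
        "inbound_unknown": decide(RULES, "in", SPY)[0],
        "outbound_unknown_default": decide(RULES, "out", SPY)[0],
        "outbound_unknown_with_block_rule": decide(blocked, "out", SPY)[0],
        "outbound_unknown_strict": decide(RULES, "out", SPY, strict)[0],
        "outbound_browser_strict": decide(RULES, "out", IE, strict)[0],
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:34} -> {action}")
```

The second and fourth cases show the trade-off: with the default outbound action set to allow, an unknown program gets out unless someone writes a block rule for it, while with the default set to block only programs that have an allow rule can connect.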
Back to the rules, though. If you select Inbound Rules near the top of the left-hand pane of the window you will see lots of inbound rules displayed in the centre pane. This is because Windows and the software you have installed frequently need to access the internet. Internet Explorer is used to browse the Web, Windows Update downloads updates to Windows, anti-virus software automatically downloads the latest virus definitions, and so on. Many programs automatically create inbound rules when they are installed and you might see some of them listed.
The first column of the rules list displays the name of each program or service that there is a rule for and the second column is the group. The group isn't always used, but when it is, it gives you some information about the program. For example, several items belong to File and Printer Sharing, some others belong to Media Center Extenders, and so on.
The third column shows the profile that the rule applies to (profiles were explained earlier) and it might say Public, Private, Domain or All. The fourth column shows whether the rule is active or not and the fifth column shows the action, which is either Allow or Block. Many more columns can be seen if you drag the scrollbar at the foot of the middle pane. A useful one is the Program column and this shows the program name and where it is stored on the disk drive. It can be useful when you want to find out what a program is or where it is located. For example, the name for a rule might be avgamsvr.exe, which is pretty meaningless, but the Program column shows C:\Program Files\Grisoft\AVG Free\avgamsvr.exe and it's easy to see that this rule is for a component of Grisoft's AVG Anti Virus free edition.
If you select Outbound Rules near the top of the left-hand pane you will see a similar list of rules displayed. Remember that the overview reported that outgoing connections that do not match a rule are allowed, so no matter what rules are displayed and what the action is, they are ignored. If you want to turn on these rules and block outgoing connections, you should select Windows Firewall with Advanced Security at the top of the left-hand pane and then either click the Windows Firewall Properties link or select Properties on the Action menu. The dialog that is displayed enables you to block or allow incoming and/or outgoing connections. Don't change anything right now though; we will see how to change the rules in the next part.