
Safety settings?

Anonymous
2024-03-28T19:42:36+00:00

When one goes to Windows settings - network and internet - Windows firewall, it says the following:

Domain network - the firewall is enabled.

Private network - the firewall is enabled. Network at home or at work, where you trust the people and devices on the network, and where the device is set as visible.

Public network (active) - the firewall is enabled. Network in a public place, such as an airport or café, and where the device is set as not visible.

Is it standard that a public network is used/is active on Windows 10 Home Version?

Should one activate private network instead for security or other reasons?

Or is the public network setting the safest and best because it says that the device is then set as not visible?

One can tick: "Blocks all incoming connections, including those in the list from allowed apps" on both domain networks, private networks and public networks.

Should one tick off domain networks, private networks and public networks for safety or other reasons so all 3 block all incoming connections, including those in the list from allowed apps? Or can one then risk that security apps or other things do not do their job properly?

***Moved from Windows / Windows 10 / Security, privacy and accounts***


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


7 answers

  1. Rob Koch 25,885 Reputation points Volunteer Moderator
    2024-03-30T19:20:39+00:00

    Yes, my answer in that case would be the risk of complexity, since complexity makes things confusing and often leads to mistakes and failures.

    We already know that setting the network type to Public blocks all incoming connections by default, so why unnecessarily complicate things by making the other types operate differently than normally expected?

    I suppose you could argue that doing that would inherently make choosing any network type safer, but this implies that you and anyone else using your devices will be aware you've done this and not have any unexpected issues far in the future as a side effect.

    Rob

  2. Anonymous
    2024-03-30T18:35:17+00:00

    Thanks a lot, really appreciate it.

    Maybe the last question was answered indirectly, but what about this?: One can tick: "Blocks all incoming connections, including those in the list from allowed apps" on both domain networks, private networks and public networks. Should one tick off domain networks, private networks and public networks for safety or other reasons so all 3 block all incoming connections, including those in the list from allowed apps? Or can one then risk that security apps or other things do not do their job properly?

  3. Rob Koch 25,885 Reputation points Volunteer Moderator
    2024-03-29T20:06:10+00:00

    Though all of this has really likely already been stated here, the problem with understanding these differing settings for the Windows firewall is related more to the particular words used as choices, since to most the idea of a 'Private' network sounds inherently more secure than 'Public', when in fact the reverse is really true if you examine them closely.

    Instead, I'll describe how as a past network administrator and security professional, I have configured my own firewall selections since Microsoft first made theirs available in Windows XP, though I'll use the more modern Private/Public terminology in order to clarify which current Windows 10 or 11 settings apply.

    When Microsoft first added the firewall to Windows XP Service Pack 2 as I recall, it quickly became popular for those with high security concerns to configure a firewall mode that blocked all inbound traffic for use when operating in unsafe environments like airports, hotels, or other external situations where the risk of direct attack of your device is typically higher, and in most cases you wouldn't be using features like file or printer sharing, since those devices are typically left at home and thus unavailable. In the Windows XP days, this all ports blocked configuration was commonly referred to as 'stealth' in popular nomenclature, since to the external networks world the PC configured this way was basically invisible, since it wouldn't accept and so would also never reply to any inbound request for any service.

    When creating later versions of the Windows firewall, Microsoft began using the Public network terminology to describe this mode, since they thought it was obvious that 'Public' referred to networks where the usage pattern was by the public at large, while the 'Private' term applied to networks where the usage pattern was private to individuals with physical access, such as in the home or a business.

    Since the 'Public' term applies to external and untrusted networks, the legacy 'stealth' terminology relates to this type of untrusted network, so by implication, there's typically no inbound access allowed to the device in this mode, making it inherently the most secure as well as easiest to configure.

    From these slightly different descriptions, you can probably guess that as a networking professional, my own devices have always been configured for the historical stealth or modern Public mode of operation, since I often traveled between both my own personal home, customer business, and less trusted networks like airports or hotels on the same day. Spending time configuring my laptop device to adjust to a particular network made little sense, since in most cases I had no need to connect directly to either the servers or printers at a customer or other non-home site, so the more important factor was to make my own device as impenetrable as possible, in case some other system on that network might have malware that could attack mine and cause me to carry it into another customer network or to my own home.

    In fact, the very configuration of network sharing in order to perform either printing or in fact most modern web-based apps like email, online banking, shopping or others is really unnecessary, since these apps and devices are typically only accessed outbound from your device, with only the scanning functions of some printers requiring inbound access to your own PC/Laptop device, and even that has changed in most cases with modern printer design that takes this into account.

    To this day, the Microsoft Surface Go tablet device with Windows 10 in S Mode I'm using to write this is configured for a Public network, with the HP printer fully functional including scanner, though I have no file sharing since the rare file I need is typically available to me either via my Microsoft OneDrive or directly from another external service like my bank, tax preparation, energy company or any other Internet service available online. I've purposefully operated in this manner for decades now in order to ensure this is true, avoiding not only the risk for direct attack of my personal device(s) but also the loss of data from either theft, damage, or failure of any personal device, since all of my data is stored and/or synced elsewhere.

    So, unless you need to store and share data between personal devices while in the home like maybe large videos or others you'd prefer not to store externally for whatever reason, including potential temporary loss of access when your Internet is down, this mode of operation can work both to make you more resilient to individual device failure, as well as the potential loss of your home itself due to disaster, since all data is stored or synced elsewhere.

    Returning to your original questions, I think this at least indirectly answers all of them, since by isolating each device from the others, you both reduce the chance of any direct attack, while still allowing access to most common devices like printers and even most modern scanners. There are likely other settings you can make to perform something similar with those various checkboxes you mentioned, but I personally prefer the most simple and straightforward configuration of Public, since I know what that means and would have to take significant steps to make it less secure, if that's even possible.

    In general, I prefer to live by the 'KISS' principle; 'Keep It Simple Stupid', since this method reduces the chance that something I do might make my device less secure and also that any likely changes by Microsoft to Windows itself might do the same.

    Rob
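
A read-only way to check what the answer above describes, added here as an example and not part of the original thread: it reports which network category each connection is in and how the matching firewall profile treats inbound traffic. The function name `Get-ProfileExposure` is hypothetical, and reading `AllowInboundRules = False` as the "Blocks all incoming connections, including those in the list from allowed apps" checkbox is an assumption.

```powershell
# Added example: read-only audit, changes no settings. Run in PowerShell on Windows 10/11.

# Get-NetConnectionProfile reports 'DomainAuthenticated'; the firewall profile is named 'Domain'.
$categoryToProfile = @{ Public = 'Public'; Private = 'Private'; DomainAuthenticated = 'Domain' }

# Enabled inbound allow rules from the effective (active) policy, fetched once.
$inboundAllow = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow

function Get-ProfileExposure {
    # Hypothetical helper: summarises inbound handling for one firewall profile.
    param([Parameter(Mandatory)][string]$FirewallProfile)

    $fw = Get-NetFirewallProfile -PolicyStore ActiveStore -Name $FirewallProfile

    # A rule applies when its Profile is 'Any' or lists this profile (e.g. 'Private, Public').
    $rules = @($inboundAllow | Where-Object { "$($_.Profile)" -match "\b(Any|$FirewallProfile)\b" })

    [pscustomobject]@{
        FirewallProfile   = $FirewallProfile
        FirewallEnabled   = $fw.Enabled
        DefaultInbound    = $fw.DefaultInboundAction   # Block = unsolicited inbound is dropped
        AllowInboundRules = $fw.AllowInboundRules      # False = allow rules are ignored (assumed: the checkbox)
        InboundAllowRules = $rules.Count               # exceptions that can still accept inbound traffic
    }
}

# One row per connected network: its category and the exposure of the profile it maps to.
foreach ($conn in Get-NetConnectionProfile) {
    $exposure = Get-ProfileExposure -FirewallProfile $categoryToProfile["$($conn.NetworkCategory)"]
    [pscustomobject]@{
        Interface         = $conn.InterfaceAlias
        NetworkCategory   = $conn.NetworkCategory
        FirewallEnabled   = $exposure.FirewallEnabled
        DefaultInbound    = $exposure.DefaultInbound
        AllowInboundRules = $exposure.AllowInboundRules
        InboundAllowRules = $exposure.InboundAllowRules
    }
}
```

Comparing `InboundAllowRules` for the Public and Private profiles on the same machine shows how many inbound exceptions each profile actually carries.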

  4. Anonymous
    2024-03-29T16:57:07+00:00

    The questions apply to home networks.

    What would be the most secure settings for a home network according to this?:

    When one goes to Windows settings in Windows 10 Home version - network and internet - Windows firewall, it says the following:

    Domain network - the firewall is enabled.

    Private network - the firewall is enabled. Network at home or at work, where you trust the people and devices on the network, and where the device is set as visible.

    Public network (active) - the firewall is enabled. Network in a public place, such as an airport or café, and where the device is set as not visible.

    Is it standard that a public network is used/is active on Windows 10 Home Version?

    Should one activate private network instead for security or other reasons?

    Or is the public network setting the safest and best because it says that the device is then set as not visible?

    One can tick: "Blocks all incoming connections, including those in the list from allowed apps" on both domain networks, private networks and public networks.

    Should one tick off domain networks, private networks and public networks for safety or other reasons so all 3 block all incoming connections, including those in the list from allowed apps? Or can one then risk that security apps or other things do not do their job properly?

  5. Anonymous
    2024-03-29T06:02:42+00:00

    Hi JG5044,

    Welcome to Microsoft Community.

    We don't have devices with Windows Home Edition installed in our device environment.

    In our experience with other Windows devices, it is common for "Public network" to be used/activated.

    Most networks in public environments, such as those in airports and coffee shops, are not actually configured with strict traffic protection rules, which may make the device more vulnerable to attacks from other devices.

    In Windows (and perhaps not only in Windows, other systems should have a similar design concept for firewalls), the system considers public networks to be insecure and provides a firewall profile with some predefined traffic rules for such network environments, the name of the profile is defined as "Public network".

    In short, "Private network" or "Public network" in the system is a name/designator that has some pre-designed rules/templates for the corresponding scenario.

    Compared to the two, "Public network" is a relatively more secure option.

    "Private network" is more suitable for home environments.

    In this type of environment, you are theoretically aware of the presence of other devices, and even if you are attacked you will be able to find the source device faster.

    Because the user of the system has "complete knowledge" of all the other devices in the home environment, and has the means to deal with network traffic anomalies in the home environment, it may be more appropriate to choose a more open/less restrictive "private network" to minimize potential impediments to the access of devices in the home network to each other.

    Comparatively speaking, the domain network is probably the most secure type, and in this configuration the system traffic is almost entirely taken over by the domain network (corporate or school IT department).

    If I misunderstand your situation, feel free to correct me and share the information.

    Best Regards,

    Kyo - MSFT | Microsoft Community Technical Support
