How to lock down Windows 10 firewall rules?


16 replies to this topic

#1 glenndm

Posted 30 January 2018 - 03:39 PM

Hi,

I use Windows 10's standard firewall with inbound and outbound blocking, together with a very minimal set of rules.
The rules essentially allow only a few applications access to the internet, like Firefox and Windows Update.

The limited number of rules makes it easy to configure and maintain.

But, at every update the Windows system adds rules for its components (Store, Pay, Weather, ...). All of which I delete as soon as I see them.
Now I discovered rules get added independent of updates - this happens practically every few reboots.

I want to lock down the rule modification, so that rules can be modified only with my explicit consent.
Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

To my astonishment, such a lockdown seems impossible.
Does anyone know better?
 
 



 


#2 Umbra

Authorized Emsisoft Rep
Posted 31 January 2018 - 08:53 PM

The thing is that people seem to misunderstand what firewalls were originally made for: blocking inbound connections from the outside.

    Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

MS has full access to your system, so they can add any rules they want.

Hackers don't; they must access your system. If a hacker manages to get access to the firewall rules, which means he has compromised your system already, there is nothing you can do except reformat the system.

Now to block rule creation, you have to set Windows Firewall to block all outbound connections in all profiles (it is what I do), but by doing this, when an app needs to connect to the internet, you must manually create the rule (which may be a hassle for most people).

The other solution is using a 3rd party firewall or a Windows Firewall extension (like Binisoft Windows Firewall Control) which will alert you of inbound/outbound connections, then ask you if you want to block or allow it.



Emsisoft Community Manager


#3 glenndm


Posted 01 February 2018 - 08:38 AM

Thank you for your reply.

However, I respectfully disagree with some of your replies. Please do not take offence.

    The thing is that people seem to misunderstand what firewalls were originally made for: blocking inbound connections from the outside.

It is irrelevant what the original purpose was. What is important is what its capabilities are now. That includes outbound filtering.
Computers were first meant as simple adding machines; now they can tweet.

    Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

    MS has full access to your system, so they can add any rules they want.

    Hackers don't; they must access your system. If a hacker manages to get access to the firewall rules, which means he has compromised your system already, there is nothing you can do except reformat the system.

That is too simple an argument.

1) It is my system. I have the final say what goes or not. MS will disagree :)
Windows is full of permissions, rights, and such. An admin has to be able to rely on them without anyone, even MS, having a backdoor. That said, an admin has the sacred right to screw up his system too.
2) Outbound filtering can stop many hacking attempts. Yes, even from the inside. If the ransomware scourge has taught us anything, it is that users need to be protected from themselves.
3) I agree a hacked system should be reinstalled (I use imaging, much faster than reformatting).

    Now to block rule creation, you have to set Windows Firewall to block all outbound connections in all profiles (it is what I do), but by doing this, when an app needs to connect to the internet, you must manually create the rule (which may be a hassle for most people).

That is what I do too. I have about 10 rules. Agreed, most people won't do this. Too bad for them.

    The other solution is using a 3rd party firewall or a Windows Firewall extension (like Binisoft Windows Firewall Control) which will alert you of inbound/outbound connections, then ask you if you want to block or allow it.

I have searched but not found one to my liking.
WFC sits on top of Windows Firewall. Other than the helpful learning feature, nothing is added.
ZoneAlarm and others are too much bling.

As I said, Windows Firewall is sufficient, but the lockdown possibility, I feel, is lacking. An MS cop-out in order to keep Windows and its Store running even with reduced protection.



#4 britechguy

Moderator

Posted 01 February 2018 - 11:27 AM

There is such a thing as worrying too much and overthinking. You're doing both.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#5 TairikuOkami


Posted 09 February 2018 - 07:42 AM

    Now I discovered rules get added independent of updates - this happens practically every few reboots.

Not just upon reboots; simply installing software will do. MS assumes that if you allow software to run with admin rights, you trust it to create those rules, like Steam.

You can either use a 3rd party firewall or a 3rd party GUI for Windows Firewall, like GlassWire or Sphinx Windows Firewall Control, which take control over WF.

I remove and re-add Windows firewall rules every day with a script.

rem Remove All Windows Firewall Rules (2 options)
netsh advfirewall firewall delete rule name=all
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f

rem Windows Firewall Rules
netsh advfirewall firewall add rule name="COD MW2 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW2 TCP" dir=out action=allow protocol=TCP remoteport=27015 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW2 UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW3 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="COD MW3 TCP" dir=out action=allow protocol=TCP remoteport=3074 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="COD MW3 UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="DriverEasy DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles%\Easeware\DriverEasy\DriverEasy.exe"
netsh advfirewall firewall add rule name="DriverEasy TCP" dir=out action=allow protocol=TCP remoteip=169.53.0.193,172.217.11.14 remoteport=80,443 program="%ProgramFiles%\Easeware\DriverEasy\DriverEasy.exe"
netsh advfirewall firewall add rule name="ETS2 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Euro Truck Simulator 2\bin\win_x64\eurotrucks2.exe"
netsh advfirewall firewall add rule name="ETS2 TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Steam\steamapps\common\Euro Truck Simulator 2\bin\win_x64\eurotrucks2.exe"
netsh advfirewall firewall add rule name="FortiClient DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\Fortinet\FortiClient\update_task.exe"
netsh advfirewall firewall add rule name="FortiClient TCP" dir=out action=allow protocol=TCP remoteport=80,443 remoteip=173.243.128.0-173.243.143.255 program="%ProgramFiles(x86)%\Fortinet\FortiClient\update_task.exe"
netsh advfirewall firewall add rule name="POP Peeper DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
netsh advfirewall firewall add rule name="POP Peeper IMAP" dir=out action=allow protocol=TCP remoteip=94.100.176.0-94.100.183.255,217.69.136.0-217.69.141.255 remoteport=143,587 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
netsh advfirewall firewall add rule name="RadioSure DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%LocalAppData%\RadioSure\RadioSure.exe"
netsh advfirewall firewall add rule name="RadioSure TCP" dir=out action=allow protocol=TCP remoteport=80,1025-65535 program="%LocalAppData%\RadioSure\RadioSure.exe"
netsh advfirewall firewall add rule name="Steam DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam TCP" dir=out action=allow protocol=TCP remoteport=80,443,27015-27030,27050 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam Web DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\bin\cef\cef.win7\steamwebhelper.exe"
netsh advfirewall firewall add rule name="Steam Web TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Steam\bin\cef\cef.win7\steamwebhelper.exe"
netsh advfirewall firewall add rule name="TeamViewer DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="TeamViewer UDP" dir=out action=allow protocol=UDP remoteport=5938 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="TeamViewer TCP" dir=out action=allow protocol=TCP remoteport=80,443,5938 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="Update Time DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Downloads\Custom Tools\Added Custom Tools\UpdateTime.exe"
netsh advfirewall firewall add rule name="Update Time UDP" dir=out action=allow protocol=UDP remoteip=85.236.36.0-85.236.36.127 remoteport=123 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Downloads\Custom Tools\Added Custom Tools\UpdateTime.exe"
netsh advfirewall firewall add rule name="WRT DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Windows_Repair_Toolbox.exe"
netsh advfirewall firewall add rule name="WRT TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Windows_Repair_Toolbox.exe"
netsh advfirewall firewall add rule name="WU DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%WinDir%\System32\svchost.exe"
netsh advfirewall firewall add rule name="WU TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WinDir%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Yandex DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex DNSS" dir=out action=allow protocol=UDP remoteip=208.67.220.123,208.67.222.123 remoteport=443 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex Sync" dir=out action=allow protocol=TCP remoteip=213.180.193.0-213.180.193.255 remoteport=443,5222 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="Z:\Yandex\YandexBrowser\Application\browser.exe"

Edited by TairikuOkami, 09 February 2018 - 08:05 AM.
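The default-deny outbound setup Umbra describes, and the nightly reset script above, can also be done with the NetSecurity cmdlets. This is an added example, not TairikuOkami's script or anything from the thread; the program paths, resolver addresses and service names are assumptions to adapt to your own machine. Unlike the netsh version it deletes only its own prefixed rules, then lists every other outbound allow rule so the ones installers and Windows components add stand out.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny outbound with a short, prefixed allow-list.
# Rules we create carry $Prefix so cleanup never touches rules we did not make.
# All paths, addresses and service names below are assumptions.

$Prefix    = 'Locked-'
$Resolvers = @('9.9.9.9', '149.112.112.112')   # assumed DNS resolvers
$Svchost   = "$env:WinDir\System32\svchost.exe"
$Firefox   = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"

$AllowList = @(
    # On a default Windows install, name lookups are sent by the DNS Client service
    # (Dnscache) inside svchost.exe, not by the application, so DNS is allowed there
    # and pinned to the chosen resolvers.
    @{ Name = 'DNS Client';      Program = $Svchost; Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $Resolvers },
    @{ Name = 'Firefox HTTP(S)'; Program = $Firefox; Protocol = 'TCP'; RemotePort = @(80, 443) },
    # Windows Update also lives in svchost.exe; binding the rule to the service keeps
    # other svchost-hosted services from riding on it. (BITS / Delivery Optimization
    # may need their own rules; left out here.)
    @{ Name = 'Windows Update';  Program = $Svchost; Service = 'wuauserv'; Protocol = 'TCP'; RemotePort = @(80, 443) }
)

# 1. Default-deny in both directions, in all three profiles (Domain, Private, Public).
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Drop only our own rules so the script can be re-run (nightly, like the netsh version).
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Re-create the allow-list from the table above.
foreach ($entry in $AllowList) {
    $params = @{
        DisplayName = "$Prefix$($entry.Name)"
        Direction   = 'Outbound'
        Action      = 'Allow'
        Profile     = 'Any'
        Program     = $entry.Program
        Protocol    = $entry.Protocol
        RemotePort  = $entry.RemotePort
    }
    if ($entry.RemoteAddress) { $params.RemoteAddress = $entry.RemoteAddress }
    if ($entry.Service)       { $params.Service       = $entry.Service }
    New-NetFirewallRule @params | Out-Null
}

# 4. Report enabled outbound allow rules that are not ours. With default-deny in place
#    these are the only paths traffic can leave by, so each one deserves a look.
$foreign = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike "$Prefix*" }
if ($foreign) {
    Write-Warning 'Outbound allow rules not created by this script:'
    $foreign | Select-Object DisplayName, Group, Profile | Format-Table -AutoSize
}
```

Step 4 is deliberately a report rather than a delete, so a rule a legitimate installer just created can be reviewed before it is either adopted into the allow-list or removed.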


#6 glenndm


Posted 10 February 2018 - 09:45 AM

 

    Now I discovered rules get added independent of updates - this happens practically every few reboots.

    Not just upon reboots; simply installing software will do. MS assumes that if you allow software to run with admin rights, you trust it to create those rules, like Steam.

    You can either use a 3rd party firewall or a 3rd party GUI for Windows Firewall, like GlassWire or Sphinx Windows Firewall Control, which take control over WF.

    I remove and re-add Windows firewall rules every day with a script.

    rem Remove All Windows Firewall Rules (2 options)
    netsh advfirewall firewall delete rule name=all
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f

    rem Windows Firewall Rules
    netsh advfirewall firewall add ....
    8<

Finally, a really useful insight, which will be implemented immediately.
Also true about the admin rights.

Thank you for the great help.

 



#7 glenndm


Posted 10 February 2018 - 11:16 AM

Another thought:

Perhaps by locking write permissions to the registry, I can prevent any unwanted modification:
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

It works, but it may break updates. We'll see.
 



#8 TairikuOkami


Posted 10 February 2018 - 12:21 PM

I think I have tried that one, and it broke Windows Firewall so it was unable to start, but I'm not sure now. Rules do not change, but saved MD5 signatures do.


Edited by TairikuOkami, 10 February 2018 - 12:22 PM.
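Rather than locking the FirewallRules registry key, which as noted above can leave the firewall service unable to start, Windows can be told to audit every rule change and the Security log read back. This added example (not from the thread) enables that audit subcategory and joins each logged change with the rule's current program binding; the 24-hour window and the column layout are assumptions of mine.

```powershell
#Requires -RunAsAdministrator
# Added example: detect firewall rule additions/changes/deletions via Security-log auditing.
# Assumes an English audit subcategory name and that local audit policy is not overridden by GPO.

# 1. One-off: enable the subcategory that logs firewall rule changes. It produces
#    event IDs 4946 (rule added), 4947 (rule modified) and 4948 (rule deleted).
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null

$RuleChangeIds = 4946, 4947, 4948

function Get-FirewallRuleChanges {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # 24 h window is an assumption

    $filter = @{ LogName = 'Security'; Id = $RuleChangeIds; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # The named EventData fields for these IDs are ProfileChanged, RuleId and RuleName.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # RuleId is the rule's internal Name, so we can look up what it allows and for
        # which program, if the rule still exists. The event itself does not say which
        # process created the rule, so that cannot be shown here.
        $rule    = Get-NetFirewallRule -Name $data['RuleId'] -ErrorAction SilentlyContinue
        $program = if ($rule) { ($rule | Get-NetFirewallApplicationFilter).Program }
                   else       { '(rule no longer present)' }

        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Change    = switch ($ev.Id) { 4946 { 'Added' } 4947 { 'Modified' } 4948 { 'Deleted' } }
            Profile   = $data['ProfileChanged']
            RuleName  = $data['RuleName']
            Direction = if ($rule) { $rule.Direction } else { $null }
            Action    = if ($rule) { $rule.Action }    else { $null }
            Program   = $program
        }
    }
}

# List everything that changed since yesterday, newest first.
Get-FirewallRuleChanges | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run after a reboot or an installer to see exactly which rules appeared; an outbound Allow rule for a program you did not install is the case the thread is worried about.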


#9 tos226


Posted 29 June 2018 - 10:39 PM

 

    Now I discovered rules get added independent of updates - this happens practically every few reboots.

    Not just upon reboots; simply installing software will do. MS assumes that if you allow software to run with admin rights, you trust it to create those rules, like Steam.

    You can either use a 3rd party firewall or a 3rd party GUI for Windows Firewall, like GlassWire or Sphinx Windows Firewall Control, which take control over WF.

I know this is an old thread but want to clarify. Sphinx is NOT a GUI for Windows Firewall. It's completely independent. In fact you can/should turn off Windows Firewall. Just retain the Windows filtering engine.


Edited by tos226, 29 June 2018 - 10:40 PM.


#10 Marpessa


Posted 16 August 2018 - 10:26 AM

All great info!!!

 

I've noticed that Win 10 has somehow disabled 3 of my firewall apps via updates. And I can hear something running undetected by my process monitor app, Task Manager or any firewall, that stops when I turn off the internet. If anyone has any info on that...

 

How do I get notices for updates to this discussion?



#11 MZOP


Posted 17 September 2018 - 10:37 PM

    The thing is that people seem to misunderstand what firewalls were originally made for: blocking inbound connections from the outside.

    Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

    MS has full access to your system, so they can add any rules they want.

    Hackers don't; they must access your system. If a hacker manages to get access to the firewall rules, which means he has compromised your system already, there is nothing you can do except reformat the system.

    Now to block rule creation, you have to set Windows Firewall to block all outbound connections in all profiles (it is what I do), but by doing this, when an app needs to connect to the internet, you must manually create the rule (which may be a hassle for most people).

    The other solution is using a 3rd party firewall or a Windows Firewall extension (like Binisoft Windows Firewall Control) which will alert you of inbound/outbound connections, then ask you if you want to block or allow it.

You make it sound easy. How does the average user determine what rules are necessary for system processes, or whether a certain piece of software really needs to connect to an external address?



#12 TairikuOkami


Posted 18 September 2018 - 07:11 AM

 

 

    You make it sound easy. How does the average user determine what rules are necessary for system processes, or whether a certain piece of software really needs to connect to an external address?

By something like https://www.nirsoft.net/utils/live_tcp_udp_watch.html - it logs all the traffic, unlike Task Manager or CurrPorts. But you need to allow all the traffic temporarily to monitor it.

Or you can just use a 3rd party firewall, like Free Firewall, GlassWire or ZoneAlarm, or a better GUI for Windows Firewall, like Sphinx or Windows Firewall Notifier (WFN at GitHub).



#13 britechguy

Moderator

Posted 18 September 2018 - 08:36 AM

    How does the average user determine what rules are necessary for system processes, or whether a certain piece of software really needs to connect to an external address?

"The average user" does not have the background to make informed determinations on this sort of thing. "The sophisticated user" generally doesn't, either.

There is a reason that certain functions, regardless of the OS in question, are generally handled by those who maintain the OS itself and get pushed out to the user community. It's not a perfect process, as all OSes are the "Swiss Army Knives" of software and decisions about firewall access are generally based on what is needed by a user community far broader than whatever circle of the Venn diagram of the whole user community you happen to be in.

When certain rules need to be added or tweaked as the result of, say, new hardware being added (e.g., wireless printers with cloud function), then the installers for said devices generally make them, and make them based on the choices the user makes with regard to whether or not they intend to use functions that would require those additions/tweaks.

Most end users do not and will not ever have the knowledge required to make intelligent and informed decisions regarding firewall rules and, if they do what intelligent people who realize they don't have that knowledge do, they will defer to the subject matter experts tasked with doing that work for them.


Edited by britechguy, 18 September 2018 - 08:38 AM.


#14 Guest_Joe C_*


Posted 20 September 2018 - 11:07 AM

What's your point?

Average users probably don't even know what a firewall is, much less what it does or what to do with it. The more tech-savvy users are the folks that want to know more about securing their system against intrusive programs, or what Microsoft does while they are using their PCs. They get this wild idea that they would like to have more privacy while using their Microsoft computer.


Edited by Joe C, 20 September 2018 - 11:08 AM.


#15 britechguy

Moderator

Posted 20 September 2018 - 02:25 PM

My point is that tech savvy individuals, particularly professionals, will warn anyone away from messing with firewall rules except under a very constrained set of circumstances, as they will warn people away from the foolish belief that they can pick and choose among updates released by the OS creator and maintainer better than that entity can.

 

"Fools rush in where angels fear to tread" and "an ounce of prevention is worth a pound of cure" both apply.

