how to lock down windows-10 firewall rules?



#1 glenndm

glenndm

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 30 January 2018 - 03:39 PM

Hi,
 
I use Windows 10's standard firewall with inbound and outbound blocking together with a very minimal set of rules.
The rules essentially allow only a few applications access to the internet, like Firefox and Windows Update.
 
The limited number of rules makes it easy to configure and maintain.
 
But at every update the Windows system adds rules for its components (Store, Pay, Weather, ...), all of which I delete as soon as I see them.
Now I discovered rules get added independent of updates; this happens practically every few reboots.
 
I want to lock down the rule modification, so that only on my explicit consent, rules can be modified.
Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.
 
To my astonishment, such a lockdown seems impossible.
Does anyone know better?
 
 



#2 Umbra

Umbra

    Authorized Emsisoft Rep


  • Members
  • 139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:00 AM

Posted 31 January 2018 - 08:53 PM

The thing is that people seem to misunderstand what firewalls were originally made for: blocking inbound connections from the outside.

> Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

MS has full access to your system, so they can add any rules they want.

Hackers don't; they must access your system. If a hacker manages to get access to the firewall rules, that means he has already compromised your system, and there is nothing you can do except reformat the system.

Now to block rule creation, you have to set Windows Firewall to block all outbound connections in all profiles (it is what I do), but by doing this, when an app needs to connect to the internet, you must manually create the rule (which may be a hassle for most people).

The other solution is using a 3rd party firewall or a Windows Firewall extension (like Binisoft Windows Firewall Control), which will alert you of inbound/outbound connections and then ask you whether you want to block or allow them.



Emsisoft Community Manager


#3 glenndm

glenndm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 01 February 2018 - 08:38 AM

Thank you for your reply.

However, I respectfully disagree with some of your replies. Please do not take offence.

> The thing is that people seem to misunderstand what firewalls were originally made for: blocking inbound connections from the outside.

It is irrelevant what the original purpose was. What is important is what its capabilities are now. That includes outbound filtering.
Computers were first meant as simple adding machines; now they can twitter.

> Indeed, a firewall does not amount to much if it can be modified without explicit consent. If Microsoft can do it, some smart hacker can do it also.

> MS has full access to your system, so they can add any rules they want.
>
> Hackers don't; they must access your system. If a hacker manages to get access to the firewall rules, that means he has already compromised your system, and there is nothing you can do except reformat the system.

That is too simple an argument.

1) It is my system. I have the final say what goes or not. MS will disagree :)
Windows is full of permissions, rights, and such. An admin has to be able to rely on them without anyone, even MS, having a backdoor. That said, an admin has the sacred right to screw up his system too.
2) Outbound filtering can stop many hacking attempts. Yes, even from the inside. If the ransomware scourge has taught us anything, it is that users need to be protected from themselves.
3) I agree a hacked system should be reinstalled (I use imaging, much faster than reformatting).

> Now to block rule creation, you have to set Windows Firewall to block all outbound connections in all profiles (it is what I do), but by doing this, when an app needs to connect to the internet, you must manually create the rule (which may be a hassle for most people).

That is what I do too. I have about 10 rules. Agreed, most people won't do this. Too bad for them.

> The other solution is using a 3rd party firewall or a Windows Firewall extension (like Binisoft Windows Firewall Control), which will alert you of inbound/outbound connections and then ask you whether you want to block or allow them.

I have searched but not found one to my liking.
WFC sits on top of Windows Firewall. Other than the helpful learning feature, nothing is added.
ZoneAlarm and others are too much bling.

As I said, Windows Firewall is sufficient, but the lockdown possibility, I feel, is lacking. An MS cop-out in order to keep Windows and its store running even with reduced protection.



#4 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 6,815 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:00 PM

Posted 01 February 2018 - 11:27 AM

There is such a thing as worrying too much and overthinking.  You're doing both.


Brian  AKA  Bri the Tech Guy (my website address is in my profile) Windows 10 Home, 64-bit, Version 1709, Build 16299



#5 TairikuOkami

TairikuOkami

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:08:00 PM

Posted 09 February 2018 - 07:42 AM

> Now I discovered rules get added independent of updates; this happens practically every few reboots.

Not just upon reboots; simply installing software will do. MS assumes that if you allow software to run with admin rights, you trust it to create those rules, like Steam.

You can either use a 3rd party firewall or a 3rd party GUI for Windows Firewall, like GlassWire or Sphinx Windows Firewall Control, which take control of WF.

I remove and re-add Windows Firewall rules every day with a script.

rem Remove All Windows Firewall Rules (2 options)
rem Option 1: ask the firewall service itself to drop every rule
netsh advfirewall firewall delete rule name=all
rem Option 2: wipe the registry key the firewall service stores its rules in
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f

rem Windows Firewall Rules
rem Outbound is blocked by default, so each program gets only what it needs:
rem a DNS rule (UDP 53 to two fixed resolvers) plus the TCP/UDP ports it uses,
rem pinned with remoteip to a known address range where the service has one.
netsh advfirewall firewall add rule name="COD MW2 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW2 TCP" dir=out action=allow protocol=TCP remoteport=27015 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW2 UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 2\iw4sp.exe"
netsh advfirewall firewall add rule name="COD MW3 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="COD MW3 TCP" dir=out action=allow protocol=TCP remoteport=3074 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="COD MW3 UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\steamapps\common\Call of Duty Modern Warfare 3\iw5sp.exe"
netsh advfirewall firewall add rule name="DriverEasy DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles%\Easeware\DriverEasy\DriverEasy.exe"
netsh advfirewall firewall add rule name="DriverEasy TCP" dir=out action=allow protocol=TCP remoteip=169.53.0.193,172.217.11.14 remoteport=80,443 program="%ProgramFiles%\Easeware\DriverEasy\DriverEasy.exe"
netsh advfirewall firewall add rule name="ETS2 DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\steamapps\common\Euro Truck Simulator 2\bin\win_x64\eurotrucks2.exe"
netsh advfirewall firewall add rule name="ETS2 TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Steam\steamapps\common\Euro Truck Simulator 2\bin\win_x64\eurotrucks2.exe"
netsh advfirewall firewall add rule name="FortiClient DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\Fortinet\FortiClient\update_task.exe"
netsh advfirewall firewall add rule name="FortiClient TCP" dir=out action=allow protocol=TCP remoteport=80,443 remoteip=173.243.128.0-173.243.143.255 program="%ProgramFiles(x86)%\Fortinet\FortiClient\update_task.exe"
netsh advfirewall firewall add rule name="POP Peeper DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
netsh advfirewall firewall add rule name="POP Peeper IMAP" dir=out action=allow protocol=TCP remoteip=94.100.176.0-94.100.183.255,217.69.136.0-217.69.141.255 remoteport=143,587 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
netsh advfirewall firewall add rule name="RadioSure DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%LocalAppData%\RadioSure\RadioSure.exe"
netsh advfirewall firewall add rule name="RadioSure TCP" dir=out action=allow protocol=TCP remoteport=80,1025-65535 program="%LocalAppData%\RadioSure\RadioSure.exe"
netsh advfirewall firewall add rule name="Steam DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam TCP" dir=out action=allow protocol=TCP remoteport=80,443,27015-27030,27050 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam UDP" dir=out action=allow protocol=UDP remoteport=1025-65535 program="E:\Steam\Steam.exe"
netsh advfirewall firewall add rule name="Steam Web DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Steam\bin\cef\cef.win7\steamwebhelper.exe"
netsh advfirewall firewall add rule name="Steam Web TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Steam\bin\cef\cef.win7\steamwebhelper.exe"
netsh advfirewall firewall add rule name="TeamViewer DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="TeamViewer UDP" dir=out action=allow protocol=UDP remoteport=5938 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="TeamViewer TCP" dir=out action=allow protocol=TCP remoteport=80,443,5938 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="Update Time DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Downloads\Custom Tools\Added Custom Tools\UpdateTime.exe"
netsh advfirewall firewall add rule name="Update Time UDP" dir=out action=allow protocol=UDP remoteip=85.236.36.0-85.236.36.127 remoteport=123 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Downloads\Custom Tools\Added Custom Tools\UpdateTime.exe"
netsh advfirewall firewall add rule name="WRT DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Windows_Repair_Toolbox.exe"
netsh advfirewall firewall add rule name="WRT TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="E:\Software\Temp\Soft\Windows Repair Toolbox\Windows_Repair_Toolbox.exe"
netsh advfirewall firewall add rule name="WU DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%WinDir%\System32\svchost.exe"
netsh advfirewall firewall add rule name="WU TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WinDir%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Yandex DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex DNSS" dir=out action=allow protocol=UDP remoteip=208.67.220.123,208.67.222.123 remoteport=443 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex Sync" dir=out action=allow protocol=TCP remoteip=213.180.193.0-213.180.193.255 remoteport=443,5222 program="Z:\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="Z:\Yandex\YandexBrowser\Application\browser.exe"

Edited by TairikuOkami, 09 February 2018 - 08:05 AM.
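A defender-side check for the problem glenndm describes (rules appearing after updates, reboots or installs), as an added example that is not from the thread or any of its posters: it fingerprints the active rule set, diffs it against a reviewed baseline, and pulls the firewall's own rule-change events to show which application added or changed a rule. The baseline file path is an assumption; the cmdlets are the NetSecurity module that ships with Windows 10.

```powershell
# Added example, not from the thread. Assumes Windows 10's built-in NetSecurity
# cmdlets; the baseline path is an assumed, arbitrary choice.
$Baseline = Join-Path $env:ProgramData 'firewall-baseline.txt'

function Get-RuleFingerprints {
    # One line per active rule with every field that changes what it permits.
    Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        ($_.Name, $_.Enabled, $_.Direction, $_.Action, $_.Profile,
         $app.Program, $port.Protocol, (@($port.RemotePort) -join ',')) -join '|'
    }
}

function Compare-FirewallBaseline {
    $now = @(Get-RuleFingerprints | Sort-Object)
    if (-not (Test-Path $Baseline)) {
        # First run: record the rule set you reviewed and approved.
        Set-Content -Path $Baseline -Value $now
        return "Baseline written with $($now.Count) rules"
    }
    $old  = @(Get-Content -Path $Baseline)
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $now
    if (-not $diff) { return 'No rule changes since baseline' }
    foreach ($d in $diff) {
        # '=>' is present now but not in the baseline: a new or modified rule.
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW/CHANGED' } else { 'GONE/CHANGED' }
        "$tag $($d.InputObject)"
    }
}

function Get-RuleChangeEvents([int]$Hours = 24) {
    # The firewall's own log says who changed what: 2004 = rule added,
    # 2005 = rule modified, 2006 = rule deleted; the message names the rule,
    # the modifying application and the modifying user.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Compare-FirewallBaseline   # run after each reboot or install; delete the file to re-baseline
Get-RuleChangeEvents | Format-List
```

Run it from an elevated prompt; a rule that shows up as NEW/CHANGED can be matched to the 2004 event that created it, which is the evidence of which installer or service added it.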


#6 glenndm

glenndm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 10 February 2018 - 09:45 AM

 

Now I discovered rules get added independent of updates - this happens practically every few reboots.

Not just upon reboots, simply installing a software will do. MS assumes, that if you allow to run a software with admin rights, you trust it to create those rules, like Steam.

 

You can either use a 3rd party firewall or 3rd party GUI for Windows Firewall, like Glasswire or Sphinx Windows Firewall Control, which take control over WF.

 

I remove and re-add Windows firewall rules every day with a script.

rem Remove All Windows Firewall Rules (2 options)
netsh advfirewall firewall delete rule name=all
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f

rem Windows Firewall Rules
netsh advfirewall firewall add ....
8<

Finally, a really useful insight, which will be implemented immediately.
Also true about the admin rights.

Thank you for the great help.

 



#7 glenndm

glenndm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 10 February 2018 - 11:16 AM

Another thought:

Perhaps by locking write permissions on the registry key, I can prevent any unwanted modification:
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

It works, but it may break updates. We'll see.
 



#8 TairikuOkami

TairikuOkami

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:08:00 PM

Posted 10 February 2018 - 12:21 PM

I think I have tried that one and it broke Windows Firewall, so it was unable to start, but I'm not sure now. Rules do not change, but saved MD5 signatures do.


Edited by TairikuOkami, 10 February 2018 - 12:22 PM.




