How good are the default settings of Windows Firewall?
sg09
June 11th, 2010, 10:56 AM
I am in a public profile. How good is the default profile of Windows Firewall? What should I do to ensure maximum protection? I use uTorrent and Dropbox.
I am using Vista 32bit. Please explain as I am not at all expert in Firewall configuration.
Please don't suggest any 3rd party Firewalls. I have come back to Windows Firewall after using almost all of them. It's the best silent firewall in my opinion.
funkydude
June 11th, 2010, 11:22 AM
The public profile is the strictest of all 3, but will give you issues if you're simply using it in a home environment, for example SSDP/UPnP is blocked which is generally used by programs such as uTorrent to open ports.
I use the Home profile at home, as far as I'm aware it doesn't reduce your security or leave you vulnerable to attack from external sources, it just allows more internal network data to be transmitted/received, which is why it's generally safe to use Home on a private Home network.
If Stem is around he will hopefully explain it somewhat better than I did. ;D
sg09
June 11th, 2010, 11:30 AM
@funkydude: Thanks for your answer.
I am using a public broadband. While I used Avast or Kaspersky I got a lot of DCOM attacks and Helkern attacks. Also my friend, who uses the same ISP, sees lots of IP blocking in idle time from MBAM Pro. That's why I think there are botnets working inside our ISP. I also see a lot of attacks blocked in BullGuard IS.
I am using public profile in windows firewall right now and not facing any problems in utorrent. Should I do anything more to tighten the filtration of incoming traffic?
Konata Izumi
June 11th, 2010, 11:39 AM
Use Peerblock :isay:
sg09
June 11th, 2010, 11:41 AM
-{ Quote: "Use Peerblock :isay:" }-
I use peerblock...;)
funkydude
June 11th, 2010, 12:28 PM
Not sure what you mean by public broadband. Are you at home behind a router with a broadband connection from an ISP, or on a 3G/wireless public network?
But yeah, public will give you the most protection.
majoMo
June 11th, 2010, 12:31 PM
-{ Quote: "While I used Avast or Kaspersky I got a lot of dcom attack and helkern attack." }-
To do an easy safe configuration I use e.g. "Windows Worms Doors Cleaner" (WWDC) and "Seconfig XP" (it seems to work in Vista also). These configuration tools add additional security to Windows Firewall. Checking the protection with ShieldsUP! is advised.
AvinashR
June 11th, 2010, 12:31 PM
-{ Quote: "I use peerblock...;)" }-
Who is your ISP? Bharti Airtel or BSNL ?
sg09
June 11th, 2010, 12:59 PM
-{ Quote: "Who is your ISP? Bharti Airtel or BSNL ?" }-
BSNL
-{ Quote: "Not sure what you mean by public broadband. Are you at home behind a router with a broadband connection from an ISP, or on a 3G/wireless public network?" }-
I am not behind a router. Direct Broadband connection from my ISP.
-{ Quote: "To do an easy safe configuration I use e.g. "Windows Worms Doors Cleaner" (WWDC) and "Seconfig XP" (it seems to work in Vista also). These configuration tools add additional security to Windows Firewall. Checking the protection with ShieldsUP! is advised." }-
Both seem to work only up to XP...:( Anyway thanks..:)
JRViejo
June 11th, 2010, 01:43 PM
sg09, have you taken a look at Stem's tutorial Windows Firewall with Advanced Security (Guide for Vista/Win7 - two-way control) (http://www.wilderssecurity.com/showthread.php?t=239750)?
sg09
June 11th, 2010, 02:21 PM
-{ Quote: "sg09, have you taken a look at Stem's tutorial Windows Firewall with Advanced Security (Guide for Vista/Win7 - two-way control) (http://www.wilderssecurity.com/showthread.php?t=239750)?" }-
Thanks, I read that again. But there is no mention of further hardening of security; just the Windows Firewall is thoroughly explained. I guess the public profile is strong enough to protect from botnets. Moreover I have PeerBlock.
funkydude
June 11th, 2010, 02:35 PM
sg09, if it's possible for you, you should invest in a decent router. It would be your first big barrier of defence.
Stem
June 11th, 2010, 02:40 PM
Hi sg09,
Check in the firewall's "public policy" for any rule that allows inbound, and then check for any "exceptions" (you should be able to find info for that in the post linked to by JRViejo).
You should only have inbound allow rules/exceptions for the applications that actually require that inbound, such as (possibly) your torrent client.
- Stem
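The audit Stem describes (find every inbound allow rule or exception that is active in the Public profile and make sure each one belongs to a program that really needs inbound traffic) can be done offline against the text that `netsh advfirewall firewall show rule name=all verbose` prints on Vista/Win7. The script below is an added example for this thread, not code from any poster or from Microsoft: it parses that field-per-line format into rules, filters the enabled inbound Allow rules for a chosen profile, and reports any whose program is not on a list of expected executables (port-only rules with no program, such as a Remote Desktop rule, are always reported because any process could be listening there). The three sample rules and the uTorrent path are constructed for the example.

```python
"""Audit Windows Firewall inbound allow rules for the Public profile.

Added example (not from the thread). Parses the output of
`netsh advfirewall firewall show rule name=all verbose` and lists the
enabled inbound Allow rules that apply to a profile, flagging rules
whose program is not on an expected list. Field names are the ones
netsh prints; the sample rules below are constructed.
"""

# Constructed sample of the netsh output (a real dump has hundreds of rules).
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            uTorrent (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\\Program Files\\uTorrent\\uTorrent.exe
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow
"""


def parse_netsh_rules(text):
    """Split netsh output into one dict per rule, keyed by the printed field names."""
    rules = []
    current = None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)   # split on the first colon only: paths contain "C:"
            current[key.strip()] = value.strip()
    return rules


def inbound_allow_rules(rules, profile="Public"):
    """Enabled inbound Allow rules that apply to the given profile."""
    return [
        r for r in rules
        if r.get("Enabled") == "Yes"
        and r.get("Direction") == "In"
        and r.get("Action") == "Allow"
        and profile in r.get("Profiles", "").split(",")
    ]


def unexpected_inbound(rules, expected_programs, profile="Public"):
    """Names of inbound allow rules whose program is not on the expected list.

    Rules without a Program field (service- or port-only rules) are reported
    too, since anything could accept connections on that port.
    """
    expected = {p.lower() for p in expected_programs}
    return [
        r["Rule Name"] for r in inbound_allow_rules(rules, profile)
        if r.get("Program", "").lower() not in expected
    ]


if __name__ == "__main__":
    parsed = parse_netsh_rules(SAMPLE_NETSH_OUTPUT)
    # Only the torrent client is expected to accept inbound connections here.
    for name in unexpected_inbound(parsed, [r"C:\Program Files\uTorrent\uTorrent.exe"]):
        print("review inbound allow rule:", name)
```

On the machine being audited, redirect the netsh output to a file (`netsh advfirewall firewall show rule name=all verbose > rules.txt`) and pass the file's contents to `parse_netsh_rules`; the `Program` line is only printed with `verbose`, so without it every rule would be reported.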
sg09
June 11th, 2010, 03:23 PM
-{ Quote: "sg09, if it's possible for you, you should invest in a decent router. It would be your first big barrier of defence." }-
Thanks, I am really thinking of buying one...:)
-{ Quote: "Check in the firewall's "public policy" for any rule that allows inbound, and then check for any "exceptions" (you should be able to find info for that in the post linked to by JRViejo).
You should only have inbound allow rules/exceptions for the applications that actually require that inbound, such as (possibly) your torrent client." }-
Thanks for your help ;D I am doing this....8)
TheMozart
June 11th, 2010, 05:34 PM
How good are the default settings of Windows Firewall?
Answer: Good enough for the average user who doesn't download illegal warez/apps/software, illegal cracks and serials and only uses the internet for honest purposes and only downloads legal and legitimate programs from reputable companies.
wat0114
June 11th, 2010, 06:02 PM
-{ Quote: "
Please don't suggest any 3rd party Firewalls. I have come back to Windows Firewall after using almost all of them. It's the best silent firewall in my opinion." }-
Agreed wholeheartedly :)
sg09, if you want, list the apps you have that you know need Internet connectivity and I'll help if possible with granular rule settings. Public profile is the tightest for sure, but it can certainly be improved.
funkydude
June 11th, 2010, 07:34 PM
-{ Quote: "
Answer: Good enough for the average user who doesn't download illegal warez/apps/software, illegal cracks and serials and only uses the internet for honest purposes and only downloads legal and legitimate programs from reputable companies." }-
Windows firewall would keep you protected no matter what you were downloading.
sg09
June 12th, 2010, 12:27 AM
-{ Quote: "
sg09, if you want, list the apps you have that you know need Internet connectivity and I'll help if possible with granular rule settings. Public profile is the tightest for sure, but it can certainly be improved." }-
Thanks. I am attaching the whole list of my installed applications.
wat0114
June 13th, 2010, 08:43 PM
sg09, you have a lot of apps I don't use, but some of my rules could apply to your situation. Make sure to visit the link in post #10 of this thread for Stem's excellent tutorial on how to set up the fw rules.
Here are my outbound rules, mostly made up of my custom rules with the rest built-in core rules. The Active profile is “Public”. They are certainly not perfected, some could maybe be tighter, but I believe mostly thorough. The trouble with setting specific program rules in Win 7/Vista fw is knowing exactly which programs need Internet access, because there are no pop-ups like in 3rd party firewalls. Java, for example, was rather difficult, so I just created rules for all its executables to ports 80 & 443. For FTP, I simply created one for any program, but perhaps I should restrict this to specific ones. My son plays Fusion Fall and that was difficult because IE needs to connect to non-standard remote ports. I had to examine the logs to figure it out. There are four “Block” rules for svchost services, but I need to temporarily allow the second and fourth ones when running Win updates. I block them almost always because svchost likes to connect out whenever it pleases without good reason, so I keep it on a short leash ;)
EDIT 06/15/2010: I've updated the outbound rules, so a new screenshot.
Greg S
June 13th, 2010, 08:55 PM
-{ Quote: "
Here are my outbound rules, mostly made up of my custom rules with the rest built-in core rules. The Active profile is “Public”. " }-
Nice post wat, thanks for the graphic too
wat0114
June 13th, 2010, 10:09 PM
-{ Quote: "Nice post wat, thanks for the graphic too" }-
Thank you Greg! Tomorrow will be my inbound rules. It was tight getting all the important columns into the shot (Snagit would only scroll vertically), so I had to remove some of the other columns to make it all fit.
sg09
June 14th, 2010, 02:44 AM
Thanks a lot wat0114..:)
wat0114
June 14th, 2010, 01:27 PM
-{ Quote: "Thanks a lot wat0114..:)" }-
You are welcome!
Here are my inbound rules, a lot of which I don't even need because I'm behind a router and not on a local network, but I created them anyway just for the learning experience. Again, maybe they're too restrictive, not restrictive enough or I'm missing something, but I think they're a decent starting point. I block SSDP from my router because I can't get it to stop sending them.
EDIT 06/14/2010: I've updated the inbound rules, so a new screenshot.
sg09
June 14th, 2010, 03:57 PM
Wow, Thanks again.... Very useful indeed...:thumb:
Heimdall
June 14th, 2010, 08:51 PM
-{ Quote: "
Here are my inbound rules..." }-
Forgive my curiosity but why did you change the default ICMPv4 and ICMPv6 inbound rules?
wat0114
June 14th, 2010, 08:58 PM
-{ Quote: "Forgive my curiosity but why did you change the default ICMPv4 and ICMPv6 inbound rules?" }-
I wanted to make some ICMP rules on my own, even though I could just as easily have gone with the Core defaults. This way betters (hopefully) my knowledge of what they're all about :) I will have to go through them carefully and look for duplicates. I have already found a couple. Feel free to point out anything that looks odd. I'm certainly no expert at this and it's a long, painstaking process to create and fine-tune these rules, so mistakes and incomplete rules are possible, if not likely.
Heimdall
June 14th, 2010, 10:38 PM
-{ Quote: "I wanted to make some ICMP rules on my own, even though I could just have easily gone with the Core defaults... " }-
To some extent the rules you create for your software firewall will depend upon the capabilities of the firewall in your router. I use custom firmware, which allows me to control firewall rules via customisable iptables for both inbound and outbound access.
With your inbound ICMPv4 rules, you seem to be allowing Network Unreachable (ICMP 3 11) but not Host Unreachable (ICMP 3 1), Port Unreachable (ICMP 3 3) or Fragmentation Needed (ICMP 3 4)?
It also seems the ICMPv6 rule allows Destination Unreachable (type 1) but you have removed the essential ICMPv6 rules. Granted, if you're not actively using IPv6 you may not notice, however, ICMPv6 is a somewhat different beast to ICMPv4 and is actually existential for proper communication over IPv6.
Apologies if I missed something
wat0114
June 14th, 2010, 10:53 PM
-{ Quote: "To some extent the rules you create for your software firewall will depend upon the capabilities of the firewall in your router." }-
I created the majority of them without regard to the router's filtering, mainly because I'm more interested in a rule set for a stand-alone Win 7 fw setup.
-{ Quote: "With your inbound ICMPv4 rules, you seem to be allowing Network Unreachable (ICMP 3 11) but not Host Unreachable (ICMP 3 1), Port Unreachable (ICMP 3 3) or Fragmentation Needed (ICMP 3 4)?
It also seems the ICMPv6 rule allows Destination Unreachable (type 1) but you have removed the essential ICMPv6 rules. Granted, if you're not actively using IPv6 you may not notice, however, ICMPv6 is a somewhat different beast to ICMPv4 and is actually existential for proper communication over IPv6." }-
ICMP rules give me some of the most difficulty in understanding what is needed - even for a basic home setup without networking. I don't use ICMPv6 but decided to simply keep the ones for a basic setup, although I may have missed some. I am in the gradual process of poring over the rules and correcting mistakes I or others spot :) Tomorrow I think I will replace the current outbound rules ss with an updated one.
-{ Quote: "Apologies if I missed something" }-
No need to apologize. Thanks for pointing out any oddities.
Heimdall
June 14th, 2010, 11:28 PM
-{ Quote: "
ICMP rules give me some of the most difficulty in understanding what is needed " }-
Indeed, they can be a little tricky. If it were me, I'd include a rule for ICMPv4 that allows Fragmentation Needed as that can be pretty important for the correct flow of data over TCP.
I'd also think about restoring the ICMPv6 defaults. As I mentioned in my last post, ICMPv6 is essential and even if you don't knowingly use IPv6, at least one of your applications can. uTorrent.
uTorrent, if configured to do so, will use Teredo, which is an IPv6 transition technology, basically IPv6 over IPv4. For Teredo to work correctly, it has to be able to find Teredo relays. To do that it uses an ICMPv6 Echo request.
By removing the defaults, you've effectively crippled some of the functionality of IPv6.
wat0114
June 14th, 2010, 11:57 PM
Heimdall, thank you for your help! :) this is what I was hoping for because I knew they needed some work. Just minutes ago I had to correct my Java update rules because of the latest release. I will modify my rules according to your recommendations and replace my screenshots tomorrow am.
henris
June 15th, 2010, 09:35 AM
How do I protect the firewall settings from applications such as Skype, which create their own rules and add them to the firewall?
Heimdall
June 15th, 2010, 10:42 AM
-{ Quote: "How do I protect the firewall settings from applications such as Skype, which create their own rules and add them to the firewall?" }-
I'm not sure there is an easy way of dealing with programs like Skype, apart from letting it create the rules it believes it needs, then editing them to be more in line with what you need.
Skype is a particular PITA but it's not impossible to lock it down. I haven't used it in a while, but I can probably knock up a rule set PDQ. If I can help, let me know.
wat0114
June 15th, 2010, 11:46 AM
-{ Quote: "I'm not sure there is an easy way of dealing with programs like Skype, apart from letting it create the rules it believes it needs, then editing them to be more in-line with what you need.
" }-
I agree, that's the easiest way to deal with it.
BTW, updated outbound rule set here in post #19... (http://www.wilderssecurity.com/showpost.php?p=1694486&postcount=19)
As recommended to me, I added the ICMPv6 Core defaults plus a custom rule for ICMP Fragmentation (there was no default available??). Also added some remote mail server IP addresses, and cleaned up some other rules such as the Java update program locations for jucheck.exe and jusched.exe found at: C:\Program files (x86)\Common files\Java\Java Update
minoka
June 15th, 2010, 01:23 PM
Thanks, wat0114!
Heimdall,
I would like very much to see what rules you would create for Skype.
Is there an order by which the Windows 7 firewall processes rules? I have rules for Skype in another firewall and their order is critical.
pandlouk
June 16th, 2010, 09:49 AM
-{ Quote: "
I would like very much to see what rules you would create for Skype.
Is there an order by which the Windows 7 firewall processes rules? I have rules for Skype in another firewall and their order is critical." }-
-{ Quote: " Firewall rule priority
Because you can make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed:
1. Authenticated bypass. These are rules in which the Override block rules option is selected. These rules allow matching network traffic that would otherwise be blocked. The network traffic must be authenticated by using a separate connection security rule. You can use these rules to permit access to the computer to authorized network administrators and authorized network troubleshooting devices. For more information, see Dialog Box: Customize Allow If Secure Settings
2. Block connection. These rules block all matching inbound network traffic.
3. Allow connection. These rules allow matching inbound network traffic. Because the default behavior is to block unsolicited inbound network traffic, you must create an allow rule to support any network program or service that must be able to accept inbound connections.
4. Default profile behavior. The default behavior is to block unsolicited inbound network traffic, but to allow all outbound network traffic. You can change the default behavior on the Domain Profile, Private Profile, and Public Profile tabs of the Windows Firewall with Advanced Security Properties dialog box.
As soon as a network packet matches a rule, that rule is applied, and processing stops. For example, an arriving network packet is first compared to the authenticated bypass rules. If it matches one, that rule is applied and processing stops. The packet is not compared to the block, allow, or default profile rules. If the packet does not match an authenticated bypass rule, then it is compared to the block rules. If it matches one, the packet is blocked, and processing stops, and so on." }-
http://technet.microsoft.com/en-us/library/dd421709%28WS.10%29.aspx
Panagiotis
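The quoted TechNet text gives the fixed order in which Windows Firewall with Advanced Security evaluates rules (authenticated bypass, then block, then allow, then the profile default), which is why rule order within the console does not matter. The simulator below is an added example written for this thread, not Microsoft's code or any poster's: it models that precedence for both directions, using the inbound default (block) and outbound default (allow) the quote gives, so it also covers the outbound situation discussed later in the thread where a block rule for one remote address must win over an allow rule for the browser. Rule and packet fields are simplified, the "authenticated" flag stands in for a connection security rule, and every program name and address is constructed (203.0.113.10 and 198.51.100.7 are documentation addresses).

```python
"""Simulate Windows Firewall with Advanced Security rule precedence.

Added example for the thread, not Microsoft's code. Tier order follows
the quoted TechNet text: authenticated bypass, block, allow, default.
All sample programs and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                  # "In" or "Out"
    action: str                     # "Allow" or "Block"
    override_block: bool = False    # allow rule with "Override block rules" set
    program: Optional[str] = None   # None means any program
    protocol: Optional[str] = None  # "TCP", "UDP" or None for any
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass
class Packet:
    direction: str
    program: str
    protocol: str
    remote_ip: str
    remote_port: int
    local_port: int
    authenticated: bool = False     # stands in for a matching connection security rule


def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    if rule.direction != pkt.direction:
        return False
    for name in ("program", "protocol", "remote_ip", "remote_port", "local_port"):
        wanted = getattr(rule, name)
        if wanted is not None and wanted != getattr(pkt, name):
            return False
    return True


def tier(rule):
    """0 = authenticated bypass, 1 = block, 2 = allow."""
    if rule.action == "Allow" and rule.override_block:
        return 0
    if rule.action == "Block":
        return 1
    return 2


def evaluate(rules, pkt):
    """Return (decision, rule name or 'default'). Processing stops at the first
    match in tier order, so a block rule beats any ordinary allow rule."""
    for current_tier in range(3):
        for rule in rules:
            if tier(rule) != current_tier or not matches(rule, pkt):
                continue
            if current_tier == 0 and not pkt.authenticated:
                continue    # bypass rules only apply to authenticated traffic
            return ("Allow" if rule.action == "Allow" else "Block", rule.name)
    # Profile default from the quoted text: block unsolicited inbound, allow outbound.
    return ("Block" if pkt.direction == "In" else "Allow", "default")


# Constructed rule set illustrating each tier.
RULES = [
    Rule("Block remote IP SIW", "Out", "Block", remote_ip="203.0.113.10"),
    Rule("Firefox HTTP", "Out", "Allow", program="firefox.exe", protocol="TCP", remote_port=80),
    Rule("uTorrent (TCP-In)", "In", "Allow", program="utorrent.exe", protocol="TCP"),
    Rule("Block RDP from anywhere", "In", "Block", protocol="TCP", local_port=3389),
    Rule("RDP for admin workstation", "In", "Allow", override_block=True,
         protocol="TCP", local_port=3389, remote_ip="192.168.1.5"),
]


if __name__ == "__main__":
    # Browser to the blocked address: the allow rule matches too, but block wins.
    print(evaluate(RULES, Packet("Out", "firefox.exe", "TCP", "203.0.113.10", 80, 50000)))
    # Unsolicited inbound UDP with no matching rule falls to the inbound default.
    print(evaluate(RULES, Packet("In", "svchost.exe", "UDP", "198.51.100.7", 5000, 5000)))
```

The first sample rule is the "block this remote IP for all programs" pattern: because it sits in the block tier, it applies regardless of which program (or which allow rule) the connection would otherwise match.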
Konata Izumi
June 16th, 2010, 10:26 AM
I wish my Windows XP firewall worked like that :(
riolionel
June 27th, 2010, 08:00 AM
Hello,
I successfully blocked the "check for updates" function in the SIW program (just for an experiment) by creating a general "block all" outgoing connection rule in my Windows Firewall with Advanced Security (Win7 64). But I have a little problem now.
If I try to open the SIW homepage from the program itself, my Firefox opens that page without the firewall being able to block it.
How can I also block these requests?
pabrate
June 27th, 2010, 03:54 PM
-{ Quote: "I'm not sure there is an easy way of dealing with programs like Skype, apart from letting it create the rules it believes it needs, then editing them to be more in-line with what you need.
" }-
Yes, but if you edit those rules, they will revert back to the original ones that were created when Skype is run next time.
Heimdall
June 30th, 2010, 02:06 AM
-{ Quote: "Yes, but if you edit those rules, they will revert back to the original ones that were created when Skype is run next time." }-
If you disable upnp in Skype, it won't.
riolionel
July 4th, 2010, 05:20 AM
-{ Quote: "Hello,
I successfully blocked the "check for updates" function in the SIW program (just for an experiment) by creating a general "block all" outgoing connection rule in my Windows Firewall with Advanced Security (Win7 64). But I have a little problem now.
If I try to open the SIW homepage from the program itself, my Firefox opens that page without the firewall being able to block it.
How can I also block these requests?" }-
No one knows the reply? :doubt:
pandlouk
July 4th, 2010, 05:11 PM
-{ Quote: "-{ Quote: "Hello,
I successfully blocked the "check for updates" function in the SIW program (just for an experiment) by creating a general "block all" outgoing connection rule in my Windows Firewall with Advanced Security (Win7 64). But I have a little problem now.
If I try to open the SIW homepage from the program itself, my Firefox opens that page without the firewall being able to block it.
How can I also block these requests?" }-
No one knows the reply? :doubt:" }-
You cannot block these requests with Windows Firewall.
Panagiotis
wat0114
July 4th, 2010, 05:53 PM
riolionel, do you mean this one?:
http://www.gtopala.com/siw-software/updates.html
If so, you should be able to create a rule to block that specific IP address for all programs. Hopefully I understand what you're asking because I'm not sure of the acronym SIW.
riolionel
July 5th, 2010, 05:17 AM
-{ Quote: "riolionel, do you mean this one?:
http://www.gtopala.com/siw-software/updates.html
If so, you should be able to create a rule to block that specific IP address for all programs. Hopefully I understand what you're asking because I'm not sure of the acronym SIW." }-
Then how do I set an IP block rule with Windows Firewall? I don't know a way to do it.
wat0114
July 5th, 2010, 12:57 PM
-{ Quote: "Then how do I set an IP block rule with Windows Firewall? I don't know a way to do it." }-
Check the screenshots...
After the 5th, hit: Next -> Next -> keep all three checkboxes enabled (Private, Domain, Public) -> Type a name for the rule, maybe: "Block remote ip SIW" -> Finish.
Also, check out Stem's Vista (applies to Win7 too) tutorial here. (http://www.wilderssecurity.com/showthread.php?t=239750)
riolionel
July 5th, 2010, 03:33 PM
It works! For hostname rules, is it instead necessary to edit the hosts file, right?
Because there isn't anything in Windows Firewall about this aspect.
Thank you.
wat0114
July 5th, 2010, 04:56 PM
You're welcome. Sorry, I don't know about the hosts file, because I haven't used it in years.
cqpreson
July 6th, 2010, 12:26 AM
Blocking IPs in IPsec is simpler than in Firewall with Advanced Security, I think.