Wilders Security Forums  

  #526  
Old September 26th, 2011, 10:06 AM
pandorax pandorax is offline
Frequent Poster
 
Join Date: Feb 2011
Posts: 251
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

I am seeing this log regularly from the Windows Firewall Notifier console. Should I set an outgoing rule for svchost; UDP; 1900? I have seen a post about UDP 1900 in this thread. It was about UPnP. It is not active in my router.

And please, tell me what rules you use for utorrent. Can you give me a screenshot of your torrent rules?

My last question: is there a way to disable firewall logging for a particular application in Event Viewer? Let's say I don't want to see any log about svchost in Event Viewer. Or I don't want to see any log about svchost; UDP; 1900, for example.
Attached Images
 

Last edited by pandorax : September 26th, 2011 at 10:11 AM.
  #527  
Old September 26th, 2011, 10:56 AM
Romagnolo1973's Avatar
Romagnolo1973 Romagnolo1973 is offline
Frequent Poster
 
Join Date: Feb 2009
Location: Italy - Ravenna
Posts: 412
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Regola Torrent - TCP out Tutti Sì Consenti C:\Program Files (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi TCP 1024-65535 (local port) 1024-65535 (remote port) Qualsiasi
Regola Torrent - UDP Server Tutti Sì Consenti %ProgramFiles% (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi UDP 1024-65535(local) 80, 443(remote) Qualsiasi
Regola Torrent - UDP Out Tutti Sì Consenti C:\Program Files (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi UDP 58812 1024-65535 Qualsiasi
Regola Utorrent - TCP Server Tutti Sì Consenti %ProgramFiles% (x86)\uTorrent\uTorrent.exe Qualsiasi Qualsiasi TCP 1024-65535 80, 443 Qualsiasi

Sorry, it is in Italian, but Tutti is all profiles; Sì is yes for active; Consenti is allow; Qualsiasi is any for local IP, remote IP, etc.
You still receive several other requests depending on the downloaded files, servers and so on; you must allow just one this new requests or you are unable to download fast. The rules I create are more or less the same I use in Comodo CIS and are the basics for download, server, update.
The rules I create are only for outgoing connections, due to the fact that incoming is allowed in the Seven FW rules when you install torrent (exception on winFW).
__________________
PrivateFirewall + Kaspersky AV + HitmanPro + Sumo Updater
Sorry For My Bad English I'm Italian
  #528  
Old September 26th, 2011, 11:31 AM
pandorax pandorax is offline
Frequent Poster
 
Join Date: Feb 2011
Posts: 251
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Thank you @Romagnolo1973.

Last edited by pandorax : September 26th, 2011 at 11:43 AM.
  #529  
Old October 1st, 2011, 01:26 PM
Escalader's Avatar
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by wat0114
You're welcome! Not overly important, at least not to the extent things will be crippled without them, but it's nice to have the option to ping or run a traceroute if needed. My ICMP rules are attached.


Thanks Wat! I've downloaded your ICMP rules.... why recreate the wheel!
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #530  
Old October 29th, 2011, 02:47 AM
Athletic's Avatar
Athletic Athletic is offline
Regular Poster
 
Join Date: Jan 2009
Posts: 88
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

A lot of people said that the W7 firewall outbound rules are difficult to set. O.K., it could be more simplified like in other firewalls... but you must only once set up rules for browser, torrent client, chat client (3-5 programs) and you are without problem? I think that's true.

It can be a problem only for users who want all programs to autoupdate.

There are no popups on outbound blocked programs in the W7 firewall, but does it have some sort of log or window where I can see what was blocked?
__________________
1.Firefox 2. Sandboxie 3. Shadow Defender 4. Acronis TI 5. FastStone 6.Micro Torrent 7.WinPatrol
  #531  
Old January 15th, 2012, 04:35 PM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Which rule do you create for bits service ? I can't upload files on emsisoft forum with chrome (tcp 80 and 443 allow)
Thanks.
__________________
Wait and See
  #532  
Old January 17th, 2012, 08:06 AM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

After some research it seems I need a rule for rundll32.exe
Is it normal ? Can I create it without security risk ?
__________________
Wait and See
  #533  
Old January 29th, 2012, 11:50 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,452
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by EboO
Which rule do you create for bits service ? I can't upload files on emsisoft forum with chrome (tcp 80 and 443 allow)
Thanks.

Excepting Windows itself, do you have any software that makes use of BITS? For example, Adobe Reader (at least version 10) makes use of it. So, for instance, if you'd want to update Adobe Reader using its own updating mechanism, then you should create a rule that would allow the Reader's process handling updates to use BITS.

Other than that, if you got no application that updates itself using it, I don't think you would have to create a rule for it?

-edit-

I see that you mentioned you can't upload files to Emsisoft forum? Why would it need BITS?
  #534  
Old January 29th, 2012, 12:15 PM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

I made a mistake : I need to allow rundll32.exe for uploading files on emsisoft forum. Is BITS necessary for flash updates ?
Thanks.
__________________
Wait and See
  #535  
Old February 12th, 2012, 09:58 AM
kilves76 kilves76 is offline
Infrequent Poster
 
Join Date: Feb 2012
Posts: 3
Question Re: Windows Firewall with Advanced Security (Guide for Vista)

Is there a way to filter out broadcast packets in an Event Viewer custom view? It's hard to find important packet drops when most of it is broadcast traffic, source: 224.0.0.252, 255.255.255.255, ff02::1:3.

For example the xml says
<Data Name="SourceAddress">224.0.0.252</Data>
but I don't know how to incorporate that into the filter as a NOT rule.
  #536  
Old February 12th, 2012, 07:06 PM
Greg S Greg S is offline
Very Frequent Poster
 
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by kilves76
Is there a way to filter out broadcast packets in an Event Viewer custom view? It's hard to find important packet drops when most of it is broadcast traffic, source: 224.0.0.252, 255.255.255.255, ff02::1:3.

For example the xml says
<Data Name="SourceAddress">224.0.0.252</Data>
but I don't know how to incorporate that into the filter as a NOT rule.

Is this what you are looking for?
http://www.wilderssecurity.com/showp...&postcount=321
  #537  
Old February 12th, 2012, 08:04 PM
kilves76 kilves76 is offline
Infrequent Poster
 
Join Date: Feb 2012
Posts: 3
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

I managed to realize the proper syntax for the custom view xml filter

Quote:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=5157)]]
and *[EventData[Data[@Name="SourceAddress"]!="224.0.0.252"]]
and *[EventData[Data[@Name="SourceAddress"]!="ff02::2"]]
</Select>
</Query>
</QueryList>

Tweaking that, it's possible to have a view that only includes whatever one considers important, cleaned of noise. Now if only I knew how to output the event data into the attached task popup box... Sparviero, could I persuade you to share your code how you do it?

Edit: seems there's a built-in limitation of 8 evaluations, so it's eventid=5157 + 7 addresses to suppress. Doesn't give room for extensive filtering but at least good for filtering out 224.0.0.22, 224.0.0.252, 255.255.255.255 + 4 more. Good if you're running IPv4 only, but add IPv6 and there's too much junk to be filtered.

Last edited by kilves76 : February 13th, 2012 at 04:59 AM.
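
An added example, not code from any poster in this thread: because the custom view above runs out of evaluations after a handful of addresses, the same exclusion can be done outside Event Viewer on exported events. This Python version goes beyond the fixed address list by classifying any multicast or limited-broadcast source as noise; the function names are hypothetical, the sample events are constructed, and it assumes the export is wrapped in an `<Events>` root element and uses the `Application` and `DestPort` fields alongside the `SourceAddress` field quoted above.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real log data), reduced to the fields used here.
_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><EventID>{0}</EventID></System><EventData>'
          '<Data Name="Application">{1}</Data>'
          '<Data Name="SourceAddress">{2}</Data>'
          '<Data Name="DestPort">{3}</Data></EventData></Event>')
_ROWS = [
    (5157, "svchost.exe", "224.0.0.252", 5355),      # IPv4 multicast noise
    (5157, "svchost.exe", "ff02::1:3", 5355),        # IPv6 multicast noise
    (5157, "svchost.exe", "255.255.255.255", 67),    # limited broadcast
    (5157, "svchost.exe", "224.0.0.22", 0),          # IPv4 multicast noise
    (5157, "utorrent.exe", "192.168.1.20", 6881),    # unicast: keep
    (5157, "rundll32.exe", "fe80::1c2d:3e4f", 443),  # link-local unicast: keep
    (5156, "chrome.exe", "192.168.1.20", 443),       # not a 5157 event: skip
]
SAMPLE = "<Events>" + "".join(_EVENT.format(*r) for r in _ROWS) + "</Events>"

BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_noise(addr):
    """True for multicast or limited-broadcast addresses (IPv4 and IPv6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable value: keep the event so someone looks at it
    return ip.is_multicast or ip == BROADCAST


def important_drops(xml_text, event_id="5157"):
    """Return the EventData of matching events whose source is not noise."""
    kept = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != event_id:
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if not is_noise(data.get("SourceAddress", "")):
            kept.append(data)
    return kept


if __name__ == "__main__":
    for d in important_drops(SAMPLE):
        print(d["Application"], d["SourceAddress"], d["DestPort"])
```

An export in this shape can be produced from an elevated prompt with `wevtutil qe Security /q:"*[System[(EventID=5157)]]" /f:xml /e:Events`. A subnet-directed broadcast such as 192.168.1.255 is not recognised here, since detecting it needs the local prefix length.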
  #538  
Old February 13th, 2012, 12:09 PM
sparviero's Avatar
sparviero sparviero is offline
Regular Poster
 
Join Date: Apr 2009
Posts: 88
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Tweaking that it's possible to have a view that only includes whatever one considers important, cleaned of noise.

Certainly possible, but do not know if you need for simple desktop. If you have a bit of experience with C# code and reading through MSDN Library like; http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx, you can apply what you think most need.

This one: http://wokhan.online.fr/progs.php?sec=WFN , I think it's the best Windows 7 Firewall Notifier available, just use it.

have fun ...

Last edited by sparviero : February 17th, 2012 at 07:18 AM.
  #539  
Old February 21st, 2012, 10:56 PM
kilves76 kilves76 is offline
Infrequent Poster
 
Join Date: Feb 2012
Posts: 3
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Is it possible to find out which firewall rule actually made the block, from the filter information?

Filter Information:
Filter Run-Time ID: 68839
Layer Name: Connect
Layer Run-Time ID: 48

Tried googling this but without any success.
  #540  
Old February 26th, 2012, 09:24 AM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Is it necessary to create a rule for localhost ? Which application use it ?

Thanks.
__________________
Wait and See
  #541  
Old February 26th, 2012, 02:18 PM
sparviero's Avatar
sparviero sparviero is offline
Regular Poster
 
Join Date: Apr 2009
Posts: 88
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Is it necessary to create a rule for localhost ?

- not bad to create a rule for localhost.

- example: protocol; any / port: all/all / IP: 127.0.0.1 > 127.0.0.1

Have a nice day...
__________________
We secure the world ;-)
  #542  
Old February 26th, 2012, 03:04 PM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Thanks
__________________
Wait and See
  #543  
Old March 28th, 2012, 01:19 AM
EboO's Avatar
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

I've got another problem with windows firewall : can someone post his rules for norton antivirus please ?

Updates blocks since norton update, if i allow outbound it works well. I don't understand why.

Thanks.
__________________
Wait and See
  #544  
Old May 7th, 2012, 02:04 AM
jitte's Avatar
jitte jitte is offline
Regular Poster
 
Join Date: May 2012
Posts: 67
Default Windows Firewall with Advanced Security

Nevermind.

Last edited by jitte : May 9th, 2012 at 10:51 AM. Reason: I don't use Windows.
  #545  
Old May 11th, 2012, 11:51 AM
adrenaline7 adrenaline7 is offline
Regular Poster
 
Join Date: Apr 2011
Posts: 125
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Thanks for this great thread I used this to help me configure my Windows 7 firewall. I really only had to set a rule for Firefox and the rest has been easy. I liked windows firewall control but found this just as easy and the fewer apps I have on my system the better for me. I still have a few of the default things on windows allowed that I plan on researching and I've closed several windows services so I also like to investigate closing ports in windows 7.
  #546  
Old May 11th, 2012, 01:30 PM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 589
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by adrenaline7
Thanks for this great thread I used this to help me configure my Windows 7 firewall. I really only had to set a rule for Firefox and the rest has been easy. I liked windows firewall control but found this just as easy and the fewer apps I have on my system the better for me. I still have a few of the default things on windows allowed that I plan on researching and I've closed several windows services so I also like to investigate closing ports in windows 7.

You don't have to disable Windows services. Neither to close ports. Many of these are myths from the Windows XP era. Closing the Windows services will not give you any benefit. There may be dependencies between them, and instead of giving you a faster start-up time you will end with a longer start-up time because some of them did not start when they should. By default all ports are closed for inbound connections.
__________________
You can visit us at http://binisoft.org
  #547  
Old May 12th, 2012, 12:45 AM
adrenaline7 adrenaline7 is offline
Regular Poster
 
Join Date: Apr 2011
Posts: 125
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Point taken about ports, and I probably am outdated; I've just always thought the slimmer your list of exceptions is and the fewer ports open, inherently the more secure. I don't go crazy disabling services but, for instance, homegroup is enabled by default and uses 2 services which I disable, as I see no good reason to keep it enabled since it's something I would never use, or something like remote registry, another thing I'd never need, and you would think things like remote access would be a detriment to security.
  #548  
Old May 12th, 2012, 06:35 AM
alexandrud's Avatar
alexandrud alexandrud is online now
Frequent Poster
 
Join Date: Apr 2011
Posts: 589
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by adrenaline7
Point taken about ports, and I probably am outdated; I've just always thought the slimmer your list of exceptions is and the fewer ports open, inherently the more secure. I don't go crazy disabling services but, for instance, homegroup is enabled by default and uses 2 services which I disable, as I see no good reason to keep it enabled since it's something I would never use, or something like remote registry, another thing I'd never need, and you would think things like remote access would be a detriment to security.

As I know, HomeGroup is set to manual, until you really create one. Remote Registry is used by Remote Desktop Connection. In my opinion, if your system's security is compromised and an attacker has access to your computer by using any kind of malware, it doesn't matter anymore if you have Remote Registry set to disabled or manual. Anyway, malware does not rely on Remote Registry. You better don't spend too much time on tweaking Windows services, because it won't give you any real benefit.
__________________
You can visit us at http://binisoft.org
  #549  
Old May 12th, 2012, 10:05 AM
Escalader's Avatar
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by alexandrud
You don't have to disable Windows services. Neither to close ports. Many of these are myths from the Windows XP era. Closing the Windows services will not give you any benefit. There may be dependencies between them, and instead of giving you a faster start-up time you will end with a longer start-up time because some of them did not start when they should. By default all ports are closed for inbound connections.


There are differences between XP and W7 services. The best reliable source IMHO for what services can be disabled, set to manual etc. is found at

http://www.blackviper.com/category/faq/services-faq/

Certain Windows services I disable. One is Windows Update, since I don't need M$ to hear from my computer daily asking "got any updates?". I turn the service on the day after Patch Tuesday. The other one is Windows Time, same rationale: I know what time it is and so does my PC and my ISP.

Of course, check the dependencies; if there aren't any, set to manual and Windows will turn it on when/if needed.

If you don't know what you are doing do nothing in this area.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #550  
Old May 13th, 2012, 12:09 AM
adrenaline7 adrenaline7 is offline
Regular Poster
 
Join Date: Apr 2011
Posts: 125
Default Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by alexandrud
As I know, HomeGroup is set to manual, until you really create one. Remote Registry is used by Remote Desktop Connection. In my opinion, if your system's security is compromised and an attacker has access to your computer by using any kind of malware, it doesn't matter anymore if you have Remote Registry set to disabled or manual. Anyway, malware does not rely on Remote Registry. You better don't spend too much time on tweaking Windows services, because it won't give you any real benefit.

The 2 homegroup services were running despite being set to manual and without having ever configured homegroup. It was just an example anyway, same for remote registry. I could find other examples, but it's clear that we will just agree to disagree about disabling services; it's a legit practice if you know what you're doing, IMO.
 

All times are GMT -4.