windows services and internet access.

[argus tuft]

Hi all,
My question is questions are basically this:
Which windows services actually require internet access in order to function properly?
I use comodo fw, and so far, alg.exe, svchost.exe, and system all have pretty lax rules set, and I would like to tighten them up.

Does svchost actually need to access any site other than windows update?
I suspect not, if that is the case, what ip / ip range do I need to allow? ie, what;s the actual ip of http://update.microsoft.com/windowsu....aspx?ln=en-us

As I see it, limiting svchost to accessing windows update would cut down on all those (for eg) "itunes.exe may be using svchost to connect to the internet" popups, as comodo would then automatically block any attempts to go to an ip that wasn't windows update.

And what about alg.exe, and system? Is there any need to allow them access?

Thanks, argus

[WSFuser]

svchost.exe would also need access for DHCP/DNS.

alg.exe is used for ICS and I think the Windows Firewall. If you use neither it can be blocked.

[lucas1985]

Quote:

Originally Posted by WSFuser

svchost.exe would also need access for DHCP/DNS

and Windows Updates
You should make rules for DNS lookups, DHCP and Windows Updates and block the other instances of svchost.exe

[ThunderZ]

alg.exe can be turned off via Services if you are not using the Windows FW or ICS. One less thing to be concerned with and a few less K`s of memory used.

[farmerlee]

Well if you really want, you can deny all windows services access to the internet and then just work around the limitations.

[Climenole]

Hi argus tuft

Quote:

Originally Posted by argus tuft

Does svchost actually need to access any site other than windows update?
I suspect not, if that is the case, what ip / ip range do I need to allow? ie, what;s the actual ip of http://update.microsoft.com/windowsu....aspx?ln=en-us

Svchost may also access to Network Time Protocol sites but this service is useless. (The PC clock keep the time and date: if not change the battery...)

I you want to makes rules to allow Windows Updates to a specific range of IP addresses: good luck! This is almost unmanageable: there is different IP ranges including some non-M$ like akamai needed to access the updates...

Worst: these IP ranges changes with the time...

And don't expect any documentation from the M$ clowns about this: they don't care.

The best you can do is keep runnings only the needed services...
Some hints here: http://www.theeldergeek.com/services_guide.htm

and may be closed some useless open ports with "Windows Worms Doors Cleaner" : http://www.firewallleaktester.com/tools_list.htm

[Seer]

Hello.

Don't use your firewall for blocking Windows services.

Quote:

Originally Posted by Climenole

The best you can do is keep runnings only the needed services...

Follow this advice.

Cheers.

[Climenole]

Hi The Seer

Quote:

Originally Posted by The Seer

Follow this advice.

I hope so !

This morning I help a user on a MS News Group with a Fast User Switching problem... I ask him to give me the list of the services runnings on his PC.

Almost all services was started automatically !!!

Including many of them related to local network and connections to a domain on a W server (the user have a standalone PC) !

The Elder Geek web site is a reliable reference for this. Keep it in your favourites.

Have a nice day.

[Seer]

Hello.

Quote:

Originally Posted by Climenole

The Elder Geek web site is a reliable reference for this. Keep it in your favourites.

And the Black Viper is back! I have him in my favorites also.

Cheers.

[Climenole]

Hi The Seer

Quote:

Originally Posted by The Seer

Hello.

And the Black Viper is back! I have him in my favorites also.

Cheers.

Great News ! Finally he's back ! Super !

Thank you for this information.

[Stem]

Hello argus tuft,

Such as "ALG" this is basically an FTP client, used by 3rd party(and windows) to download. I still need to find a reason to allow this.

But please be carefull on the services you disable, as stoppping some may only be seen later for nothing more than being unable to defrag the HD, but, disable such as for example "Remote Procedure Call (RPC) Service" will stop you using your OS.

If you are to follow this path of disabling windows services,... make backup, and only disable one service at a time (then check for possible problems).

I would check out BV's Multiple Configurations page, especially if you want to tweak your services without worrying too much about getting overzealous.

[charincol]

Quote:

Originally Posted by WSFuser

alg.exe is used for ... the Windows Firewall

That's what we're told by MS. Windows Firewall runs perfectly fine with Application Layer Gateway service disabled on my machines.

[ThunderZ]

Quote:

Originally Posted by charincol

...............Application Layer Gateway service disabled on my machines.

Some where I read, got the impression ALG was needed for (some) FTP transactions. Wrong?

[eniqmah]

I enlist the help of batch files.
Most of the services are so useless, they only kick in once in a while. (wuauserv, spooler, workstation, server, etc...) So...disable them all, make a batch file, execute to turn them on and do what you need to do, then turn them off. In the mean time, your prescious RAM can be used for something more useful...pr0n? j/k

[charincol]

Quote:

Originally Posted by ThunderZ

Some where I read, got the impression ALG was needed for (some) FTP transactions. Wrong?

Don't use FTP much so can't confirm or deny. Windows Firewall opens ports just fine for the applications set up on it without alg.exe running. That's all I need.

[Climenole]

Hi ThunderZ

Quote:

Originally Posted by ThunderZ

Some where I read, got the impression ALG was needed for (some) FTP transactions. Wrong?

Downloads are managed by Backgroung Intelligent Transfer Service for Windows updates. For ALG, as far as I know it's used for Windows Firewall and the Internet Connection Sharing.

For sure ALG is used to transfer files downloaded by the BITS to the ICS server and then to the client PC in the ICS but is this can be describe as "an FTP" service ?

"Hmgrmgrmgrm" dixit Marge Simpson...

It seems that's correct :

« Application Layer Gateway (ALG) Service

This subcomponent of the Internet Connection Sharing (ICS)/Internet Connection Firewall (ICF) service provides support for plug-ins that allow network protocols to pass through the firewall and work behind ICS. Application Layer Gateway plug-ins have the power to open ports and change data (such as ports and IP addresses) embedded in packets. File Transfer Protocol (FTP) is the only network protocol with a plug-in that is released with Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

The ALG FTP plug-in is designed to support active FTP sessions through the network address translation (NAT) engine used by these components. The ALG FTP plug-in does this by redirecting all traffic passing through the NAT destined for port 21 to a private listening port in the 3000-5000 range on the loopback adapter. The ALG FTP plug-in then monitors and updates FTP control channel traffic so that the FTP plug-in can plumb port mappings through the NAT for the FTP data channels. The FTP plug-in will also update ports in the FTP control channel stream. »

Ref.:http://www.microsoft.com/technet/sec...s_ms_prod.mspx


Poeple of M$ are always funny and full of suprise !

[ThunderZ]

Thanks Climenole. At least now I know my memory has not completely left me. Now if I could always remember where I left it.....

[Climenole]

Hi charincol

Quote:

Originally Posted by charincol

That's what we're told by MS. Windows Firewall runs perfectly fine with Application Layer Gateway service disabled on my machines.

May be because ALG is used only with Internet Connection Sharing...
Without ICS, ALG service seems to be useless.

As usual, there is no clear statement from MS about this. They don't care!

[Climenole]

Hi ThunderZ

Quote:

Originally Posted by ThunderZ

Thanks Climenole. At least now I know my memory has not completely left me. Now if I could always remember where I left it.....

You're lucky ThunderZ to be a human being !

Personnaly, I have no memory at all except Google and other search engines.

I'm glued to this computer for a too long time and this transform me into a kind of zombie with an external brain.
Is this what they call "bio-Technology"

Is there a life outside Internet? I have no idea...

I'm going to ask this to Master Google !

[charincol]

Quote:

Originally Posted by Climenole

May be because ALG is used only with Internet Connection Sharing...
Without ICS, ALG service seems to be useless.

A couple of months ago, I had a Win98 computer getting internet from a WinXP one that had ICS turned on and a wireless connection. I know that I had messed around with seeing if ICS would work without ALG, but I can't remember what the outcome was. I do know for sure that trying to run ICS without ALG won't hurt anything, so it's worth a try to turn it off and try to run with 1 less service.

Quote:

Originally Posted by Climenole

As usual, there is no clear statement from MS about this. They don't care!

I'm shocked!

[Climenole]

Hi charincol

Quote:

Originally Posted by charincol

I'm shocked!

This is only an "auto-censored" comment about MS.

This is nothing compare to many of my comment in the MS News Groups about their lacks.
Anyway it seems they like to be "shocked" since I'm still in their mvp sect.

[charincol]

It's been a little while since I had turned on the WinXP computer referred to above,(it was running my private World of Warcraft server used by me and my daughter, I just hadn't played in a while) and I checked if the ALG service was disabled. It is, and I haven't changed any network settings on it since the Win98 computer was getting internet access from it.

Also, Black Viper says it's not needed after SP2. Application Layer Gateway service is another totally useless windows component wasting resources in most (if not all) Windows computers.

[argus tuft]

Thanks everyone for your replies, I had no idea what I was up against!
I've disabled the alg service, blocked [system] from any access, and basically let svchost do whatever it wants to. '

Does explorer.exe need access?

[Climenole]

Hi argus tuft

Quote:

Originally Posted by argus tuft

Does explorer.exe need access?

Explorer.exe (the "Windows explorer") is always used to launch other programs including programes which connect to internet.

Explorer.exe must be authorised by the FW to "access" in order to launch other programs but not directly to internet...