Windows Firewall with Advanced Security (Guide for Vista)

[Greg S]

Quote:

Originally Posted by sparviero

You can do that, enable, IPsec and Windows Firewall Audit Events

http://technet.microsoft.com/en-us/l...14(WS.10).aspx

After you do that, go Start ==> Run, type in eventvwr, the Event Viewer applet will load.

Open Windows Logs ==> Security, double click on Keywords ==> Audit Success or Audit Failure, you'll see popup, something like this.

Audit Success



Audit Failure


You can create custom fine-tuning view (by source) event log, and alert popup for permitted or blocked connection, if you wish or you need it, something like this.!

http://i25.tinypic.com/214n0k.png http://i28.tinypic.com/2vsj0c6.jpg


Have a nice day....

I've followed this to a T and do not get anything like the pictures you show. All I ever get is the message I manually type when creating it. How do you get this to work with a descriptive popup shown in your two pictures?

[m00nbl00d]

Quote:

Originally Posted by Greg S

I've followed this to a T and do not get anything like the pictures you show. All I ever get is the message I manually type when creating it. How do you get this to work with a descriptive popup shown in your two pictures?

You're half-blessed then, because I can't even make that command to work, at all. I get an error. I even copied and pasted it, and still an error message

No idea why, as it should work, if it works to others, I suppose.

[Greg S]

Quote:

Originally Posted by m00nbl00d

You're half-blessed then, because I can't even make that command to work, at all. I get an error. I even copied and pasted it, and still an error message

No idea why, as it should work, if it works to others, I suppose.

Yea, I have no problem with the popup displaying the popup title and message that I enter manually but that's it. I don't get anything like the two pics the other user posted. When in the wizard, the only options are to start a program, email or display a message which I assume is the one that should be checked. I check it but as I said, it's only good for the manually edited message which is kinda worthless,lol. Like hey here's a popup alert saying what I told it to say now go to the event viewer and check for the info. Why not just keep the event viewer up and refresh from time to time and view the info instead of creating an extra step. Obviously we are missing something, what I don't know. I wish I did though, anyone else care to shed some light for us?

If it can be done and I can figure it out, I'll post a detailed way of doing it with pics. As it stands right now, I don't think it can be done. The only thing I've done different was this "/success:disable /failure:enable" as others have done in an attempt to cut down on the excess log entries which shouldn't make a difference.

Greg, m00nbl00d,

do you not get anything like seen in the attached screenshots? All I can think of is maybe this is a version-dependent function, maybe only working on Pro or Ultimate Win7? Which version are you two using?

[Greg S]

Quote:

Originally Posted by wat0114

Greg, m00nbl00d,

do you not get anything like seen in the attached screenshots? All I can think of is maybe this is a version-dependent function, maybe only working on Pro or Ultimate Win7? Which version are you two using?

I'm using 7 Professional. Yes, I get or have what you are showing and unless my eyes are deceiving me, I see two different things in your screenshot. The top item for me is just the normal Event Viewer whilst the bottom part of your upper screenshot is an event which has been double clicked. The bottom pic is the same as double clicking an event also. Is that correct? According to this post, http://www.wilderssecurity.com/showp...&postcount=135 I was under the impression that this attaching a task to the 5152,5157 events would yield something like what is shown in the two pics that sparviero has linked to in the bottom of that post and that they would be in the form of a popup information dialog. I can get a popup alert but it's nothing more than whatever I create typed manually in the next to the last step of the task Wizard. In other words, if I type in the wizard, Firewall Blocked this packet, when the firewall blocks that's all I get for a popup alert. I don't get any detailed info like in sparvieros screenshot.

[sparviero]

Hi Greg S,

You can create the custom fine-tuning log view if you are familiar with Visual C# .NET or Visual C#.
Otherwise you have to be satisfied with default popup.

The pop-ups are not needed, they are too boring.
Block all, permit only what you need, and forget.

Have Fun ...

[Greg S]

Quote:

Originally Posted by sparviero

Hi Greg S,

You can create the custom fine-tuning log view if you are familiar with Visual C# .NET or Visual C#.
Otherwise you have to be satisfied with default popup.

Ah, mystery solved. I was hoping for popups like the pictures you posted where detailed info is given about a block.

[m00nbl00d]

Quote:

Originally Posted by wat0114

Greg, m00nbl00d,

do you not get anything like seen in the attached screenshots? All I can think of is maybe this is a version-dependent function, maybe only working on Pro or Ultimate Win7? Which version are you two using?

I'm using Windows 7 Ultimate. The problem is that the command at Technet page fails to work with me. I don't remember the error right now, but it will check later.

I'm wondering if the problem is the full command being in English I highly doubt that, because so many other Windows commands are typed only in English and they are accepted, as they should. But, what other reason could there be for it not to apply correctly and giving an error? It beats me.
It could not had been a misspelling, because I copied and pasted the full command from the Technet page.

That's why I've been using TCPView to see what start xyz connection, until I find something else that fits my needs.

Quote:

Originally Posted by m00nbl00d

But, what other reason could there be for it not to apply correctly and giving an error?

That copy/paste method is what I've used no problem. I assume you open a command line as administrator?

[m00nbl00d]

Quote:

Originally Posted by wat0114

That copy/paste method is what I've used no problem. I assume you open a command line as administrator?

Yes, I have.

[Greg S]

Quote:

Originally Posted by m00nbl00d

Yes, I have.

Not that it should matter but when you open up cmd, which directory are you in. Normally this shouldn't make a difference but from personal experience, it does for me. Admin cmd should default to system32 and mine does. I paste the snippet in that directory within cmd and it works for me. Just out of curiousity, can you paste the code you are trying to use?

Code:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:enable

I have a question, is there another option to tweak this further? I don't need a listing in event viewer for the default block of inbound, just outbound. Well actually I don't need it since I have outbound setup with all that I want but it would be nice to have just in case. Is that doable?

[sparviero]

Quote:

I have a question, is there another option to tweak this further? I don't need a listing in event viewer for the default block of inbound, just outbound.

Of course, first disable previous settings, run this command.

Quote:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

net stop MPSSVC

net start MPSSVC

Then do this.

Quote:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

net stop MPSSVC

net start MPSSVC

and from 'Custom Views' (Blocked Connection views) delete Event ID:5152

-open run.., type in wf.msc
-open 'Windows Firewall Properties'
-under 'Profile' (Domain,Private,Public), go 'Settings' ==> 'Customize'
-under 'Firewall setings' (Display notifictions...blocked from receiving inbound connections)
'Display a notificatio: to NO

Have Fun ...

[Greg S]

Quote:

Originally Posted by sparviero

Then do this.



net stop MPSSVC

net start MPSSVC

and from 'Custom Views' (Blocked Connection views) delete Event ID:5152

Have Fun ...

Very Good! This cuts down quite a bit of extra fluff in the Event Viewer for blocking. Thanks

Is it just me or outside of WinUpdates, MSE etc.., the svchost.exe is constantly trying to gain outbound to a supposed Microsoft site? I checked one which has the most blocked attempts. It has a broad IP range but most of the info pointed to MSN and Hotmail. I don't use either. All works well here blocking these so I'll leave it as is unless you guys know of any reason why they should be allowed??

[m00nbl00d]

Quote:

Originally Posted by Greg S

Very Good! This cuts down quite a bit of extra fluff in the Event Viewer for blocking. Thanks

Is it just me or outside of WinUpdates, MSE etc.., the svchost.exe is constantly trying to gain outbound to a supposed Microsoft site? I checked one which has the most blocked attempts. It has a broad IP range but most of the info pointed to MSN and Hotmail. I don't use either. All works well here blocking these so I'll leave it as is unless you guys know of any reason why they should be allowed??

That's a good question. I've been narrowing down the IPs MSE and Windows Update needs, and I have noticed that MSE makes connections to IPs that seem to belong to Hotmail IP range.


By the way, it also makes connections - needed ones - to this IP range http://www.dshield.org/ipinfo.html?ip=92.123.154.81

NetRange: 92.0.0.0 - 92.255.255.255 -Edit- This all IP range won't be needed, because some IPs are not from akamai, oddly (Example: http://www.dshield.org/ipinfo.html?ip=92.0.0.0)

More may be made, but they are different every time, so it will take a few time to spot it all. lol

[Greg S]

Quote:

Originally Posted by m00nbl00d

That's a good question. I've been narrowing down the IPs MSE and Windows Update needs, and I have noticed that MSE makes connections to IPs that seem to belong to Hotmail IP range.


By the way, it also makes connections - needed ones - to this IP range http://www.dshield.org/ipinfo.html?ip=92.123.154.81

NetRange: 92.0.0.0 - 92.255.255.255

More may be made, but they are different every time, so it will take a few time to spot it all. lol

I don't recognize that range but the name looked familiar for me with another range. Speaking about MSE, I've noticed that it does something odd through win updates for me. The MSE updates come through win updates. I'm set to download but let me choose when to install. After a download, I get the usual tray icon that updates are ready. Sometimes I'm busy with something on the laptop and don't install right then. After a certain amount of time, I get an alert from MD saying some process is wanting outbound connection, I click deny through about three prompts and all of sudden the MSE update is installed without my consent. Strange to say the least.

Forgot to mention, I also get alot of outbound denies with svchost.exe for comodoca.com. I don't understand that one either unless it's for CTM. As far as I know CTM doesn't check for updates and it's done manually which I never do.

[m00nbl00d]

How many IPs have you guys spotted so far for Windows Update?

I've come across some, but so far they all belong to IP range 65.52.0.0 - 65.55.255.255

wat0114 as spotted from this one as well, and one more: 207.46.0.0 - 207.46.255.255

It would be great if you could also add more. The more the better. lol

-Edit-

These three IPs seem to be needed: 92.123.154.81; 92.123.154.82; 92.123.154.72 (http://www.dshield.org/ipinfo.html?ip=92.123.154.81), because I keep seeing them being blocked when performing Windows Updates.

[Greg S]

Quote:

Originally Posted by m00nbl00d

How many IPs have you guys spotted so far for Windows Update?

I've come across some, but so far they all belong to IP range 65.52.0.0 - 65.55.255.255

wat0114 as spotted from this one as well, and one more: 207.46.0.0 - 207.46.255.255

It would be great if you could also add more. The more the better. lol

-Edit-

These three IPs seem to be needed: 92.123.154.81; 92.123.154.82; 92.123.154.72 (http://www.dshield.org/ipinfo.html?ip=92.123.154.81), because I keep seeing them being blocked when performing Windows Updates.

Mine are essentially the same with the exception of the 92.123 range. To be honest, everything else is blocked for svchost with no ill effects. But, I also am only a little over two weeks into running Advanced Security full time. I don't know how detrimental it is to be blocking all this extra svchost.exe outbound stuff but so far so good with it all being blocked except for Win/Mse updates.

I don't know how outdated MD 2.6 is but here is the Trusted Network group. The first four are for Microsoft and the last range is for Verisign. Looks a little loose to me. I've mentioned this to someone, I think it was wat, most of those in MD's trusted range for Microsoft seem to be for Ads of some kind.

[m00nbl00d]

Quote:

Originally Posted by Greg S

Mine are essentially the same with the exception of the 92.123 range. To be honest, everything else is blocked for svchost with no ill effects. But, I also am only a little over two weeks into running Advanced Security full time. I don't know how detrimental it is to be blocking all this extra svchost.exe outbound stuff but so far so good with it all being blocked except for Win/Mse updates.

I don't know how outdated MD 2.6 is but here is the Trusted Network group. The first four are for Microsoft and the last range is for Verisign. Looks a little loose to me. I've mentioned this to someone, I think it was wat, most of those in MD's trusted range for Microsoft seem to be for Ads of some kind.

Attachment 223265

Thanks! Much appreciated!

I've come across this article/question in another forum, related to Windows Update IPs (http://www.eggheadcafe.com/software/...ws-update.aspx) and from the mentioned ones:

131.107.0.0/16 is part of Microsoft (http://www.dshield.org/ipinfo.html?ip=131.107.0.0) (You have this range in your MD)

http://www.dshield.org/ipinfo.html?ip=207.46.0.0 also

http://www.dshield.org/ipinfo.html?ip=64.4.0.0 Hotmail

http://www.dshield.org/ipinfo.html?ip=65.52.0.0 This one was already mentioned by me and wat0114.

208.111.148.50 - http://www.dshield.org/ipinfo.html?ip=208.111.148.50 - AS Name: LLNW - Limelight Networks, Inc. ?

Well, so on... lol

You get the picture.

-Edit-

I wonder why Windows firewall won't accept domains instead of IPs.

[Greg S]

Quote:

Originally Posted by m00nbl00d

131.107.0.0/16 is part of Microsoft (http://www.dshield.org/ipinfo.html?ip=131.107.0.0) (You have this range in your MD)

No I don't have anything for that, deny or allow.

Quote:

Originally Posted by m00nbl00d

http://www.dshield.org/ipinfo.html?ip=65.52.0.0 This one was already mentioned by me and wat0114.

Yes, this one is part of MD's Trusted Network range for MS.


Here is all the svchost.exe deny's that I have in MD. As mentioned, some of this may be legit I'm not for sure because I'm not smart enough to know if they are or not. These were at one time manually denied but with Advanced Seurity, and using the IP ranges for MS updates that you and wat mention, they never get a chance to now be questioned by MD. I really do wonder if any of them are legit but hey, everything updates and works well here so they haven't been allowed through Advanced Security and are denied by MD.

[m00nbl00d]

Quote:

Originally Posted by Greg S

No I don't have anything for that, deny or allow. [...]

Yes, you do. It's the IP range 131.107.0.0 - 131.107.255.255.

[Greg S]

Quote:

Originally Posted by m00nbl00d

Yes, you do. It's the IP range 131.107.0.0 - 131.107.255.255.

Ah, you are correct. I was thinking in terms of Deny. Yes that also is part of MD's Trusted Network range for MS but it is not part of any rule I have for Advanced Security and svchost.exe tied to the service of winupdates or at least I don't think so,lol. I better go and check that right now.

[Greg S]

Quote:

Originally Posted by m00nbl00d

How many IPs have you guys spotted so far for Windows Update?

I've come across some, but so far they all belong to IP range 65.52.0.0 - 65.55.255.255

wat0114 as spotted from this one as well, and one more: 207.46.0.0 - 207.46.255.255

.

Yea, I know I've gone back to your original post but it is also a follow up to my checking Advanced Security. Here's what I have for WinUpdates/MSE

Code:

Protocol=TCP
Direction=outbound
Remote Ports=80, 443
Remote Addresses= 
207.46.0.0/16
65.54.95.0/24
65.55.0.0/16

I just checked WinUpdates and then manually checked MSE. There was a ton of blocks in the Event Viewer for 65.54.xx.xx. It made no difference to either, both connected fine.

Quote:

Originally Posted by Greg S

Here's what I have for WinUpdates/MSE

Code:

Protocol=TCP
Direction=outbound
Remote Ports=80, 443
Remote Addresses= 
207.46.0.0/16
65.54.95.0/24
65.55.0.0/16

Exactly what I have and so far haven't needed to add to them

[m00nbl00d]

Quote:

Originally Posted by wat0114

Exactly what I have and so far haven't needed to add to them

I only have 65.52.0.0 - 65.55.255.255 and 207.46.0.0 - 207.46.255.255. Everything seems to work fine.

65.52.0.0 - 65.55.255.255, obviously handles 65.54.95.0/24 and 65.55.0.0/16.

It does take, for example, like 2/3 more seconds to verify for MSE updates in a relative's system, because some IPs are obviously being blocked and new ones trying to be connected at.

-Edit-

It is needed to allow either one or both these IPs: 92.123.154.82; 92.123.154.81, if anyone is running Microsoft Security Essentials, otherwise it will fail to update.

-Edit-

You also will need to allow either or both 173.223.232.50; 173.223.232.10. Otherwise, Windows Update checks for updates, but will display an error message and won't transfer them.

[Greg S]

Quote:

Originally Posted by m00nbl00d

I only have 65.52.0.0 - 65.55.255.255 and 207.46.0.0 - 207.46.255.255. Everything seems to work fine.

65.52.0.0 - 65.55.255.255, obviously handles 65.54.95.0/24 and 65.55.0.0/16.

It does take, for example, like 2/3 more seconds to verify for MSE updates in a relative's system, because some IPs are obviously being blocked and new ones trying to be connected at.

-Edit-

It is needed to allow either one or both these IPs: 92.123.154.82; 92.123.154.81, if anyone is running Microsoft Security Essentials, otherwise it will fail to update.

-Edit-

You also will need to allow either or both 173.223.232.50; 173.223.232.10. Otherwise, Windows Update checks for updates, but will display an error message and won't transfer them.

Are you running the Beta of MSE. Mine just now updated to what I think is a release version of the Beta. Anywho, MSE now needs new rules for updating. A rule for msseces.exe is now required and possibly NisSrv.exe. Event Viewer shows them in the 64.xxx.xxx.xxx range. I wish there was an MS site to shed some light on what specifically needs allowed for MSE.