Windows Firewall with Advanced Security (Guide for Vista)

[Stem]

Quote:

Originally Posted by ruinebabine

And it seems, from this post , that this tweak should also be working on win 7.

Thanks for finding that.


- Stem

[firzen771]

Quote:

Originally Posted by Stem

Hi firzen771,

It all depends on your setup.

If you are on an home LAN and you know all the nodes(PCs) are clean, then it is not really a problem with no boot protection.
If connecting directly to the Internet, then some caution is needed, certainly at login.


- Stem

alright, thx, ill be on a university network so i guess it would be nice to have this function

Quote:

Originally Posted by Stem

With the actual service disabled, as it is by default, then blocking it should not cause issue.
I will check it out on Win7 x64 as I do want to make win updates over the weekend on that setup.

Thanks Stem. I tried again and took some screen shots. With three of the svchost Block rules disabled and out of the picture, leaving only the Routing and Remote access service "Block" rule enabled, wuauserv seems clearly to be blocked when I attempt Windows update scan. PID 920 is blocked and the only service spawned by that svchost process that appears related to Windows updating is wuauserv. Please note the svchost - wuauserv service "Allow" rule is enabled as well.

[Stem]

Hi wat114,

Quote:

Originally Posted by wat0114

I tried again and took some screen shots.

From the log I take it that your ISP is running IPV6 across its network.
If it is directly related to IPV6 I cannot check, as my ISP is not using the protocol (it struggles with IPV4 lol).


- Stem

Quote:

Originally Posted by Stem

Hi wat114,

From the log I take it that your ISP is running IPV6 across its network.

I have no idea How can you tell from the log? I'm also connected to a home router (ISP-supplied D-Link on Telus' DSL).

[Stem]

Quote:

Originally Posted by wat0114

How can you tell from the log?

Ignore that, for some reason I thought Protocol 6 was IPV6, I only realised what I had done when I came back to forum.


I just made win7 updates, and yes, you are correct. If the router service is directly blocked, then that blocks win updates. I just did not have a rule to specifically block(or allow) the router service.


- Stem

Thank you for confirming. Maybe it's a bug then, because that "Block" rule is for the specific Routing&Remoteaccess service, which of course is disabled.

[sparviero]

Hi wat0114

Quote:

Maybe it's a bug then, ...

Not a bug, I would say rather that missconfigured.

First you should configure service and Loacal Area Connection .

Go service,

1. stop DNS Client ==> Startup Type: Disabled

2. Windows Update ==> Startup Type: Manual

Open a command window as administrator and type the following commands:
ipconfig /flushdns

Open Loacal Area Connection

configure something like this:


Open Windows Firewall with Advanced Security

1. Occurs if all inbound connections are blocked and outbound connections that do not match a rule are blocked

2. Delete all default (you can restore Default Policy if you need it) and your custom rule.All !

3. Creates new Outbound Rules (separate UDP/TCP for same app.) something like this:

For Windows Update rule (both UDP/TCP) select svchost as the program, then the service Windows Update-wuauserv
No more unsolicited/auto outbound connection !

I wish you a very beautiful day...

Thank you for your time sparviero! However, I'm not so sure I want to go that route, disabling dns service then assigning separate dns rules for every Internet venturing app, although I've done that in the past with 3rd party firewalls. I know for sure my current svchost ruleset blocks it unless I disable two of the Block rules,so I think I'll stick with it for the time being. Take care

[pandlouk]

Quote:

Originally Posted by wat0114

Thank you for your time sparviero! However, I'm not so sure I want to go that route, disabling dns service then assigning separate dns rules for every Internet venturing app, although I've done that in the past with 3rd party firewalls. I know for sure my current svchost ruleset blocks it unless I disable two of the Block rules,so I think I'll stick with it for the time being. Take care

wat0114 just pay attention that, when you block a service, windows firewall seems to block also the services and drivers that it depends on to run properly.

When you block "Routing and remote access" is also blocked the service "Remote Access Connection Manager"(RasMan), and cause "Windows Update" to fail (have not figured why though).
Same if you block ICS or RasAuto.

If you deactivate "Remote Access Connection Manager" windows update will proceed without problems.

Panagiotis

edit: 10 minutes ago it worked and now it doesn't. Probably because both depend on "Remote Procedure Call (RPC)" service.

Quote:

Originally Posted by pandlouk

wat0114 just pay attention that, when you block a service, windows firewall seems to block also the services and drivers that it depends on to run properly.

When you block "Routing and remote access" is also blocked the service "Remote Access Connection Manager"(RasMan), and cause "Windows Update" to fail (have not figured why though).
Same if you block ICS or RasAuto.

If you deactivate "Remote Access Connection Manager" windows update will proceed without problems.

Panagiotis

Interesting how one action influences another. I never before thought of the dependencies of a service possibly having an effect on the firewall rules. Thank you for the information, Panagiotis!

[pandlouk]

Quote:

Originally Posted by wat0114

Interesting how one action influences another. I never before thought of the dependencies of a service possibly having an effect on the firewall rules. Thank you for the information, Panagiotis!

You are welcome.
I edited my previous post. before you replied. It seems to be caused by the "Remote Procedure Call (RPC)" service.

Panagiotis

[Stem]

Quote:

Originally Posted by pandlouk

wat0114 just pay attention that, when you block a service, windows firewall seems to block also the services and drivers that it depends on to run properly.

When you block "Routing and remote access" is also blocked the service "Remote Access Connection Manager"(RasMan), and cause "Windows Update" to fail (have not figured why though).

It is the "Routing and remote access" that depends on "Remote Access Connection Manager" not the other way around.
If any services/system components depended on the "Routing and remote access" service, then they would have problems as that service is disabled by default.


- Stem

[pandlouk]

Quote:

Originally Posted by Stem

It is the "Routing and remote access" that depends on "Remote Access Connection Manager" not the other way around.
If any services/system components depended on the "Routing and remote access" service, then they would have problems as that service is disabled by default.


- Stem

Actually I said the same thing...
"...when you block a service, windows firewall seems to block also the services and drivers that it depends on to run properly." => "Routing and remote access" depends on "Remote Access Connection Manager"....

Panagiotis

[Escalader]

Here are my current settings for w7 64 bit update services.

These x@+n services are like a project planning network with many dependences. If I had the time and energy I could produce a network chart/diagram depicting every one.

It's possible to disable one then without being aware of the downstream dependences kill a few other services you really need!

Be real careful.

[sparviero]

Hi wat0114

If you started with this configuration:

Quote:

All inbound connections are Blocked and Outbound connections that do not match a rule are Blocked enabled

Global blocked rule is being used, now is needed the permission rules, no other that block again.

Because you make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed.

As soon as a network packet matches a rule, that rule is applied, and processing stops.
For example, network packet is first compared to the rules.
If it matches one, that rule is applied and processing stops.
The packet is not compared to the other rules. If the packet does not match allow rule, then it is compared to the block rules.

If it matches one, the packet is blocked, and processing stops, and so on.

I wish you a very beautiful day...

Quote:

Originally Posted by sparviero

Hi wat0114

If you started with this configuration:



Global blocked rule is being used, now is needed the permission rules, no other that block again.

Because you make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed.

As soon as a network packet matches a rule, that rule is applied, and processing stops.
For example, network packet is first compared to the rules.
If it matches one, that rule is applied and processing stops.
The packet is not compared to the other rules. If the packet does not match allow rule, then it is compared to the block rules.

If it matches one, the packet is blocked, and processing stops, and so on.

I wish you a very beautiful day...

Hi sparviero,

That is my default configuration as the Public profile is also active. I've taken your advice to heart and simplified the rules, purging most of the Block rules as a result. I get carried away sometimes creating all kinds of rules, maybe because it helps me better understand things and keeps me more or less sharp

[sparviero]

Ok, since you are always more sharp , a beautiful and simple last aid.

Windows provides advanced users with a flexible interface through which they may configure and monitor the system from one place, the Microsoft Management Console (MMC).

Creating a Console File:

Open Start ==> Run, type mmc. Microsoft Management Console starts with an empty root console.

On the Console menu open File open Add/Remove Snap-in.

Add or Remove Snap-in box starts, from Available snap-ins: Add> Selected snap-ins:

Something like this:


Save as (ex. Security Control).

Go Start ==> All Programs ==> Administartive Tools your <console name> or right-click on it and Pin to Start Menu or Taskbar

Have fun and I wish you a very beautiful day...

Very nice again sparviero, thank you

[m00nbl00d]

I'd like to know if any one is using Windows Live Messenger and which rules have you applied.
I already got all rules writen in a paper, after checking them out with Outpost Firewall Pro.

Quote:

Windows Live Messenger

Process: MSNMSGR.EXE
Allow Outbound to Port 7001: TCP; Outbound; 7001; Allow
Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow (Stateful Inspection)
Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow
MSN Messenger Webcam: TCP; Outbound; 9010, 9000; Allow
MSN Messenger Voice communication (UDP): UDP; 6901; Allow
MSN Messenger Voice communication (TCP): TCP; Outbound; 6901; Allow
MSN Messenger RTP connection: UDP; 5004-65535; Allow
MSN Messenger Remote Assistance: TCP; Outbound; RDP; Allow
MSN Messenger file transfer: TCP; Outbound; 6891-6900; Allow
MSN Messenger connection: TCP; Outbound; 1863; Allow
MSN Messenger application sharing and whiteboard: TCP; Outbound; 1503; Allow
Allow UDP LDAP for Windows Live Messenger: UDP; Outbound; LDAP; Allow
Windows Live Messenger HTTPS connection: TCP; Outbound; HTTPS; Allow
Windows Live Messenger HTTP connection: TCP; Outbound; HTTP-83; Allow
Windows Live Messenger DNS UDP connection: UDP; DNS SERVERS; DNS; Allow
Windows Live Messenger Block 1900 port: UDP; 1900; Block

I want to give proper allow rules and deny rules (Which according to Outpost is one block rule.). But, actually, I'll also block remote assistance. I'm only looking for the basic rules which allows "conversation", and sending/receiving stuff.
I want to deploy this into a family member, but to be honest, I'm not a user of Windows Live Messenger, and I can't ask him to test because his on holidays, and I'd like to have it all set before he arrives.

Anyway, if anyone already has rules set in place, and wouldn't mind sharing, so I could give it a run and see if it fits the needs, it would be great. I don't want to give more permissions that it needs to be functional, nor less permissions and then having to check it all over again.

And, WLM is just one of the quite few apps I need to look into, and would be a time saver, for sure.


Thanks

Edit: Hope you guys and girls understand what the rules are.

[Konata Izumi]

can one import/export rules for Windows Firewall with Advanced Security for windows 7?

i want to make every traffic denied except Windows Update and Internet Explorer.

Quote:

Originally Posted by Konata Izumi

can one import/export rules for Windows Firewall with Advanced Security for windows 7?

i want to make every traffic denied except Windows Update and Internet Explorer.

You're blocking a lot with that approach. What about dns, dhcp, application updates, etc...?

It's possible to export/import the rules. See screenshot If required you can easily restore the default policy.

@M00nBl00d, I don't use Live Messenger, but that rule set is probably excessive. Clearly, it is covering every possible scenario imaginable.

[Konata Izumi]

Quote:

Originally Posted by wat0114

You're blocking a lot with that approach. What about dns, dhcp, application updates, etc...?

It's possible to export/import the rules. See screenshot If required you can easily restore the default policy.

@M00nBl00d, I don't use Live Messenger, but that rule set is probably excessive. Clearly, it is covering every possible scenario imaginable.

I see. Can you create me a ruleset that will block everything but the 'most needed' rules for normal browsing in IE and able to do Windows Update.
I can then modify the ruleset to whitelist the very few 3rd party apps I have.

[m00nbl00d]

Quote:

Originally Posted by wat0114

[...]

@M00nBl00d, I don't use Live Messenger, but that rule set is probably excessive. Clearly, it is covering every possible scenario imaginable.

Yes, indeed. Most likely all that will be needed will be

MSN Messenger file transfer: TCP; Outbound; 6891-6900; Allow (Pretty sure it is needed to transfer files... Makes sense, at least taking in consideration the rule's name. lol)

Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow (Stateful Inspection)
Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow

STUN seems to be needed

Quote:

STUN is a light-weight client-server protocol requiring only simple query and response via UDP. The client side is implemented in the user's communications application, such as a Voice over Internet Protocol (VoIP) phone or instant messaging client.

Quote:

STUN usually operates on a User Datagram Protocol (UDP) messaging transport. Since UDP does not provide reliable transport guarantees, reliability is achieved by application-controlled retransmissions of the STUN requests. STUN servers do not implement any reliability mechanism for their responses. When reliability is mandatory, Transmission Control Protocol (TCP) may be used, but induces extra networking overhead.

Source: https://secure.wikimedia.org/wikipedia/en/wiki/STUN

Windows Live Messenger HTTPS connection: TCP; Outbound; HTTPS; Allow
Windows Live Messenger HTTP connection: TCP; Outbound; HTTP-83; Allow
Windows Live Messenger DNS UDP connection: UDP; DNS SERVERS; DNS; Allow (Obvious reasons)
Windows Live Messenger Block 1900 port: UDP; 1900; Block

I'll try to set those rules, and then see if my family members is able to work just fine with it, which I think he will. Those rules seem to be all that is actually needed. No webcam, no remote assistance...

Quote:

Originally Posted by Konata Izumi

I see. Can you create me a ruleset that will block everything but the 'most needed' rules for normal browsing in IE and able to do Windows Update.
I can then modify the ruleset to whitelist the very few 3rd party apps I have.

Attached is a ss of my latest rules, built in part with the aid of rules I created using Jetico fw. You can create your IE or other rules based on mine if you like. You may need some "Core" rules at least for dhcp and dns. If you are not on a network, choose "Public" as the active profile and "All inbound connections are blocked" and "Outbound connections that do not match a rule are blocked". This way you will not actually have to create block rules, because anything without a rule will be blocked by default. I have created some block rules just because I like to do this sort of thing, rather than out of necessity

Quote:

Originally Posted by m00nbl00d

I'll try to set those rules, and then see if my family members is able to work just fine with it, which I think he will. Those rules seem to be all that is actually needed. No webcam, no remote assistance...

Those rules look good and might just work. You may only need HTTP 80, rather than 80-83 but not entirely sure.