Wilders Security Forums  

#201
October 13th, 2010, 02:44 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Just found an interesting article about ICMP rules; in this case for inbound control.

http://articles.techrepublic.com.com...1-5087087.html

I only had Destination Unreachable and Time Exceeded allowed. Not sure if others are really necessary, though.

Anyway, any of you might be interested in the article. Just thought of sharing it.
#202
October 13th, 2010, 03:07 PM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Just found an interesting article about ICMP rules; in this case for inbound control.

ICMP: echo reply, time exceeded and unreachable inbound is okay afaik. Echo request outbound only is advised. You will want echo reply inbound and echo request outbound as the only other two necessary. I'm not so sure there's anything wrong with letting broadcasts outbound (as I've done), as long as inbound are blocked. You have to be careful not to get carried away with too much blocking, but I guess for most individual home pc's, it's probably harmless. Stem or someone else can better answer this for sure.

My inbound rules attached as well. Certainly a lot of unnecessary ones because inbound is blocked by default, but, again, created for my own entertainment purposes.
Attached Thumbnails: Win7firewall_rules-inbound_10122010.png


Last edited by wat0114 : October 13th, 2010 at 03:19 PM.
#203
October 13th, 2010, 05:45 PM
Konata Izumi, Very Frequent Poster, Join Date: Nov 2008, Posts: 1,521
Re: Windows Firewall with Advanced Security (Guide for Vista)

Does the Win7 firewall have SPI?
I'm on a router with NAT but no SPI and/or firewall.
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.
#204
October 13th, 2010, 06:24 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by Konata Izumi
Does the Win7 firewall have SPI?
I'm on a router with NAT but no SPI and/or firewall.

Quote:
Windows Firewall with Advanced Security provides technologies that help protect your computer from unwanted network traffic. By performing stateful packet inspection and supporting Internet Protocol security (IPsec) authentication and encryption, Windows Firewall with Advanced Security helps to ensure that your computer receives only network traffic that is requested or that is from authorized computers.

http://technet.microsoft.com/en-us/l...80(WS.10).aspx
#205
October 13th, 2010, 09:46 PM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Just wondering if ICMP rules should be bound to specific ports? Maybe Stem will chime in.
__________________
~Rilla927~
#206
October 13th, 2010, 10:24 PM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by Rilla927
Just wondering if ICMP rules should be bound to specific ports?

Simple answer, no.
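The ICMP rule set wat0114 describes in #202 (echo reply, time exceeded and destination unreachable inbound; echo request outbound only), written out as an added example that is not from this thread, together with the answer to Rilla927's question in #205: ICMP rules are keyed by type and code, not by port. It drives netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security on Vista and 7, from PowerShell; the function name, rule names and descriptions are my own assumptions.

```powershell
# Added example, not from the original thread. Creates the ICMPv4 rule set
# discussed above with netsh advfirewall, the command-line front end to
# Windows Firewall with Advanced Security on Vista/7. Rule names and
# descriptions are assumptions; run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

function Add-IcmpRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][ValidateSet('in','out')][string]$Dir,
        [Parameter(Mandatory=$true)][int]$Type,      # ICMPv4 type number
        [string]$Code = 'any',                       # ICMPv4 code, or 'any'
        [Parameter(Mandatory=$true)][string]$Note
    )
    # ICMP has no port numbers. The rule is matched on protocol=icmpv4 plus
    # type,code; netsh rejects localport/remoteport on an ICMP rule, which is
    # the practical answer to the question in #205.
    & netsh advfirewall firewall add rule "name=$Name" dir=$Dir action=allow `
        "protocol=icmpv4:$Type,$Code" remoteip=any "description=$Note" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule '$Name'" }
}

# Inbound: only the messages a host must receive in response to its own traffic.
Add-IcmpRule -Name 'ICMPv4 Echo Reply in'              -Dir in -Type 0  -Note 'replies to our own pings'
Add-IcmpRule -Name 'ICMPv4 Destination Unreachable in' -Dir in -Type 3  -Note 'includes fragmentation-needed, used by path MTU discovery'
Add-IcmpRule -Name 'ICMPv4 Time Exceeded in'           -Dir in -Type 11 -Note 'TTL expired in transit; what tracert relies on'

# Outbound: echo request only. No inbound type 8 rule is created, so the
# host can ping others but does not answer pings from the network.
Add-IcmpRule -Name 'ICMPv4 Echo Request out' -Dir out -Type 8 -Note 'outgoing ping'

# Show what was stored: the Type/Code pair appears under the Protocol line
# of each rule, and there is no LocalPort/RemotePort line at all.
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern 'Rule Name:\s+ICMPv4' -Context 0,13
```

After running it, ping and tracert to a host you know answers should still work (echo reply and time exceeded get in), while the machine stops answering pings from the LAN. Leave the built-in Core Networking ICMPv6 rules alone: Vista and 7 run IPv6 by default and neighbor discovery is carried in ICMPv6, so blocking it breaks IPv6 connectivity rather than hardening it.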
#207
October 14th, 2010, 02:13 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Okay thanks.
__________________
~Rilla927~
#208
October 14th, 2010, 09:30 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by Escalader
Hello Thread:

Does WSQMCONS.EXE need dns and tcp connection to the www?

I'm wondering if you're asking because it's in the Outpost rules (I'm asking because I saw you starting an Outpost learning thread some time ago)? If so, I don't see DNS connection rules, only the following:

Quote:
Windows SQM Consolidator HTTPS connection: TCP; Outbound, HTTPS; Allow
Windows SQM Consolidator HTTP connection: TCP; Outbound; HTTP-83; Allow

Anyway, I'm also setting rules for Windows Firewall using the Outpost rules as a starting point, and from what I could understand that process belongs to Windows SQM Consolidator, which in turn is part of the Windows Messenger Service Quality Monitor (SQM). (http://www.greatis.com/vista/Utiliti...qmcons.exe.htm)

Something related to Windows Live & MSN Messenger, by sending info on how you make use of Messenger: http://forums.techguy.org/windows-vi...solidator.html

Maybe others will explain better, if I'm wrong. And, if I'm wrong, I'm just saying back what I've been reading, so don't be too harsh on me. lol

-Edit-

Which also makes me wonder why there would be any rules for Consent.exe (UAC) for

Quote:
Consent UI for administrative applications HTTP connection: TCP; Outbound; HTTP-83; Allow
Consent UI for administrative applications DNS UDP connection: UDP; DNS SERVERS; DNS; Allow

Does it really require Internet access?

The same would apply for these 3 rules, as well:

Quote:
Microsoft Windows Search Protocol Host DNS UDP connection: UDP; DNS SERVERS; DNS; Allow

Quote:
Microsoft Windows Search Filter Host HTTP connection: TCP; Outbound; HTTP-83; Allow
Microsoft Windows Search Filter Host DNS UDP connection: UDP; DNS SERVERS; DNS; Allow


Why would Windows Search want to connect to Microsoft?

Last edited by m00nbl00d : October 14th, 2010 at 10:05 PM.
#209
October 15th, 2010, 12:00 AM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Which also makes me wonder why there would be any rules for Consent.exe (UAC) for

Does it really require Internet access?

Hey, it makes me wonder, too, and I've been unable to find an explanation via Google as to why. I block it outright.
#210
October 15th, 2010, 12:45 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

In the most recent OP learning thread Stem had me block these but I guess it depends on your needs:

Feedback.exe
Explorer.exe
Searchindexer.exe
Searchfilterhost.exe
Mobysync.exe
LSASS.exe
Winlogon.exe
Services.exe
Wmiprvse.exe

http://www.wilderssecurity.com/showt...=280548&page=4
__________________
~Rilla927~
#211
October 15th, 2010, 09:32 AM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by Rilla927
In the most recent OP learning thread Stem had me block these but I guess it depends on your needs:

Feedback.exe
Explorer.exe
Searchindexer.exe
Searchfilterhost.exe
Mobysync.exe
LSASS.exe
Winlogon.exe
Services.exe
Wmiprvse.exe

http://www.wilderssecurity.com/showt...=280548&page=4

Thanks for the link.

-Edit-

I guess that if no rules are even created, in Windows Firewall, then no need to even care for it (Except for Feedback.exe, which belongs to Outpost.), unless there are some inbound rules.

Last edited by m00nbl00d : October 15th, 2010 at 09:39 AM.
#212
October 15th, 2010, 09:47 AM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by wat0114
Hey, it makes me wonder, too, and I've been unable to find an explanation via Google as to why. I block it outright.

Why do you block it? With a block all connections out if not matched, won't it be blocked by default? Or, is there some other default rule (by Microsoft) that allows it?

I'm guessing UAC connects with Microsoft to provide them with information about the processes users either allow or deny permission? No idea.

P.S: I've noted that, in one of your posts that are behind, you block access to Remote Registry service. Do you find that necessary? Won't disabling the service suffice? Or, there's something deep beneath that service that still allows some sort of connection?
#213
October 15th, 2010, 10:08 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Thanks for the link.

-Edit-

I guess that if no rules are even created, in Windows Firewall, then no need to even care for it (Except for Feedback.exe, which belongs to Outpost.), unless there are some inbound rules.

If they have access to the internet it is a possible open vector for malware, the way I understood it.
__________________
~Rilla927~
#214
October 15th, 2010, 10:17 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Why do you block it? With a block all connections out if not matched, won't it be blocked by default?

How did you end up with that rule for outbound? On all my profiles I have this (see picture). I want to have the same rule you have but I don't know how you did it. This doesn't make sense: I found the setting in each profile and set it to block outbound, and then I had no internet connection. I'm using the Public profile and it shows in the screenshot that Private is active. Does the order of the rules matter?
Attached Images
 
__________________
~Rilla927~

Last edited by Rilla927 : October 15th, 2010 at 10:56 AM.
#215
October 15th, 2010, 11:01 AM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

In mine, Public is active, and this is what I got

Attached: windows_firewall_block_all_unsolicited_outbound.jpg, windows_firewall_block_all_unsolicited_outbound2.jpg

Just went to Properties and then chose to Block outbound traffic.

When I first set up my Internet connection (direct connection), Windows asked me what I wanted to apply to it: Domain, Private or Public. Public is mine.
#216
October 15th, 2010, 11:41 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Thanks moonblood, I found the problem.
__________________
~Rilla927~
#217
October 15th, 2010, 11:45 AM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by Rilla927
Thanks moonblood, I found the problem.

What was it? If you could share, others who may be having the same problem could solve it. (And I'm also curious. lol)
#218
October 15th, 2010, 01:36 PM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Why do you block it? With a block all connections out if not matched, won't it be blocked by default? Or, is there some other default rule (by Microsoft) that allows it?

I'm using Jetico 2 fw lately.

Quote:
I'm guessing UAC connects with Microsoft to provide them with information about the processes users either allow or deny permission? No idea.

I'm not sure. I haven't really looked at the ip address origins yet.

Quote:
P.S: I've noted that, in one of your posts that are behind, you block access to Remote Registry service. Do you find that necessary? Won't disabling the service suffice? Or, there's something deep beneath that service that still allows some sort of connection?

Maybe, maybe not. I just create the rule, again, simply to help me understand things better (hands on helps me this way) even if it's not necessary. It doesn't hurt anyway.
#219
October 15th, 2010, 03:04 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by wat0114
I'm using Jetico 2 fw lately.

Oh, OK. Trying out other ones.


Quote:
Maybe, maybe not. I just create the rule, again, simply to help me understand things better (hands on helps me this way) even if it's not necessary. It doesn't hurt anyway.

I get you. I do that sometimes. And sometimes it's a good way of learning what rules really are.
#220
October 15th, 2010, 03:57 PM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Oh, OK. Trying out other ones.


Actually used it before, just recently renewed the license on it and using it to aid me in finalizing the Win7 fw ruleset, which I'm so close to finalizing. It's difficult to accurately build all the rules with Win7/Vista's fw because of the lack of pop-up functionality. Jetico's light, with apparently exceptional packet filtering capabilities, detailed logging, and a serious, Spartan-like GUI, so I've always had an affinity for it.
#221
October 15th, 2010, 04:19 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by wat0114
Actually used it before, just recently renewed the license on it and using it to aid me in finalizing the Win7 fw ruleset, which I'm so close to finalizing. It's difficult to accurately build all the rules with Win7/Vista's fw because of the lack of pop-up functionality. Jetico's light, with apparently exceptional packet filtering capabilities, detailed logging, and a serious, Spartan-like GUI, so I've always had an affinity for it.

Yeah, Microsoft could make it a lot easier, for example by having outbound blocked by default and then creating rules for well-known and digitally signed applications, checking hashes as well, and giving advanced users the opportunity to modify such rules.

Then again, third-party vendors would complain.

Anyway, I'm also doing the same using Outpost, in my case. I guess you know that by now, considering some of my previous posts regarding some rules. It helps a lot.
#222
October 15th, 2010, 07:11 PM
m00nbl00d, Incredibly Massive Poster, Join Date: Jan 2009, Posts: 6,557
Re: Windows Firewall with Advanced Security (Guide for Vista)

Some mind exercise.

Current situation: All inbound traffic blocked. This means what it means, all inbound traffic gets blocked.

Only as a mind exercise, imagine I'd block inbound to port 445. What would be the best way? Block for all programs and choose which port to block (445), or simply block inbound traffic to the port itself? I'm leaning towards the second option. Am I correct in assuming that?
#223
October 16th, 2010, 12:07 AM
wat0114, Posts: n/a
Re: Windows Firewall with Advanced Security (Guide for Vista)

I think your latter idea would work. If you see mine, 3rd rule from bottom inbound, I just used the built-in File and Printer sharing rule block to System.
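The two approaches m00nbl00d weighs in #222, written out as an added example that is not from this thread: a block rule scoped to the port for every program, the program-scoped variant, and a look at the built-in File and Printer Sharing rule wat0114 used instead. TCP 445 is SMB over TCP (direct hosting). The helper function and rule names are my own assumptions; everything goes through netsh advfirewall from an elevated PowerShell prompt on Vista/7.

```powershell
# Added example, not from the original thread. Rule names are assumptions;
# run from an elevated PowerShell prompt on Vista/7.
$ErrorActionPreference = 'Stop'

function Add-BlockRule {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string[]]$Match)   # extra netsh key=value tokens
    & netsh advfirewall firewall add rule "name=$Name" action=block @Match | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not create rule '$Name'" }
}

# Port-scoped (the second option in #222): any program, local TCP 445.
# WFAS evaluates block rules before allow rules, so this still wins if an
# installer or a Windows feature later adds an allow for SMB.
Add-BlockRule -Name 'Block SMB TCP 445 in - any program' -Match 'dir=in','protocol=tcp','localport=445'

# Program-scoped (the first option): same port, but only for the kernel SMB
# server, which rule listings show as "System" and netsh accepts as
# program=System. A user-mode program that bound port 445 itself would not
# be covered by this rule, which is why the port-scoped one is the safer choice.
Add-BlockRule -Name 'Block SMB TCP 445 in - System only' -Match 'dir=in','program=System','protocol=tcp','localport=445'

# Outbound as well, if this host should never speak SMB to other machines.
Add-BlockRule -Name 'Block SMB TCP 445 out' -Match 'dir=out','protocol=tcp','remoteport=445'

# The built-in rule wat0114 refers to: port 445 bound to program System, in
# the File and Printer Sharing group (disabled by default, not blocking).
netsh advfirewall firewall show rule "name=File and Printer Sharing (SMB-In)"

# Confirm the three rules were stored with the intended scope.
foreach ($n in 'Block SMB TCP 445 in - any program', 'Block SMB TCP 445 in - System only', 'Block SMB TCP 445 out') {
    netsh advfirewall firewall show rule "name=$n" |
        Select-String -Pattern '^(Rule Name|Enabled|Direction|Program|LocalPort|RemotePort|Action):'
}
```

With inbound already set to block by default, none of these rules changes what reaches the host; what they add is a guarantee that holds even if the default is later relaxed or an allow rule for SMB appears. Do not run this on a machine you reach over SMB or administer remotely over port 445.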
#224
October 16th, 2010, 11:13 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
What was it? If you could share, other who may be having the same problem could solve it. (And, I'm also curious. lol)

Sure I can. I didn't realize that my profile was linked to when I installed the OS, as you pointed out in your post, so I changed it. Also, I had previously unchecked Domain and Private on all my rules because I was using the Public profile; big mistake. I then went back and changed every rule to apply to all profiles and then blocked all outbound for all profiles, and it works great.

I'm learning.... I'm so grateful that Stem worked with me on Outpost. That helped a lot. And now I found the hole I had so everything is good. I find it much easier using WF than OP so I'm going to stick to it.

I have the FW set to notify me if anything gets blocked with no rule.
__________________
~Rilla927~
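The fix Rilla927 arrives at in #224, and the profile confusion in #214 and #215, as an added example that is not from this thread: check which profile is active, set both directions to block on all three profiles, create the few outbound allows with profile=any so they survive a profile change, switch on the blocked-program notification, and log dropped connections as the closest thing the Windows firewall has to the pop-ups #220 says it lacks. The helper function, rule names, program paths and service names are my own assumptions for a typical Windows 7 desktop; netsh advfirewall is the Vista/7 command-line front end to Windows Firewall with Advanced Security, run here from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Program paths, service names
# and rule names are assumptions for a typical Windows 7 desktop. Run from an
# elevated PowerShell prompt; netsh advfirewall is the Vista/7 CLI for WFAS.
$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    # Runs one "netsh advfirewall ..." command and stops on the first error
    # instead of continuing with a half-applied rule set.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    & netsh advfirewall @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($Arguments -join ' ') failed" }
}

# 1. Which profile is live? A rule restricted to one profile applies only while
#    the network is classified as that profile; the "no internet after blocking
#    outbound" symptom in #214 was rules left on a profile that was not active.
netsh advfirewall show currentprofile

# 2. Default policy on Domain, Private and Public: drop both directions unless
#    a rule says otherwise (the Properties setting m00nbl00d used in #215).
Invoke-Netsh 'set','allprofiles','firewallpolicy','blockinbound,blockoutbound'

# 3. Minimal outbound allows, each with profile=any so a profile change does not
#    drop them. Service-hosted rules name the svchost service, so the allow is
#    not a blanket one for every service living in svchost.exe.
$rules = @(
    @{ Name='DNS client out (Dnscache)';  Program='%SystemRoot%\System32\svchost.exe'; Service='Dnscache';
       Protocol='udp'; RemotePort='53'; RemoteIp='dns' },
    @{ Name='DHCP client out (Dhcp)';     Program='%SystemRoot%\System32\svchost.exe'; Service='Dhcp';
       Protocol='udp'; LocalPort='68'; RemotePort='67'; RemoteIp='any' },
    @{ Name='Firefox HTTP and HTTPS out'; Program='C:\Program Files\Mozilla Firefox\firefox.exe';
       Protocol='tcp'; RemotePort='80,443'; RemoteIp='any' }
)
foreach ($r in $rules) {
    $netshArgs = @('firewall','add','rule', "name=$($r.Name)", 'dir=out', 'action=allow', 'profile=any',
                   "program=$($r.Program)", "protocol=$($r.Protocol)",
                   "remoteport=$($r.RemotePort)", "remoteip=$($r.RemoteIp)")
    if ($r.Service)   { $netshArgs += "service=$($r.Service)" }
    if ($r.LocalPort) { $netshArgs += "localport=$($r.LocalPort)" }
    Invoke-Netsh $netshArgs
}

# 4. Notify when an inbound program is blocked (the setting mentioned in #224)
#    and log dropped connections, since WFAS has no outbound pop-ups: a missing
#    outbound rule shows up as a DROP line here instead of an unexplained failure.
Invoke-Netsh 'set','allprofiles','settings','inboundusernotification','enable'
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Invoke-Netsh 'set','allprofiles','logging','filename',$log
Invoke-Netsh 'set','allprofiles','logging','droppedconnections','enable'

# 5. Review: outbound rules that are NOT bound to all three profiles are the
#    ones that bite after a profile change. Rule Name sits four lines above
#    Profiles in netsh output.
netsh advfirewall firewall show rule name=all dir=out |
    Select-String -Pattern '^Profiles:\s+(?!Domain,Private,Public)' -Context 4,0

# Last 20 dropped packets. Log fields: date time action protocol src-ip dst-ip src-port dst-port ...
if (Test-Path $log) { Get-Content $log | Where-Object { $_ -match ' DROP ' } | Select-Object -Last 20 }
```

A default install already carries DNS-Out and DHCP-Out allows in the built-in Core Networking group, so the two svchost rules mainly show the shape of a service-scoped rule with remoteip=dns mirroring the "DNS SERVERS" scope in the Outpost rules quoted in #208. Windows Update (svchost, service wuauserv, TCP 80/443) and anything else the machine needs outbound must get its own rule before this is applied, and the dropped-connection log is the place to find what was forgotten.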
#225
October 16th, 2010, 11:17 AM
Rilla927, Very Frequent Poster, Join Date: May 2005, Posts: 1,620
Re: Windows Firewall with Advanced Security (Guide for Vista)

Quote:
Originally Posted by m00nbl00d
Some mind exercise.

Current situation: All inbound traffic blocked. This means what it means, all inbound traffic gets blocked.

Only as a mind exercise, imagine I'd block inbound to port 445. What would be the best way? Block for all programs and choose which port to block (445), or simply block inbound traffic to the port itself? I'm leaning towards the second option. Am I correct in assuming that?

I have all inbound connections blocked, no exceptions. Port 445 (if I remember correctly, it is used for VPNs) is blocked outbound also.
__________________
~Rilla927~
 
