Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I did the last update today and I've got the same problem: I launch the installer but it fails to download the files and the update is aborted.
    If I allow all outbound traffic, no problem, it works well.
    Each time the installer's name changes so the rule doesn't work.
     
    Last edited: Sep 11, 2011
  2. wat0114

    wat0114 Guest

    Uh-oh, I missed one other rule. Please see updated attachment. You are updating Flash for IE, correct?

    *EDIT*

    maybe it's Flash for Firefox you're trying to update? In this case it's a PITA :( I tested in the vm and twice as you mention the file name changed...

    c:\users\vmware7\appdata\local\temp\install_flashplayer10_mssd_aih.exe

    c:\users\vmware7\appdata\local\temp\install_flashplayer10_chrd_aih.exe

    I don't know how often the name changes but you could simply copy and paste the one rule to create any additional ones, then just change the name in the program path to the new one. You could end up with several nearly identical rules, but at least it should solve the name change issue.
     

    Attached Files:

    Last edited by a moderator: Sep 11, 2011
  3. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Thanks for the suggestion. You're right, the problem is with Firefox and Flash.
    I'm going to try your solution or perhaps I will allow outbound connections during the update.
     
  4. wat0114

    wat0114 Guest

    It should work though it just depends on how many times it changes, so if it's 3 different file names, then you create 3 different rules, all the same with the only difference being the filename in the path. I don't use Firefox any more so I determined this by testing in the vm.
     
  5. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Yes, I understand, I'll try for the next update.
     
  6. bbp12

    bbp12 Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    4
    Wonderful post Stem. Thank you - very helpful. :)

    I am running Windows 7 and have 2 questions:

    1. This was initially written for Windows Vista - is there a thread for Windows 7?

    2. When I install or run a program (safe or malicious/unsafe), does it have the ability to modify the firewall settings? For example, when I run CCleaner - Windows UAC pops up asking if it is okay for the program to make changes to my computer. Of course I grant access, but could the program then add or modify rules, which may pose a security risk? Or, is the user the only one able to modify Firewall rules?

    Thanks again.
     
  7. wat0114

    wat0114 Guest

    1. The same applies to Win7.

    2. Yes. An example is uTorrent. It's a good idea to check the status of the rules after you install any software.
     
  8. bbp12

    bbp12 Registered Member

    Joined:
    Sep 21, 2011
    Posts:
    4
    Might be helpful to others if the initial post included some mention of Windows 7.

    As for being a "good idea to check the status of the rules after you install any software", that does not sound too good. :( Why would it only apply during installation, it could also apply when the program is run (eg. CCleaner). Also, couldn't a program running in the background monitor the Windows firewall and if rules were preventing it from accessing, it could then modify and defeat the user's wishes?

    I really like the idea of using Windows Firewall, but if others are able to control it, then it does not sound ideal. Does anyone know if there are other Firewall front end programs that monitor the settings and can notify or prevent changes?

    Are there any others like SphinxSoftware's Windows 7 Firewall Control that are front ends for the Windows Firewall?

    I have tried various popular firewalls in the past like Comodo, but just seem a bit too much overhead. I want control over outbound access by program with IP and port controls. I used to use ZoneAlarm way back, now I am using an older security suite that has built-in firewall, but looking for something better.

    Any advice is appreciated.

    Thanks.
     
  9. wat0114

    wat0114 Guest

    You're making way too big a deal out of it. If the software creates its own rules, as annoying as this may be, it is because they are necessary for the proper functionality of the product. You will probably find the rules to be overly liberal, so you simply modify them so they are allowing only what you deem necessary. BTW, I've never encountered anything that creates rules after the installation; it's always during it.
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Interesting statement, but doesn't the possibility exist that if you used whatever firewall app that it too could be controlled by others? I do not use one other than WFC so I have no way of knowing if they (whatever firewall app) have some sort of self protection for the scenario that you mention.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FWIW, some 3rd party products do have self protection.

    OP, OA (I think) and KAV Pure.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The problem with Windows Firewall and other built-in security, such as AppLocker, is that, once you allow something to run as administrator, then it has full access to those components.

    Those security components should be handled separately, IMHO.

    I mentioned in another thread that UAC should allow us to install/run an application both in a global context (full access) and current user context (access limited to the specific user account).

    Besides that, the security components should be password protected, IMHO. And, yes, independent of UAC.
     
  13. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    You can do this by using Group Policy objects (GPOs) to create a Windows Firewall rule. It takes precedence over a local Group Policy firewall rule.
    So, a firewall rule created by (safe or malicious/unsafe) software under local admin is disabled.

    This option can be accessed and used if the firewall policy is part of the (GPOs). If the (GPOs) is used to distribute the firewall configuration, and rule merge is disabled, none of the settings for the 3 profiles (domain, private and public) will be changeable. Use of the (GPOs) will allow the impression that the local administrator can still add individual rules to the 3 profiles, but further investigation will prove otherwise. A rule added by the local administrator will appear in the inbound/outbound area of the advanced GUI, but not show up as part of the current active profile as displayed in the monitoring section of the same GUI. Use of (GPOs) will also prevent the local administrator from disabling the firewall either through the command line netsh.

    By default, rule merging is enabled between local firewall policy on Windows 7 computers and firewall policy specified in GPOs that target those computers. This means that local administrators can create their own firewall and connection security rules on their computers, and these rules will be merged with the rules obtained through Group Policy targeting the computers. Rule merging can be enabled or disabled on a per-GPO, per-profile basis by opening the Properties of the policy node described previously, selecting a firewall profile, and clicking Customize under Settings. Then under Rule Merging in the Customize Settings For The firewall_profile dialog box, change the Apply Local Firewall Rules and/or Apply Local Connection Security Rules policy settings from Not Configured to No.

    Have Fun..
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Is it possible, in your view, in W7 to use Group Policies to completely replace these rule-heavy firewalls?

    If so, please explain in general terms at first or provide a link to a beginner's guide to Group Policy?
     
  15. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    -I got back this question-
     
    Last edited: Sep 24, 2011
  16. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    It is certainly possible, and WF is not a rule-heavy firewall. I'll try to explain the easiest way.

    Example:

    Access by running gpedit.msc, open > Computer Configuration /Windows Settings /Security Settings /Windows Firewall with Advanced Security /Outbound Rules > Right mouse click on empty right space > select New Rule.. > make a new rule that blocks your favorite browser connection with example name (test_rule).

    Now > mouse click on /Windows Firewall with Advanced Security-Local Group Policy Object, in the right space, open > Windows Firewall Properties. In the configuration window select for all 3 profiles (domain, private and public) in this mode:

    http://i54.tinypic.com/2ngs93m.jpg


    Then in the same window under Settings click on Customize.. and do so:

    http://i55.tinypic.com/2mybw5c.jpg

    (OK > Apply)


    Now Run.. firewall.cpl > open Advanced settings > Outbound Rules, you see all previous rules and the new one with example name (test_rule) created by Group Policy, but if you open Monitoring > Firewall, you will see as active only the new one with example name (test_rule) created by Group Policy. Run your favorite browser and it will be denied access to the network by the (test_rule).

    A firewall rule created by local admin is disabled (inactive). Likewise, a firewall rule created by (safe or malicious/unsafe) software under local admin is disabled (inactive); the working firewall rules are part of the (GPOs).

    _______________________________
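
The check described in the post above, done from the command line instead of the Monitoring node (an added example, not part of the original post): it reports per profile whether local rules are still merged, then lists the enabled local rules that stop being enforced once merging is set to No. Assumptions: the Group Policy firewall settings are stored under the registry key shown, with `AllowLocalPolicyMerge = 0` corresponding to "Apply local firewall rules: No"; function names are illustrative.

```powershell
# Added example (not from the thread); run from an elevated PowerShell prompt.
# Assumptions: Group Policy firewall settings are stored under $PolicyRoot,
# with AllowLocalPolicyMerge = 0 meaning "Apply local firewall rules: No".
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRules = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Per profile: are locally created rules still merged with the GPO rules?
function Get-LocalRuleMergeState {
    foreach ($name in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $key = Join-Path $PolicyRoot $name
        $merge = $null
        if (Test-Path $key) { $merge = (Get-ItemProperty -Path $key).AllowLocalPolicyMerge }
        if ($merge -eq $null) { $state = 'Not configured (local rules apply)' }
        elseif ($merge -eq 0) { $state = 'No (only GPO rules are enforced)' }
        else                  { $state = 'Yes (local rules apply)' }
        New-Object PSObject -Property @{ Profile = $name; ApplyLocalRules = $state }
    }
}

# Split one stored rule ("v2.10|Action=Block|Dir=Out|Name=...|") into fields.
function ConvertFrom-RuleString([string]$Text) {
    $rule = @{}
    foreach ($field in $Text.Split('|')) {
        $i = $field.IndexOf('=')
        if ($i -gt 0) { $rule[$field.Substring(0, $i)] = $field.Substring($i + 1) }
    }
    $rule
}

# Enabled rules in the local store: these are what stops being enforced
# in any profile where merging is set to "No".
function Get-EnabledLocalRule {
    $key = Get-Item -Path $LocalRules
    foreach ($valueName in $key.GetValueNames()) {
        $r = ConvertFrom-RuleString ([string]$key.GetValue($valueName))
        if ($r['Active'] -eq 'TRUE') {
            New-Object PSObject -Property @{
                Name = $r['Name']; Dir = $r['Dir']; Action = $r['Action']; App = $r['App']
            }
        }
    }
}

Get-LocalRuleMergeState | Format-Table Profile, ApplyLocalRules -AutoSize
Get-EnabledLocalRule | Sort-Object Dir, Name | Format-Table Dir, Action, Name, App -AutoSize
```

Built-in rules show a resource reference such as `@FirewallAPI.dll,-…` in the Name column rather than a display name.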
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ sparviero

    What you mention does the trick, but when I said what I said, I had in mind that Group Policy Editor is not present in all Windows editions. That's the problem.

    That said, Windows should isolate permissions access to those components in all editions.

    This is actually something that could be done, and as an optional feature. UAC could be used to achieve just that. When this feature is enabled, then UAC would ask the user whether or not he/she wants to permit the application to change firewall/applocker/etc rules.

    I have my doubts that Microsoft is going to provide just one edition when Windows 8 comes out.
     
  18. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    No, it is not present in all Windows editions, and it is not a trick; it is Group Policy Settings applicable to the local PC. I think you can install it separately (gpedit.msc).

    Download Group Policy Settings Reference

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=25250

    It is certainly possible, but if you tend to paranoia ends the good use of this medium. And UAC will become like other useless HIPS/HOPS.

    ___________________
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I never mentioned G.P.Editor was a trick. I mentioned that what can be done via G.P.Editor does the trick, considering what I previously expressed. There's a difference.

    And, as I said Group Policy Editor is only present in the more expensive Windows Editions. So, no, you cannot install it separately. Unless, Microsoft sells it separately? I suppose not. I never heard of such.


    Paranoia? Is it paranoia to want to have my settings protected against tampering, even from legit applications?

    I mean, every freaking time I upgrade an application, I always need to open WFAS and check and, if the case, delete rules. This must be some nightmare.

    And, what I mentioned about UAC was in case Gpedit, as usually, only becomes available in the more expensive Windows editions. So, in this case, Microsoft should provide the option to turn on such UAC setting.

    Considering that this would be an option, average users and users not wishing it, would never use it. So, what paranoia? I could say the same about Gpedit. The end goal is the same. The only difference is the tool one would use, depending on the different Windows versions. Not to mention that, in this case, UAC will only be giving very specific and very few alerts. Far from being a hips-like tool, IMHO.

    Or, are you saying that if I can't afford to pay for a more expensive Windows version, I don't have the right to be able to protect my Windows firewall settings?
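
One way to automate the "check the rules after every install or upgrade" routine discussed in this post and in post 7 (an added example, not part of the original posts): save a baseline of the local rule store, then list rules that were added, changed or removed. Assumptions: local rules are the string values under the registry key shown; the baseline file path and function names are placeholders.

```powershell
# Added example (not from the thread); run from an elevated PowerShell prompt.
# Assumption: each local rule is one string value under $RulesKey.
$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$Baseline = "$env:ProgramData\fw-rule-baseline.xml"   # placeholder location

# Read every rule as (value name -> raw rule string).
function Get-RuleSnapshot {
    $key = Get-Item -Path $RulesKey
    $snap = @{}
    foreach ($n in $key.GetValueNames()) { $snap[$n] = [string]$key.GetValue($n) }
    $snap
}

# Step 1: run once the rule set is in the state you want to keep.
function Save-RuleBaseline {
    Get-RuleSnapshot | Export-Clixml -Path $Baseline
}

# Step 2: run after installing or upgrading software.
function Compare-RuleBaseline {
    if (-not (Test-Path $Baseline)) { throw "No baseline at $Baseline; run Save-RuleBaseline first." }
    $old = Import-Clixml -Path $Baseline
    $new = Get-RuleSnapshot
    foreach ($n in $new.Keys) {
        if (-not $old.ContainsKey($n)) {
            New-Object PSObject -Property @{ Change = 'Added'; Id = $n; Rule = $new[$n] }
        }
        elseif ($old[$n] -ne $new[$n]) {
            # A changed rule is as interesting as a new one: an installer may
            # widen an existing rule instead of creating its own.
            New-Object PSObject -Property @{ Change = 'Changed'; Id = $n; Rule = $new[$n] }
        }
    }
    foreach ($n in $old.Keys) {
        if (-not $new.ContainsKey($n)) {
            New-Object PSObject -Property @{ Change = 'Removed'; Id = $n; Rule = $old[$n] }
        }
    }
}

# Usage:
#   Save-RuleBaseline                      # before the install
#   Compare-RuleBaseline | Format-List     # after the install
```

The script only reports differences; reviewing and deleting the rules is still done in WFAS, and the baseline has to be saved again once the reviewed state is accepted.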
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I see in the start of this thread Stem showed how to make an ICMP rule but it is not mentioned which ones to check mark (like echo request etc.) for inbound and outbound.
     
  21. wat0114

    wat0114 Guest

    Typically, echo request would be for outbound, while echo reply would be for inbound.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I suspect the last post wants ALL the ICMP rules and to know what the settings should be. :doubt:
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I don't know. How important is ICMP to home users?

    Thanks wat!
     
  24. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    You are angry ;), of course you have the right to protect your PC. You can do the same via the registry, but it is best to leave the registry in peace.

    Or you will be forced to use third-party HIP-HOP software, I'm sorry.

    Have a nice day...
     
  25. wat0114

    wat0114 Guest

    You're welcome! Not overly important, at least not to the extent things will be crippled without them, but it's nice to have the option to ping or run a traceroute if needed. My ICMP rules are attached.
     

    Attached Files:
