Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Rain_Train

    Rain_Train Registered Member

    Joined:
    Aug 27, 2008
    Posts:
    142
    I don't understand why you are asking o_O . This is a personal question, and your tone comes across as aggressive. :ouch:

    The paranoia I was referring to was the premise that Vista Firewall might not do its job properly when it very well might. Paranoia in this regard means that, when something might be adequate, one feels that it is not enough.

    Perhaps it was poor word choice on my part, but I do not appreciate you being so up front about it. I'm not very knowledgeable about firewalls, so that is why I asked what I did; solely to get a better idea. Even if I did have "new inventions" on my hard drive, do you really think I would share those? I'm interested in securing my computer just like everyone else on this forum.
     
  2. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Me aggressive? Man, I couldn't even scare a flea if it looked at me. I am sure you are tough enough to take what I said.. you will live, don't worry :)

    And when you say "Vista Firewall might not do its job properly". What "job" exactly do you refer to? Can you please elaborate on that in detail exactly what type of job you expect of the firewall to do?

    You said, "but I do not appreciate you being so up front about it."... And would you have preferred if I was asking from a side angle and not directly? Would that have made you feel safer and not so intimidated and scared of me? :blink:

    And how do you think files on your Hard Drive would be sent to someone else on the internet? Are you worried you get infected with a program that starts sending every single file on your hard drive to someone "out there", so they can read and study all your 100,000 files? :gack:
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    My internal firewall rejected your request, sorry. This request comes across my security policy :)
     
  4. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    :argh:
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Each to their own. On my system, there's nothing to take, so I can understand Tony's comments.

    But on the other hand, a friend of mine, with several TBs of every latest blockbuster movie, he is very cautious about privacy.

    Not implying that those who are cautious must be downloading TBs of data, as the opposite can occur.

    Someone with nothing to take can be 'paranoid', while another user with 'lots of private info worth taking' can be naive and blind to security, couldn't care for it. It's all a matter of perception. Some people might be working away developing websites, others writing programs, like I said, matter of perception - what you think is important.

    Anyway, hope this is brought back on topic. We're all friends here with the same interest. :) Great instructional thread, thanks Stem. :thumb:
     
    Last edited: Apr 27, 2009
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Stem, you mentioned you are looking at the registry regarding the firewall in Vista. Are you also looking at any scripting capabilities or similar with the likes of net or other similar tool? Are you going to post information about the registry? I for one would be interested to see what you find in that area.

    Sul.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Sul,

    I have been trying to find more documentation concerning the registry entries for the group policy, but it is looking like it will be too time consuming in collecting/testing any info.

    - Stem
     
  8. JohnnyDollar

    JohnnyDollar Guest

    I for one would appreciate any more guidance or suggestions using vista firewall with advanced security myself. Reading your thread is what got me to uninstall vista firewall control and give it a try. If I can harden my defenses for network traffic with vista firewall without too much excessive configuration then I would prefer to do that. It's built into the os and if it doesn't cause problems like a lot of 3rd party solutions, which it shouldn't, then I would rather stick with it. I have learned that the best security really is the user. Using common sense, educating yourself on the subject, practicing safe surfing habits, downloading from reputable sites etc. etc., you get my point. But with that said I was looking forward to more of your tutorials about the original thread subject matter and not leak tests and so forth.
     
  9. rolarocka

    rolarocka Guest

    Is there a way to reset the firewall rules to its defaults?
     
  10. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Thank you Stem for this wonderful guide + thread as a whole.

    1 question for whoever can answer: I have downloaded the Vista FW control free app, and have not enabled outbound protection (in the advanced configuration of vista fw) because my browsers are the only thing that would not work no matter what I do.

    Anyways, does the Vista Control Free tool act as if I had enabled the outbound protection? While trying new programs I had pop-ups from it telling me xyz wanted to connect but I'm just not sure it does provide me with outbound protection if the original option is turned off.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Gen, I believe Vista Firewall Control acts independently of the Vista firewall UI itself, and I think they state on their site that you can even turn off Vista firewall and VFC will work fine, inbound and outbound. If you don't want outbound control there should be an option in VFC to turn it off.
     
  12. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Ok great, exactly the response I needed. No, I do need outbound protection but it is currently turned off from windows firewall itself because of some problems, but is turned on from VFC and I thought it was turned on but not working fine. Now I know it does work fine ;)

    Thanks dude.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting thread.

    The main problem with Windows firewall outbound protection, is that, it is not as straight forward, as it could be. But, this is something you people already are aware of.

    To set outbound rules for every application we use, that may need Internet connection, is a time consuming task.

    Microsoft, considering that we're talking about, mostly, home users, could make things a lot easier, by, for example, setting outbound/inbound rules with (safe) predefined rules (presets) of known and digitally signed applications.

    Why do I say this? Well, Windows does have a firewall, doesn't it? It offers inbound and outbound protection, doesn't it? So, it's safe to assume that every Windows home user should be able to use this firewall in its full capability, without having to spend hours setting rules, knowing which processes need access to the Internet.

    I must say that I don't mind spending this time to set my machine to be protected with Vista's firewall, but would I set it like that to every other machine of my family members, or even friends if they asked me? Heck no! I'm not a mean person, but as I said, it is a time consuming task, and in no way I'd be spending hours and hours setting something, which can be easily done with third-party firewalls - this is where they actually stand ground.

    Third-party firewalls (I guess not all of them.) allow their users to set it to automatically create rules for known and digitally signed applications, based on presets.

    Why doesn't Microsoft do it? And, for example, send information to Microsoft about the processes and what rules users may have set, check them and see if something could be changed to make them safer, and they redistribute them to other users? (If they decide to be part of this community-service.)

    I don't understand why things need to be so complicated for the casual user.

    A simple block all connections, unless allowed, either by the user or based on preset rules, would make their lives so much easier, and make their systems safer. A preset rule is better than a rule created on their own.

    But, maybe I'm seeing this all wrong.
     
  14. faustobucci

    faustobucci Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    1
    Windows Error Reporting

    Hi,

    Thanks for the guide! I have a question: how can I set up an outbound rule to allow Windows Error Reporting? (I'm using Windows 7).

    Thanks a lot
     
  15. Beer Dog

    Beer Dog Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    45
    Stem, thanks for putting together this valuable guide. Much appreciated!

    After blocking all outbound connections and setting a rule to allow IE7, I'm unable to connect to the internet. I'm running Vista Ultimate x64 and Kaspersky AV. I created two rules to allow IE7, one for iexplore.exe in Program Files and one for iexplore.exe in Program Files(x86). I have tried turning off KAV, thinking that it might be a problem, but I still can't connect. As soon as I unblock outbound traffic in Windows Firewall, it all starts working again.

    What am I doing wrong?
     
  16. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    Hi Stem, first of all thanks for the great guide!

    I'm connecting via school network and I must first enter my username and password through an internet browser to get internet access. Yet when the outbound protection is on, the login page doesn't load. I don't have any idea which rule I should add. Can you (or anyone) give a solution please? If you need any further info, let me know and I'll post them as well.

    Thanks.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To all,

    Instead of asking X-men like capabilities of Stem to solve your problems, here is a way to deal with 90% of the issues when using Vista/Windows7 FireWall control 2-way.

    Procedure for 90% of the problems
    1. Set Vista/Windows FW to work in default (inbound mode).

    2. Download Windows7FireWall Control free (available for x86 and x64)

    3. Install it

    4. W7FWCtrl will ask you for every process seeking outbound connection. It also uses the Vista/Windows7 FW engine (in layman's terms), so it tracks down all programs in order to generate necessary rules (in its own user interface - it will not create rules for the Vista/W7 FW).
    A) Open all your internet facing programs and programs relying on updates via internet (= Windows update and your AV update)
    B) Write down all programs (including full path) which W7FWCtrl has in its own allowed programs list

    5. Uninstall W7FWCtrl

    6. Make Vista/Win7 two way (see Stem's first post)

    7. Add rules according to Stem's post for all the programs you have written down (see add a rule for a specific program)

    Procedure for the remaining 10%
    Perform steps 1 to 4A only. This offers less granular control (e.g. no port/protocol control), but is next best for you to work with. You can disable the Vista/Windows FW (since this only stops the service for starting stopping the FW GUI)

    Regards Kees
     
    Last edited: Sep 25, 2009
  18. mevcit

    mevcit Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    58
    Location:
    İstanbul, Türkiye
    Hi Kees1958, thanks for your interest.

    That's a well-known way, but Vista Firewall Control gives so basic info about rules (even the plus version). The login page loads through an internet browser and Vista Firewall Control will just ask me to allow connection for that browser or not. That won't help me at all. By the way I'm not searching for an X-man, the thread was opened by Stem (who stated that we can ask questions, on the first page) and I already said "Can you (or anyone)...".

    After a few attempts, I've realised that when I restrict outbound connection of my internet browser with TCP protocol only (without remote port restrictions - 80, 443), the login page loads. So now I should figure out what port numbers I should add to the remote port restriction area beside the ports 80 and 443.

    Edit: Finally I solved the problem. Normally before the login page loads, a link appears and says "redirecting", then redirects to the login page. When I looked at the "redirecting" link carefully, it was like http://"IP Address":3990/..., this is a very long URL (actually "IP Address" is not my exact IP address, the last 3 digits are different but the whole link includes my actual ip address, too). And I added port 3990 (as it appears in the URL between the colon and the slash) to the remote port restriction area in my internet browser rule for outbound. Now the problem doesn't occur. :)
     
    Last edited: Sep 25, 2009
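
Kees1958's step 7 and mevcit's port 3990 finding, scripted with `netsh advfirewall` from PowerShell; this is an added example, not from any poster in this thread. The program list, rule names and backup file name are constructed, and PowerShell is assumed to be installed (optional on Vista, built in on Windows 7) and run elevated.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Without -Apply the netsh commands are only printed for review.
param([switch]$Apply)

# Constructed sample list: replace with the programs (full paths) you wrote down.
# Ports '' means any remote port. 3990 is the login-redirect port from mevcit's post.
$programs = @(
    @{ Name = 'IE 64-bit'; Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
       Proto = 'TCP'; Ports = '80,443,3990' },
    @{ Name = 'IE 32-bit'; Path = "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
       Proto = 'TCP'; Ports = '80,443,3990' },
    # Hypothetical updater path, for illustration only
    @{ Name = 'Example updater'; Path = 'C:\Program Files\Example\update.exe'
       Proto = 'TCP'; Ports = '443' }
)

function Invoke-Netsh([string[]]$NetshArgs) {
    if ($Apply) {
        & netsh $NetshArgs
        if ($LASTEXITCODE -ne 0) { throw "netsh failed: $NetshArgs" }
    } else {
        # Quote arguments containing spaces so the printed line can be pasted into cmd
        'netsh ' + (($NetshArgs | ForEach-Object {
            if ($_ -match ' ') { '"' + $_ + '"' } else { $_ } }) -join ' ')
    }
}

# 1. Save the current policy so it can be restored with "netsh advfirewall import".
#    ("netsh advfirewall reset" returns the firewall to its default policy instead.)
$backup = Join-Path $env:USERPROFILE ("fw-backup-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
Invoke-Netsh @('advfirewall', 'export', $backup)

# 2. One outbound allow rule per program (a rule takes a single program path).
foreach ($p in $programs) {
    if (-not (Test-Path -LiteralPath $p.Path)) {
        # A rule for a wrong path never matches, so the program would stay blocked
        Write-Warning "Skipping $($p.Name): not found at '$($p.Path)'"
        continue
    }
    $ruleArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=Out - $($p.Name)",
                  'dir=out', 'action=allow', "program=$($p.Path)",
                  "protocol=$($p.Proto)", 'enable=yes')
    if ($p.Ports) { $ruleArgs += "remoteport=$($p.Ports)" }
    Invoke-Netsh $ruleArgs
}

# 3. Only after the allow rules exist, block outbound traffic that matches no rule.
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy',
               'blockinbound,blockoutbound')
```

Run it once without `-Apply` and read the printed commands before applying them; the block-outbound switch is last so that a failure in an earlier step leaves outbound traffic unblocked.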
  19. wat0114

    wat0114 Guest

    Kees, this is an excellent idea! Actually, minutes before seeing this post I had manually set up some rules as per Stem's initial posts in this thread for outbound control. A little while later I installed the free Vista fwc just for kicks, and it alerted me about Java requiring outbound access for updates checking, so, of course, this meant I needed to add it to the list of applications requiring this. So I will do as you suggest and remove the vista fwc once I have everything listed.

    BTW Stem, nice thread :thumb:

    *Edit*

    does anyone know if it's possible to add a "list" of programs to a rule, or is it necessary to create a rule for every individual program being restricted to outbound? This latter method seems the only way possible :(
     
    Last edited by a moderator: Oct 15, 2009
  20. wat0114

    wat0114 Guest

    Stem, Seer, or anyone else, could one of you please check these rules and advise if something needs work? Thank you! I really like this firewall; it's a labor-intensive endeavor to get it set up, but I feel it's worth it given how much faster surfing is using it instead of any 3rd party offering I've used, and no buggy behaviour either :)
     

    Attached Files:

    Last edited by a moderator: Oct 19, 2009
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Wat0114,

    Looks OK to me. :thumb:


    - Stem
     
  22. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I'm surprised why software vendors simply don't build off the firewall kernel in Windows? Why reinvent the wheel if you can add to it?

    Anyway, Microsoft could simply provide those primitive popups for the firewall, given the fact that the firewall has almost zero HIPS like leaktest ability....they already have published a good antimalware program....might as well add some more basic functionality to the firewall.
     
  23. wat0114

    wat0114 Guest

    Thanks Stem! I'm modifying here and there by adding the email server's ip address as well as a couple more software update rules, but otherwise it's pretty much final.

    This is a great thread you created and imo the Vista fw is a deserving candidate for those looking for decent packet filtering and as you mention it has, and basic program control while doing less to slow browsing, no impact on the system (already built into Windows) without introducing the bugginess so many 3rd party fw's cause.

    There is Vista/Win 7 firewall Control, where the free version even came in handy for me for part of the rules creation process. I agree MS could do better by adding some functionality to the fw to make it easier to set up for two-way control. As for HIPS, there are several 3rd party products to choose from. Not everybody wants HIPS functionality in their firewall.
     
  24. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Yes, it's quite alright, but if I wish to nitpick...
    why allow torrent full inbound? Configuring a single TCP/UDP port would be sufficient, at least I always have it setup that way. And where are its outbound rules (need to be setup quite openly)? Also, utorrent will use remote UDP port 6771 for LPD (Local Peer Discovery) on a LAN, which in your case is not needed, but thought I should mention it anyway. So these attempts will be blocked.
    I am also curious why WMP needs outbound UDP.

    What do you mean? Install a second firewall that add features to Windows Firewall? Or...

    Well, basic firewall functionality is already there. I would rather suggest better protection on LAN than adding popups for applications. As for the leaktests, this path is a never ending one.

    Cheers,
     
  25. wat0114

    wat0114 Guest

    Thanks Seer and no problem nitpicking; if something can be improved I'd like to know :)

    The torrent I haven't used for some time so I still haven't gotten around to tightening the rules. I had used the "auto-create rules for Windows firewall" from the torrent options menu, so that's probably why they are so lax. It enabled an "edge traversal" option in the rules to bypass the router. Maybe this is not needed and too lax? It does listen on port 14588 so maybe I need to restrict the inbound to that port?

    As for WMP udp, that is a built-in core networking rule; I wasn't sure whether I needed it or not so I left it until further feedback, so I will try disabling it.

    Thanks for the feedback!
     