Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
If I'd typed my post out first in wordpad or something, I might have seen your post come in just before mine.
     
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Start, Run, type in 'gpedit.msc' without quotes, navigate as in this screenshot, do not touch the first 4 paths. Add new rules and exceptions to, for instance, some programs in Program Files, some temp folders, data drives, etc.
    gpeditAddRuleTypes.jpg
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
I allow SSM to monitor registry but never changed any default checked permissions. No skills. Alerts are infrequent, occasional Allows needed for some updates. This total rewriting of 4 values/line for all rules there took me by surprise. I think it's a sloppy Win routine - why rewrite the whole thing when you add one path? :(
Thanks for the comprehensive list of DMR links. I did read some of them a few months ago and that and cryptolocker info is what triggered me playing with gpedit.

    I might try DMR but hesitating because I so hate adding programs when Windows can do it for me, and I suspect DMR might be the same thing.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
I have no idea if SRPs and DMR use the same mechanisms or if they enforce the same restrictions. Other readers here who rely on SRPs would be much more qualified to answer that question. (HINT, HINT) If the mechanisms and restrictions each imposes are the same, it's just duplication. If they work differently, they could very well complement each other, much like the special permissions and parent-child settings of SSM can complement Windows' built-in security features. I don't know how application specific SRPs can be, if the user can specify different restrictions for each attack surface application, or if the settings/restrictions are more global in nature. One potential advantage I see with using DMR is the ability to change settings for an individual app by just adding or removing a letter in the shortcut. Definitely easier and faster than using the policy editor for experimenting.

Except for answering questions posted in the forums, I almost never use XP. Learning SRPs, SIDs, groups, etc. hasn't been high on my list of things to do.
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Ah the Group Policy area. That one can go on the back burner for me. When I was "exploring my system" by going through menus and what not, I came across that, and I thought it was like a rabbit warren of possibilities, too time consuming at the very least, well for me that is.

I've got most components in place, with just a few basic preliminary settings. Except for how I've always had Kerio working, these tools are not working together in a chain yet. I've organized these tools with shortcuts in their own folder on the desktop.
I've spent some time trying to find this and come up empty handed. I don't trust M$ bloatware either and I don't even want to run the Process Explorer I just downloaded. I saw a torrent, but no thanks.
    OK so I'm following instructions back in page 1 for initial firewall settings. Last night I tried disabling the 7 circled entries in post #23. Generic Host Process for Win32 Services which you said "has to go" had Kerio give me an alert after rebooting. I made a rule to deny. I see there's a replica of 2 or 3 of these throughout my ruleset. Anyway it was late and I didn't try to go online.
    Booted up this morning and couldn't get online, so re-enabled them all and rebooted and got online OK.

I've done a screenshot of my ruleset. At this point I'll PM that to you Noone rather than in an open forum.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding Generic Host Process for Win32 Services, have you disabled the DNS client service? I'd need to see the alert that Kerio gave to determine what service your system wants to use, and where those rules are in relation to others like the DNS and DHCP rules.

Regarding the Pre-Microsoft versions of the Sysinternals Utilities, it might not be available except as a torrent. The newer versions do work, although compatibility with the older versions of Windows started disappearing right after MS bought them, just like it does on everything else they buy. I've seen no evidence that the new versions hide anything as far as official spyware or anything like that. I just don't see a reason why half of them doubled in size right after MS bought them, so I have to wonder what all of the extra code is for.
     
  7. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
I didn't disable the DNS client service but stopped it. I was doing so much fiddling around yesterday I can't remember exactly when I did that. Anyway, I'll do that now and see if Kerio throws up another dialog box. If it does then I'll get a screenshot.
    With all the evidence each of us weighs up when we need to make a choice about something, there comes a point where you say, true or false. Is M$ putting/leaving holes/vulnerabilities etc in their products? I have no trouble at all saying yes. Therefore I have no difficulty believing the ongoing bloatware could be harboring any number of things. Considering how HUGE MS is that ought to be a real concern and we all know they're not the only ones by any means.
     
  8. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Question from post 23 noone_particular said:

    How do I obtain these ip addresses and how many DNS servers do you usually have?
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Here's a log of what I've done this morning regarding trying to reproduce behaviour causing Kerio to give an alert :

Boot > Unchecked noone's circled rule (on post 23) for "Generic Host Process for Win 32 processes" entry in Kerio > Plugged in router > Kerio throws about 6 Dialog Boxes and I deny all (I don't make rules) > got 4 screengrabs > noticed the "limited connectivity" dialog box in taskbar so no getting online > tried recycling the router x 2, no go > try checking Kerio's entry again, recycled router, no go > reboot > can get back online again.
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @Reality,
First, when you boot, Windows broadcasts (to 255.255.255.255:67), begging someone for an IP address. Your router should see the broadcast and reply with an IP for your box. If you block that, you will not get an IP, instead you will get a dead IP, 169.something or other. You can check in a cmd window: ipconfig /all.
    If you post the text of the alert it would be helpful, since all I can do is guess what you saw. It's in Kerio log.

    So first thing is to get the connection to the DHCP server in the router. You do need to allow UDP in/out local port 68 to router's port 67. (I assume here you're running DHCP service).
    Then, and only then, worry about the internet. Since TOR is in the picture I can't tell you more.

Did you set up your TCP/IP protocol as described in post#40? That'll help you connect to the sites on the internet. You can/should in Kerio put those two DNS numbers or some TOR stuff for every internet-facing application. Or, for a quickie test, just make two global rules up top for svchost.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    :) :thumb: :) HINT taken.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Reality
    Could you post either a screenshot of the alerts or the protocol, port and IP type (local network, loopback, remote) that it asked for? It could very well be as act8192 mentions, the DHCP broadcast. Just to clarify a few things, what does your PC directly connect to, a router that you own or control, an ISP supplied modem, etc?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you're using the DNS service supplied by your ISP, there's usually one or two. If you specify your own, you can have up to 4. This is done here:
    connection properties.png
    connection settings.png
The loopback address shown in the lower right image is to accommodate DNS-crypt, which is not used with Tor. With Tor, you're using the exit node's DNS servers, not your own. The other IPs listed in the DNS settings above are Open-NIC.

    On the lower left image, are your settings "obtain automatically" for both the IP and DNS?
     
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    OK thanks guys, was just preparing a post but checked in here first. I'll look at your posts noone then come back and answer shortly.

They're all outgoing connection alerts, of:

"GenericHP for Win32 services from your computer wants to send UDP datagram to xxxxxx (I *think* this is my router address) port 1900" ....
and... 2 separate alerts of "GenericHP for Win32 services from your computer wants to send UDP datagram to 127.0.0.1 on ports 1060 and 1064"

    My router is a third party one. Like many people with this particular provider, I did have an ISP one but it was totally unreliable.
     
    Last edited: Aug 20, 2014
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My drawing skills leave a lot to be desired, but hopefully this and the firewall rule details below it are what you were looking for. Tor traffic flow chart.png
    @Reality
    In the screenshot you sent of your rules, I didn't see any rules for loopback traffic. Does your browser prompt you for loopback connections? If not, you might have a global allow rule for loopback traffic. On the interface that displays the individual rules, click on the Microsoft Networking tab. If loopback rules exist there, disable or delete them. Unless you're running a network with several PCs, this section of Kerio isn't needed and can be disabled. If the loopback adapter was listed as a trusted address here, you'll start seeing prompts for loopback traffic.

    These rules assume that you've configured the various components as shown in post #11 of this thread.
    They all assume 127.0.0.1 as the standard loopback address.
    They assume that the default proxy port of Proxomitron is being used, port 8080.
    They require the SocksCap server port to be 9050, which is the default Socks listener port on Tor. They assume that the default control port for Tor, 9051 is being used.
    firewall rules.png
    Was putting a little stress on this old box getting these. The host system running a Tor exit and VPC. VPC running XP. XP running a Tor client.
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I hope this won't derail Reality too much.
    @noone_particular, if the computer is a laptop and you go to some library network, will the no-DHCP and static IP like yours work? I have my LAN in custom group, and in a wild place, Kerio alerts if dhcp job is allowed. Suggestions?
    Holy smoke, this TOR stuff is complicated! Thanks for the picture.

    That said, in case Reality still runs DHCP service like I do, here are my only svchost rules that I ever needed (actually one for win updates turned on once/month, but no longer needed) plus a log. 16-yr old laptop has a right to have a dead battery :) so time service needed.

    Kerio-DHCP-rules.png

    Kerio-Clock-rule.png

    Kerio-DHCP+Clock-log.png
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I should have clarified this in the post above. The rules above are for use with 2 copies of Proxomitron. The first listed, called Socksprox is for use with Tor only and is launched via SocksCap. The 2nd, called Proxomitron is for normal internet usage. Only one can run at a time.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'd expect a network such as that will require DHCP. A static IP might work if their network is using the same private IP range and if your static IP hasn't already been assigned to another user. On networks that you don't control, you'll probably have to allow it. I can't say for certain as I don't have a laptop.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
I was going to post (before my last one) a quick recap where I'm at and what I'm doing. TOR isn't in the picture right now. That will come later. I've been going through this whole thread and tried to put in place things in a logical order. That has meant going to and fro a bit. Somewhere back 2 scenarios were spoken of which basically amounted to a chain of non TOR use and a chain of TOR use. I want to set up the non TOR chain first. That's FF > Sandboxie > Proxomitron > Internet. Proxomitron isn't linked yet.

I want to study your diagram noone, and it looks great, but first I need to go into the Local Area Network Properties and TCP/IP settings.
     
  20. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    From post # 63
What is Open-NIC?
    Yes, and all the fields remain empty. I enabled DNS client in services, tried again, nothing. Rebooted, nothing. Ideas?
     
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    No prompts. Kerio has been very "quiet" and I rarely get an alert. I had a check by "For MS Networking Use These Rules Instead of Filter Rules" No subcategories were checked. There was a trusted address. Disabled and now I see a prompt as you said. System wants to connect to System, with a 255 replacing the last section of my ip address, port 138. What do I do with this and those to follow?

Also, I do like to network my PC and Mac but haven't done this since going off dial-up. Mainly because my router has taken my ethernet port and I can connect my Mac to a port on the router but I've never got around to doing that... I've only been on BB less than 2 years (no choice in that).
     
  22. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
act8192, sorry I haven't been quicker in answering you. If you derail me, expect me to get you to hoist me back on track OK? :)
    Yes and configured as you've said.

    I was looking at post #40 when I saw your post earlier.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The ruleset image I posted covers both. Both the normally launched instance and SocksProxy launched copy of Proxomitron use the same proxy port, 8080. The browser settings and its firewall rules don't change. Only one instance of Proxomitron can run at a time so there's no conflict for the port.

    The SocksCap launched copy, called SocksProx in the rules can only connect to the Tor socks proxy port. The rule immediately below that rule blocks all other traffic to/from SocksProx. This is how rule order fits in. The apps for which traffic is tightly controlled each have a very specific allow rule followed immediately by a block everything rule. The first rule that applies is used. If the specific permit rule for that application applies, it's used. If it doesn't apply, the "block everything rule" that follows for that app will apply. When traffic matches a rule, that rule is the only rule that will be applied to that traffic. When a rule allows a particular connection, no rule below that can block that same traffic. Once a rule blocks traffic, no other rule below that can allow the same traffic.

    The normally launched version, referred to as Proxomitron can connect to any IP. Because the Proxomitron rule is below the DNS rules, it's allowed to perform its own DNS.

    Regarding SandBoxie, it should not affect the firewall rules. Running the browser in SandBoxie makes it less useful if an attacker exploits it. It also prevents browser usage tracks from being added to your system. Proxomitron can be run in a sandbox but there isn't much to be gained from doing so. DropMyRights is sufficient protection for Proxomitron. Running Proxomitron in a sandbox will make it more difficult to save changes to its filters and blocklists unless you save the sandbox, which defeats the purpose of using the sandbox. Some interesting experimentation is possible with Proxomitron in SandBoxie but that's best saved until you're used to Proxomitron and your setup is complete. The last version of SandBoxie I used was 3.76. No idea how much has changed in regards to its networking requirements since then.
    Open-NIC is an alternative DNS service that doesn't censor or hijack results. See http://www.opennicproject.org/

    The "system" traffic that you mention on port 138 is most likely NETBIOS. Unless you need it for file sharing between PCs, it can be blocked or disabled. Save this until we get your network settings and system firewall rules in agreement. I am working on another post for system rules and services that will cover NetBIOS, Microsoft Directory Services, UPnP, and SSDP. Much of this is also included in the Kerio learning thread.

    I need to see either screenshots of the alerts you're getting or the details that they contain. Is it for TCP, UDP, inbound or outbound, what ports, to what IP, etc. Without that, I can't tell what your system is asking for.
     
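The first-match rule ordering noone_particular describes above (a tight allow rule for an app followed immediately by a block-everything rule, with DNS rules above Proxomitron) and the DHCP exchange act8192 described earlier (UDP local port 68 to the router's port 67), as an added example that is not from the thread or from Kerio: a small first-match evaluator in Python. Ports and app roles follow the posts (Tor socks 9050, Proxomitron 8080, DHCP 67/68); the process names and IP addresses are constructed for the example.

```python
# Added example, not Kerio's code: a first-match ruleset evaluator
# modelled on the ordering rules explained in the thread. Process
# names (socksprox.exe etc.) and IPs are constructed placeholders.
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    app: str            # process name or ANY
    proto: str          # "UDP", "TCP" or ANY
    direction: str      # "out", "in" or ANY
    local_port: object  # int or ANY
    remote_ip: str      # exact IP or ANY
    remote_port: object  # int or ANY
    action: str         # "allow" or "block"

    def matches(self, app, proto, direction, lport, rip, rport) -> bool:
        # Each field either is a wildcard or must equal the connection's value.
        return all(want in (ANY, got) for want, got in (
            (self.app, app), (self.proto, proto), (self.direction, direction),
            (self.local_port, lport), (self.remote_ip, rip),
            (self.remote_port, rport)))


# Order matters: the first matching rule decides and nothing below it
# is consulted, so each tightly controlled app gets a specific allow
# rule followed directly by a block-everything rule.
RULESET = [
    # DHCP: svchost asks the router for an address, UDP 68 -> 67, and the reply.
    Rule("dhcp out", "svchost.exe", "UDP", "out", 68, ANY, 67, "allow"),
    Rule("dhcp in", "svchost.exe", "UDP", "in", 68, ANY, 67, "allow"),
    # DNS rules sit above the application rules (constructed resolver IP).
    Rule("dns out", "svchost.exe", "UDP", "out", ANY, "192.0.2.53", 53, "allow"),
    # Tor-bound copy of Proxomitron: only the local Tor socks port, then block all.
    Rule("socksprox -> tor", "socksprox.exe", "TCP", "out", ANY, "127.0.0.1", 9050, "allow"),
    Rule("socksprox block", "socksprox.exe", ANY, ANY, ANY, ANY, ANY, "block"),
    # Normal Proxomitron may reach any IP; below DNS so it may do its own lookups.
    Rule("proxomitron any", "proxomitron.exe", ANY, "out", ANY, ANY, ANY, "allow"),
    # Browser may only talk to the local proxy on 8080, then block all.
    Rule("browser -> proxy", "firefox.exe", "TCP", "out", ANY, "127.0.0.1", 8080, "allow"),
    Rule("browser block", "firefox.exe", ANY, ANY, ANY, ANY, ANY, "block"),
]


def decide(app, proto, direction, lport, rip, rport, rules=RULESET):
    """Return (action, rule name) of the first matching rule; no match means prompt."""
    for r in rules:
        if r.matches(app, proto, direction, lport, rip, rport):
            return r.action, r.name
    return "prompt", None


if __name__ == "__main__":
    print(decide("svchost.exe", "UDP", "out", 68, "255.255.255.255", 67))
    print(decide("socksprox.exe", "UDP", "out", 50001, "192.0.2.53", 53))
    print(decide("firefox.exe", "TCP", "out", 50003, "198.51.100.7", 80))
```

Swapping a block rule above its allow rule makes the previously permitted connection fail, which is why the pair must stay in that order.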
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @noone_particular
    Working from post# 63 I'm not talking about alerts from Kerio. I have no ip addresses in the 2 lower screengrabs. Those fields are unpopulated.

    Thanks for your further explanations. I've got some more questions on the ruleset regarding non TOR browsing. Will come back to that. I did act8192's command prompt ipconfig /all and all those addresses are the same. That is, ip address; Default gateway; DHCP Server; and DNS servers. :confused:
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What is your network setup? Do you have separate router and modem, modem only, etc? Which equipment is yours and under your control? With the gateway, DHCP, and DNS IPs all being the same, they're being set by the device your PC is plugged into.

    Time for me to call it a night.
     