Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, direct Internet access should not be needed, unless of course you are using that for remote administrative tasks.
    Some info on WMI:- http://msdn.microsoft.com/en-us/library/aa394582(VS.85).aspx


    - Stem
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I cannot confirm on my setup.

    Have you any other security software installed that has network drivers installed, or any local proxy software?


    - Stem
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem:

    Right. I'm not doing remote admin. So I will remove WMI rules completely, relying on no rule no www access. Are you okay with that?

    What about the setting for the corresponding W7 service?

    The MS write up implies it must be running as it feeds security centre etc. I've set it as manual for the moment.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,


    Personally I would change the rules to block and log any attempts it makes for internet access, but I am the curious type :)

    I would leave the service on its default settings.


    - Stem
     
  5. Unity

    Unity Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    112
    Location:
    Toulouse ~ France
    OMG... lol you are right, I've just reinstalled avast recently... It is of course the webshield's fault.

    Thank you, I didn't even think about that :oops:
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Now you have me curious so I'll block and log to see!

    I set the service to manual, rebooted, and all W7 does is start it anyway. Thanks!

    (more later)
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You are welcome.
    Good to hear you have found the issue.


    - Stem
     
  8. wat0114

    wat0114 Guest

    Updated svchost rules in response to Escalader's query in another thread.

    My updated svchost rules in the screenshot :)

    Remember that with All inbound connections are Blocked and Outbound connections that do not match a rule are Blocked enabled, Block rules supersede the Allow rules, which simply means when I want to download Windows updates, I temporarily disable the second and fourth Block rules, thereby allowing the wuauserv Allow rule to function (disabling the fourth rule actually allows it), then re-enable them when finished updating. The Remote access service needs network access for Windows updates to work, also. Remember when creating these rules, you need to choose svchost as the program, then the actual service it affects. Example (for Windows time service) is here. I've highlighted those services for clarity.
     


    Last edited by a moderator: Sep 21, 2010
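
The block/allow arrangement described in the post above, sketched with `netsh advfirewall` as an added example; it is not wat0114's rule set from the screenshot. The rule names and the TCP 80/443 remote ports are assumptions, and `wuauserv` is the service short name mentioned in the post.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated prompt.
rem Usage: svchost-rules.cmd setup ^| open ^| close
rem Rule names below are made up for this example.
set "SVCHOST=%SystemRoot%\System32\svchost.exe"
set "ALLOWRULE=EX Allow wuauserv out"
set "BLOCKRULE=EX Block wuauserv out"

if /i "%~1"=="setup" goto setup
if /i "%~1"=="open"  goto open
if /i "%~1"=="close" goto close
echo Usage: %~nx0 setup^|open^|close
exit /b 1

:setup
rem Block all inbound; block outbound traffic that matches no rule.
netsh advfirewall set allprofiles firewallpolicy blockinboundalways,blockoutbound
rem Log dropped packets so blocked svchost attempts can be reviewed later
rem (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

rem Allow rule scoped to one service hosted in svchost.exe, not to
rem svchost.exe as a whole. Ports 80/443 are an assumption.
netsh advfirewall firewall add rule name="%ALLOWRULE%" dir=out action=allow ^
    program="%SVCHOST%" service=wuauserv protocol=TCP remoteport=80,443

rem Block rule for the same service. While it is enabled it wins over
rem the allow rule, so the service stays offline between update runs.
netsh advfirewall firewall add rule name="%BLOCKRULE%" dir=out action=block ^
    program="%SVCHOST%" service=wuauserv
exit /b %errorlevel%

:open
rem Before checking for updates: disable the block so the allow rule applies.
netsh advfirewall firewall set rule name="%BLOCKRULE%" new enable=no
exit /b %errorlevel%

:close
rem After updating: re-enable the block and show the rule state.
netsh advfirewall firewall set rule name="%BLOCKRULE%" new enable=yes
netsh advfirewall firewall show rule name="%BLOCKRULE%"
exit /b %errorlevel%
```

With outbound set to block by default, removing the allow rule has the same blocking effect as the explicit block rule; the block rule only adds a switch that can be toggled without deleting the allow rule.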
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Thread:

    Does WSQMCONS.EXE need dns and tcp connection to the www?
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for the updated rule! I hate svchost! (not news here)

    Your rule set made me think about this a bit more.

    I control the windows update process by turning on the services supporting it once a month on "patch tuesday"

    So in this case I wouldn't need those rules?

    The other thing is why do you need them blocked IF win7 FW allows access to www only by rule and if there is no rule blocks all access? But I may have the rationale wrong here?
     
  11. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    I want to say a big thanks for this thread.

    I overlooked it at the time, but find this very useful now that I might have a use for windows 2-way firewall. And I should add that the fw is better than I thought at first!

    But my main concern is that I am not sure if I will trust microsoft enough to use solely their own fw to tame the OS' internal executables... :doubt:
    (does Stem say in the thread that he did test this?, sorry if I missed it as I am at reading the thread from the beginning right now.)
     
  12. wat0114

    wat0114 Guest

    I'm not sure if disabling Windows update service would work to stop svchost attempted comms.

    Good question and you are right, but svchost is an odd one to figure, because simply disabling Routing and remote access service rule still permits Windows update to work, but keeping it blocked prevents the updates search from working. Strange because the service is disabled by default??
     


    Last edited by a moderator: Sep 22, 2010
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I did not make extensive tests on Vista, but did not see any bypass to the rules enforced.
    I do currently have win7 64 setup which is behind my gateway. It is using the win firewall, in the 3 months or so it has been there I have not seen any outbound that was not intentionally allowed.


    - Stem
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    "Routing and remote access" is mainly for internal routing. I used to use it on NT4 servers. Win XP brought in ICS, which, although limited, does automatically set up the internal routing for connection sharing,...well, most of the time. (I prefer CHX_NAT for XP internal routing).


    - Stem
     
  15. wat0114

    wat0114 Guest

    Thanks for info, Stem. It's odd that with it disabled, blocking it with the firewall interferes with Windows updates comms. I'll maybe check a little deeper sometime, especially the logs to see exactly what's going on.
     
  16. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Thanks for reporting those observations here, Stem.
    Kinda reassuring.
    Thanks also for this excellent thread.

    Btw, what would be your advice about advantages of using L'n'S vs Windows' internal 2-way fw on 7x64?
    -Edit- And would they both work well together, complementing each other efficiently?
    Any over the top redundancy by doing so?

    Is there that big a difference between the tweaks on Vista and 7 internal fws (I never had a touch on vista)?

    And please note that I am interested only by pure firewalling here (I prefer use a separated HIPS, if ever needed). It's the reason why I decided to limit my choice between those two fws only.
     
    Last edited: Sep 23, 2010
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What OS+sp? What exactly are you blocking?

    I will try to find time to check, but health not good these days so cannot promise.


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I did install L`n`S onto win7 64 but found no boot protection. I did not investigate registry tweaks for L`n`S to see if boot protection could be enforced as I decided to use the inbuilt firewall on that setup. (Boot protection is needed more so on vista/win7 to intercept the various broadcasts.)

    L`n`S would be easier for you to set up, due to the popups for application internet access/ easier log access for any blocked packets etc.

    I would not use both.
    I have not noticed any big difference.




    - Stem
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    hmm, so LnS doesn't have boot protection, that's unfortunate

    out of curiosity, does outpost, PCTools Firewall, or Comodo offer boot time protection? those are 3 firewalls im interested in so i was just curious if u knew?

    thanks and sorry if its off topic
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There is a registry entry for L`n`S that can be made to enable boot protection, but I did not check that on win7.

    (EDIT: I found my notes on the reg entry for boot protection "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw
    "BlockAllBeforeInit"=dword:00000001")
    I only looked at outpost pro on vista (due to another thread/post) at boot time, there was a small window during DHCP where protection (inbound/outbound) was not in place.

    I have been meaning to set up to check various firewalls on win7, but just not had the time.

    - Stem
     
    Last edited: Sep 23, 2010
  21. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Thanks for your answers, Stem.
    And it seems, from this post, that this tweak should also be working on win 7.
     
  22. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    thanks for the reply stem, is boot protection really an important feature to have?
     
  23. wat0114

    wat0114 Guest

    Anything svchost-network related, I guess. I know it's probably both overkill and unnecessary to block this particular service, but it isn't harming anything either, so I figure: "why not?" ;) Oh, and take care of yourself; it goes without saying, health and family are most important.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi firzen771,

    It all depends on your setup.

    If you are on a home LAN and you know all the nodes (PCs) are clean, then it is not really a problem with no boot protection.
    If connecting directly to the Internet, then some caution is needed, certainly at login.


    - Stem
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With the actual service disabled, as it is by default, then blocking it should not cause issue.
    I will check it out on Win7 x64 as I do want to make win updates over the weekend on that setup.


    - Stem
     