Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Access Denied

    Access Denied Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    927
    Location:
    Computer Chair
    Thank you once again. Hands down the best firewall (control) I have used in my years and that is saying something. I am 40+ :D
     
  2. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    280
    Would it be possible to have an option to auto refresh logs when the "Connections Log" window is open?
     
  3. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    2nd that :thumb:
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    There is no auto refresh in Connections Log because loading the entries can take much longer than the specified interval. Just press F5 to refresh the entries.

    Note that this is a log for past items, not an active connections monitor.
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
  6. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
alexandrud, did you find a way to firewall individual Windows services, especially Group Policy Client, which is hosted by an instance of svchost, usually along with two other services? I was unable to do this by creating a SID for Group Policy Client in the way the Microsoft documentation describes for firewalling individual services, because Windows refused to apply the SID to Group Policy Client. I also wondered if you discovered any Windows processes that bypass the firewall.
     
    Last edited: Jun 24, 2017
  7. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Would you be kind enough to share the link to the MS documentation as I'm keen to know more?
     
  8. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
It is known as Windows Service Hardening. It was a few years ago when I attempted to firewall Group Policy Client, because my suspicion was a backdoor used to change security settings on a machine by an attacker sending a security template over the internet, acting as a domain controller if you will. I used several references like this one:
    https://technet.microsoft.com/en-us/library/cc947797(v=ws.10).aspx
    I used the tools in Windows Defender, Netstat and Process Explorer to identify the PID of the service and the instance of svchost that hosts it along with two other services. The two other services are required for internet connectivity. This prevents you from firewalling that instance of svchost. You can't turn off Group Policy Client in Windows Services, and if you disable it in the registry Windows won't load any user accounts. MS made sure GPC is always on.
     
    Last edited: Jun 24, 2017
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
You'll see how you are supposed to be able to firewall an individual service in the technet article. You assign a SID to it and use the SID in the firewall rule, but Windows wouldn't apply a SID to Group Policy Client.
    So,
    You can't turn it off
    You can't disable it
    You can't prevent its connection to the internet
    Sounds like something the NSA would do cough cough... I meant MS ;)
     
  11. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     
  12. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
Many thanks for sharing the link and your explanation.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
And thanks to you, askmark, for posing the question, which led to an explanation of the details on that.

    Very enlightening and helpful to pick up any pointers like that which are useful to stay up to date on our own machine's workings, especially firewall traffic.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
You are welcome. I would be interested to know if the same condition persists through W10, should anyone with a W10 machine have the time to check into it.
     
  15. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
Hi, I have just tested W10 and was able to create a firewall rule to block all outbound access from the Group Policy Client service (gpsvc). I did receive a warning about not messing with the hardening built in for Windows services, but it allowed me to continue on and create the rule.
    I also didn't have to do anything with SIDs beforehand; the option to select gpsvc was already available.
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think if you do a little more research into this you will find that the firewall will accept the rule but it will have no effect unless you use an SID.
     
  17. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I just followed the method in your link. I'm not sure what else I can do differently. Any suggestions welcome ;)
    BTW which version of Windows are you using?
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
I'm not using Windows, but when I did it was W7.
    MS may have changed it in W10. I couldn't find any documentation about it for W10.
    The relevant section for doing it in W7 is:

    If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click Customize, select Apply to this service, and then select the service from the list. If the service does not appear in the list, click Apply to service with this service short name, and then type the short name for the service in the text box. Click OK, and then click Next

    Important
    To use the Apply to this service or Apply to service with this service short name options, the service must be configured with a security identifier (SID) with a type of RESTRICTED or UNRESTRIC
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    1. All services have a SID, including WFC service. For your example with Group Policy Client service you can use sc showsid gpsvc to view the SID.
    2. To be able to create a firewall rule specific for a Windows service, a service SID type must be either unrestricted or restricted. Most default Windows services are set to unrestricted. To see the SID type of a certain service you can use sc qsidtype gpsvc. This specific service has the SID type set to none.
    3. To set the SID type you can use sc sidtype gpsvc unrestricted. However, this service does not support such a change and it gives an access denied error. Now, please ask Microsoft why they don't let you change the SID type of some of their Windows services.

Anyway, what kind of rule do you want to create? What is the final purpose?
    svchost.exe is not digitally signed, and most Windows executable files are not. Making the assumption that unsigned software is probably bad (otherwise why don't they sign it?) is not a reason to give a false positive. Even bad guys can steal someone's identity and create a valid digital signature to sign malware. This doesn't mean a digitally signed application is 100% safe.
     
    Last edited: Jun 26, 2017
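An added example, not code from the thread or from BiniSoft, that walks through the three sc.exe checks alexandrud lists above and the per-service rule from the quoted TechNet text. It assumes an elevated PowerShell on Windows 8 or later (the NetSecurity cmdlets are not available on Windows 7) and uses gpsvc only as the default service name:

```powershell
# Added example (not from the thread or BiniSoft): does a per-service firewall
# rule have any chance of taking effect for this service?
# Assumption: elevated PowerShell, Windows 8+ for New-NetFirewallRule.
param([string]$ServiceName = 'gpsvc')   # default: Group Policy Client

# 1. Every service has a SID, regardless of its SID type (sc showsid).
$sidLine = (& sc.exe showsid $ServiceName | Select-String 'SERVICE SID:')
$sid     = if ($sidLine) { $sidLine.ToString().Split(':')[1].Trim() } else { 'n/a' }

# 2. The SID type decides whether the firewall can match on the service:
#    UNRESTRICTED or RESTRICTED work, NONE means the rule never matches.
$typeLine = (& sc.exe qsidtype $ServiceName | Select-String 'SERVICE_SID_TYPE:')
$sidType  = if ($typeLine) { $typeLine.ToString().Split(':')[1].Trim() } else { 'UNKNOWN' }
$usable   = @('UNRESTRICTED', 'RESTRICTED') -contains $sidType

# 3. Which other services share the hosting process? A rule on the whole
#    svchost.exe instance would block all of them, not just this one.
$svc   = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$peers = @()
if ($svc -and $svc.ProcessId -ne 0) {          # ProcessId 0 = service not running
    $peers = Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
             Where-Object { $_.Name -ne $ServiceName } |
             Select-Object -ExpandProperty Name
}

[pscustomobject]@{
    Service                 = $ServiceName
    ServiceSid              = $sid
    SidType                 = $sidType
    PerServiceRuleEffective = $usable
    SharesProcessWith       = ($peers -join ', ')
}

# 4. Only when the SID type allows it does a service-scoped outbound block rule
#    make sense. -WhatIf reports the action without changing the firewall.
if ($usable) {
    New-NetFirewallRule -DisplayName "Block outbound $ServiceName (example)" `
        -Direction Outbound -Action Block `
        -Program "$env:SystemRoot\System32\svchost.exe" `
        -Service $ServiceName -WhatIf
} else {
    Write-Warning "SID type is $sidType; a rule with -Service $ServiceName would be accepted but never match."
}
```

For gpsvc the script is expected to report the SID type alexandrud describes (NONE) and skip the rule; attempting `sc.exe sidtype gpsvc unrestricted` to change it is what returns the access denied error mentioned in the thread.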
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes that is what I thought. I believe gpc can be used by an attacker to change security settings on the victim's machine. I was suspicious that gpc has a listening port open to the internet for this purpose. The fact that we now know for sure that Microsoft made it impossible to disable or even firewall this service should raise a red flag.
     
    Last edited: Jun 26, 2017
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
It doesn't work this way. By default any inbound connection without an allow rule is blocked. So, if you delete any inbound rules that you have for svchost.exe, then svchost.exe should not accept any inbound connection, neither from the local LAN nor from the Internet.
    1. I do not have any inbound rules in my rules set.
    2. I have my Security log set to 200MB instead of the default 20MB.
    3. I have records since 17.06.2017, so, from the past 9 days.
    4. I checked in Connections Log the recently allowed connections, and there is no connection from outside my network. Only some 127.0.0.1 and some multicast items from my router.

    I don't think your statement is true. Microsoft probably made this impossible because in a network environment where you use a domain controller, a network administrator may use the group policy editor to set settings on the entire network. Or maybe they just left it this way with no intended purpose. Who knows.
     
  22. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
You are right, my statement is not true, but only because it is unproven. Consider these facts.
    1. Group Policy Client should not be connected to the internet at all. As you rightly said, it is for use on a network with a domain controller.
    2. Inbound connections are blocked by default, yes, but only if an outbound connection does not initiate them.
    3. The GPC vulnerability was reported to Microsoft years ago, but instead of preventing the spurious connection to the internet they released a patch so GPC would require authentication. Authentication from whom? It took Microsoft 18 months to release that patch, the longest ever for a security update.
     
  23. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    4. Microsoft made sure GPC cannot be turned off or firewalled even by hardware firewall because GPC shares its port with 2 other services required for internet connectivity, thanks to svchost.

    This has all the hallmarks of a backdoor. The difficulty lies in proving it.
     
  24. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    What about blocking svchost.exe and then picking a specific Service from the drop down Service menu?

    Seems like a no-brainer, maybe I am missing something?
     
  25. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
You have to dig deep to find the information on this, from the Microsoft documentation:
    If you don't change the SID type from NONE to RESTRICTED or UNRESTRICTED, the rule will have no effect. If you try to change it: ACCESS DENIED.
     