Windows 10 Outbound Blocking Rules

Discussion in 'other firewalls' started by npw, Apr 21, 2020.

  1. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    Using Windows 10, I have Windows Defender Firewall with Advanced Security configured to block outbound connections. I have my web browser and some other programs working properly to access the internet. Problem is I would like to be able to use "Windows Update" for the recommended security updates from Microsoft, but am not able to get it working unless I provide full access to SVCHOST.EXE. I would prefer to only permit required services for SVCHOST.EXE to allow Windows Update to operate correctly.

    Is it possible to have Windows Update working without permitting SVCHOST.EXE (and all services) full access to the internet?
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    If you don't care about remote host IP addresses, then allowing svchost.exe to remote TCP, Ports 80 & 443 should suffice. OTOH, if you really want to go to town and restrict how svchost connects, you could add some or many of the recently updated Microsoft Pubic IP space addresses available from here as a csv file download:

    https://www.microsoft.com/en-us/download/details.aspx?id=53602

    Windows firewall will accept the CIDR format they're listed in.
     
  3. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    Thanks for the response. Yes, I had SVCHOST.EXE limited to TCP, Remote Ports 80 & 443, and Windows Updates works fine. But, wanted to block all services except for the ones required for Windows Update (eg. wuauserv, BITS, DoSvc) to work properly?

    The Microsoft Public IP Space file looks like it might work for my purpose, but I would still prefer do just identify the required services. If I did use the "msft-public-ips.csv" you suggested, what is the best way to import the 200 entries into the firewall?
     
  4. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    BITS is used for more than just windows updates, so blindly allowing all BITS traffic to all destinations without knowing the content of a BITS job won't help with security.

    As you're probably aware, issues around controlling svchost outbound access are as a result of Microsoft's design. They created a wrapper service which allows many libraries and third party applications to send/receive via the same exe but provided little way to differentiate between this traffic. If you're serious about restricting svchost outbound access then you need to be willing to put in a little research/work along the way as you're working against the OS unfortunately.

    If you go the MS public IP's route, you may find powershell helps to bulk create/remove rules:
    https://www.google.com/search?q=windows 10 powershell add firewall rule

    If you want to go completely overkill and can get hold of Windows Server you could roll your own WSUS server either as a physical machine or a virtual one (requires a lot of HD space). It's no quick fix but would mean svchost would never need to connect to the internet for updates at all, only the LAN. With reg tweaks this can be done without needing a domain and can serve multiple PC's.

    Good luck.
     
    Last edited: Apr 22, 2020
  5. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    @ npw
    RohIN states this well. Host Process for Windows Services, svchost.exe, is argument driven, as an example svchost.exe netsvcs -p for the Microsoft Store Install Services.

    Disabling the unwanted services was my solution. Others launch from a task and I disabled 'em in Task Scheduler. An anti-telemetry product squelches some outbound activity as well; I prefer O&O Shutup.

    When I built my new Win10 Pro system in February, I spent the better part of a week taming svchost and when monitored in a tool like NirSoft's CurrPorts, svchost got considerably quieter once I got done. Yet I still have 60+ instances of svchost.exe in Task Manger, which is OK by me.

    Using the Microsoft Pubic IP space addresses seems to be the best bet for your expressed purpose.

    Good luck.
     
    Last edited: Apr 22, 2020
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Not having personally tinkered with this, so pardon my ignorance, cannot these IPs be implemented in the hosts file as a solution? Or does someone manage a hosts file for that purpose much like the ad blocking ones? It's been about 15 years since I worked with the hosts file side of things...
     
  7. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    By that is it meant allowing svchost.exe to ONLY remote TCP, Ports 80 & 443? That would block DNS and mDNS, to name just two. No? Just thinkin' out loud. Sorry. :)
     
    Last edited: Apr 22, 2020
  8. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    I don't use this solution either for the record.
    @wat0114 Is suggesting a solution to "allow" svchost access to only Microsoft addresses so that windows can update without allowing access to the rest of the internet. To my knowledge the hosts file tends to be used as more of a DNS sinkhole if you want to override DNS and block access to a specific hostname.
     
  9. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Oops. That's right. The old, decrepit brain cells had my memory bass ackwards for that. Thanks!
     
  10. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    :D Happens to us all. I agree though that if DNS Client service is enabled extra rules would need to be added to allow DNS traffic to a users DNS server/s of choice... Also NTP traffic I believe uses svchost? The bonus is that this could be done securely without granting access to the rest of the internet.
     
  11. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    Thank you for all the useful suggestions :)

    Yes, understand other programs may use BITS, but thought I read somewhere it was needed for Windows Update.

    Yes, well said "Microsoft's design :(

    I did manage to get the list imported, but sadly Windows Update still does not work even with the Microsoft Public IP Space permitted. :( Windows Update does work if I don't restrict by IP, but with the full list, it does not work.

    Yes, had thought of that, but not going there!

    SVCHOST.EXE for TCP, Port 80 & 443 is to get Windows Update to work properly.

    I do have another independent rule for SVCHOST.EXE (Dnscache) UDP, Port 53 and just 2 IP addresses for DNS purposes.
     
  12. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    As mentioned previously, this is not a solution I use so @wat0114 may be more helpful here. If you want to investigate on your own you could try enabling Windows firewall logs:
    https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/

    And download DNSQuerySniffer:
    https://www.nirsoft.net/utils/dns_query_sniffer.html

    The firewall log should hopefully show you which outgoing connection attempts were blocked and the destination IP's. You can then search for the IP in DNSQuerySniffer (you may need to flush DNS cache before testing) to find the associated domain name queried which should give you a good idea as to it's purpose and whether it relates to Windows updates. Once you have that information you can check the IP against the list linked to by wat0114 to see if there's an issue with your rules or whether the address is missing from the list.

    On my Windows 7 machine many update related DNS queries resolve to akamai CDN addresses within my ISP's network or nearby countries... These obviously aren't covered in the lists so I assume either there's trick to use Microsoft update servers directly or more firewall rules would be needed to cover local akamai IP's? *shrug*

    I've not checked on Windows 10, and not investigated any further with Windows 7 sorry.
     
  13. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Got it. I don't have much hands-on with Windows Firewall. The only rule I built is to block ins and outs for the LAN IPs used by IoT devices and my Roku Ultra and Blu-ray player.

    Sunblelt/Kerio, PC Tools, Comodo and my all-time fav, Online Armor were my choices over the years in Windows 2000 and XP and rule building was great fun. But after a few years into Win7 I decided to hand it over to Windows Firewall, work with application blocking products and settled on GlassWire. So now I just click on stuff like c:\program files\windowsapps\microsoft.zunevideo_10.20011.10711.0_x64__8wekyb3d8bbwe\video.ui.exe and c:\program files\windowsapps\microsoft.office.onenote_16001.11126.20076.0_x64__8wekyb3d8bbwe\onenoteim.exe and be done with it. GW's "Ask to Connect" feature on apps' first outbound attempts makes it easy and it builds Windows Firewall rules named like {Glasswire.app.out_114} Setting GW to OFF disables all its rules without affecting user built and Windows' native rules should that need arise.

    Anyhow, I understand what you're trying to do and I think if it could be done there would already be popular acclaim and distribution for the process to get it done. But, in Win10, it's not nice to fool with Mother Nature svchost.exe. :doubt:

    Even with all the effort I put into my setup, for the month of April so far, here's what GlassWire has logged for svchost.exe:
    GW4WS.jpg
    Clicking on that More item opens a little window where one can scroll through those 103 other hosts which include the likes of settingsfd-geo.trafficmanager.net, r4.sn-a5mlrn7r.gvt1.com and, of course, Google. There's no way to tell which is using what svchost.exe arguments (and I don't believer there is a tool or utility that can do that). And yeah, well over 100 IP addresses...

    So, this Privacy forum is one of several I watch with RSS and look forward to your success. Good luck.
     
    Last edited: Apr 23, 2020
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Did you check that the MS public IP addresses correctly populated in the Remote IP address window under the Scope tab? For example, they should be listed individually as follows:


    8.12.0.0/16
    8.254.0.0/16
    13.107.0.0/16
    64.18.0.0/16
    and so on...

    Also, they were correctly imported to the correct firewall profile you are using?
     
  15. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    Thanks RioHN, overlooked your comment about not being a solution you used.

    Yes, I enabled logging and reviewed the the various SVCHOST.EXE / Process ID entries to try and identify the specific associated service, which I would then permit through the firewall, but was never able to get Windows Update to work.

    As you indicated, if I am going to use the Microsoft Public IP Space addresses (which not sure it would work), there most likely would be CDN's involved which would interfere with my success using IP addresses.

    Yes, all appeared to import correctly.
    upload_2020-4-24_0-12-18.png

    Based on my attempts so far and RioHN and Surt responses, it seems this is looking like a futile attempt since Microsoft's design is working against my wishes.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    As @RioHN suggested, you should enable logging. Those MS IP addresses worked for me, and I only used a little over half of them. They might be region-specific, so you may need a different list. Having not used Windows for months now, I can't be as much help as i"d like.
     
  17. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    Did you try allowing all svchost connections out to the ranges in the list provided by wat0114? Don't worry about which service is using which instance of svchost, you can deal with that later, for now you just want to see whether the list works. If it doesn't work then ideally, and as already suggested, you need to check logs to see what destination IP/s Windows is failing to connect to during the update process.

    I'm thinking this may still be possible even with CDN's involved, but I'd need to test the idea first as my current understanding of how CDN's work is limited.
     
  18. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    Before my initial post to this thread, with inbound/outbound firewall blocking I had the outbound firewall to allow full outbound (TCP, remote 80, 443) for all services on SVCHOST.EXE and Windows Update works.

    I then enabled only "wuauserv" service instead of ALL and Windows Update fails. I enabled logging and started adding various services (BITS, DoSvc, and several others) as I identified them being blocked. Could not get Windows Update to work with several services permitted, but if I allow ALL services, then it works properly.

    My initial question was what services are required with SVCHOST.EXE to permit Windows Update to work properly with outbound firewall blocking?


    ------------------------------------------------------------------------​

    So, now to the latest posts...

    Yes, I have ALL services for SVCHOST.EXE permitted for the full Microsoft Public IP Space address list and Windows Update does not work. If I change remote IP to ALL, it will work.

    :thumb: Thank you all for your suggestions, I do appreciate your help. :thumb:

    wat0114 - "Having not used Windows for months now"

    Was hoping the post would be seen by someone running Windows 10 that had already configured outbound blocking while still allowing Windows Update to work properly. Can anyone test today to verify their solution is working. Should be able to disable all outbound rules except for UDP/DNS and SVCHOST.exe?

    Mine works with just those 2 rules, but as soon as I trying to restrict SVCHOST.EXE to specific Services, it fails. I create an additional rule to allow each service (wuauserv, etc) I see being blocked in the log, but no luck unless I go back to ALL services.

    ------------------------------------------------------------------------​

    As Surt said - "if it could be done there would already be popular acclaim and distribution for the process to get it done"

    Seems that based on "Microsoft's design", they just are not going to let me restrict SVCHOST.EXE services and still have Windows Update work properly.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    There have been discussions in these forums that restricting svchost to specific services in Windows 10 firewall does not work properly, but I don't really know for sure if that's the case or not.
     
    Last edited: Apr 24, 2020
  20. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    If you're simply wondering what services are used when Windows 10 pulls an update then I've not investigated unfortunately, hopefully someone else knows... But I do wonder what your end goal is here? Added security? Reduced telemetry?

    If you're trying to increase security then there's limited benefit in the approach you're taking from what I can tell. I believe Windows utilises BITS to download background OS updates (so lets allow BITS out?).. BITS can also be used by malware on your system to download/upload files and communicate with remote malicious servers if required, bypassing your firewall rules. Allowing BITS unfettered outbound access is a security risk in itself unless you have software that monitors the creation of BITS jobs.

    In theory one way to negate this risk is to control what addresses services like BITS can connect to, hence the discussion we've been having and suggestions by @wat0114.

    In any case, I'll bow out and hopefully someone with knowledge on services needed for Windows update can help you further. Good luck.
     
  21. npw

    npw Registered Member

    Joined:
    Apr 19, 2020
    Posts:
    7
    Location:
    US
    End goal for me is to reduce outbound communications without my knowledge. Just looking for a balance between unplugging from the internet vs. the default Windows Firewall without outbound blocking. Unplugging from the internet is not going to happen, but seems like I should be able to enable outbound blocking using Windows Firewall

    But, when I enable outbound blocking, then I no longer get Windows Update patches, which could be a security issue.

    If I provide unrestricted outbound access to SVCHOST.EXE , then Windows Update works. If I try to limit SVCHOST.EXE to specific services (unsure which are necessary), then Windows Update fails.

    If I do not get any further in my research, which is seeming likely, I will provide SVCHOST.EXE full outbound access as I believe it has with the default Windows Firewall configuration and have Windows Update perform correctly.
     
  22. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Well, in a way you can do that. Get an application blocker that works with Windows Firewall and block the executables you deem worthy of that attention. That'll handle whatever other processes that reach out to MS, which are legion. svchost isn't the only culprit.

    And then:

    Get an anti-telemetry/privacy application.

    I settled on GlassWire and O&O Shutup for those. While there are others that go above and beyond O&O's feature set, O&O pretty much takes care of the high-impact stuff. Either can be toggled off and on on-the-fly if necessary for troubleshooting. And GlassWire provides additional security by way of its allow/block challenge for a process's first outbound attempt and a bunch more:
    https://www.wilderssecurity.com/posts/2804423/

    Here are my settings for Windows Updates in O&O:
    O&O4WS.jpg
    As I'm running Pro, I've made alternate tweaks for update deferring. I usually wait 14-21 days after Bork Tuesday depending on panic reports.
    The others I set OFF are:
    Disable app notifications
    Disable SmartScreen Filter
    Disable Windows Defender
    Disable Network Connectivity Status Indication
    I'm still struggling with off or on for that disable automatic app updates setting.
    And I just noticed I should have that disable manufacturers' apps and icons turned on.

    Disable offending services.
    While it looks like you're already pretty savvy in this arena and it's a bit outdated, this is good staring point in case one isn't already familiar with services and Black Viper's work:
    http://www.blackviper.com/service-configurations/black-vipers-windows-10-service-configurations/

    Disable scheduled tasks.
    I searched the web and found some advice; some folks have just gone in and deleted everything.:eek:
    But it pretty much boiled down to the tedium of drilling through all the obscure settings after tackling the obvious.
    NirSoft's TaskSchedulerView is a HUGE aid.

    At this point in time with all my stuff running (174 processes in Task Manager, 63 svchost.exe) I've only nine persistent svchost connections, all to 0.0.0.0 with four listening. This was not the case upon booting up my new system for the first time in February! That said, at any time svchost can connect out for some reason and disconnect as you know. I did monitor/log those for a while and concluded there's nothing I can do about it and resolved myself to Microsoft's mercy.

    All of this, IMHO of course.

    Cheers.
     
    Last edited: Apr 25, 2020
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.