Windows 11: What processes necessarily need connection or access to the network?

Discussion in 'other firewalls' started by Decopi, Apr 10, 2022.

  1. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    By default, my Firewall is set to block all connections or access to the network. Specific programs and apps have specific rules that create exceptions.

    For example, in the case of Windows 11, "MoUsoCoreWorker.exe" has access to the network (in order to allow Windows Updates). The same with "svchost.exe", necessary for connections to the network.
    But after 1 month, I see that there are almost 50 different Microsoft processes trying to connect to the network.

    Please my question: Specifically for the Windows 11 OS (excluding apps, Windows Defender and Programs), what are the Microsoft processes (names, no IPs) that necessarily need connection or network access? For example, all Windows Update processes (including drivers, office etc) I want them with access to the network/internet.

    Thank you very much
     
    Last edited: Apr 10, 2022
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    Probably just svchost.exe and System (if you need access to another device on your LAN). This is not specific to Windows 11, but to Windows 7 or newer, it is the same story.
     
  3. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi, by "System", what process do you mean? Please, I need the exact process name. Thanks
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    "system" has no file extension.
    maybe you should look into the other rules coming from windows itself where "system" as program to understand what "system" is. eg core network, or file and printer sharing.
     
  5. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thanks. I understand what "System" means and its context in the answer above. But I'm not going to use Windows as a reference (for Windows, System or not, all processes need network connection). At Windows Firewall, almost every Microsoft process is allowed.
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    C:\Windows\system32\ntoskrnl.exe used for ICMP like ping and such.

    There is also C:\windows\system32\consent.exe used by UAC to verify digital signatures.
     
  7. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Great! Thanks!
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    and the predefined rules have reason to exist like this.
    refining is not the matter, but deleting or disabling rules where not been fully understood will make your windows unstable and not working as expected.

    i think you want to harden your windows but from my view this ever was the wrong way.

    eg the ICMP rule is disabled by default, but ICMP with core networking/file+printer is mandatory. it does not matter which process is performing this, if you block it, network will almost be dead.
    https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    the only process that needs access is your browser, /thread
    but first you need to be connected right? so

    for a lot of ppl DHCP, DNS would be necessary for automated approach to wifi connection

    then all the programmes like AV and whatnot.
    inbound off (globally), outbound only programmes that need to update and security programmes (if you use them)

    one thing is that malicious process can veil themselves as legitimate ones (process hollowing, doppelgänging), so..
    some memory inspection or anti-exploit is not bad idea if you fear those

    now loopback: you can disable , but some programmes need it,

    occasionally "windows update" and maybe svchost, but you can side-load updates too, and skip the "windows update" and svchost process entirely (WU is associated with several potential LOLBINS like BITS admin), it's a potential pain in the ass if you have several computers, if it's only one then not so much
     
    Last edited: Apr 26, 2022
  10. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thanks.
    After asking a lot of people, and after receiving a lot of help, the conclusion seems to be that limiting internet/network access to processes/programs may help privacy, but not security. Firewall itself (alone) is quite inefficient against malwares/virus. As you perfectly said, malicious processes can veil themselves, for example using svchost.exe and other system processes (that users, yes or yes, need to keep open in order to allow browsers to work).
    Yeah, it's possible to harden the firewall, but that is not for average users, and as you said, that also is too much work if you have several devices.
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Unless you limit ports and IP ranges as well. Like when you setup DNS to connect only to DNS servers. Limit svchost to connect only to trusted CDN and MS servers and etc. Based on the articles about botnets, this actually helps.
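
A sketch of the scoping described in the post above (service, port and remote address instead of "svchost.exe may connect anywhere"), as an added example that is not part of the thread, using the built-in NetSecurity cmdlets. The resolver addresses, the rule names and the group name are constructed placeholders.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Constructed placeholder resolvers (RFC 5737 documentation range): replace with yours.
$dnsServers = '192.0.2.53', '192.0.2.54'
$svchost    = "$env:SystemRoot\System32\svchost.exe"
$group      = 'Example-DefaultDeny'   # hypothetical group name, used for listing and cleanup

# Weak form, shown for contrast only: every service hosted in svchost.exe
# may reach any host on any port.
# New-NetFirewallRule -DisplayName 'svchost any' -Direction Outbound -Action Allow -Program $svchost

# Default-deny in both directions and log what gets dropped.
# Predefined outbound allow rules that are still enabled keep working, so review
# them too: Get-NetFirewallRule -Direction Outbound -Enabled True
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# Each rule names the hosted service, the protocol, the ports and, where known, the peer.
$rules = @(
    @{ Name = 'DNS (UDP) to known resolvers'; Service = 'Dnscache'; Protocol = 'UDP'
       LocalPort = 'Any'; RemotePort = '53';  RemoteAddress = $dnsServers }
    @{ Name = 'DNS (TCP) to known resolvers'; Service = 'Dnscache'; Protocol = 'TCP'
       LocalPort = 'Any'; RemotePort = '53';  RemoteAddress = $dnsServers }
    @{ Name = 'DHCP client';                  Service = 'Dhcp';     Protocol = 'UDP'
       LocalPort = '68';  RemotePort = '67';  RemoteAddress = 'Any' }
    @{ Name = 'Windows Time (NTP)';           Service = 'W32Time';  Protocol = 'UDP'
       LocalPort = 'Any'; RemotePort = '123'; RemoteAddress = 'Any' }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Group $group `
        -Direction Outbound -Action Allow -Program $svchost -Service $r.Service `
        -Protocol $r.Protocol -LocalPort $r.LocalPort -RemotePort $r.RemotePort `
        -RemoteAddress $r.RemoteAddress | Out-Null
}

# Read the rules back with the filters that were actually stored.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Service  = ($_ | Get-NetFirewallServiceFilter).Service
        Protocol = $port.Protocol
        Remote   = "$(($_ | Get-NetFirewallAddressFilter).RemoteAddress):$($port.RemotePort)"
    }
} | Format-Table -AutoSize
```

Windows Update and the browsers are left out on purpose: with `-LogBlocked True` the dropped connections appear in the firewall log, which is the basis for deciding what else to allow. `Remove-NetFirewallRule -Group 'Example-DefaultDeny'` removes the added rules again.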
     
  12. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    True. But as I said, hardening firewall is not for average users, and it's a ton of work if you have a lot of different devices.

    That said, before asking for help I googled the subject, and you appeared several times in different forums, always with great answers. It seems that for a long time you tried to do what I want to do now, hardening firewall in the simplest possible way, starting with a deny rule blocking everything, and allowing only the minimum necessary for Windows Update/Time/Etc and Browsers. If that is the case, please I would like you to share with me the details of your firewall setup. Thanks in advance.

    PS: I already hardened my firewall based on the help I received here and other forums. But I still have doubts about my browsers and svchost rules, they're restricted to specific ports, but IN/OUT is allowed, so malicious processes perfectly can exploit that way... it seems that firewall hardening for browsers and svchost is not easy (using just firewall).
     
  13. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    Can't you just disable telemetry?
     
  14. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    In my opinion, just by changing the network control method from windows firewall to Windows Filtering Platform (WFP) improves security a ton
    for instance, windows firewall will allow outbound if the process is trusted, WFP based programme (or even a programme based upon windows firewall, just that WFP is more modern so to speak) will tell you that the programme wants to connect no matter if trusted or not
    but yeah in the end I agree with your comment, just I would not rely on Windows Firewall at very least (minimum security) because for one reason the LOLBINS had been proven effective as they circumvent the trusted process security barrier
    or if you want to use Windows Firewall do at least a Hard Configurator tweak:) or similar to the firewall, you can try No Virus Thanks Sys Hardener, it's very simple
    but if you use PC the correct way you most likely don't need all that:). At the very minimum: inbound off (globally) and network public, probably that
     
    Last edited: Apr 27, 2022
  15. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Yeap! And this is good for privacy. But the focus of my question is security.
     
  16. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    I would buy Blackfog if you need programme to decide for you for network related stuff, it's privacy oriented and security oriented, can't vouch on how effective it is because there are no official tests, but it's worth a try & has original approach
     
  17. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA

    Thanks again for your reply.

    My challenge is to find a 100% pure firewall (Windows Firewall or third-party firewall software), minimalist configuration with maximum security protection, allowing IN/OUT Windows Update/Time/Etc + Browsers.

    The problem is that even with my current firewall hardening, malicious processes still have access to the internet/network (svchost etc). And I'm starting to conclude that there is no such 100% security firewall solution against allowed IN/OUT processes. If my conclusion is confirmed, then my next step is going to be to find the second security layer, always with same characteristic (minimal settings => maximum security). But before going to the second layer, I still need to learn some stuff about firewall, IPs and similar settings.

    Thanks. Yeah, I have a lot of possible complements to the firewall settings. But first, I still want to be sure what can or can't do with simple free firewall solutions.
     
  18. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    230
    Location:
    etc
    Try my firewall. It allows to filter svchost's processes by service names.
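
To see which hosted service is behind each svchost.exe connection before writing per-service rules, the following added example (not part of the thread and not code from the firewall mentioned in the post above) maps established TCP connections to their owning process and, where the process hosts services, to the service names. It uses only built-in cmdlets; the column names are chosen here.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session
# so that every owning process can be resolved.

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |   # skip loopback
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $svcs = $servicesByPid["$($_.OwningProcess)"]
        [pscustomobject]@{
            Process  = if ($proc) { $proc.ProcessName } else { 'exited' }
            ProcId   = $_.OwningProcess
            # Empty for ordinary programs; one or more names for svchost.exe
            Services = ($svcs.Name -join ',')
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } |
    Sort-Object -Property Process, Services, Remote -Unique |
    Format-Table -AutoSize
```

This is a snapshot of TCP only: short-lived connections and UDP traffic such as DNS do not show up, so run it repeatedly or compare it with the firewall's log of blocked connections.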
     
  19. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,720
    Location:
    USA
    Take a look at TinyWall.
     
  20. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    Don't take a look :) Switch to some obscure Linux distribution and you're set.
     
  21. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,720
    Location:
    USA
  22. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Yeap, these are 3 alternatives... and I'm analyzing/testing all of them + another (several) similar software. Thank you both for your help.
     
  23. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Bottom line... you're right.
    But in real world you must be prepared to interact with a majority of users that have Windows.
    This is the case of my current post here in this forum, I'm asking help for my own case, but I'm also asking help because I need a solution for other Windows users.
    Anyway, thank you.
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    which kind of supporter are you?
    the majority of home users do not need a firewall nor to know how to set it up.
    in case you are not in da house you need to set it by remote.

    for specific events you can send them a powershell line which is executed
    http://woshub.com/manage-windows-firewall-powershell/
     
  25. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    I am a Physicist, I have good computer skills, I work with a large group of colleagues, and for reasons not worth addressing now, we need strong cyber protection in "privacy", but even more especially in "security".

    Also for reasons that are not worth detailing now, we do not want to hire specialists, we want to find our own solution.

    We do not need alternatives with remote access etc, but we do need simple, minimalist and portable solutions.

    Windows Firewall does not serve our needs, and we are testing third-party firewall software. My request for help in this forum is related to ways to harden a third-party firewall software (it doesn't matter which one, the software is irrelevant), focusing in security, focusing in those processes that have IN/OUT allowed connections to internet/network, and can be exploited by malicious processes.
     