Windows 11: What processes necessarily need connection or access to the network?

Discussion in 'other firewalls' started by Decopi, Apr 10, 2022.

  1. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you @TairikuOkami and @alexandrud, you both are right.
I tested it, and 127.0.0.1 etc. as "remote address" bypassed my own firewall golden rule: "deny all by default".
    In my context, DNSCrypt uses 127.0.0.1, so by allowing it, the firewall is annulled, everything passes directly to DNSCrypt, no firewall function.
    It was a valid question and experiment, I learned a lot, also it was an opportunity to confirm that DNSCrypt forces TCP 443 and UDP 53 for almost everything (which is great as a firewall complement).
    Thank you once again.
     
  2. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi @alexandrud,

As the Biniware Dev, please allow me to share with you the same question I made to other firewall software Devs. Please, it'll be great if by chance you can reply to me.

    Thank you in advance!

    My goal is to harden privacy/security firewall (software), using a minimalist setup with the best possible result:
    1) Deny all internet access by default
    2) Allow few Windows processes (Windows update + Time) and specific apps/programs
    3) All allowed stuff uses only TCP OUT 443
    4) Disable DNS-client Windows service => Enable DNSCrypt => This forces me to use UDP IN 53 for allowed stuff
    5) Firewall rules can't use IPs (I need this setup to work in a group with people who live in different countries, and who know almost nothing about firewalls)

    Please, my questions for you:

    a) Would you improve anything in my setup described above?

    b) Based on my ignorance, I found only two alternatives to build my setup: DNS-client Windows service "enabled" or "disabled". The first alternative is easier to configure, but requires the use of svchost, and it opens privacy/security risks. The second alternative is more difficult to configure, requires UDP IN for all allowed apps/programs, but does not use svchosts, and minimizes privacy/security risks.
    Which of the two alternatives would you choose?

    c) Which firewall rules would you choose to harden privacy/security?

    d) Can your WFC (Windows Firewall Control) software achieve what I'm looking for (or something similar)?
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    @Decopi These are all my firewall rules:

[attached screenshot: upload_2022-5-25_9-45-37.png]

    Red - Rules related to my work
    Blue - I enable those when I have to print something on my network printer
    Orange - I enable those when I have to connect to another machine from my local network, not so often.

    Windows Update - I enable this rule once a month when I remember to check for Windows Updates.

    - The only enabled rules are for DNS, DHCP and Windows Time. Please note that these svchost.exe rules are targeted to specific services.
    - I do not have any inbound rule at all because this is my own laptop and I don't want incoming connections to my machine. By default, all inbound connections are blocked in Windows Firewall, unless you create an inbound allow rule.
    - I use Medium Filtering profile which means outbound filtering is enabled in Windows Firewall, therefore any outbound connection without an explicit allow rule is by default blocked.

With this rule set I can perform my daily tasks without problems.

    I use an offline user account and I don't use Microsoft Store. If you need to use these two, then you can't get away without enabling svchost.exe connections, the rule named "WFC - Windows Update".

From my experience, if something goes wrong, it is the user in 100% of cases. Use common sense, download and install programs/games only from known sources, avoid obscure websites and use an ad blocker like uBlock Origin in your browser.
     
  4. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Amazing answer @alexandrud ... thank you!
    Great explanations, very useful for me.
    I read the WFC guide (good stuff), where I found a basic minimum configuration, but your post to me is even better, more complete, exactly what I was looking for.
Your logic of grouping rules with colors according to "frequency of use (Windows update etc), or specific needs (network / printers etc)" is excellent. Very pedagogic.
Many users in this forum already helped me a lot. But your post was "the cherry on the top" because it confirmed to me the right way to harden firewall rules.

    Unfortunately I can't automatically copy and apply your setup. I use DNSCrypt for several good reasons (not just DNS cryptography). On the negative side, this affects many of my firewall rules, where for example I have to use UDP IN for most processes/apps/programs.

    Changing subject, please if possible, my last two questions:

1) Your setup makes all sense! It's logical! In my mind, it should be the "default setup" for any firewall software. So why does hardly anyone harden firewall rules? Even on the internet it's not easy to find tutorials for hardening firewall rules, why is that? I found a firewall software, whose marketing alleges a supposed "privacy focus", but this software doesn't include firewall rules, IN connections are not blocked by default, OS Windows connections are not restricted by default, etc. Why don't they do that? Why are firewall ports not restricted as an extra privacy/security layer? Why are protocols, ports and direction allowed for any OUT connection? I understand that hardening a firewall may break stuff, or average users are too lazy and don't want to do that etc. But my question goes beyond these issues. I try to understand, regardless of whether it's easy or difficult... is hardening firewall rules useful or useless for privacy/security? Am I missing something?

    2) Please, what is your opinion about Netbios? Multicast? IPV6? Allow firewall rules connections? Disallow these connections?

    Once again, thank you in advance!
     
    Last edited: May 25, 2022
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
@Decopi How about these?

[attached screenshot: upload_2022-5-26_10-36-42.png]

    - DNS rule for DNS Client service from Windows disabled.
    - One outbound rule for dnscrypt-proxy.exe so that it can send the requests. I do not know why you need UDP inbound access in your scenario. Again, you connect to the Internet, not vice-versa. Inbound access is required for server applications in general, unless you host your own DNS server. But even in this case, your inbound connections should be allowed only from devices located on your LocalSubnet so that only your own devices can connect to your own hosted DNS server.
- While using DNSCrypt helps you with hiding your DNS requests, it does not hide your IP address. Notice that there is another rule that I have created, in my case for mbvpnservice.exe which is the client for Malwarebytes Privacy VPN application. This helps hide the IP address too.

With this setup, DNSCrypt started and working, and a WireGuard-based VPN, I can still use Windows Firewall to allow/block processes from accessing the Internet. Indeed, with some VPN providers, Windows Firewall is useless since all rules will be ignored once connected through their VPN.
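The rule set described in posts 3 and 5 (deny everything by default, a handful of service-bound svchost.exe rules, one outbound rule for dnscrypt-proxy.exe, Windows Update kept disabled until needed), written as an added PowerShell example against the built-in Windows Firewall cmdlets; this is not WFC's own code or alexandrud's exported settings. The dnscrypt-proxy.exe path, the rule names and the choice of wuauserv for the Windows Update rule are assumptions, and the last function only audits for the loopback-allow problem from post 1 and lucd's reply.

```powershell
# Added example, not from the thread or from WFC. Run from an elevated prompt.
# Assumptions: dnscrypt-proxy.exe lives at the path below, and the DNS Client
# service (Dnscache) has already been disabled separately (step 4 of the setup).
$DnsCrypt = 'C:\Program Files\DNSCrypt\dnscrypt-proxy.exe'   # assumed path

# 1) Deny by default on every profile: inbound is already blocked, and
#    DefaultOutboundAction Block is what WFC's "Medium Filtering" turns on.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2) Allow the few outbound connections the posts list: DNSCrypt, DHCP and
#    Windows Time. The svchost.exe rules are bound to one service each via
#    -Service, so the rule does not open svchost.exe as a whole.
New-NetFirewallRule -DisplayName 'Example - dnscrypt-proxy' -Direction Outbound `
    -Program $DnsCrypt -Protocol Any -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Example - DHCP client' -Direction Outbound `
    -Service Dhcp -Protocol UDP -RemotePort 67 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Example - Windows Time' -Direction Outbound `
    -Service W32Time -Protocol UDP -RemotePort 123 -Action Allow -Profile Any

# 3) Windows Update rule created disabled; enable it only for the monthly check.
#    Binding only wuauserv is an assumption (a real update also involves other
#    services), kept simple to show the service-bound pattern.
New-NetFirewallRule -DisplayName 'Example - Windows Update' -Direction Outbound `
    -Service wuauserv -Protocol TCP -RemotePort 443 -Action Allow -Profile Any `
    -Enabled False

# 4) Audit: an enabled allow rule whose remote address is loopback lets any
#    process reach the local dnscrypt-proxy listener, which undoes "deny all
#    by default" (post 1 and lucd's reply). Returns the offending rules.
function Get-LoopbackAllowRule {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            ($addr -contains '127.0.0.1') -or ($addr -contains '::1')
        }
}

Get-LoopbackAllowRule | Select-Object DisplayName, Profile
```

`Enable-NetFirewallRule -DisplayName 'Example - Windows Update'` and the matching `Disable-NetFirewallRule` are the on/off toggle for the monthly update window.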
     
  6. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Wowwwwwwww... thousand thanks to you @alexandrud!
    I'm speechless. You kindly took time to test my own scenario... priceless! Thank you Man, honestly, thank you from the bottom of my heart. Your help is being incredibly useful for me.

I can't answer you "why", probably it is due to my firewall software, but all my allowed apps/programs (including DNSCrypt) are requiring UDP IN from me. If I don't allow UDP IN, everything breaks.
It's time for me to test your WFC! This weekend I'm going to install your WFC, and I'm going to reproduce exactly the setup you sent me today. I'll be back to you in this forum with my results. If this setup works for you, then it must work for me, and it'll confirm that probably my UDP IN issues are related to my firewall software. Please @alexandrud give me some days, and I'll share with you my results.

    Until then, please, do you have any opinion about:
    - Netbios?
    - Multicast?
    - IPV6?
    - Remote address 255.255.255.255 port 67?
    - SSDP? (UDP IN/OUT 1900). Remote address 239.255.255.250 port 1900 (if I don't allow UDP OUT, all chrome browsers are not working: Google Chrome, Opera, MSedge)?
    - UPnP? (TCP IN/OUT 5000)?
    - RPC (TCP/UDP 135)?
    - Etc?

    To allow firewall rules connections for them? Or to block?
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    @Decopi I am not a network guru that has all the answers :)
     
  8. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
@alexandrud, don't be modest, you don't have all the answers :), but you're a kind of Guru :)

Please, abusing your patience, if possible, I request you to export your last WFC settings and share the file with me. I'm not lazy, but I prefer to directly import your exported file, in order to avoid mistakes from my side. I want to test exactly the same WFC settings as you tested. Thanks Guru! :)

    PS: I'm going to install your WFC. I never used it before. Please, it'll be great if you can share with me your exported file with all the needed settings for my test. Thks!
     
    Last edited: May 27, 2022
  9. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    350
    Location:
    Finland
Never ever trust Windows' own firewall, many malwares target Windows firewall to make an outbound rule during boot stage(s).
It's highly recommended to use a third party firewall, because they are not based on Windows' own firewall which many malwares can abuse in many ways.
Like Comodo, Symantec, Zonealarm use their own fw driver. Most of the malwares are coded for abusing Windows fw one way or another.
     
  10. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    41
    Location:
    internet
I have the Kaspersky FW in my AV engine from them, I think it's enough?
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    any other granular firewall like windows firewall is "enough". about kaspersky or other antimalware programs - at least some have to convince users to let this buggy and vulnerable software installed. windows firewall is already there and a masterpiece of system integration. create rules with ease, export and import them (need same preliminaries of windows 10).

WFC ofc is not wrong, for my needs i use sphinx firewall (w10fc, paid) which offers a zone model to handle groups of rules which i can assign to programs. w10fc works on top of the windows firewall with its basic settings (i already have additional own rules there). it has self protection and it has no access for limited users, which windows firewall does not offer.

    users with admin rights are the biggest mistake. in such cases a firewall is nice, but not effective because settings can be changed within a finger snip.
     
  12. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi @alexandrud,

    Thank you for your exported settings file!
    I installed WFC, imported your settings and... everything worked like a charm. No UDP IN, nothing broken, everything went well.

I intensively tested WFC since past Friday, it's a totally intuitive software, very simple to use, and lightweight.
    Kudos for your work @alexandrud!

    Of course, your software isn't for average users, but on the other hand it doesn't require tons of previous expertise.
With basic knowledge it is possible to manage software settings. Also, WFC is full of descriptions (which helped and taught me a lot about each setting option).
    I'm far from being an advanced user, I define myself just as a fastlearner-average-user, and I had no problem configuring the setting options.

With regards specifically to my firewall rules context, the WFC settings you kindly shared with me are more permissive, mine (no WFC) are more restricted, and that's the reason why I needed UDP IN when I was using another firewall software. In short, the IN rules problem is not in the software, the problem is my restricted rules. Due to my ignorance I restricted too much stuff, and now I start to understand that too much restriction is useless. The right approach is to use "the minimum possible permissiveness" where all TCP/UDP IN is blocked, but TCP/UDP OUT must be permitted in a customized way (apps, programs, ports, protocols etc).

    On the next days I'll try to build a kind of "hybrid" model based on your settings, @TairikuOkami settings and my own settings.
    Wish me luck :)

    Thank you once again!
     
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
loopback or localhost is used to communicate between different applications, e.g. server client scenarios, and so it's necessary for some programmes to run and for debugging. A loopback allows a machine to communicate within itself (so it does not need an external connection), easing resources from the networking connection protocols while still using networking protocols. E.g., you can have an off-grid computer and loopback will work. Typically loopback traffic is processed by a TCP/IP stack without leaking to the network, but it can also lead to firewall rule bypass in some scenarios, e.g., you block access to chrome.exe and chrome.exe gets internet back magically due to an "allow 127.0.0.1 for all apps" rule in SW; loopback bypasses the local network interface hardware.
     
    Last edited: Jun 9, 2022
  14. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    @lucd, in case you're interested, I'm testing WVSX firewall.

    In my context, two variables were critical: 1) DNS-client disabled and 2) DNSCrypt enabled.

    With DNS-client disabled I have NO need to create firewall rules for SVCHOST (and that blocks dozens of uncontrolled svchost internet/network accesses).

With DNSCrypt, in addition to encryption, it replaces DNS-client with the benefit of forcing internet access to ports 443 (TCP), 53 (UDP) and rarely 80. As a bonus, DNSCrypt also blocks domains (allowing the use of wildcards), and also blocks IPs (which kills a lot of Windows processes connected to the internet - CrazyMax Windows blocking list).

With regards to WVSX, the firewall is very basic, but it works in combo with the antivirus, so it is more efficient. The firewall also allows the use of rules, and with one single "block all" rule the rest is easy, just allow "OUT" only for programs the user wants to connect. It's really an impenetrable barrier, nothing has IN/OUT internet access if it's not allowed by rule.

    I've been testing this configuration for days, and nothing has broken.
    DNSCrypt and WVSX are lightweight software, therefore the performance of the computer has not been negatively affected.

I'm very grateful to the participants of this forum who helped me, I learned a lot and it was very useful. One of my many learnings is not to use Windows Update / Windows Time on a daily basis (most MSFT updates / upgrades happen once a month). The same for networks, if the user is not connected to any network, or doesn't use network printers etc, then there is no need to use network Windows processes all the time (these processes can be enabled only when necessary).

Yeah, it's not an alternative for average users. But on the other hand, let's be honest, it's not difficult to harden internet/network accesses.
     
    Last edited: Jun 10, 2022
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    All your forward-facing apps, even those that don't normally go online, must be granted access in order to phone home to download and self-install updates.
     
  16. knuji

    knuji Registered Member

    Joined:
    Apr 12, 2023
    Posts:
    8
    Location:
    Australia
    @alexandrud

    How do you set notifications with this setup? Is Windows asking for access all the time?
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    Windows Firewall itself displays notifications for programs that want to listen on a port for incoming connections. From those notifications you will create inbound block/allow rules. For outbound connections, there are no notifications. There are several programs out there which can display notifications for outbound blocked connections.
     
  18. knuji

    knuji Registered Member

    Joined:
    Apr 12, 2023
    Posts:
    8
    Location:
    Australia
But WFC can display outbound request notifications. So I am wondering how you have notifications set in WFC - Display, Learning, Disabled? Because all the various Windows processes must be asking for outbound access all the time. Or am I missing something?
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
I usually have them disabled once I set up my rules. I keep them set on Display and I just add svchost.exe and System in the notifications exceptions list so that those won't bother me anymore. I know that I already allowed what I wanted to allow regarding them and I am not interested in other notifications for these processes.
     
  20. knuji

    knuji Registered Member

    Joined:
    Apr 12, 2023
    Posts:
    8
    Location:
    Australia
Thank you. That sounds like a really good approach. I have been mistakenly thinking that every request needed to be displayed and handled. Your posts in this topic have been most enlightening and would make a good addition to the WFC User Guide.
     