how to lock Windows FW rules

Discussion in 'other firewalls' started by rm22, Jul 13, 2015.

  1. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    I've been using 3rd party firewalls & just recently have been playing around with WFW - i was surprised to see there is no way to lock the firewall rules - apps can freely add/change rules when installed or updated - even in a SUA with UAC on Max which i thought would force a prompt to be issued...

    What are the options for doing this in Windows 7 home premium? I've read i can use a controller, like Tinywall or WFW Control, but i wasn't planning on setting outbound rules right now - so is there another option or should i just use a controller and allow all outbound connections?

    Thanks
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    It has been quite a long time since I have used Windows firewall with default settings, so I don't remember if it adds rules for incoming (server type) connections. I remember it prompting, but maybe as you say it adds also some programs itself.

    Anyways if you are not willing to control outgoing connections, I would not worry too much about possible incoming ones either. I think you can disable them from the allowed list.

    TinyWall will yes lock the rules. It removes all default/your own windows firewall rules and puts its own set of rules. You can't even make rules outside TW controller. In some cases it would be nice to be able to do so, because TW does not offer control to all Windows firewall options. In my usage I have not really found the need for that much flexibility.

    I don't know how WFW control works, I have not found the need to change from TW, to know if it locks the rules or allows some automatic adding.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    How to PROPERLY use UAC:

    * Create ONE account called Admin (example) and give it administrative privileges;
    * Set a good passphrase for this Admin account;
    * Change UAC to Max if you want;
    * Create another account for your user. This account is a regular account and can't do anything without the "Admin" account's passphrase.

    After this, use the REGULAR account at all times, and every time a Windows change has to be done the system will ask for the admin passphrase. This applies to the Firewall configuration.
     
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    right, i disable them and then they just add themselves back on the next update... had 11 new additions with the last round of software updates.

    Thanks for the instructions, but this is already how i have it setup - apps can freely change/add firewall rules during install/update - there is no prompt
     
  6. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Just to clarify - Tinywall and WFC are both controllers for outbound rules - while they also block automatically made inbound rules, i thought inbound rules are still manually set in the WFW GUI. Is this not correct?
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    See if you can see this pic on the page http://windows.microsoft.com/en-us/windows/understanding-firewall-settings#1TC=windows-7
    Unfortunately my Windows is in Finnish language so i can only refer with a pic/external link. Selected is the prompting option, but the first option if checked should prevent all incoming connections, in Windows firewall.

    Now since TinyWall takes total control of the Windows firewall, this option does not matter any. TW sets all the inbound rules too and you must also add your server type of program rules with TW user interface if you have any need for such connections.

    These are the TW basic rules and some of them can be unticked too as a special exception:
    http://www.saunalahti.fi/~jarmos3/TinyWall_rules_215.jpg

    So it is a tight set. All the default incoming connection Windows firewall rules have been deleted. Well not exactly deleted, taken out of operation and you can't make them working. See windows firewall advanced settings. Might help to see those disabled rules in case you have a need to produce some of them with TinyWall UI.
     
    Last edited: Jul 14, 2015
  8. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    I don't understand; if you allow a program to make system changes (UAC), then you're allowing it to make system changes.

    If you don't trust an app to talk on the network, then why are you giving it full access otherwise?

    If you want to run it but prevent it from talking on the network (I cannot fathom this being a regular thing), you can always do so manually without being prompted to allow the other 99%.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    WFC will block all rules (both inbound and outbound) that are made by third party apps, at least if you enable the "Secure Rules" option. So with this option you won't have to worry about applications trying to bypass the Win Firewall.
     
  10. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    OK - thanks guys, i think i'm good to go. I guess it's been awhile since i looked at these controllers - i did know they controlled inbound/outbound at some point :)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Since using WFC, I haven't even looked at third party firewalls, although I do miss outbound alerts. For a while I tried SpyShelter Firewall, which works alongside the Win Firewall, but I had some troubles with it.
     
  12. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    $10 gets you this with WFC doesn't it?

    also looking at WSA - it looks like it is only an outbound firewall and would not lock WFW rules like WFC does since it looks like it is totally separate
     
  13. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    Try GlassWire
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes correct. And I'm not sure if WSA can lock down the rules, you would think that it does have this ability. I recommend both TinyWall and WFC, cool thing about them is that they don't interfere with third party firewalls.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Like I said, it has to be improved quite a lot, it's currently not worth it IMO.
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    For 7 premium there are 2 ways to lock FW rules:
    1st) use regedit go to the key
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
    and change its permissions to read only.
    2nd) use regedit go to the key
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\
    and change its permissions to be modified only by one specific admin account. (do not use that account when installing or updating apps).

    Panagiotis
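
Added example, not part of pandlouk's post: a PowerShell audit that lists which accounts currently hold write-type rights on the FirewallPolicy key named above and on its subkeys, so the result of either permission change can be checked. The function name `Get-FirewallPolicyWriters` and the choice of which rights count as "write" are assumptions of this example.

```powershell
# Added example (not from the thread): audit who can modify the stored firewall policy.
# Uses only Get-Acl / Get-ChildItem, so it also runs on the PowerShell 2.0 shipped with Windows 7.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'

# Assumption of this example: these rights mean "can change the key or re-permission it".
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-FirewallPolicyWriters {
    param([string]$Path = $KeyPath)

    # The key itself plus every subkey, because a subkey can carry its own non-inherited ACL.
    $keys = @($Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })

    foreach ($key in $keys) {
        foreach ($ace in (Get-Acl -Path $key).Access) {
            # Deny entries do not grant anything; skip them.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Keep only entries that grant at least one write-type right.
            $granted = ([int]$ace.RegistryRights) -band $WriteMask
            if ($granted -eq 0) { continue }

            New-Object PSObject -Property @{
                Key       = ($key -replace '^.*::', '')   # strip the provider prefix
                Identity  = $ace.IdentityReference.Value
                Rights    = "$($ace.RegistryRights)"      # full rights as .NET reports them
                Inherited = $ace.IsInherited
            }
        }
    }
}

# One row per account and key that can still write to the policy.
Get-FirewallPolicyWriters |
    Sort-Object Key, Identity |
    Format-Table Key, Identity, Rights, Inherited -AutoSize -Wrap
```

Running it before and after the change shows whether any account other than the intended one still appears in the list.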
     
  17. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    thanks, good to have another option
     
  18. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    you mean running 2 firewalls together - what is the benefit?
     
  19. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    They are both front-ends for Windows Firewall, so technically you use only one firewall: the one that is built-in in Windows.
     
  20. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    right, but i believe @Rasheed187 is implying WFC (or Tinywall) & 3rd party firewall together - that makes 2
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    There is no big benefit, but it's nice to know that with some tools (like SpyShelter Firewall), you don't have to disable the Win Firewall. So if for some reason it fails to block outbound access, you can still rely on Win Firewall. And of course vice versa. But TinyWall and WFC are just controllers, so this all is no surprise.
     
  22. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    Two firewalls are less likely to provide redundant protection and more likely to create conflicts (and will create more overhead) that leave you with no protection at all. "Shotgunning" is not a sound security principle: pick one effective product for the task it was designed for.

    @Rasheed187 makes a good point in that firewall products are frequently misunderstood to all be firewalls (and their brochures don't help).
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Actually, I don't believe that was my point. I was just trying to say that WFC and TinyWall are great tools to manage and lock down the Windows Firewall. If you want to get alerts about outbound access, you may want to use a third party app like SpyShelter which doesn't interfere with the Win Firewall, and works independently.
     
  24. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    I don't think SpyShelter is even a firewall; I think they are using the term generically with what their product does: http://www.pcmag.com/article2/0,2817,2484664,00.asp

    ...which is what I was agreeing with and expanding upon.
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    142
    How can you trust MS/NSA for a firewall? Unbelievable, not really in this upside down world.
     