How to prevent programs from adding exceptions to Windows 7 Firewall?

Discussion in 'other firewalls' started by ehy, Feb 5, 2013.

Thread Status:
Not open for further replies.
  1. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    Microsoft says on Windows Server 2003 library, that you cannot prevent a program from using the Windows Firewall API to add a port to the exceptions list. - http://technet.microsoft.com/en-us/library/cc758407.aspx

    I don't know how it's handled in Windows 7, but to me it still seems that once you run a program with administrator rights, it can do whatever it wants to do with Windows Firewall. Basically Windows Firewall would then be totally useless if a program wants to leak some data. That is my worry. Do correct me if I'm wrong.

    What I'm trying to do is to block all connections with Windows Firewall except the ones I have specifically allowed, but that doesn't work unless there's a way to lock down the firewall with another password. I'm using a standard user account, but it doesn't solve the problem as I will have to run programs that need administrator rights.

    Any suggestions please?
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    Use Windows Firewall Control. It has an option named "Disable the ability of other programs to add firewall rules" which, if activated, prevents other programs from adding new rules in Windows Firewall, even if they run with administrative privileges. I am the developer of this program and it has a lot of extra features that are missing from Windows Firewall. Give it a try. :)

    Otherwise, you can't prevent external applications from registering themselves into Windows Firewall if they run with administrative privileges.
     
  3. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    Thank you for the suggestion, but Windows Firewall Control's "Disable the ability of other programs to add firewall rules" doesn't seem to work. I tested this by installing TinyWall and it successfully changed firewall settings. :( I can also manually access Windows Firewall to change settings and Windows Firewall Control doesn't do much to prevent it.

    Hopefully there's a real solution. :doubt:
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Windows Firewall is very weak in blocking outbound traffic; there are many ways it can be bypassed. PCFLANK Leak Test is another example. If you want stronger leak protection you have to use a 3rd party firewall instead.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    @ehy

    Short answer: Microsoft is right. You can't.

    Once you execute a program with admin rights, game's over. It has all the capabilities to tamper, disable or work around the firewall.
    Firewalls with HIPS have a better chance (because of the HIPS component) but then again, there are limitations.

    Long answer:

    Windows 7 FW for inbound/outbound control

    Basically, what I'm saying is this: depending on outbound firewall to protect your data is like letting a burglar in your house and putting guards (and all sorts of fancy high tech system) to stop him/her from going out. Sure, it might work but you're putting a leap of faith in such a setup.
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    Don't use TinyWall and Windows Firewall Control at the same time because they both use the same Windows Firewall API and the same rules. That feature works. To test it, run a CMD window with administrative privileges and execute the following code:
    Then go to WFwAS or Manage Rules from WFC. This newly created rule should not be there. If you disable that feature, this rule will be in the list of rules.

    Also, from Windows Firewall Control you can lock the access to Windows Firewall Control and also the access to Windows Firewall by setting a password. This will disable the ability to execute WF.msc or Windows Firewall from Control Panel.

    There is a solution. ;)
     
  7. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    Yes, I wouldn't solely depend on outbound firewall. Antivirus & HIPS should primarily take care of the burglar, if I fail to trust something malicious.

    For me it would be enough if the firewall would just do its job, block the ports and not allow anyone else to access it. I think that could be achieved if the firewall required an additional password to lock it down, so just running programs as admin wouldn't unlock the firewall. Is it silly to ask why hasn't anyone done this to any software firewall? Or has someone? Or is some 3rd party firewall so well self-protected that it would only take orders from my actions?

    I guess I have to consider some kind of hardware firewall, if software firewalls really can't handle their job.

    @alexandrud
    If that is a solution, what would stop other programs from also using the firewall API WFC and TinyWall use?
     
    Last edited: Feb 5, 2013
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When on Pro or Ultimate, export the firewall rules and import them to the Group Policy Editor.

    After that, rules appear twice in the firewall control of Control Panel (even elevating to admin won't enable you to change the GPO rules). You can still change the initial (exported) rules (probably also through the API), but Windows uses the GPO rules. So any change through the API or firewall control does not have any impact on the (imported) GPO rules.
     
    Last edited: Feb 5, 2013
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    As long as UAC is set to max, you should get a warning that a program is about to modify the firewall w/advanced settings ruleset when it's being installed, even with admin rights. I remember a few cases where I got one, although I can't remember the context of the warning. Anyway, after the program's installed one could, as Kees seems to suggest, import a previously saved configuration. One could also go in and manually remove or modify the rule. If it's a legitimate program you're installing and it creates a firewall rule, then there's a very good chance it's because it's needed. Now that I remember, uTorrent does this. I went in afterward and modified the rules to my preference, tightening them up some.
     
  10. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @Kees1958
    Nice, this is interesting though I don't know if a program could also mess with group policies, but it looks promising. I would investigate this further, but sadly I have Home Premium and it would be too costly to upgrade just for the shot. :(

    @wat0114
    I think Windows Firewall only prompts when it's able to block a program and doesn't prompt when the program allows the connection by itself. And it really doesn't serve a purpose to manually change the rules after the program has already used the open connection. Once is enough for the leak.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    We might not be on the same page? I'm talking about during the installation of a program, one that deliberately during the installation attempts to create firewall rules for itself.
     
  12. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @wat0114
    If this is not what you mean then I don't know:
    http://images.knowhow.com/Computing/Windows_Firewall_Block_Prompt.png

    And I didn't get this when I installed Windows Firewall Control for example. I have max. UAC + SUA. My default firewall policy is to block everything that hasn't been precisely allowed, so it doesn't give this block notification, should it? I have not seen or heard of other prompts Windows Firewall would give.

    EDIT: I do get the UAC prompt of course, but I don't see a word of program saying that it's changing rules to firewall.
     
    Last edited: Feb 5, 2013
  13. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    Internet-bound programs will always request firewall access and if you know you installed them, grant them access.

    If you don't know you did or you didn't - you can deny access and investigate what seeks access to the Web.

    As a rule, legitimate programs or services should have access, any program that seeks to control your computer should be denied it.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Okay, I see what you mean. I believe those alerts are only triggered when an inbound network connection attempt is made to a program.

    Right, if you have Win firewall w/advanced security to block all outbound attempts for which no rule exists, it will not alert you to programs attempting outbound comms when no rule of such exists for it.

    That makes sense to me; the alerts that a program is creating firewall rules for itself during its installation, such as uTorrent, are vague at best from what I remember seeing. I believe there are few common programs that do this, but it is something to watch out for when installing programs that might create their own firewall rules.
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    What makes you think that malware wouldn't also try to defeat other firewalls, like Kaspersky, Comodo, Outpost, etc.? Once a program gets administrative privileges, it can modify anything on your computer. It is up to the user to know which programs he executes. There is no bulletproof security solution. I agree that Windows Firewall can be defeated, but if you don't stay all day on warez websites downloading and installing patched, cracked, hacked programs, then I think Windows Firewall offers the optimal security solution. If you are browsing the Internet for trouble, then no firewall or antivirus can help.
    Yes, but this solution doesn't work on all versions of Windows. Also, these rules don't apply in a domain location, unless you are the Administrator of the network. The rules saved in gpedit.msc are also saved in the Windows Registry in some specific keys, so I think they can also be deleted and removed manually.
    That notification only shows if a signed application requests inbound access to your computer. When you installed WFC, you didn't see a notification like that because WFC doesn't request inbound access. Windows Firewall does not provide notifications if a new rule is added, so this is normal.
     
  16. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @alexandrud
    Nothing makes me think that malware wouldn't try to defeat other firewalls. But the harder it is to defeat, the more likely Antivirus & HIPS would step in. Neither stopped WFC from adding a firewall rule after the install was permitted to start.

    I'll consider WFC again when there is a feature that will also block firewall API from further use. As it is now I have to disagree with the claim that it can disable the ability of other programs to add firewall rules.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    I can disable the Windows Firewall API but this will also disable Windows Firewall. If you enable that option and other programs try to add a new firewall rule through the Windows Firewall API or the netsh command, they will be automatically deleted by the Windows Firewall Control service which monitors the rules. Anyway, the whole discussion here is wrong because malware will not even try to add itself to the list of Windows Firewall exceptions. If the malware gains administrative privileges, it will try to stop the Windows Firewall service, and then it doesn't matter anymore what rules are there or not. Again, it is up to the user to protect himself from himself by knowing which programs he executes.
     
  18. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @alexandrud
    I'll try to rephrase myself again. I have Antivirus & HIPS to prevent malware from doing the extreme methods like shutting down the whole firewall. I only want the firewall to do its job when it's enabled. If I say block all, it should block all and not take orders from something else (like TinyWall). For me it doesn't matter if the program is malware, "legit" or something in between.

    "Again, is up to the user to protect himself from himself by knowing which programs he executes." - Haha, that would be good. If we all knew what the program will execute, we wouldn't execute it and there would be no need for any security softwares.

    We wouldn't have this discussion if you didn't make that claim about your WFC which simply isn't true. If the "Disable the ability of other programs to add firewall rules" feature doesn't disable the ability of TinyWall (or programs like it) to add firewall rules or edit them, then your claim is false and therefore I have no trust in this program.

    So I have to take it that it's impossible to block the firewall API from further modifications without disabling the firewall.

    If no one has a solution I have to keep looking for a solid standalone 3rd party firewall, which is hard to find nowadays.
     
  19. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    To prevent? Difficult at this level of communication, but prevent use? Easy!! If you choose the option Block all connections. With this setting programs on the Exceptions list are ignored, regardless of any firewall rules that explicitly allow the connection.
     
  20. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @Ring0
    I clearly stated in the opening post this: block all connections with Windows Firewall except the ones I have specifically allowed.
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,230
    Location:
    Romania
    The firewall is doing its job very fine. TinyWall is a special case because it installs a Windows service which runs under the LocalSystem account, so it can manipulate Windows Firewall. I don't think this is the case for malware. Also, it works very strangely because it imports over and over the entire set of rules in case an external program wants to add a firewall rule. WFC does the same, but it removes only the new unauthorized rules. TinyWall and WFC are incompatible because they work on the same set of rules. Maybe you are demanding too much from Windows Firewall and a 3rd party firewall will suit your needs better. Windows Firewall is a good product, but like any product, it can't cover all scenarios.
     
  22. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    @ehy

    - you might have to note the difference!? what this WF setting determines

    - except the ones I have specifically allowed = Block (default)

    - block all connections, regardless of any firewall rules that explicitly allow the connection = Block all connections

    - do you ??
     
  23. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @alexandrud
    Perhaps it really was too much to ask for a working outbound Windows Firewall in 2013. :rolleyes:

    I'd suggest you at least change the WFC option name "Disable the ability of other programs to add firewall rules" to "Disable the ability of some programs to add firewall rules".

    Thanks anyway, I'll keep looking.
     
  24. ehy

    ehy Registered Member

    Joined:
    Feb 5, 2013
    Posts:
    12
    @Ring0
    Why do you tell me this? I'm not trying to block all the connections with exceptions ignored. I have told it many times. :cautious:
    The situation is a little harder than what you think. :p
     
  25. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,559
    @ehy

    you can restrict the programs from modifying your rules either with the Group Policy Editor (for enabling/installing gpedit in 7 Home take a look here http://www.askvg.com/how-to-enable-...home-premium-home-basic-and-starter-editions/ )
    or if you prefer you can do it directly from the registry by modifying the permissions of the registry keys (and their subkeys) to read-only
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy]
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

    Panagiotis
     
    Last edited: Feb 10, 2013
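Since the thread mentions both that WFC's service monitors the rule set and removes rules it did not authorize (post 17) and that the rules live under the FirewallPolicy registry keys (post 25), here is an added example, not code from this thread, from WFC or from TinyWall, that does the detection half of that: it parses rule strings in the layout Windows 7 stores under FirewallRules and reports any rule missing from an authorized baseline. The rule-string layout is assumed from Windows 7, and all sample values, paths and GUID value names are constructed for the demo.

```python
# Added example (not code from this thread or from WFC/TinyWall): flag firewall
# rules missing from an authorized baseline, parsing the rule strings Windows
# stores under the FirewallPolicy\FirewallRules registry key named in the post.
# The "v2.10|Key=Value|...|" layout is assumed from Windows 7; all sample
# values and GUID value names below are constructed for the demo.
RULES_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\FirewallRules")

# Rules the user authorized (registry value name -> raw rule string), constructed.
BASELINE = {
    "{11111111-0000-0000-0000-000000000001}":
        "v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|"
        "App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox HTTPS|",
}
# The same store after an installer ran with admin rights, constructed.
CURRENT = dict(BASELINE)
CURRENT["{11111111-0000-0000-0000-000000000002}"] = (
    "v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|"
    "App=C:\\Program Files\\ExampleApp\\updater.exe|Name=ExampleApp Updater|")

def parse_rule(raw):
    """Split 'v2.10|Key=Value|...|' into a dict; the first field is the version."""
    fields = [f for f in raw.split("|") if f]
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")   # App paths contain no '='
        rule[key] = value
    return rule

def unauthorized_rules(baseline, current):
    """Rules whose value name is new, or whose contents differ from the baseline."""
    found = []
    for name, raw in current.items():
        if baseline.get(name) != raw:
            rule = parse_rule(raw)
            rule["RegValue"] = name
            found.append(rule)
    return found

def allows_outbound(rule):
    """True for an active Allow rule in the outbound direction (the leak case)."""
    return (rule.get("Action") == "Allow" and rule.get("Dir") == "Out"
            and rule.get("Active", "TRUE").upper() == "TRUE")

if __name__ == "__main__":
    for r in unauthorized_rules(BASELINE, CURRENT):
        tag = "OUTBOUND ALLOW" if allows_outbound(r) else "rule"
        print("unauthorized", tag, r["RegValue"], r.get("Name"), r.get("App"))
```

On a real Windows 7 box the CURRENT dict would be filled by enumerating the values of RULES_KEY under HKEY_LOCAL_MACHINE with the standard winreg module, and the baseline saved right after you finished configuring your own rules; GPO-delivered rules, as Kees1958 noted, are kept separately and are not covered by this key.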