Preventing Auto-creation of Windows Firewall Rules?

Discussion in 'other firewalls' started by guest, Dec 3, 2014.

  1. guest

    guest Guest

    I don't know how, but some firewall rules keep getting automatically re-created, both for inbound and outbound connection rules. It looks like these are the rules for Metro apps. Is there a way to prevent these from being automatically added every time I delete them?

    Thank you for the help.

    EDIT: In case this information is needed, my OS is Windows 8.1 Pro 64-bit.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,227
    Location:
    Romania
    Windows Firewall Control with Secure Rules enabled. When activated, Secure Rules feature will automatically delete the rules created from outside of Windows Firewall Control.
     
  3. guest

    guest Guest

    Thank you for the suggestion, and I really appreciate it. But I was looking for a solution that disallows firewall rules from being automatically created without allowing any of them to touch my whitelist. I'm probably just being a bit too touchy but, I just don't like my firewall rules forcing me to allow connections when I don't want/need that to happen.
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,227
    Location:
    Romania
    This is how Windows Firewall works. Any software that has administrative privileges can add/delete/modify the firewall rules. Windows Firewall by itself does not provide a mechanism to disallow the creation of new rules.
     
  5. guest

    guest Guest

    I see, thanks. So it seems that I can't rely on Windows Firewall to lock things up. :(
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,227
    Location:
    Romania
    You can rely on it, if you do not execute all applications with administrative privileges. Let's assume that you have a malware on your computer. If it gets executed with admin privileges (e.g.: the user clicks on the Allow button in the UAC prompt), then it makes no difference which firewall you may have. But for your scenario, assuming that you don't want to use Windows Firewall Control, you can convert all these extra created rules to block rules. Then, they will not be recreated anymore and these programs will be also blocked in all scenarios.
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Actually there are a lot of ways to lock windows firewall rules:
    1) use regedit, go to the key HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and change its permissions to read only.
    or
    2) use regedit, go to the key HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and change its permissions to be modified by only one admin account.
    or
    3) if you have pro, ultimate, activate srp and use the software restriction policy and activate its firewall rules.

    Panagiotis
     
  8. guest

    guest Guest

    @alexandrud
    I have been thinking about it, but was not sure if things would stay the way they are because I've seen cases where my configurations got suddenly changed by the OS.

    @pandlouk
    It is nowhere to be found in HKLM\SOFTWARE\Policies\Microsoft.
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    guest said: "@pandlouk It is nowhere to be found in HKLM\SOFTWARE\Policies\Microsoft."
    Sorry, the key HKLM\Software\Policies\Microsoft\WindowsFirewall contains the settings/rules created through group policy.

    The correct one is
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\

    Panagiotis
     
  10. guest

    guest Guest

    The "DoNotAllowExceptions" value in each network profile?
     
  11. guest

    guest Guest

    I tested it by disabling those auto-created rules and after a while, they got re-enabled. I'll try to set them to "Block" and see if Windows will also automatically set them back to "Allow".
     
  12. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I wonder if you can set permissions on Windows Firewall that only a specific user or administrator can modify rules.
     
  13. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    357
    Just disable Windows firewall and start using better one.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I think Windows Firewall is a good firewall; it just needs blocked outbound connection notifications to help with setting it up.
    I have enabled logging in the firewall and have been looking for a way to use Task Scheduler to create an "on event rule" to display a message when an event is logged by the firewall, but so far I have not been able to do this because I couldn't find the Windows Firewall logs in its list of stuff you can schedule. Also, I don't know what the event IDs are.
    Having said that I don't believe I have ever accomplished a single thing using any of Microsoft's Administrative crapware. I always end up getting frustrated with the obstructive nature of it and give up which is probably what Microsoft intended to happen when they implemented it.

    EDIT
    Well, I actually found something useful. I should probably start a new thread about this.
    You can find the blocked outbound connections in Event Viewer. In Vista it is in the security event logs, is event ID 5157, and is called "Filtering Platform Connection". Of course they don't call it Windows Firewall; that would make it too easy to find.
    The good news is the event viewer does show all the relevant information, including the application that was blocked, whether the connection attempt was inbound or outbound, its location on the hard drive, its process ID and the IP address, protocols and ports involved in the attempted connection.
     
    Last edited: Apr 5, 2015
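
Added example (not part of the original post): a PowerShell parser for the event ID 5157 records described above, pulling out the application, direction, process ID, addresses and ports. The function name and the sample event are constructed for illustration, and it assumes failure auditing for "Filtering Platform Connection" is enabled so that the events are written at all.

```powershell
# Added example. Function name and sample event are constructed for illustration.
# Raw event XML stores Direction as a message-table placeholder, not as text.
$DirectionMap = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$ProtocolMap  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }

function ConvertFrom-WfpBlockEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $d = @{}
        foreach ($node in $evt.EventData.Data) {
            $d[$node.GetAttribute('Name')] = $node.InnerText
        }
        # Fall back to the raw value when a code is not in the lookup tables.
        $dir = [string]$d['Direction']
        if ($DirectionMap.ContainsKey($dir)) { $dir = $DirectionMap[$dir] }
        $proto = [string]$d['Protocol']
        if ($ProtocolMap.ContainsKey($proto)) { $proto = $ProtocolMap[$proto] }
        [pscustomobject]@{
            Time        = $evt.System.TimeCreated.SystemTime
            Direction   = $dir
            Application = $d['Application']
            ProcessId   = $d['ProcessID']
            Protocol    = $proto
            Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
            Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
        }
    }
}

# Constructed sample event (documentation addresses), so the block runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID><TimeCreated SystemTime="2015-04-05T10:15:00Z"/></System>
  <EventData>
    <Data Name="ProcessID">1234</Data>
    <Data Name="Application">\device\harddiskvolume2\tools\example.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.0.2.10</Data><Data Name="SourcePort">49152</Data>
    <Data Name="DestAddress">198.51.100.7</Data><Data Name="DestPort">443</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-WfpBlockEvent | Format-List

# Live use from an elevated prompt:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 50 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-WfpBlockEvent
```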
  15. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    In Windows 10, modifying the permissions on the reg key HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\ has no use. You have to leave NT Service\MpsSvc permissions alone because if you delete that, then Windows Firewall with Advanced Security doesn't work. But if you have that permission, then when updating apps, the firewall rules get changed from Block to Allow.
     
  16. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi Pandlouk,

    I am looking at the permissions for the registry key you gave again. Should I remove the rights for Creator Owner?
     
    Last edited: Jun 26, 2016
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,227
    Location:
    Romania
    The same info is loaded and displayed in Connections Log by Windows Firewall Control with the possibility to create new firewall rules directly.
     
  18. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    That depends on how many admin accounts you have on the system before modifying that key's permissions. E.g. if you have multiple admin accounts and installed/updated lots of apps with different accounts, it could be useful to remove the write permissions from the creator owner. If you only had 1 admin account, just use that account for administrating the firewall and create a second admin account for everything else, e.g. updating apps or installing apps that you do not wish to create new firewall rules, and for other tasks that need administrator rights.

    Panagiotis
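
Added example (not part of the original posts): a read-only PowerShell audit of the FirewallPolicy key named earlier in the thread, listing every Allow ACE that can write to it, so that entries such as CREATOR OWNER and NT SERVICE\MpsSvc can be reviewed before any permission is changed. The function name is hypothetical.

```powershell
# Added example, not from the thread. Read-only: it lists ACEs and changes nothing.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Specific rights that allow adding, changing or removing rules under the key,
# or re-granting such access later.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Generic bits can appear unmapped on inherit-only ACEs such as CREATOR OWNER.
$genericAll   = 0x10000000
$genericWrite = 0x40000000

function Get-WriteCapableAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $raw = [int]$ace.RegistryRights
        $canWrite = ($raw -band [int]$writeRights) -or
                    ($raw -band $genericAll) -or ($raw -band $genericWrite)
        if (-not $canWrite) { continue }
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            # Per the thread, removing this entry stops the firewall service working.
            Note      = if ($id -eq 'NT SERVICE\MpsSvc') { 'firewall service' } else { '' }
        }
    }
}

Get-WriteCapableAce -Path $key | Format-Table -AutoSize
```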
     
  19. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    What I want to do is prevent apps like Edge from creating Allow incoming rule. And stop other Win Store apps from doing that too.
     
  20. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    For that, the easiest way is to convert them to block rules. The apps will recreate allow rules, but since the block rules have precedence, the allow ones won't work.
    For win10 I don't recommend the reg modifications. Microsoft constantly changes the effectiveness of registry modifications with every update and you can never be sure if the modifications will be effective or that it won't break things with a newer update.

    It is probably best to use Binisoft's Windows Firewall Control.

    Panagiotis
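
Added example (not part of the original posts): a PowerShell script for the convert-to-block approach suggested in this thread, using the built-in NetSecurity cmdlets. It goes one step beyond the posts by saving a baseline of the converted rules and checking it later, since earlier posts report rules being flipped back to Allow; the baseline path, switches and function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. $BaselinePath is a hypothetical location.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-block-baseline.csv",
    [switch]$Apply,   # without -Apply the conversion is only previewed (-WhatIf)
    [switch]$Check    # compare current rules against the saved baseline
)

function Get-PackageAllowRule {
    # Enabled inbound Allow rules whose application filter names an app
    # package (Store/Metro apps). One filter lookup per rule, so this is slow.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallApplicationFilter).Package }
}

function Test-BlockBaseline {
    # Report baseline rules that are missing, disabled, or no longer Block.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $rule = Get-NetFirewallRule -Name $row.Name -ErrorAction SilentlyContinue
        $state = $null
        if (-not $rule) { $state = 'Missing' }
        elseif ("$($rule.Action)" -ne 'Block') { $state = 'ActionChanged' }
        elseif ("$($rule.Enabled)" -ne 'True') { $state = 'Disabled' }
        if ($state) {
            [pscustomobject]@{ Name = $row.Name; DisplayName = $row.DisplayName; State = $state }
        }
    }
}

if ($Check) {
    Test-BlockBaseline -Path $BaselinePath
    return
}

$targets = @(Get-PackageAllowRule)
$targets | Select-Object DisplayName, Direction, Action | Format-Table -AutoSize
if ($Apply) {
    # Record what was converted so a later -Check run can detect drift.
    $targets | Select-Object Name, DisplayName |
        Export-Csv -Path $BaselinePath -NoTypeInformation -Append
    $targets | Set-NetFirewallRule -Action Block
} else {
    $targets | Set-NetFirewallRule -Action Block -WhatIf
}
```

Run it once without switches to preview, then with `-Apply`; a scheduled run with `-Check` lists any baseline rule that has since been removed, disabled or changed away from Block.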
     