I don't know how, but some firewall rules keep getting automatically re-created, both for inbound and outbound connection rules. It looks like these are the rules for Metro apps. Is there a way to prevent these from being automatically added every time I delete them? Thank you for the help. EDIT: In case this information is needed, my OS is Windows 8.1 Pro 64-bit.
Windows Firewall Control with Secure Rules enabled. When activated, Secure Rules feature will automatically delete the rules created from outside of Windows Firewall Control.
Thank you for the suggestion, and I really appreciate it. But I was looking for a solution that disallows firewall rules from being automatically created without allowing any of them to touch my whitelist. I'm probably just being a bit too touchy but, I just don't like my firewall rules forcing me to allow connections when I don't want/need that to happen.
This is how Windows Firewall works. Any software that has administrative privileges can add/delete/modify the firewall rules. Windows Firewall by itself does not provide a mechanism to disallow the creation of new rules.
You can rely on it, if you do not execute all applications with administrative privileges. Let's assume that you have a malware on your computer. If it gets executed with admin privileges (e.g.: the user clicks on the Allow button in the UAC prompt), then it makes no difference which firewall you may have. But for your scenario, assuming that you don't want to use Windows Firewall Control, you can convert all these extra created rules to block rules. Then, they will not be recreated anymore and these programs will be also blocked in all scenarios.
Actually there are a lot of ways to lock Windows Firewall rules: 1) use regedit, go to the key HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and change its permissions to read only. or 2) use regedit, go to the key HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and change its permissions to be modified by only one admin account. or 3) if you have Pro, Ultimate, activate SRP and use the software restriction policy and activate its firewall rules. Panagiotis
@alexandrud I have been thinking about it, but was not sure if things would stay the way they are because I've seen cases where my configurations got suddenly changed by the OS. @pandlouk It is nowhere to be found in HKLM\SOFTWARE\Policies\Microsoft.
Sorry, the key HKLM\Software\Policies\Microsoft\WindowsFirewall contains the settings/rules created through group policy. The correct one is HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\ Panagiotis
I tested it by disabling those auto-created rules and after a while, they got re-enabled. I'll try to set them to "Block" and see if Windows will also automatically set them back to "Allow".
I wonder if you can set permissions on Windows Firewall that only a specific user or administrator can modify rules.
I think Windows Firewall is a good firewall; it just needs blocked outbound connection notifications to help with setting it up. I have enabled logging in the firewall and have been looking for a way to use Task Scheduler to create an "on event rule" to display a message when an event is logged by the firewall, but so far I have not been able to do this because I couldn't find the Windows Firewall logs in its list of stuff you can schedule; also, I don't know what the event IDs are. Having said that, I don't believe I have ever accomplished a single thing using any of Microsoft's Administrative crapware. I always end up getting frustrated with the obstructive nature of it and give up, which is probably what Microsoft intended to happen when they implemented it. EDIT: Well, I actually found something useful; I should probably start a new thread about this. You can find the blocked outbound connections in Event Viewer. In Vista it is in the security event logs and is event ID 5157, and it is called "Filtering Platform Connection"; of course they don't call it Windows Firewall, that would make it too easy to find. The good news is the event viewer does show all the relevant information, including the application that was blocked, whether the connection attempt was inbound or outbound, its location on the hard drive, its process ID and the IP address, protocols and ports involved in the attempted connection.
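Added example, not part of the original post: one way to pull the event ID 5157 ("Filtering Platform Connection") records mentioned above out of the Security log and rank what is being blocked. The function name is hypothetical, and it assumes an elevated prompt and that failure auditing for this subcategory is already enabled.

```powershell
# Added example: summarize blocked connections recorded as Security event 5157.
# Assumption: failure auditing is on for the subcategory, for example via
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

function Get-BlockedConnection {   # hypothetical helper name
    param([int]$MaxEvents = 500)

    # Direction is logged as a message-table token rather than plain text.
    $directionMap = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the <Data Name="..."> elements into a name/value lookup.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }

        $dir = $fields['Direction']
        if ($dir -and $directionMap.ContainsKey($dir)) { $dir = $directionMap[$dir] }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Direction   = $dir
            Application = $fields['Application']   # logged as an NT device path
            ProcessId   = $fields['ProcessID']
            Protocol    = $fields['Protocol']      # IP protocol number (6 = TCP, 17 = UDP)
            Source      = '{0}:{1}' -f $fields['SourceAddress'], $fields['SourcePort']
            Destination = '{0}:{1}' -f $fields['DestAddress'], $fields['DestPort']
        }
    }
}

# Most frequently blocked application/destination pairs first.
Get-BlockedConnection |
    Group-Object Application, Direction, Destination |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize -Wrap
```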
In Windows 10, modifying the permissions on the reg key HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\ has no use. You have to leave NT Service\MpsSvc permissions alone because if you delete that, then Windows Firewall with Advanced Security doesn't work. But if you have that permission, then when updating apps, the firewall rules get changed from Block to Allow.
Hi Pandlouk, I am looking at the permissions for the registry key you gave again. Should I remove the rights for Creator Owner?
The same info is loaded and displayed in Connections Log by Windows Firewall Control with the possibility to create new firewall rules directly.
That depends on how many admin accounts you have on the system before modifying that key's permissions. E.g. if you have multiple admin accounts and installed/updated lots of apps with different accounts, it could be useful to remove the write permissions from the creator owner. If you only had 1 admin account, just use that account for administrating the firewall and create a second admin account for everything else, e.g. updating apps or installing apps that you do not wish to create new firewall rules, and for other tasks that need administrator rights. Panagiotis
What I want to do is prevent apps like Edge from creating Allow incoming rules. And stop other Win Store apps from doing that too.
For that the easiest way is to convert them to block rules. The apps will recreate allow rules but since the block rules have precedence, the allow ones won't work. For Win10 I don't recommend the reg modifications. Microsoft constantly changes the effectiveness of registry modifications with every update and you can never be sure if the modifications will be effective or that it won't break things with a newer update. It is probably best to use Binisoft's Windows Firewall Control. Panagiotis
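Added example, not part of the original posts: the "convert them to block rules" approach suggested in this thread, scripted with the built-in NetSecurity cmdlets (Windows 8 and later). The two function names are hypothetical, and it assumes an elevated prompt and that the auto-created rules are the ones bound to an app package.

```powershell
# Added example: find enabled Allow rules tied to an app package (Store/Metro
# app) and switch them to Block instead of deleting them.

function Get-PackageAllowRule {   # hypothetical helper name
    param([ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound')

    Get-NetFirewallRule |
        Where-Object { $_.Direction -eq $Direction -and
                       $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $app = Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $_
            # Package holds the app package SID; ordinary program rules have
            # no package and are left alone.
            if ($app.Package -and $app.Package -ne 'Any') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    Direction   = $_.Direction
                    Package     = $app.Package
                    Owner       = $_.Owner
                }
            }
        }
}

function Convert-PackageAllowRuleToBlock {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound')

    foreach ($rule in Get-PackageAllowRule -Direction $Direction) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Set action to Block')) {
            Set-NetFirewallRule -Name $rule.Name -Action Block
        }
    }
}

# Review the candidates first, then preview the change without applying it.
Get-PackageAllowRule -Direction Inbound | Format-Table DisplayName, Package -AutoSize
Convert-PackageAllowRuleToBlock -Direction Inbound -WhatIf
```

Drop `-WhatIf` to apply the change; re-running `Get-PackageAllowRule` later shows any Allow rules the apps have recreated alongside the Block ones.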