WIN 7 FW Cryptographic Service Issue

Discussion in 'other firewalls' started by itman, May 26, 2012.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I have tried various WIN 7 firewall outbound monitoring software add-ons, and they, plus native WIN 7 firewall outbound blocking, all have the same problem.

    When using IE9 (and I assume this also applies to earlier versions), the WIN 7 firewall cryptographic service dials out to validate certificate authorities. I know it is CAs since I have checked the IP address it is trying to connect to. I have watched it do these connects using the cryptographic service; however, the WIN 7 firewall plus the add-ons to it I have tried all block these CA validation dial-outs. I have always created an outbound rule for the cryptographic service, TCP ports 80, 443.

    Is this a bug in WIN 7, or does one of those three sub-services the cryptographic service uses have to be set up as an outbound firewall rule? If the latter, what the heck is the name of the service?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I found a posting by Heimdall in this forum on this subject.

    The solution appears to be to turn off CA root checking via Group Policy. I would imagine turning off the CA checking setting in IE advanced settings would accomplish the same thing. Neither of these is a good solution to me since I have already encountered rogue CAs on occasion. What Heimdall does personally is allow the IP addresses for the encountered CAs. This is a pain since there are many and each IP has to be thoroughly checked out. I believe he went through the CA certificates and extracted their URLs and retrieved their corresponding IP addresses and built his firewall allow IP list for svchost.exe from that. That is a pain.

    Hopefully, someone will come up with a better idea.

    Also a classic example of why MS has outbound blocking for the Vista/WIN 7 firewall turned off by default.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    After I posted this, I viewed a YouTube video from the developer of Windows Firewall Control. Very interesting indeed. He appears to be the only one of these add-on Windows firewall software developers to recognize that a global svchost.exe rule must be created listing the IP addresses of the Certificate Authorities separately. I might give that software a shot.
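The procedure described in the two posts above (pull the revocation-check URLs out of the installed CA certificates, resolve them to IP addresses, and build an outbound svchost.exe allow rule from that list) can be scripted. The following PowerShell is an added example written for this thread; it is not from the posters, from Heimdall, or from Windows Firewall Control. It assumes it is run as Administrator on Windows 7 with PowerShell 2.0 or later, uses only the LocalMachine Root and CA stores, and the rule name is a placeholder. It prints the netsh command rather than applying it, so the list can be reviewed first.

```powershell
# Added example (not from the thread): collect the CRL Distribution Point and
# Authority Information Access (OCSP / CA issuer) URLs from installed CA certs,
# resolve their hosts to IPv4 addresses, and emit an outbound svchost.exe rule
# scoped to those addresses on TCP 80/443.
# Assumptions: Windows 7, PowerShell 2.0+, run as Administrator; the rule name
# below is a placeholder.

$crlOid = '2.5.29.31'           # CRL Distribution Points extension
$aiaOid = '1.3.6.1.5.5.7.1.1'   # Authority Information Access extension

function Get-CaRevocationUrl {
    # Return every http(s) URL found in the CDP/AIA extensions of the given stores.
    param([string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'))
    $urls = @()
    foreach ($path in $StorePath) {
        foreach ($cert in @(Get-ChildItem $path)) {
            foreach ($ext in $cert.Extensions) {
                if ($ext.Oid.Value -ne $crlOid -and $ext.Oid.Value -ne $aiaOid) { continue }
                # Format($false) renders the extension as one line of text that
                # contains entries such as "URL=http://crl.example.invalid/ca.crl"
                $text = $ext.Format($false)
                foreach ($m in [regex]::Matches($text, 'https?://[^\s,\]\)]+')) {
                    $urls += $m.Value
                }
            }
        }
    }
    return @($urls | Sort-Object -Unique)
}

function Resolve-CaHostAddress {
    # Map the URLs' hostnames to the IPv4 addresses they resolve to right now.
    param([string[]]$Url)
    $ips = @()
    $hosts = @($Url | ForEach-Object { ([System.Uri]$_).Host } | Sort-Object -Unique)
    foreach ($h in $hosts) {
        try {
            # System.Net.Dns is available on .NET 2.0, so this works on Windows 7
            foreach ($addr in [System.Net.Dns]::GetHostAddresses($h)) {
                if ($addr.AddressFamily -eq 'InterNetwork') { $ips += $addr.IPAddressToString }
            }
        } catch {
            Write-Warning "Could not resolve $h : $($_.Exception.Message)"
        }
    }
    return @($ips | Sort-Object -Unique)
}

$urls = Get-CaRevocationUrl
$ips  = Resolve-CaHostAddress -Url $urls
Write-Host ("{0} URLs -> {1} IPv4 addresses" -f $urls.Count, $ips.Count)

# Print the rule instead of applying it, so the address list can be reviewed.
# The thread's finding is that the rule has to be on svchost.exe itself, scoped
# by remote IP, rather than on the Cryptographic Services service alone.
$ruleName = 'CA revocation checks (svchost)'   # placeholder name
$remoteIp = ($ips -join ',')
"netsh advfirewall firewall add rule name=`"$ruleName`" dir=out action=allow " +
"program=`"%SystemRoot%\system32\svchost.exe`" protocol=TCP remoteport=80,443 " +
"remoteip=$remoteIp"
```

Two limitations are worth knowing before relying on the output. The list covers only CAs whose certificates are already in the local stores; an intermediate certificate served by a website can point at a CRL or OCSP host that is not in that list, which is why the posters report the rule needing regular additions. The addresses are also just the current DNS answers, and CDN-hosted OCSP responders change them, so the script has to be re-run and the rule replaced periodically; it only emits IPv4 entries, so IPv6 revocation traffic would still be blocked.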