Windows 7 Firewall Control Plus

Discussion in 'other firewalls' started by Fuzzfas, Oct 8, 2009.

Thread Status:
Not open for further replies.
  1. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    I'm afraid I don't understand what you are saying. Maybe you're being sarcastic or I'm missing something ...

    My dear friend, that is exactly the problem I'm facing (not being able to have full control).
    Running apps with or without admin rights should not be relevant to whether the firewall alerts me about inbound connections, or to allowing some app to insert rules into the firewall without any notification.
    And it seems there is nothing I can do to change that.

    No other firewall (that I know of) is working like that.
     
  2. wat0114

    wat0114 Guest

    I've got the inbound block notification set to "Yes", always have, but I've not once seen a notification. It could be a result of sitting behind a router, so nothing on the outside world can attempt inbound anyway? @pabrate, you have more control than you think. After installing the app, check your rules and modify or delete any rule(s) the app may have created.
     
  3. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    I wish that would help, but alas.
    If I delete or change the rules that are inserted by the app, they revert the next time I run that app to the default ones the app wanted in the first place.
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    No, I'm not trying to be sarcastic. I am only saying that you should be very careful with the programs that want to run with admin rights. If you allow any program to run with admin then the program is in control of the OS and not you.

    And for me this is something not acceptable. The only programs that need to run with admin rights are imaging apps and similar that need direct disk access and security applications. Everything else like this particular example does not and should not need admin rights.

    Microsoft made the folders "C:\Users\User\appdata\local" and especially "C:\Users\User\appdata\roaming" for this very reason. Why should this program ask for admin rights, only because it wants to update the logs in its program directory? (this is the real reason that needs admin rights and not because it has to control other apps).

    Panagiotis
     
  5. wat0114

    wat0114 Guest

    I agree 100% with pandlouk. Why, indeed, should any programs be permitted to dictate control on their machines. The user should be in full control.
     
  6. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    This particular example needs to read logs (poker hand history) from history folder.
    Never mind the example and this particular app , I get what you are saying and couldn't agree more.
    However, firewall should be separate from all that and simple alert wouldn't hurt.
    If that alert is left non-functional on purpose because of noobs and average Joes, then at least Microsoft should have left it optional, to be turned on via some complicated procedure with a registry setting or something.
    Why would it be so impossible for a user to have a scenario where he wants an app to run with admin rights but doesn't want that app to use inbound connections? Leave it up to the user to decide I say :)

    Besides, for example .. what if I don't want to use UAC and at the same time want to use firewall ?
    In that case I don't have full control over the firewall because any app can insert their rules in it.
    That's all I'm saying, they should have made it to work separate from UAC.
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    It seems that you just don't get it.
    When you run all programs in an admin account with UAC disabled you have 0 control of what happens on your pc.
    The firewall should be the least of your worries.

    Panagiotis
     
  8. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Maybe I speak Chinese and you Romanian.

    I'm talking about options here buddy.
    Let's paint a picture here, say we replace Windows built-in security features with Comodo.
    I execute app, Comodo asks me do I want to run it with elevated priv. , I say YES , app runs and then Comodo Firewall asks me do I want to allow inbound/outbound access for it. Ok ?

    Windows scenario with same app :
    I execute app, UAC asks me about elevated priv. , I say YES, app runs and sets firewall access as it wishes. Firewall is mute.

    Now, I'm talking about firewall, you are talking about admin rights and UAC.
    Can't paint it clearer than that.

    btw it doesn't matter, forget about it. I'm gonna forget it for sure ;)
     
  9. wat0114

    wat0114 Guest

    pabrate, the win7/Vista fw simply doesn't have all the hand-holding, alerting bells and whistles most 3rd party fw's have. With it you may be sacrificing convenience but gaining rock-solid stability in return. Take your pick.
     
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Very true. I know what I am talking about... you don't.

    -Windows firewall api is open to programmers. http://msdn.microsoft.com/en-us/library/aa366449(v=VS.85).aspx
    Comodo interfaces are not.

    -Windows firewall is a pure firewall.
    Comodo is a full blown hips.

    -I talk about admin privileges and you talk about UAC.
    In case you don't know an OS can be run from a LUA(Limited User Account) too and not only from an Admin account.

    ps. already forgotten.;)
    Panagiotis
     
  11. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    That's all I wanted to hear.
    It's just not clear in win7 firewall configuration when those inbound alerts occur.
    That's why I spent so much time trying to figure that out.
    What I wanted was simple alert about incoming connection (no matter if that app is going to destroy MBR of HD after that)
    Then the confusing part was after those rules are inserted, why I can't edit them and make those changes permanent.
    That's just weird (configuration wise) , firewall is good, no doubt about that.

    That's that, all is clear now, thanks and have a nice day :)
     
  12. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    You are very interesting character , I must say that :)

    Sorry if I offended your precious Windows firewall or maybe hurt your feelings in some way by asking whether it is possible for Windows firewall to alert me about incoming inbound, and how to prevent some app from bypassing the firewall and inserting rules at its own pleasure.

    Instead of a simple yes or no, you are explaining to me the dangers of running an app with admin rights.

    Thanks for the lessons though :rolleyes:
     
  13. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Thanks... I guess...:rolleyes:

    I already explained that Windows firewall will not alert you for rules already created by you or by an application for that matter.
    And since you do know Comodo, I do not remember that it alerts you for already created application rules either (unless they changed the way it behaves). As a matter of fact no firewall will do that. :)
     
  14. wat0114

    wat0114 Guest

    pabrate, I don't know why I never thought of this earlier, but you mention the app re-creates the rule every time, so just create an identical "Block" rule and that will override the Allow rule it creates. It should work.
     
  15. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    That's right, if you delete or edit those rules (for example put "Block" instead of "Allow") the rules are going to be re-created.

    Tnx for the tip, I thought of that but I'm not sure how that would work (order of rules).
    So if you know how that works in WinFirewall please do tell (see below what I mean).

    So let's take that holdemindicator once again as an example.
    It creates two Allow rules, one for TCP and the other for UDP.
    If I create two new rules which block incoming connections for that app, should they be above or below the original ones?

    Once again, I think the main problem (for me that is) is that MS decided to allow other apps to insert their rules in the firewall.
    Another thing is that it would be a lot easier if there were an option to Block everything Incoming, except for those apps which are added manually.
    Of course, in that case any app that tries to insert its rules in that configuration would not be able to do that.
     
  16. wat0114

    wat0114 Guest

    Verified that this am and you are correct.

    The block will rule over the allow rules. Please see here.


    Physically in the rules list it does not matter where they are placed.

    I agree it would be beneficial if Win7 fw alerted to an app attempting to insert its own rules.

    This I think is actually possible using the authenticated bypass option, using ipsec rules, but I don't know how that's accomplished because it's a feature I've never tried. Actually, it doesn't seem to be a feature for home computers.
     
    Last edited by a moderator: Jun 28, 2010
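
Added example, not part of any post in this thread: one way to get the notification the posters above are asking for is to keep a baseline of enabled inbound rules and report any allow rule that appears later, noting whether an enabled block rule for the same program already overrides it. It uses the Windows Firewall COM API (`HNetCfg.FwPolicy2`) so it runs on the PowerShell 2.0 shipped with Windows 7; the baseline path is an assumption, and the override check compares program and protocol only, not ports, addresses or profiles.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Windows 7).
param(
    # Assumed baseline location; any path the current user can write to works.
    [string]$BaselinePath = "$env:LOCALAPPDATA\fw-inbound-baseline.xml",
    [switch]$UpdateBaseline
)

# Constants from the Windows Firewall API (INetFwRule).
$DIR_IN = 1; $ACTION_BLOCK = 0; $ACTION_ALLOW = 1; $PROTO_ANY = 256

function Get-InboundRule {
    # Enumerate enabled inbound rules through the HNetCfg.FwPolicy2 COM object.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($r in $policy.Rules) {
        if ($r.Direction -ne $DIR_IN -or -not $r.Enabled) { continue }
        New-Object PSObject -Property @{
            Name     = $r.Name
            Program  = [string]$r.ApplicationName
            Protocol = [int]$r.Protocol
            Action   = [int]$r.Action
            Key      = "$($r.Name)|$($r.ApplicationName)|$($r.Protocol)|$($r.LocalPorts)|$($r.Action)"
        }
    }
}

$current = @(Get-InboundRule)
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline saved: $($current.Count) enabled inbound rules."
    return
}

$known = @{}
foreach ($b in @(Import-Clixml -Path $BaselinePath)) { $known[$b.Key] = $true }

# Allow rules that appeared since the baseline, e.g. inserted by an elevated app.
$new = @($current | Where-Object { $_.Action -eq $ACTION_ALLOW -and -not $known.ContainsKey($_.Key) })
foreach ($rule in $new) {
    # A block rule wins over an allow rule wherever it sits in the list, so look
    # for an enabled block rule on the same program and protocol (or any protocol).
    $blocks = @($current | Where-Object {
        $_.Action -eq $ACTION_BLOCK -and $_.Program -and $_.Program -eq $rule.Program -and
        ($_.Protocol -eq $rule.Protocol -or $_.Protocol -eq $PROTO_ANY)
    })
    $state = if ($blocks.Count -gt 0) { 'overridden by block rule' } else { 'ACTIVE' }
    Write-Output ("NEW inbound allow [{0}] {1} proto={2} program={3}" -f $state, $rule.Name, $rule.Protocol, $rule.Program)
}
if ($new.Count -eq 0) { Write-Output 'No new inbound allow rules since baseline.' }
```

Run it once to record the baseline, then again after launching the application in question; pass `-UpdateBaseline` after reviewing and accepting a change.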
  17. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Thank You wat0114.
    I think I'll switch to built-in security features of Windows 7 pretty soon.
     
  18. wat0114

    wat0114 Guest

    You're welcome and I hope all works out for you. BTW, I had another go at holdemindicatorsetup.exe and it at least seems to run just fine under an lua, after of course it's installed in an administrative account, plus it does not reapply the inbound rules under lua :) Strange, though, that it kept looking for a table non stop so I don't know if it's because a license is needed or other rules, such as outbound. For experimental purposes, I gave it all outbound access any protocol/ip but it still searched continuously for a table, and the logs did not reveal any blocks so maybe it did need a license??
     
  19. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    It seems they updated it. When I tested it 3 days ago it would not run from LUA or from Sandboxie with Drop Rights restriction.

    Panagiotis
     
  20. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    That is weird, I just downloaded latest version (I always have latest because I have license and it auto-updates) but for the sake of this I uninstalled it first and then installed it (under Admin) , and when I run it (under LUA), it asks for admin password to continue.

    That 'looking for a table' message is normal, I have that one too (licensed) , it's looking for a poker table in order to attach itself to it so it can gather data.
    Since you probably didn't load any poker table there you go :)
    As I said before, you can block both inbound and outbound and it will work.
    It only needs outbound when app is executed to check license key and updates.
     
  21. wat0114

    wat0114 Guest

    I had configured Applocker to allow "Everyone" rights to run it, so that might explain why it ran under lua for me? When you supplied credentials to run it under lua, does it re-install the inbound fw rules?
     
  22. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Yes, it re-installs the rules.

    I'm new to Applocker so I hope you can explain few things for me cause It seems it's not working for me.
    I'm logged as LUA.
    So I run Local Security Policy as Admin.
    There it says I need to go to services and make Application Identity service to start Automatic and then Start the service. So I did that.
    Next what I did was going to Executable rules and then I clicked on Auto-Generate Rules.
    In that wizard I allowed everything on Program Files and Windows to run for Everyone (Hash Rules)
    It created rules and holdemindicator was included as well.
    I thought that was it and then I executed holdemindicator.exe; it ran but still asked for admin rights.
    Then I executed some app which was in some other folder than ProgramFiles and Windows (just to test Applocker) but that app executed as well.
    I thought maybe reboot is needed so I did that.
    Same thing after reboot.

    What am I doing wrong ?
     
  23. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    OK, I figured Applocker (trick was to enforce rules).
    Now that works as it should (tested).

    But holdemindicator still requires admin rights.

    Well, I don't know what to do here. I'm of the opinion that if I'm using Applocker I don't really need LUA and UAC then.
    I'm thinking about working under Admin account, UAC disabled, WindowsFirewall, DEP ON on ALL, SEHOP ON, MSE and Applocker.

    What do you think guys ?
     
  24. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    I would re-enable UAC, it complements applocker under Admin account
     
  25. wat0114

    wat0114 Guest

    pabrate, check the AppLocker logs under: Computer Management->Event Viewer->Applications and Services logs->Microsoft-Windows->Applocker... They may offer clues as to what's happening when something doesn't work as you think it should. BTW, holdemindicator runs a script as seen in the ss to install the inbound fw rules.
     
