Windows Firewall w/Advanced Security: An option worth consideration

Discussion in 'other firewalls' started by wat0114, Oct 11, 2017.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    A member of this forum recently asked me about my ruleset for this firewall, which has re-kindled my interest in this often underappreciated firewall. For the last few years I had enabled it only for basic inbound protection, so I decided to re-enable Outbound protection, allowing applications network access only when an applicable rule exists.

    This firewall has excellent network filtering capabilities and really can be a viable option for those who simply want program control to the Internet without the process protection (HIPS) that are often included in 3rd-party options, and don't mind putting in the extra effort it requires to set up application rules. It's already built into Windows so there is no added potentially buggy software which can cause system instability, conflicts or crashes.

    There is an excellent older and locked thread on it here that applies to Windows Vista and 7. I'm not too sure if all these options are available on Win 10 or any Windows Home versions.

    In my case I'm using Win 7 Ultimate. My current Outbound ruleset which I thought to share is attached below. To generate the firewall's ruleset, open a command prompt as Administrator and type:

    Code:
    netsh advfirewall monitor show firewall rule name=all dir=in >path_to_directory\filename.txt

    Use dir=out for saving Outbound rules to a text file. You can view firewall Audit Success or Fail attempts by enabling IPsec as described here. I highly recommend this be enabled so you will know how your trusted programs such as web browsers and email clients require network access. Of course you can also create rules to secure DNS queries, ICMP requests, and such. Again, I don't know if this will work on Windows versions below Pro, Enterprise or Ultimate.

    Anyone who wants to share their thoughts and experience, by all means please do so.
     

    Attached Files:

    Last edited: Oct 13, 2017
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    Using Windows Firewall w/advanced settings since Win8, I block all connections (In & Out) on all profiles, and created allow rules on the fly in less than a minute. Not so hard to do if a user is willing to spend some time to learn it.

    Actually using Binisoft WFC, to fasten the process but still let all connections blocked.
     
    Last edited: Oct 11, 2017
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    That's a good idea using a 3rd-party fw to create rules, especially if you're gaming and your games use numerous servers. I did that a few years ago using Jetico fw. Afterwards it's a matter of replicating the rules in Windows fw, except in your case better because Binisoft does it for you.

    BTW, I use the Public profile always with its default set of Core rules, and notice I tie svchost process to its specific service for each rule such as wuauserv.exe for updates, DNS Client for DNS queries and W32Time for the time service.
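    The setup described in the first post and the svchost-per-service rules mentioned just above, as an added example that is not the thread author's own script: a batch file of netsh advfirewall commands for an elevated command prompt. The service short names, ports, the Public-profile scoping and the DNS server address are assumptions chosen for illustration, and the audit step assumes the linked guide enables the Filtering Platform Connection audit subcategory.

```batch
@echo off
rem Added example (not from the thread). Run from an elevated cmd prompt.
rem Service names, ports and the DNS address below are assumptions.

rem 1. Default-deny both directions on every profile, so traffic passes
rem    only when an explicit allow rule matches (no block rules needed).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 2. Also log dropped packets to the built-in firewall log file.
netsh advfirewall set allprofiles logging droppedconnections enable

rem 3. Outbound allow rules for svchost.exe, each tied to one service short
rem    name so other services hosted in svchost.exe cannot use the rule.
set SVCHOST=%SystemRoot%\System32\svchost.exe
rem Constructed documentation address; replace with your actual resolver.
set DNS_SERVER=192.0.2.53

netsh advfirewall firewall add rule name="Windows Update (svchost/wuauserv)" ^
  dir=out action=allow profile=public enable=yes ^
  program="%SVCHOST%" service=wuauserv protocol=TCP remoteport=80,443
rem To pin this rule to the update servers, append remoteip=ADDRESS_LIST
rem once the blocked addresses have been collected from the audit log.

netsh advfirewall firewall add rule name="DNS Client (svchost/Dnscache)" ^
  dir=out action=allow profile=public enable=yes ^
  program="%SVCHOST%" service=Dnscache protocol=UDP remoteport=53 remoteip=%DNS_SERVER%

netsh advfirewall firewall add rule name="Windows Time (svchost/W32Time)" ^
  dir=out action=allow profile=public enable=yes ^
  program="%SVCHOST%" service=W32Time protocol=UDP remoteport=123

rem 4. Audit allowed (event 5156) and blocked (event 5157) connections in
rem    the Security log, so needed-but-blocked traffic can be identified.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

rem 5. Dump the resulting rulesets to text files for review or sharing.
netsh advfirewall monitor show firewall rule name=all dir=in > %USERPROFILE%\Desktop\fw_in.txt
netsh advfirewall monitor show firewall rule name=all dir=out > %USERPROFILE%\Desktop\fw_out.txt
```

After running it, check the Security log for 5157 events from trusted programs and add narrowly scoped allow rules rather than loosening the defaults.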
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Latest and probably finalized rulesets for both incoming and outgoing rules, using the Public profile...

    As an added extra, I included the specific program file's path for each Outgoing rule. You'll see I've even restricted the Microsoft update rule for svchost - wuauserv.exe service to a wide range of MS Update server IP addresses. I build upon the list whenever I discover blocked connections upon running the Windows update service.
     

    Attached Files:

    Last edited: Oct 13, 2017
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    512
    Location:
    Land o fruits and nuts
    I like your thinking, would block rules be everything, or just public?
    How does win FW treat that?
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Block rules can be created for any of the profiles or all of them. The option is available under the Advanced tab of the specific rule selected. Actually if you block either inbound, outbound or both by default, then you really don't have to create block rules, since only a defined allow rule will allow the connection. The "block SMB ports" rule in the outbound rules was already one of the pre-defined default rules, along with the "Core Networking" rules, included in all the profiles, so I just left it alone.

    Btw, if you use the firewall, it's a good idea to check through the rules that you are using for the profile you've selected. Some programs upon installation will generate rules "behind the scenes" without you knowing unless you go looking for them. Some might be necessary but are often too permissive or not necessary at all. Google Chrome browser of late does this by creating multicast UDP rules in the Inbound rules used for a service called Chromecast, used for streaming media between a device such as an iPhone or iPad and your TV. I don't need it so I disabled the rules, as well as the option under chrome://flags.

    chrome_multicast_fwrules.PNG
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,080
    Be aware some Windows services bypass Windows Firewall. I don't know if any malware exploits that or not...
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,513
    Location:
    Slovenia
    Thanks for that. I always wondered what this rule is for or if it should be disabled.
     
  9. petok

    petok Registered Member

    Joined:
    Jan 11, 2015
    Posts:
    23
    Is this rule, mDNS (UDP-Out), better disabled or enabled?
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    You're welcome. I disabled mine yesterday, and so far nothing seems broken.

    I don't see those in my Outbound rules, either in the enabled or disabled rules?? Are they tied to Chrome?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Why not simply use WFC, or is this any different than your method?
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    For me and the relatively basic setup of Internet-facing programs I use, I prefer to create the rules manually without 3rd-party aid. The big difference is that my method is done without an additional program installed and running on the system.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    OK I see. I think it's a shame that M$ made it so hard to manage the Windows Firewall, without WFC I would have been using a third party firewall. My approach is very simple, I auto-block all apps and most system processes from outbound and inbound access, unless they need it to function.
     
  14. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    422
    Location:
    Italy
    For needed rules you can check the link in my signature
     
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,931
    Location:
    Mexico
    Thanks for that guide. It seems quite comprehensive, amazing.
     
  16. petok

    petok Registered Member

    Joined:
    Jan 11, 2015
    Posts:
    23
    It is from the Windows 10 system, but I disabled the rule for now and will see the next day.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    I agree it would be great if one could create rules on the fly from pop-ups, but as I remember seeing somewhere in these forums, 3rd-party vendors might complain about unfair competition. On my Windows 10 gaming machine that my son primarily uses, I confess that I would have to use a 3rd-party product to create rules because they would be far more extensive than on my Win 7 laptop.
     