Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No idea. Dshield didn't provide that info. The URL you mentioned does mention it at the bottom... at least, something regarding it.

    Anyway, I had to allow quite a few IPs. I just didn't bother checking them out anymore. I'm losing my patience with Windows firewall, to be honest. I can't possibly understand the design of restricting by IP only. I sincerely hope Windows 8 firewall changes that. I'm seriously thinking of going back to Outpost Firewall Pro again.

    Today I had to allow IPs... tomorrow, I'll have to allow IPs... etc. What's the point of having outbound control, if it's a pain in the neck to deal with... o_O

    The same goes for so many other restrictions, like only allow a web browser to access the e-mail service domains... Impossible... and to track down IPs... well... also impossible, because they're always bouncing.

    I just don't think Windows firewall is worth the burden any more. :(
     
  2. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I feel your pain. Getting tired of it all myself. I'm behind a router with firewall so I may give in. I've spent a lot of time with this but like you say, MS, akamaitechnologies, Comodo, Verisign, McAfee etc.., you research it, allow address or range and then they bump to another ip range. Although mine has tamed down a lot since starting on this. I rarely get an alert now but heck, why should I, I've allowed practically the entire net, lol
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which totally defeats outbound traffic filtering, in the first place.

    One thing I started to realize is something regarding Microsoft Security Essentials. To be honest, I still haven't tried to find out how deeply the two variables are connected (Windows Update and Microsoft Security Essentials). But, I have rules allowing Microsoft Security Essentials to look for updates via MpCmdRun.exe and to connect to any IP address.

    After this IP fiasco thing, I started to notice that MpCmdRun.exe fails to connect to the Internet. Apparently, for what I could understand, MpCmdRun.exe would only try to connect to the Internet if Windows Update could not (which was the case, because the IPs were being blocked), but it would then be blocked... o_O

    Allowing the IPs (Windows Update), MpCmdRun.exe wouldn't try to connect, at all. Which does make me consider that this process only tries to connect when Windows Update cannot. Yet, it miserably fails doing it. o_O
     
  4. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Is there any clue for what Windows processes/services would need to be allowed with manual rules if one would turn on the outbound blocking? I'm studying this thread, but haven't yet seen any lists, apart from the mention of Windows Update. I'm running Windows 7.

    Also, is it needed for the programs to specify any port ranges, or would it be enough from the security perspective to, say, just allow Firefox outbound all and not bother with the ports? Or same with Steam games, which use many ports, both UDP and TCP? Firewalls like L'n'S require specific allowed port rules for games to work and I thought if WFW would be different in this matter?

    I would like to say thanks for the guide, by the way, as it's comprehensive and very easy to read =).
     
  5. wat0114

    wat0114 Guest

    For any browser I specify rules for, I like to restrict to the following remote TCP ports:

    80, 443, 554, 1755, 1935

    No problems with this approach yet :)
     
  6. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    I haven't been able to figure out how to get Google Chrome through it (Win7). If the outbound is set at "Outbound connections that do not match a rule are allowed", it gets through just fine, but not default deny without a matching rule. When I look at TCPView, the only connections that I see are chrome.exe and sometimes GoogleUpdate.exe, and I've created rules for those processes. Those are the same processes that I see in Process Explorer too, except I'll see a rundll32 running with low integrity every now and then. Sometimes however, no google processes show in TCPView. I assume this has something to do with the proxy settings, but it's using the same proxy as IE, I think, and I can get IE through it just fine. If someone could help me out with this I would appreciate it.
     
  7. wat0114

    wat0114 Guest

    Hi Kirk,

    assuming you have Chrome installed in your user directory, these rules should work. Just replace the path where I've erased my name with your name. Note that it is two rules duplicated for both the administrator account and my user account, with the exception that with googleupdate.exe I've restricted it to specific ip address/CIDR masks in my user account (not necessary to restrict this way, except I was just experimenting at the time).

    Last edited by a moderator: May 14, 2011
  8. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    Hey wat,

    Thanks for the response. Ok, I matched yours except for the ip addresses and the different accounts. I still can't get through.:p Surely Prevx wouldn't have anything to do with this, would it? That's the only active protection that I'm using atm, and IE gets through just fine, and Chrome uses the same proxy settings as IE, right?
     

    Last edited: May 14, 2011
  9. wat0114

    wat0114 Guest

    Could be Prevx is somehow doing it, but I've never used it before. Give me a few minutes to check in the vm, because I've not used Chrome in several months. Those rules are just left over from when I last used it but, who knows, maybe there's something still needed. Hang tight!
     
  10. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    Ok, my rules that I used before changing them to match yours, allowed all ports and all protocols, which should cover it, right? I was just trying to get it through, because ports 80 and 443 weren't working originally. I got to step out for just a minute too, but I won't be long though.
     
  11. wat0114

    wat0114 Guest

    Yes, that should work, and I just finished checking in the vm with latest chrome installed and the rules match exactly what I posted above, so they should have worked for you. However, maybe in your case try changing %USERPROFILE% to the literal path, similar to what I've used (C:\users\name\...) BTW, you made your rules as Outbound, right (looks like you have)?
     
  12. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    You got it wat! It was the PATH! I'll remember this little lesson.;)

    Thanks for the help wat, I really appreciate it.:)
     
  13. wat0114

    wat0114 Guest

    You're welcome! I've seen that path anomaly in AppLocker as well.
     
  14. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    What are those last three ports for? Something to do with updates etc?
     
  15. wat0114

    wat0114 Guest

    No, streaming media. Port 1935 is more commonly seen than 554 or 1755, but I've seen on rare occasion the need to allow to the latter two, so I include them in my browser and media player rules.
     
  16. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Well that explains it, thanks for clarifying! Didn't take that into consideration at all.
     
  17. wat0114

    wat0114 Guest

    You're welcome! Over very extensive testing with software firewalls, I've determined those remote ports can be included without exception in all my browser and media player rules.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi!

    regarding ports 80, 443, 554, 1755, 1935

    For the thread, here are their IANA definitions, available from the sticky at the top of the other FW's forum

     
  19. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Escalader, thanks for the definition.

    I've now switched to the WF with outbound default-deny, and pretty much all seems to be running well. I however have a few questions left if anyone could have time to answer =).

    First is what I asked earlier: are there more services related to Windows which need internet access and therefore their own outbound rule? I've now allowed Windows Updates through the guide on the front page, but after seeing with other firewalls that a few other Windows services tend to connect on logon, I thought I'd check that here.

    Also, how can I enable logs easily? For some reason, I can't see any activity in Event Viewer, either at Microsoft/Windows/Windows Firewall with Advanced Security/Firewall or Windows logs/Security. If I choose logging through the "main window", I can't access the log file without giving myself rights for that file every time, as it seemingly resets the security settings. Also, the log file doesn't give much information on things like what programs want to connect. Is there any way to make this clearer?

    And last: how can I prevent 3rd party programs making their own rules? It seems that at least Steam games have some sort of ability to add their own rules, as they have crowded the Inbound rules area. Is it the case that the rules are created without user consent only when WF is off and if it is on, you have the ability to deny them? As I haven't used WF on this installation before this and there are some pretty new programs.

    Edit!: My Internet Connectivity Center (Windows 7) does show "partial connection" maybe 10 seconds after logon. It hasn't done this before. Does this have something to do with the service rules I asked about?
     
    Last edited: May 17, 2011
  20. wat0114

    wat0114 Guest

    I've attached a ss of my collection of various rules regarding services and other rules that are at least somewhat non-standard, including those for java and flash.

    If you need to tie a rule to a specific service, for example process svchost, then check out the first post (linked below) in this thread by Stem, and scroll down to "Adding Rules for svchost", and view the screenshots.

    -http://www.wilderssecurity.com/showpost.php?p=1449570&postcount=1

    Also, note some of my rules are "Core" rules, which are already built-in.

    The link below takes you to Wilders member Sparviero's excellent description on how this can be done, although it may only work if you are running the Pro or Ultimate Win7 version.

    -http://www.wilderssecurity.com/showpost.php?p=1717632&postcount=135

    That may be hard to do, although you could go in afterward and delete or modify the rule to your liking.
     

    Last edited by a moderator: May 17, 2011
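    An added example, not from the thread, the guide's first post, or wat0114's screenshots: a service-specific outbound rule for svchost.exe, which is what the "Adding Rules for svchost" section referred to above achieves through the GUI, plus the built-in text log that Spysnake asked about. netsh advfirewall's service= parameter binds the rule to one service short name, so the rule matches only that service's traffic and not every service sharing that svchost instance. The service names used (wuauserv for Windows Update, Dnscache for DNS Client) are standard Windows names; the port choices and log size are assumptions for the example.

```powershell
# Added example (not from the thread): bind outbound rules to individual services
# hosted by svchost.exe, then enable the built-in pfirewall.log. Run elevated.
$svchost = '%SystemRoot%\system32\svchost.exe'   # WFAS expands %SystemRoot% itself

# Windows Update (service short name wuauserv): allow only that service, TCP 80/443
netsh advfirewall firewall delete rule name="svchost - Windows Update (out)"
netsh advfirewall firewall add rule name="svchost - Windows Update (out)" dir=out action=allow program="$svchost" service=wuauserv protocol=TCP remoteport="80,443" profile=any enable=yes

# DNS Client (service short name Dnscache): UDP 53 only
netsh advfirewall firewall delete rule name="svchost - DNS Client (out)"
netsh advfirewall firewall add rule name="svchost - DNS Client (out)" dir=out action=allow program="$svchost" service=Dnscache protocol=UDP remoteport=53 profile=any enable=yes

# Sanity check: which services each svchost.exe instance is actually hosting.
# If a service you expected is not listed, a rule bound to it will never match.
tasklist /svc /fi "imagename eq svchost.exe"

# Built-in logging: record dropped connections for every profile. The default
# file is %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log; size is in KB.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096

# The text log lists date, time, action, protocol, addresses and ports, but NOT
# the program or service, which is why it looks uninformative. Reading it needs
# an elevated prompt because of the file's ACL. (Select-Object rather than
# Get-Content -Tail so this also works on Windows 7's PowerShell 2.0.)
Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log" | Select-Object -Last 20
```

    The delete-then-add pattern keeps the script re-runnable without accumulating duplicate rules, and the tasklist check is worth doing once after a Windows update, since a service moving to a different svchost group does not break a service= rule but a renamed or removed service does.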
  21. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Are those all your non-standard rules?

    This would be the best thing ever! If it only worked :D. It seems that I do have auditpol.exe which is required for the command, but I'm getting error "0x00000057: Parameter isn't correct" (translated from Finnish). Maybe someone knows if this is indeed related to my Home Premium lacking some features?

    Yes, I can do that pretty easily, just wanted to know if there would be a feature to block that, as... well, malware could exploit it too ;).

    Thank you once more!

    Also, one question popped to my mind; are the ICMP rules required for normal connections? Should I just allow all ICMP events?
     
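    An added example, not from the thread or from Sparviero's linked post: enabling the Windows Filtering Platform audit subcategory with auditpol and reading the resulting Security-log events, which do carry the program path that pfirewall.log lacks. auditpol subcategory names are localized, so on a non-English Windows the English name can be rejected; the GUID form used here is language-independent (the GUID is assumed to be the one for "Filtering Platform Connection"). Event 5157 is "the Windows Filtering Platform has blocked a connection"; its fields are read from the event XML rather than the message text, so the parsing does not depend on the display language either. Whether this subcategory is available on Home Premium is not something the example can settle.

```powershell
# Added example (not from the thread): audit blocked connections via WFP and list
# which program was blocked, to where, on which port. Run elevated.
# Assumption: the GUID below is the "Filtering Platform Connection" subcategory.
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:enable

function Get-BlockedConnections {
    param([int]$Count = 50)   # how many recent 5157 events to examine

    # 5157 = WFP blocked a connection (Security log). SilentlyContinue so an
    # empty log does not throw.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Count -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields out of the XML; Data Name values are fixed
        # identifiers, unlike the localized labels in $e.Message.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Direction is stored as a resource-string id: %%14592 inbound, %%14593 outbound
        $dir = switch ($d['Direction']) { '%%14592' { 'In' } '%%14593' { 'Out' } default { $d['Direction'] } }

        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Direction   = $dir
            Application = $d['Application']   # NT device path, e.g. \device\harddiskvolume1\...
            DestAddress = $d['DestAddress']
            DestPort    = $d['DestPort']
            Protocol    = $d['Protocol']      # IANA protocol number (6 = TCP, 17 = UDP)
        }
    }
}

# Summarise the most recent blocks per program and destination port
Get-BlockedConnections -Count 200 |
    Sort-Object Application, DestPort, DestAddress -Unique |
    Format-Table Time, Direction, Application, DestAddress, DestPort, Protocol -AutoSize

# The audit writes one event per blocked packet, which can flood the Security log
# on a default-deny outbound setup; turn it back off when the investigation is done:
# auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:disable
```

    Read the Application column against the rules you think you have: a process showing up here with the right name but a different volume or folder than the rule's program path is the same path mismatch Kirk hit earlier in the thread, now visible in the log instead of being guessed at.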
  22. wat0114

    wat0114 Guest

    They're just some of the less conventional rules I have, in some cases the ones that aren't as obvious for some people, especially the java and flash ones.
     
  23. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Hi,

    I wonder if it's really a security plus to configure each program with rules for ports.
    Look'n'Stop, which is probably the best firewall, doesn't create these rules "by default", and it doesn't seem to be a security problem.

    What do you think about it? Thanks.
     
  24. wat0114

    wat0114 Guest

    I've seen several times in the past where dodgy connection attempts were made to different remote ports such as 81 or 82. These aren't necessarily used only by dodgy sites, but they are not mainstream ports either.
     
  25. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    So it's really an argument for better security and not only for geeks.
     