Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Yes, I would say so, although I'm no expert at all on typical malware outbound connection attempts. All I know is that the ports I've restricted my browsers and other apps to are the only ones required for normal day-to-day Internet connectivity. Why leave other doors wide open if they're not needed?
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I decided to revise the firewall rules. There's been some time. I had forgotten about a few rules I was playing with, as a way of learning more about it, and left them enabled. They're not needed in my setup, though, such as rules related to IPv6, including IP-HTTPS, teredo...

    My Internet device does not support IPv6, and IPv4 access is just fine, and it will be for quite some time. When it stops working, then it means I need to get a new device... and, I'll be older :argh:

    I'll also have to create rules explicitly blocking other apps, because they keep enabling rules allowing them, when I upgrade them. :ouch: Block rules take precedence, so... hopefully that will do the trick... unless they go behind my back and delete them. :ninja: :rolleyes:
     
  3. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    It will work on your system, but you have to translate the auditpol.exe SubCategory parameters into their Finnish equivalents.

    See this post where I helped somebody with the same issue who was using the French version of Windows: https://www.wilderssecurity.com/showpost.php?p=1846199&postcount=5
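    One way to sidestep the translation problem entirely, as an added example that is not part of sbseven's post: auditpol.exe also accepts the subcategory's GUID instead of its localized display name, so the same commands work on a Finnish, French or English Windows. The two GUIDs below are the documented ones for the two Windows Filtering Platform subcategories; run from an elevated command prompt.

```batch
rem Added example (not from the thread): enable auditing of packets and
rem connections dropped by the Windows Filtering Platform, addressing the
rem subcategories by GUID rather than by localized name.

rem Filtering Platform Packet Drop -> event 5152 in the Security log
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem Filtering Platform Connection -> event 5157 (blocked) / 5156 (allowed)
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem Verify: the labels printed are localized, but the lookup by GUID is not
auditpol /get /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}"
auditpol /get /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}"

rem Then filter the Security log on event IDs 5152 and 5157 to see what
rem the firewall dropped and build the missing rules from those entries.
```

Enabling success auditing on Filtering Platform Connection logs every permitted connection (event 5156), which is very noisy; it is useful while you are building rules and worth switching back to failure-only afterwards.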
     
  4. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Thank you, I will definitely try this one out!
     
  5. wat0114

    wat0114 Guest

    Someone has asked me for my rules, so here they are in text format. The program path, where applicable, is included, including the service - also where applicable. Also included are recently added "Call of Duty - World at war" outbound and inbound rules, and a couple Google Chrome rules (I don't use Chrome any more but did a while ago). There might be some mistakes, hopefully not, because I've been watching the hockey game tonight. Canucks just won 1-0 in game one :)

    ...I'll go over them tomorrow and make corrections if required.

    EDIT - 06/06/2011

    Some more fine-tuning. These should be more or less final.
     


    Last edited by a moderator: Jun 6, 2011
  6. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Thanks for the rules.
    I've got a question about it: are the rules by default (for core networking, for example) powerless? Why did you change them? Do you want to know each rule used by the firewall?
    I asked that because I don't understand all the rules and I hope that the rules by default are enough.
     
  7. wat0114

    wat0114 Guest

    You're welcome. No, core rules, at least not all of them, are not powerless, and you'll even see I've used some of them. Others, however, especially for the browsers, CoD, utilities that can search for updates, and email, are tightened up a bit with port restrictions, and even IP restrictions for email. I could even restrict such as MBAM and IMGBurn, for example, to specific IPs, but that may be getting carried away.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    A tip. If you're running some application that creates rules allowing communication, but you'd like not to allow them, you should do two things.

    1. Disable the rules for those applications (Not really needed, because of 2.)
    2. Create a new rules specifically blocking either outbound/inbound communication for that application. That is, create a new rule and name it differently, and then block the process in question.

    Don't simply disable the rules created by the applications, otherwise an upgrade will enable them, and you'll have to always disable them again.

    Windows firewall will first look for a block rule, only then for an allow rule. So, even if an application enables a rule allowing communication, the block rule will block it.
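    The procedure above in netsh form, as an added example that is not part of m00nbl00d's post. The application name, rule names and program path are placeholders; run from an elevated command prompt. Windows Firewall with Advanced Security evaluates rules in a fixed order (authenticated bypass, then block, then allow, then the profile's default action), which is why a block rule with its own name survives the vendor's rule being re-enabled by an upgrade.

```batch
rem Added example (not from the thread): pin down an installer-created
rem allow rule with an explicit, separately named block rule.

rem 1. List outbound rules and spot the ones the vendor created for its binary
rem    (each "Rule Name:" line is followed by that rule's "Program:" line)
netsh advfirewall firewall show rule name=all dir=out verbose | findstr /i /c:"Rule Name" /c:"exampleapp.exe"

rem 2. Add block rules under your own names. Do NOT merely disable the
rem    vendor rules: the next upgrade re-enables them, the block rules stay.
netsh advfirewall firewall add rule name="Block ExampleApp outbound (mine)" dir=out action=block program="C:\Program Files\ExampleApp\exampleapp.exe" enable=yes profile=any
netsh advfirewall firewall add rule name="Block ExampleApp inbound (mine)" dir=in action=block program="C:\Program Files\ExampleApp\exampleapp.exe" enable=yes profile=any

rem 3. Verify the block rules are present and enabled
netsh advfirewall firewall show rule name="Block ExampleApp outbound (mine)"
netsh advfirewall firewall show rule name="Block ExampleApp inbound (mine)"

rem 4. Confirm the effect: with Filtering Platform auditing on, attempts by
rem    exampleapp.exe now appear as event 5157 in the Security log.
```

Step 1 is optional (as m00nbl00d says, disabling the vendor rules is not needed); the block rule is what does the work, and it is matched by the program path, so it also covers any new allow rule the application creates later for the same executable.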
     
  9. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I was afraid about my configuration: I used Windows firewall rules for ICMP, etc... and personal rules for other programs.
    Thanks for the precisions :)
     
  10. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    Even if you open incoming ports for ICMP, do you also have to do the same on the router if you use one?
     
  11. wat0114

    wat0114 Guest

    Probably, and this is a tricky one for me anyway with CoD although not so much with icmp because CoD doesn't seem to need so much as it does incoming udp protocol (my son plays it), so CoD recommends not to use a router, or to port forward the necessary ports. My router is an awful, user unfriendly, unit provided by my ISP, which is also used to route tv services through it. I haven't yet figured out the solution, so temporarily, at least, I've placed my machine on the DMZ, using Win fw to protect it. No problems so far. This affords the multiplayer functionality to work quite well. I'm not even sure I need those inbound rules, unless I host a LAN or server, which I don't intend on doing. I'll have to figure this out along the way, as this is the first time ever I've installed and run a game of this nature.

    BTW, CoD does create its own fw rules upon installation. Too wide open for my liking, so I've restricted them to specific ports as needed, not easy to do because I kept having to search for and record dropped packets, then create and constantly modify the rules until I got them just right.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is someone using Mozilla Thunderbird? Could you share your rules?

    The reason I'm asking is that a relative uses Mozilla Thunderbird. Right now, Windows firewall is only protecting against inbound comms. In other words, Windows Firewall with Advanced Security is not enabled.

    It took me quite some time to have the chance to install Chromium and apply my security tweaks. Asking to let me make use of WFAS would be overwhelming. :eek:

    So, as soon as I can I'll enable WFAS, and after all the rules, my relative will have no concerns about things not having enough permissions.

    Unfortunately, I use the web browser to access my e-mail, and I can't test stuff right now.

    If anyone could share what rules you created for Thunderbird, it would be great. By the way, it's a Gmail account that is used. POP connection.

    I know POP server is on port 995... But, I don't know what other rules Thunderbird would need to properly function. Including inbound comms, if it needs them.

    It would be a lot easier if it was Windows Live Mail, because one relative with WFAS uses it, so I'd just have to mimic the rules. :ouch:


    Thanks
     
  13. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Hi,

    My rule for thunderbird : tcp out on 25, 80, 110, 443, 465, 587, 993, 995

    No problem. I use a gmail account, 2 orange accounts and a hotmail account.
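    EboO's port list as a single program-scoped rule, with the profile's default outbound action set to block so that only explicitly allowed traffic leaves, as an added example that is not part of EboO's post. The install path is the default 32-bit location and is an assumption; adjust it for your system. It also goes one step beyond EboO's list and shows the tighter set that m00nbl00d's Gmail-over-POP case needs (995 for POP3S, 465/587 for submission, 443 for account setup), leaving out the cleartext 25/110 ports.

```batch
rem Added example (not from the thread): Thunderbird restricted to mail
rem ports, on top of a block-outbound-by-default profile.

rem 1. Make the Public profile drop anything that has no allow rule
rem    (inbound is already blocked by default; this adds outbound)
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

rem 2. EboO's full list: one outbound TCP allow rule for the executable
netsh advfirewall firewall add rule name="Thunderbird mail ports (mine)" dir=out action=allow program="C:\Program Files\Mozilla Thunderbird\thunderbird.exe" protocol=TCP remoteport=25,80,110,443,465,587,993,995 profile=any enable=yes

rem 2b. Tighter variant for a single Gmail POP account (TLS ports only);
rem     use instead of 2, not in addition to it
rem netsh advfirewall firewall add rule name="Thunderbird Gmail POP (mine)" dir=out action=allow program="C:\Program Files\Mozilla Thunderbird\thunderbird.exe" protocol=TCP remoteport=443,465,587,995 profile=any enable=yes

rem 3. Verify the profile policy and the rule
netsh advfirewall show publicprofile
netsh advfirewall firewall show rule name="Thunderbird mail ports (mine)"
```

Name resolution is done by the DNS Client service (svchost.exe), not by thunderbird.exe, so with outbound blocked by default the built-in "Core Networking - DNS (UDP-Out)" rule must stay enabled or Thunderbird will not find the mail server even though its own rule is correct.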
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks... I didn't need that many, though. My relative didn't need the laptop today, so I had some time to figure things out. :thumb:

    @ all

    I'm having a little difficulty making Windows Live Messenger connect. The rules I've created are as follows:

    I allowed outbound comms for process msnmsgr.exe to ports 80, 443, 53, 1863 and to ports 1025-65535.

    I also created rules for wlcomm.exe and wlidsvc.exe to port 443.

    Then, looking at Event Viewer, I noticed process msnmsgr.exe needed a rule for Link-local Multicast Name Resolution. So, I created that rule.

    But, now I always get svchost.exe also trying to communicate with LLMNR as well.

    Have you guys created such a rule? Or, did you bind it to some default rule? The only rules I found, so far, regarding LLMNR are for network detection, and they apply for private and domain profile. My relative has a direct Internet connection, which means Public profile.

    The other rules are related to Files and Print sharing.

    So, what rules have you created to make Live Messenger work properly?


    Thanks
     
    Last edited: Jun 14, 2011
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    I'm not really sure that the svchost.exe rule has anything to do with it. I also see that wlcomm.exe communications to DNS IPs are also blocked, despite the fact I created a rule allowing them. o_O
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I run into this with wlcomm every now and then. I travel around using different ISP's and notice that it will change with the area that I am at. I've gone ahead and opened it up in Advanced Security but allow individual addresses through Malware Defender as they popup.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I am not blocking wlcomm.exe. I'm allowing it, but it gets blocked o_O There's nothing to open up in Windows firewall. Nothing that I'm able to figure out, anyway.

    But, moments ago Live Messenger did give me a warning to verify if I have an account. I entered bogus info in the e-mail and password forms. But, now it shows the same messages, saying there's a problem with my relative's connection.

    If I can't figure this damn thing out... I'll have to disable outbound control... :(

    I can't possibly understand why software vendors never provide all the needed info regarding firewall rules.

    By the way, does it need any inbound rules?
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My guess is that the svchost.exe rule (for Link-local Multicast Name Resolution) comes into play.

    -edit-

    OK. If I enter a real hotmail address and enter a bogus password, it will complain that they do not match. So, it can initiate the sign-in process. But, then it won't be able to proceed with the communication, which I believe is because wlcomm.exe's communication is being blocked, even though allowed.

    Could wlcomm.exe also need inbound rules? Can anyone share whatever Live Messenger created or yourself?

    Thanks

    -edit-

    I reinstalled Live Messenger, and it did create the inbound rules, but it's not working either. It has got to do with the svchost.exe thing. I'll have to waste some time figuring it out, why it bloody needs it. lol
     
    Last edited: Jun 14, 2011
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK.

    I tested in my own computer, under my Public profile. I only enabled rules for the Public profile. I'm able to sign in just fine.

    So, I'm going to see if only enabling the rules for the Public profile on my relative's system does the trick. I hope so.

    Now, this does bring to the table the LLMNR. Apparently, Live Messenger needs it... for the Private profile. But, the LLMNR rule is enabled in Private profile. So... any thoughts why it fails? lol
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I worded it wrongly. I just meant that I allow any address for port 80 and wlcomm with Advanced Security outbound. Malware Defender gets the single address one at a time as they popup. I do check the addresses out before permanently allowing them in MD.


    I agree. Trying to keep it restricted as much as possible, it gets aggravating for me at times since my knowledge of this is very limited.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :argh:

    After narrowing things down, I finally managed to make it work on my relative's computer.

    When I first created the rules, I created the rules for wlidsvc.exe, which I thought I could restrict to the Windows Live ID Sign-In Assistant service that either Windows Live Messenger or Windows Live Mail installs on Windows.

    First, let me say that we can't restrict wlidsvc.exe to that service, otherwise sign-in fails.

    After I had created those rules, I copied & pasted them so that I could fasten things up to create wlcomm.exe rules.

    I forgot that I had restricted wlidsvc.exe to the Windows Live ID Sign-In Assistant service, hence preventing wlcomm.exe communications.

    o_O o_O :blink:
     
  22. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    274
    Hey,

    Sorry for my noob question :D
    Would it be recommended for a normal user to add "general rules" for all connections in the Win 7 FW? I'm new to this so please, gently ;)

    I do use Windows 7 Firewall Control from binisoft.org that reports which connection to where is needed and I'll tweak it. But I'm troubled about those general system-wide FW rules. Hopefully experts here can shed some light on my dilemma :)
     
  23. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Please, which rules do you use for keeping Flash up to date?
    I'm using the latest version but it never checks for updates and when I try to make an update it can't.
     
  24. wat0114

    wat0114 Guest


    There are two of them...
     


  25. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Sorry... I'm going to try them. Thanks.
     