Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Stem (Firewall Expert; joined Oct 5, 2005; 4,948 posts; UK)

    Thanks for finding that.


    - Stem
     
  2. firzen771 (Registered Member; joined Oct 29, 2007; 4,815 posts; Canada)

    Alright, thanks, I'll be on a university network, so I guess it would be nice to have this function.
     
  3. wat0114 (Guest)

    Thanks Stem. I tried again and took some screen shots. With three of the svchost Block rules disabled and out of the picture, leaving only the Routing and Remote access service "Block" rule enabled, wuauserv seems clearly to be blocked when I attempt Windows update scan. PID 920 is blocked and the only service spawned by that svchost process that appears related to Windows updating is wuauserv. Please note the svchost - wuauserv service "Allow" rule is enabled as well.
     

  4. Stem (Firewall Expert; joined Oct 5, 2005; 4,948 posts; UK)

    Hi wat0114,

    From the log I take it that your ISP is running IPV6 across its network.
    If it is directly related to IPV6 I cannot check, as my ISP is not using the protocol (it struggles with IPV4 lol).


    - Stem
     
  5. wat0114 (Guest)

    I have no idea o_O How can you tell from the log? I'm also connected to a home router (ISP-supplied D-Link on Telus' DSL).
     

  6. Stem (Firewall Expert; joined Oct 5, 2005; 4,948 posts; UK)

    Ignore that, for some reason I thought Protocol 6 was IPV6; I only realised what I had done when I came back to the forum. :D


    I just made win7 updates, and yes, you are correct. If the router service is directly blocked, then that blocks win updates. I just did not have a rule to specifically block (or allow) the router service.


    - Stem
     
  7. wat0114 (Guest)

    Thank you for confirming. Maybe it's a bug then, because that "Block" rule is for the specific Routing & Remote Access service, which of course is disabled.
     
  8. sparviero (Registered Member; joined Apr 23, 2009; 88 posts)

    Hi wat0114

    Not a bug, I would say rather that it is misconfigured.

    First you should configure the services and the Local Area Connection.

    Go to Services,

    1. stop DNS Client ==> Startup Type: Disabled

    2. Windows Update ==> Startup Type: Manual

    Open a command window as administrator and type the following command:
    ipconfig /flushdns

    Open Local Area Connection

    configure something like this: Untitled1.png


    Open Windows Firewall with Advanced Security

    1. Make sure all inbound connections are blocked and outbound connections that do not match a rule are blocked

    2. Delete all default rules (you can restore the Default Policy if you need it) and your custom rules. All of them!

    3. Create new Outbound Rules (separate UDP/TCP for the same app.) something like this: Untitled.png

    For the Windows Update rule (both UDP/TCP) select svchost as the program, then the service Windows Update - wuauserv
    No more unsolicited/automatic outbound connections!

    I wish you a very beautiful day...
     
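    The firewall part of the steps above, plus the "core" DNS/DHCP rules and the export/import of a policy that come up later in the thread, written out with netsh advfirewall (present on Vista and 7). This is an added example, not sparviero's or wat0114's own commands; it assumes an elevated prompt, a backup path of your choosing, and that the DNS Client service is left enabled (unlike sparviero's step 1), so one rule on the Dnscache service covers name resolution.

```powershell
# Added example, not from the thread: "block all, then allow only what is
# needed", built with netsh advfirewall. Run from an elevated prompt.
$backup = "$env:USERPROFILE\Desktop\wfas-before.wfw"   # assumed path, pick your own

# Keep a restorable copy first. 'netsh advfirewall import $backup' brings it
# back, and 'netsh advfirewall reset' restores the out-of-box default policy.
netsh advfirewall export $backup

# Block inbound, and block outbound traffic that matches no rule, on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Remove all rules, default and custom, so that only explicit allow rules remain.
netsh advfirewall firewall delete rule name=all

# Windows Update: svchost.exe limited to the wuauserv service, one rule per
# protocol as the post recommends (add a matching protocol=UDP rule if needed).
$svchost = "$env:SystemRoot\System32\svchost.exe"
netsh advfirewall firewall add rule name=WU-wuauserv-TCP dir=out action=allow `
    "program=$svchost" service=wuauserv protocol=TCP remoteport=80,443

# The "core" rules: DNS and DHCP, each tied to its owning service rather than
# to svchost.exe as a whole (assumes the DNS Client service stays enabled).
netsh advfirewall firewall add rule name=Core-DNS dir=out action=allow `
    "program=$svchost" service=Dnscache protocol=UDP remoteport=53
netsh advfirewall firewall add rule name=Core-DHCP dir=out action=allow `
    "program=$svchost" service=Dhcp protocol=UDP localport=68 remoteport=67

# Check the result: profile policy, then every rule now defined.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

    With outbound-default-block in place, anything you did not write an allow rule for is dropped, which is why the Block rules discussed above become unnecessary.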
  9. wat0114 (Guest)

    Thank you for your time sparviero! However, I'm not so sure I want to go that route, disabling the DNS service then assigning separate DNS rules for every Internet-venturing app, although I've done that in the past with 3rd party firewalls. I know for sure my current svchost ruleset blocks it unless I disable two of the Block rules, so I think I'll stick with it for the time being. Take care :)
     
  10. pandlouk (Registered Member; joined Jul 15, 2007; 2,976 posts)

    wat0114, just pay attention that, when you block a service, Windows Firewall seems to block also the services and drivers that it depends on to run properly.

    When you block "Routing and Remote Access", the service "Remote Access Connection Manager" (RasMan) is also blocked, and that causes "Windows Update" to fail (I have not figured out why, though).
    Same if you block ICS or RasAuto.

    If you deactivate "Remote Access Connection Manager", Windows Update will proceed without problems. ;)

    Panagiotis

    edit: 10 minutes ago it worked and now it doesn't. o_O Probably because both depend on the "Remote Procedure Call (RPC)" service.
     
    Last edited: Sep 25, 2010
  11. wat0114 (Guest)

    Interesting how one action influences another. I never before thought of the dependencies of a service possibly having an effect on the firewall rules. Thank you for the information, Panagiotis!
     
  12. pandlouk (Registered Member; joined Jul 15, 2007; 2,976 posts)

    You are welcome. :)
    I edited my previous post before you replied. It seems to be caused by the "Remote Procedure Call (RPC)" service.

    Panagiotis
     
  13. Stem (Firewall Expert; joined Oct 5, 2005; 4,948 posts; UK)

    It is the "Routing and remote access" that depends on "Remote Access Connection Manager" not the other way around.
    If any services/system components depended on the "Routing and remote access" service, then they would have problems as that service is disabled by default.


    - Stem
     
  14. pandlouk (Registered Member; joined Jul 15, 2007; 2,976 posts)

    o_O Actually I said the same thing...
    "...when you block a service, Windows Firewall seems to block also the services and drivers that it depends on to run properly." => "Routing and Remote Access" depends on "Remote Access Connection Manager"....

    Panagiotis
     
  15. Escalader (Registered Member; joined Dec 12, 2005; 3,710 posts; Land of the Mooses)

    Here are my current settings for W7 64-bit update services.

    These x@+n services are like a project planning network with many dependencies. If I had the time and energy I could produce a network chart/diagram depicting every one.

    It's possible to disable one and then, without being aware of the downstream dependencies, kill a few other services you really need!

    Be real careful. :D
     


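    A way to see the dependency chain that pandlouk, Stem and Escalader are discussing, as an added PowerShell example that is not code from this thread: it walks ServicesDependedOn recursively for Routing and Remote Access (service name RemoteAccess, with Remote Access Connection Manager being RasMan) and lists what, if anything, depends on it. It assumes PowerShell 2.0 or later; drivers appear in the tree because ServicesDependedOn includes them, which plain Get-Service does not.

```powershell
# Added example (not from the thread): print the services and drivers a service
# requires, then the services that require it.
function Show-ServiceDependencyTree {
    param(
        [Parameter(Mandatory = $true)][System.ServiceProcess.ServiceController]$Service,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # Kernel and file-system drivers show up here too (Get-Service alone would not list them).
    $kind = if ($Service.ServiceType -match 'Driver') { 'driver' } else { 'service' }
    '{0}{1}  "{2}"  [{3}, {4}]' -f ('  ' * $Depth), $Service.Name, $Service.DisplayName, $kind, $Service.Status
    # Shared dependencies such as RPC sit under several parents; expand each one only once.
    if (-not $Seen.Add($Service.Name)) { return }
    foreach ($dep in $Service.ServicesDependedOn) {
        Show-ServiceDependencyTree -Service $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

function Get-DependentServiceNames {
    param([Parameter(Mandatory = $true)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Stem's point: if this list is empty, disabling or blocking $Name cannot
    # starve any other service of a dependency.
    @($svc.DependentServices | Sort-Object Name | ForEach-Object { '{0} ({1})' -f $_.Name, $_.DisplayName })
}

# Routing and Remote Access is 'RemoteAccess'; Remote Access Connection Manager is 'RasMan'.
Show-ServiceDependencyTree -Service (Get-Service -Name RemoteAccess)
Write-Output ''
Write-Output 'Services that depend on RemoteAccess:'
Get-DependentServiceNames -Name RemoteAccess
```

    Swap RemoteAccess for wuauserv to see which components a Windows Update scan is relying on before you block any of them.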
  16. sparviero (Registered Member; joined Apr 23, 2009; 88 posts)

    Hi wat0114

    If you started with this configuration:

    A global block rule is being used, so now the permission rules are what is needed, not others that block again.

    Because you make firewall rules that have apparent conflicts, it is important to understand the order in which the rules are processed.

    As soon as a network packet matches a rule, that rule is applied, and processing stops.
    For example, a network packet is first compared to the rules.
    If it matches one, that rule is applied and processing stops.
    The packet is not compared to the other rules. If the packet does not match an allow rule, then it is compared to the block rules.

    If it matches one, the packet is blocked, and processing stops, and so on.

    I wish you a very beautiful day...
     
  17. wat0114 (Guest)

    Hi sparviero,

    That is my default configuration as the Public profile is also active. I've taken your advice to heart and simplified the rules, purging most of the Block rules as a result. I get carried away sometimes creating all kinds of rules, maybe because it helps me better understand things and keeps me more or less sharp :)
     
  18. sparviero (Registered Member; joined Apr 23, 2009; 88 posts)

    Ok, since you are always more sharp ;), a beautiful and simple last aid.

    Windows provides advanced users with a flexible interface through which they may configure and monitor the system from one place, the Microsoft Management Console (MMC).

    Creating a Console File:

    Open Start ==> Run, type mmc. Microsoft Management Console starts with an empty root console.

    On the console menu, open File, then Add/Remove Snap-in.

    The Add or Remove Snap-ins box opens; from Available snap-ins, use Add > to move them to Selected snap-ins:

    Something like this:
    console.png

    Save as (ex. Security Control).

    Go to Start ==> All Programs ==> Administrative Tools, your <console name>, or right-click on it and Pin to Start Menu or Taskbar

    Have fun and I wish you a very beautiful day...
     
    Last edited: Oct 4, 2010
  19. wat0114 (Guest)

    Very nice again sparviero, thank you :)
     
  20. m00nbl00d (Registered Member; joined Jan 4, 2009; 6,623 posts)

    I'd like to know if anyone is using Windows Live Messenger and which rules you have applied.
    I already got all the rules written down on paper, after checking them out with Outpost Firewall Pro.

    I want to give proper allow rules and deny rules (which according to Outpost is one block rule). But, actually, I'll also block remote assistance. I'm only looking for the basic rules which allow "conversation", and sending/receiving stuff.
    I want to deploy this for a family member, but to be honest, I'm not a user of Windows Live Messenger, and I can't ask him to test because he's on holiday, and I'd like to have it all set before he arrives.

    Anyway, if anyone already has rules set in place, and wouldn't mind sharing, so I could give it a run and see if it fits the needs, it would be great. I don't want to give more permissions than it needs to be functional, nor fewer permissions and then have to check it all over again.

    And, WLM is just one of quite a few apps I need to look into, and it would be a time saver, for sure.


    Thanks

    Edit: Hope you guys and girls understand what the rules are.
     
  21. Konata Izumi (Registered Member; joined Nov 23, 2008; 1,557 posts)

    Can one import/export rules for Windows Firewall with Advanced Security for Windows 7?

    I want to have all traffic denied except Windows Update and Internet Explorer.
     
  22. wat0114 (Guest)

    You're blocking a lot with that approach. What about dns, dhcp, application updates, etc...?

    It's possible to export/import the rules. See screenshot :) If required you can easily restore the default policy.

    @M00nBl00d, I don't use Live Messenger, but that rule set is probably excessive. Clearly, it is covering every possible scenario imaginable.
     

  23. Konata Izumi (Registered Member; joined Nov 23, 2008; 1,557 posts)

    I see. Can you create a ruleset for me that will block everything but the 'most needed' rules for normal browsing in IE and being able to do Windows Update?
    I can then modify the ruleset to whitelist the very few 3rd party apps I have.
     
  24. m00nbl00d (Registered Member; joined Jan 4, 2009; 6,623 posts)

    Yes, indeed. Most likely all that will be needed will be

    MSN Messenger file transfer: TCP; Outbound; 6891-6900; Allow (Pretty sure it is needed to transfer files... Makes sense, at least taking in consideration the rule's name. lol)

    Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow (Stateful Inspection)
    Windows Live Messenger STUN connection: UDP; Outbound; 3478; Allow

    STUN seems to be needed
    Source: https://secure.wikimedia.org/wikipedia/en/wiki/STUN

    Windows Live Messenger HTTPS connection: TCP; Outbound; HTTPS; Allow
    Windows Live Messenger HTTP connection: TCP; Outbound; HTTP-83; Allow
    Windows Live Messenger DNS UDP connection: UDP; DNS SERVERS; DNS; Allow (Obvious reasons)
    Windows Live Messenger Block 1900 port: UDP; 1900; Block

    I'll try to set those rules, and then see if my family member is able to work just fine with it, which I think he will. Those rules seem to be all that is actually needed. No webcam, no remote assistance...
     
  25. wat0114 (Guest)

    Attached is a screenshot of my latest rules, built in part with the aid of rules I created using the Jetico firewall. You can create your IE or other rules based on mine if you like. You may need some "Core" rules at least for dhcp and dns. If you are not on a network, choose "Public" as the active profile and "All inbound connections are blocked" and "Outbound connections that do not match a rule are blocked". This way you will not actually have to create block rules, because anything without a rule will be blocked by default. I have created some block rules just because I like to do this sort of thing, rather than out of necessity :)

    Those rules look good and might just work. You may only need HTTP 80, rather than 80-83, but I'm not entirely sure.
     
