Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Just found an interesting article about ICMP rules; in this case for inbound control.

    http://articles.techrepublic.com.com/5100-10878_11-5087087.html

    I only had Destination Unreachable and Time Exceeded allowed. Not sure if others are really necessary, though.

    Anyway, any of you might be interested in the article. Just thought of sharing it.
     
  2. wat0114

    wat0114 Guest

    ICMP: echo reply, time exceeded and unreachable inbound is okay afaik. Echo request outbound only is advised. You will want echo reply inbound and echo request outbound as the only other two necessary. I'm not so sure there's anything wrong with letting broadcasts outbound (as I've done), as long as inbound are blocked. You have to be careful not to get carried away with too much blocking, but I guess for most individual home PCs, it's probably harmless. Stem or someone else can better answer this for sure.

    My inbound rules attached as well. Certainly a lot of unnecessary ones because inbound is blocked by default, but, again, created for my own entertainment purposes.
     

    Last edited by a moderator: Oct 13, 2010
  3. Konata Izumi

    Konata Izumi Registered Member

    Does the Win7 firewall have SPI? o_O
    I'm on a router with NAT but no SPI and/or firewall.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    http://technet.microsoft.com/en-us/library/dd364480(WS.10).aspx
     
  5. Rilla927

    Rilla927 Registered Member

    Just wondering if ICMP rules should be bound to specific ports? Maybe Stem will chime in.
     
  6. wat0114

    wat0114 Guest

    Simple answer, no.
     
  7. Rilla927

    Rilla927 Registered Member

    Okay thanks.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    I'm wondering if you're asking because it's on Outpost rules (I'm asking because I've seen you starting a learning Outpost thread some time ago)? If so, I don't see DNS connection rules, only the following:

    Anyway, I'm also setting rules for Windows Firewall, having Outpost rules as a starting point, and from what I could understand that process belongs to Windows SQM Consolidator, which in turn is part of the Windows Messenger Service Quality Monitor (SQM). (http://www.greatis.com/vista/Utilities/w/wsqmcons.exe.htm)

    Something related to Windows Live & MSN Messenger, sending info on how you make use of Messenger: http://forums.techguy.org/windows-vista/620893-windows-sqm-consolidator.html

    Maybe others will explain better, if I'm wrong. And, if I'm wrong, I'm just saying back what I've been reading, so don't be too harsh on me. lol

    -Edit-

    Which also makes me wonder why there would be any rules for Consent.exe (UAC) for

    Does it really require Internet access? o_O

    The same would apply for these 3 rules, as well:

    Why would Windows Search want to connect to Microsoft? o_O
     
    Last edited: Oct 14, 2010
  9. wat0114

    wat0114 Guest

    Hey, it makes me wonder, too, and I've been unable to find an explanation via Google as to why. I block it outright.
     
  10. Rilla927

    Rilla927 Registered Member

  11. m00nbl00d

    m00nbl00d Registered Member

    Thanks for the link.

    -Edit-

    I guess that if no rules are even created, in Windows Firewall, then no need to even care for it (Except for Feedback.exe, which belongs to Outpost.), unless there are some inbound rules.
     
    Last edited: Oct 15, 2010
  12. m00nbl00d

    m00nbl00d Registered Member

    Why do you block it? With a block all connections out if not matched, won't it be blocked by default? Or, is there some other default rule (by Microsoft) that allows it?

    I'm guessing UAC connects with Microsoft to provide them with information about the processes users either allow or deny permission? No idea.

    P.S: I've noted that, in one of your earlier posts, you block access to the Remote Registry service. Do you find that necessary? Won't disabling the service suffice? Or is there something deep beneath that service that still allows some sort of connection?
     
  13. Rilla927

    Rilla927 Registered Member

    If they have access to the internet it is a possible open vector for malware, the way I understood it.
     
  14. Rilla927

    Rilla927 Registered Member

    How did you end up with that rule for outbound? On all my profiles I have this (see picture). I want to have the same rule you have but I don't know how you did it. This doesn't make sense: I found the setting in each profile and set it to block outbound, and then I had no internet connection. I'm using the Public profile and it shows in the screenshot that Private is active. Does the order of the rules matter?
     

    Attached Files: WFW.jpg
    Last edited: Oct 15, 2010
  15. m00nbl00d

    m00nbl00d Registered Member

    In mine, Public is active, and this is what I got

    [Screenshots: windows_firewall_block_all_unsolicited_outbound.jpg and windows_firewall_block_all_unsolicited_outbound2.jpg]

    Just went to Properties and then chose to Block outbound traffic.

    When I first set up my Internet connection (direct connection), Windows asked me what I wanted to apply to it: Domain, Private or Public. Public is mine.
     
  16. Rilla927

    Rilla927 Registered Member

    Thanks moonblood, I found the problem.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    What was it? If you could share, others who may be having the same problem could solve it. :) (And, I'm also curious. lol)
     
  18. wat0114

    wat0114 Guest

    I'm using Jetico 2 fw lately.

    I'm not sure. I haven't really looked at the ip address origins yet.

    Maybe, maybe not. I just create the rule, again, simply to help me understand things better (hands on helps me this way) even if it's not necessary. It doesn't hurt anyway.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Oh, OK. Trying out other ones. :)


    I get you. I do that sometimes. And sometimes it's a good way of learning what rules really are.
     
  20. wat0114

    wat0114 Guest

    Actually used it before, just recently renewed the license on it and using it to aid me in finalizing the Win7 fw ruleset, which I'm so close to finalizing. It's difficult to accurately build all the rules with Win7/Vista's fw because of the lack of pop-up functionality. Jetico is light, has apparently exceptional packet filtering capabilities with detailed logging, and a serious, Spartan-like GUI, so I've always had an affinity for it :)
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Yeah, Microsoft could make it a lot easier, for example, by having outbound blocked by default, and then creating rules for well-known and digitally signed applications, by checking hashes as well; and giving advanced users the opportunity to modify such rules.

    Then again, third-party vendors would complain. :(

    Anyway, I'm also doing the same using Outpost, in my case. I guess you know that by now, considering some of my previous posts regarding some rules. It helps a lot.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    A mind exercise.

    Current situation: All inbound traffic blocked. This means what it means, all inbound traffic gets blocked.

    Only as a mind exercise, imagine I'd block inbound to port 445. What would be the best way? Block to all programs and choose what port to block (445), or simply block inbound traffic to the Port itself? I'm leaning towards the second option. Am I correct assuming it?
     
  23. wat0114

    wat0114 Guest

    I think your latter idea would work. If you see mine, 3rd rule from bottom inbound, I just used the built-in File and Printer sharing rule block to System.
     
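The ICMP rules from post 2, the profile-wide outbound block from post 15 and the port 445 block discussed in posts 22 and 23, written up as an added example: this is my own batch script for netsh advfirewall (the command-line interface to Windows Firewall with Advanced Security on Vista/7), not anything posted in the thread, and the rule names are my own.

```batch
@echo off
rem Added example, not from the thread: the ruleset discussed above as
rem netsh advfirewall commands. Run from an elevated command prompt.
rem Rule names are mine.

rem 1. Default policy: drop anything not matched by a rule, both directions,
rem    on all profiles (the "Block outbound traffic" setting from the profile
rem    Properties dialog, applied to Domain, Private and Public at once).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 2. ICMPv4 inbound: only the replies and error messages this host needs.
rem    type 0 = echo reply, 3 = destination unreachable, 11 = time exceeded
netsh advfirewall firewall add rule name="ICMPv4 echo reply in" dir=in action=allow protocol=icmpv4:0,any profile=any
netsh advfirewall firewall add rule name="ICMPv4 destination unreachable in" dir=in action=allow protocol=icmpv4:3,any profile=any
netsh advfirewall firewall add rule name="ICMPv4 time exceeded in" dir=in action=allow protocol=icmpv4:11,any profile=any
rem    ICMPv4 outbound: echo request (type 8) only, so ping and tracert
rem    from this PC keep working.
netsh advfirewall firewall add rule name="ICMPv4 echo request out" dir=out action=allow protocol=icmpv4:8,any profile=any

rem 3. Explicit inbound block on TCP 445 for the port itself, not tied to a
rem    program (the second option in the mind exercise above). Redundant
rem    while the default is blockinbound, but it still holds if a File and
rem    Printer Sharing allow rule is enabled later: an explicit block rule
rem    takes precedence over an allow rule.
netsh advfirewall firewall add rule name="Block TCP 445 in" dir=in action=block protocol=TCP localport=445 profile=any

rem 4. Verify the policy and the new rule.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Block TCP 445 in" verbose
```

With blockoutbound in place nothing leaves the PC until you add outbound allow rules (DNS, browser, Windows Update) for the profile that is actually active, which is why the outbound block in post 14 cut off the internet connection.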
  24. Rilla927

    Rilla927 Registered Member

    Sure I can. I didn't realize that my profile was linked to when I installed the OS as you pointed out in your post so I changed it. Also, I had previously unchecked Domain and Private on all my rules cuz I was using Public profile; big mistake. I then went back and changed every rule to apply to all profiles and then blocked all outbound for all profiles and it works great.

    I'm learning.... I'm so grateful that Stem worked with me on OutPost. That helped a lot. And now I found the hole I had so everything is good. I find it much easier using WF than OP so I'm going to stick to it.

    I have the FW set to notify me if anything gets blocked with no rule.
     
  25. Rilla927

    Rilla927 Registered Member

    I have all inbound connections blocked no exceptions. Port 445 (if I remember correctly is used for VPN's) is blocked outbound also.
     