windows services and internet access.

Discussion in 'other firewalls' started by argus tuft, May 29, 2007.

Thread Status:
Not open for further replies.
  1. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Hi all,
    My questions are basically this:
    Which Windows services actually require internet access in order to function properly?
    I use Comodo FW, and so far, alg.exe, svchost.exe, and system all have pretty lax rules set, and I would like to tighten them up.

    Does svchost actually need to access any site other than Windows Update?
    I suspect not; if that is the case, what IP / IP range do I need to allow? i.e., what's the actual IP of http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

    As I see it, limiting svchost to accessing Windows Update would cut down on all those (for example) "itunes.exe may be using svchost to connect to the internet" popups, as Comodo would then automatically block any attempts to go to an IP that wasn't Windows Update.

    And what about alg.exe, and system? Is there any need to allow them access?

    Thanks, argus :)
     
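The popups described above ("itunes.exe may be using svchost to connect to the internet") come from the fact that one svchost.exe process hosts several services, so a firewall can only say which process is talking, not which service. The following is an added example, not code from this thread or from any poster, that maps each running svchost.exe instance to the services it hosts and to the TCP/UDP endpoints that process currently owns. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection` and `Get-NetUDPEndpoint`) and an elevated PowerShell session; the function name `Get-SvchostNetworkMap` is my own.

```powershell
# Added example (not from the thread): map each svchost.exe instance to the
# services it hosts and to the network endpoints that process currently owns.
# Assumes Windows 8 / Server 2012 or later and an elevated session so that
# OwningProcess is populated for every socket.

function Get-SvchostNetworkMap {
    [CmdletBinding()]
    param()

    # Service -> process mapping comes from the service control manager via CIM.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 }

    # Sockets owned by processes: TCP connections/listeners and bound UDP ports.
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint  -ErrorAction SilentlyContinue

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id } |
            Select-Object -ExpandProperty Name)

        $tcpEndpoints = @($tcp | Where-Object { $_.OwningProcess -eq $proc.Id } |
            ForEach-Object {
                "TCP {0}:{1} -> {2}:{3} ({4})" -f $_.LocalAddress, $_.LocalPort,
                                                  $_.RemoteAddress, $_.RemotePort, $_.State
            })
        $udpEndpoints = @($udp | Where-Object { $_.OwningProcess -eq $proc.Id } |
            ForEach-Object { "UDP {0}:{1}" -f $_.LocalAddress, $_.LocalPort })

        [PSCustomObject]@{
            PID       = $proc.Id
            Services  = ($hosted -join ', ')
            Endpoints = ($tcpEndpoints + $udpEndpoints)
        }
    }
}

# Usage: show only the svchost instances that currently hold a network endpoint,
# i.e. the ones a per-process firewall rule would actually be deciding about.
Get-SvchostNetworkMap | Where-Object { $_.Endpoints.Count -gt 0 } |
    Format-List PID, Services, Endpoints
```

Running it while a popup is on screen tells you which service group (for example Dnscache, Dhcp or wuauserv) sits behind the svchost PID the firewall is asking about, which is the information the per-process rule cannot give you.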
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    svchost.exe would also need access for DHCP/DNS.

    alg.exe is used for ICS and I think the Windows Firewall. If you use neither it can be blocked.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    and Windows Updates :)
    You should make rules for DNS lookups, DHCP and Windows Updates and block the other instances of svchost.exe
     
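The two replies above (DHCP/DNS, plus Windows Update, with other svchost.exe traffic blocked) describe a service-scoped allow list. The thread is about Comodo, which has to be configured by hand, but the same policy can be scripted on the built-in Windows Firewall, which since Windows 8 / Server 2012 can scope a rule to a specific service inside svchost.exe. The following is an added example, not from the thread or any poster: it assumes that newer Windows version, an elevated session, and the rule-name prefix `svchost-allowlist`, which is my own convention so the rules can be found and removed again.

```powershell
# Added example (not from the thread, and not a Comodo rule set): the policy
# "allow svchost.exe only for DNS, DHCP and Windows Update, block the rest"
# expressed as Windows Firewall rules. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated session. The rule-name prefix is an
# assumed convention.

$svchost    = "$env:SystemRoot\System32\svchost.exe"
$rulePrefix = 'svchost-allowlist'

# Service short name, protocol and remote port(s) each one needs. Windows Update
# hosts change addresses (as the thread explains), so those rules are scoped by
# port rather than by IP range.
$allow = @(
    @{ Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = '53';       Note = 'DNS lookups (UDP)' },
    @{ Service = 'Dnscache'; Protocol = 'TCP'; RemotePort = '53';       Note = 'DNS lookups (TCP fallback)' },
    @{ Service = 'Dhcp';     Protocol = 'UDP'; RemotePort = '67';       Note = 'DHCP client' },
    @{ Service = 'wuauserv'; Protocol = 'TCP'; RemotePort = '80','443'; Note = 'Windows Update' },
    @{ Service = 'BITS';     Protocol = 'TCP'; RemotePort = '80','443'; Note = 'Update downloads' }
)

# Remove rules from an earlier run so re-running the script is safe.
Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($entry in $allow) {
    New-NetFirewallRule -DisplayName "$rulePrefix $($entry.Service) $($entry.Note)" `
        -Direction Outbound -Action Allow `
        -Program $svchost -Service $entry.Service `
        -Protocol $entry.Protocol -RemotePort $entry.RemotePort | Out-Null
}

# "Block the other instances of svchost.exe": do NOT add a block rule for
# svchost.exe, because Windows Firewall evaluates block rules before allow rules
# and a program-level block would override the service-scoped allows above.
# Instead make the profile deny any outbound traffic no allow rule covers.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# Review what was created.
Get-NetFirewallRule -DisplayName "$rulePrefix*" |
    Select-Object DisplayName, Enabled, Direction, Action
```

Two points a practitioner should note. First, the rule precedence mentioned in the comments is real: in Windows Firewall an explicit block rule wins over an allow rule, so "block the rest" has to be expressed as the profile's default outbound action, not as a block rule on svchost.exe. Second, once the default outbound action is Block, every other program without an allow rule is also cut off, which is the same "work around the limitations" situation later posts in this thread describe; test on a non-production machine and keep `Set-NetFirewallProfile -All -DefaultOutboundAction Allow` at hand to revert.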
  4. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    alg.exe can be turned off via Services if you are not using the Windows FW or ICS. One less thing to be concerned with and a few less K's of memory used.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Well if you really want, you can deny all windows services access to the internet and then just work around the limitations.
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi argus tuft :)

    Svchost may also access Network Time Protocol sites, but this service is useless. (The PC clock keeps the time and date; if not, change the battery...)

    If you want to make rules to allow Windows Updates to a specific range of IP addresses: good luck! This is almost unmanageable: there are different IP ranges, including some non-M$ ones like Akamai, needed to access the updates...

    Worse: these IP ranges change with time... o_O

    And don't expect any documentation from the M$ clowns about this: they don't care.

    The best you can do is keep running only the needed services...
    Some hints here: http://www.theeldergeek.com/services_guide.htm

    and maybe close some useless open ports with "Windows Worms Doors Cleaner": http://www.firewallleaktester.com/tools_list.htm

    :)
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    Don't use your firewall for blocking Windows services.

    Follow this advice.:D

    Cheers.
     
  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi The Seer :)


    I hope so ! :D

    This morning I helped a user on an MS News Group with a Fast User Switching problem... I asked him to give me the list of the services running on his PC.

    Almost all services were started automatically !!! :rolleyes:

    Including many of them related to local networks and connections to a domain on a W server (the user has a standalone PC) !

    The Elder Geek web site is a reliable reference for this. Keep it in your favourites.

    Have a nice day.

    :)
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello. :)

    And the Black Viper is back! I have him in my favorites also.

    Cheers. :thumb:
     
  10. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi The Seer :)

    :thumb: Great News ! Finally he's back ! Super !

    Thank you for this information.

    :)
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello argus tuft,

    Such as "ALG": this is basically an FTP client, used by 3rd parties (and Windows) to download. I still need to find a reason to allow this.

    But please be careful about the services you disable, as stopping some may only be seen later as nothing more than being unable to defrag the HD, but disabling, for example, the "Remote Procedure Call (RPC) Service" will stop you using your OS.

    If you are to follow this path of disabling Windows services,... make a backup, and only disable one service at a time (then check for possible problems).
     
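The advice above (back up first, disable one service at a time, then check for problems) is easy to skip when done by hand in the Services console. The following is an added example, not from the thread or from Stem, that does the three steps as functions: snapshot every service's startup type to a CSV, disable exactly one service while refusing if running services depend on it, and restore the snapshot if something breaks. It assumes an elevated session; the function names and the CSV path are my own choices.

```powershell
# Added example (not from the thread): snapshot every service's startup type
# before changing anything, disable a single service, and restore the snapshot
# on request. Assumes an elevated session. Win32_Service.StartMode and
# Set-Service -StartupType are standard on every supported Windows version.

function Export-ServiceStartupSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State |
        Export-Csv -Path $Path -NoTypeInformation
    "Saved startup configuration for $((Import-Csv $Path).Count) services to $Path"
}

function Disable-OneService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "No service named '$Name'" }

    # Refuse to disable a service that other *running* services depend on;
    # that is how an innocent-looking change breaks something unrelated later.
    $dependents = Get-Service -Name $Name |
        Select-Object -ExpandProperty DependentServices |
        Where-Object { $_.Status -eq 'Running' }
    if ($dependents) {
        throw "Running services depend on $Name : $($dependents.Name -join ', ')"
    }

    if ($svc.State -eq 'Running') { Stop-Service -Name $Name }
    Set-Service -Name $Name -StartupType Disabled
    "Disabled $Name (was $($svc.StartMode)). Reboot, use the machine, then decide on the next one."
}

function Restore-ServiceStartupSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Win32_Service reports Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled.
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($row in Import-Csv -Path $Path) {
        $current = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$($row.Name)'").StartMode
        if ($current -and $current -ne $row.StartMode -and $map.ContainsKey($row.StartMode)) {
            Set-Service -Name $row.Name -StartupType $map[$row.StartMode]
            "Restored $($row.Name): $current -> $($row.StartMode)"
        }
    }
}

# Usage (run elevated; the path is an assumed example):
#   Export-ServiceStartupSnapshot -Path "$env:USERPROFILE\services-before.csv"
#   Disable-OneService -Name ALG
#   ... reboot and use the machine for a while ...
#   Restore-ServiceStartupSnapshot -Path "$env:USERPROFILE\services-before.csv"   # if something broke
```

The dependency check is the part worth keeping even if you do the rest by hand: RPC, the example Stem gives, has many dependents, and the function refuses to touch it while they run, whereas the Services console would let you disable it after a warning.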
  12. wat0114

    wat0114 Guest

    I would check out BV's Multiple Configurations page, especially if you want to tweak your services without worrying too much about getting overzealous.
     
  13. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    That's what we're told by MS. Windows Firewall runs perfectly fine with Application Layer Gateway service disabled on my machines.
     
  14. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Somewhere I read, :rolleyes: or got the impression, that ALG was needed for (some) FTP transactions. Wrong? o_O
     
  15. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    I enlist the help of batch files.
    Most of the services are so useless, they only kick in once in a while. (wuauserv, spooler, workstation, server, etc...) So...disable them all, make a batch file, execute to turn them on and do what you need to do, then turn them off. In the mean time, your precious RAM can be used for something more useful...pr0n? j/k
     
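The "keep it off, switch it on only while you need it" approach from the post above is a start/do-work/stop sequence. The following is an added example, not from the thread or from eniqmah, that writes it as a reusable PowerShell wrapper rather than a batch file: services that were already running are left alone, only the ones the wrapper started are stopped afterwards, and a Disabled startup type is put back so the service stays off across reboots. It assumes an elevated session; the function name `Invoke-WithServices` and the Windows Update scan used as the demonstration workload are my own.

```powershell
# Added example (not from the thread): start a list of services, run a task,
# then stop only what this wrapper started and restore the startup type it
# changed. Assumes an elevated session.

function Invoke-WithServices {
    param(
        [Parameter(Mandatory)][string[]]$Name,       # e.g. 'wuauserv','BITS'
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $started = @()     # services this call started (to be stopped afterwards)
    $restore = @{}     # services whose startup type was changed, with the old value
    try {
        foreach ($n in $Name) {
            $svc  = Get-Service -Name $n -ErrorAction Stop
            $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'").StartMode
            if ($mode -eq 'Disabled') {
                # A disabled service cannot be started; make it Manual for the duration.
                Set-Service -Name $n -StartupType Manual
                $restore[$n] = 'Disabled'
            }
            if ($svc.Status -ne 'Running') {
                Start-Service -Name $n
                $started += $n
            }
        }
        & $Action
    }
    finally {
        # Stop in reverse start order so dependents go down before what they use,
        # and put the startup type back so the service stays off after a reboot.
        [array]::Reverse($started)
        foreach ($n in $started)       { Stop-Service -Name $n -ErrorAction Continue }
        foreach ($n in $restore.Keys)  { Set-Service  -Name $n -StartupType $restore[$n] }
    }
}

# Usage: bring up Windows Update and BITS only long enough to list pending updates
# through the Windows Update Agent COM API, then shut them down again.
Invoke-WithServices -Name 'wuauserv','BITS' -Action {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Search('IsInstalled=0').Updates | Select-Object -ExpandProperty Title
}
```

The `finally` block is what makes this safer than a pair of `net start`/`net stop` lines in a batch file: if the task throws, the services still get stopped and the Disabled startup type still gets restored.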
  16. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Don't use FTP much so can't confirm or deny. Windows Firewall opens ports just fine for the applications set up on it without alg.exe running. That's all I need.
     
  17. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ThunderZ :)

    Downloads are managed by the Background Intelligent Transfer Service for Windows updates. For ALG, as far as I know it's used for Windows Firewall and Internet Connection Sharing.

    For sure ALG is used to transfer files downloaded by BITS to the ICS server and then to the client PC in the ICS, but can this be described as "an FTP" service?

    "Hmgrmgrmgrm" dixit Marge Simpson...

    It seems that's correct:

    « Application Layer Gateway (ALG) Service

    This subcomponent of the Internet Connection Sharing (ICS)/Internet Connection Firewall (ICF) service provides support for plug-ins that allow network protocols to pass through the firewall and work behind ICS. Application Layer Gateway plug-ins have the power to open ports and change data (such as ports and IP addresses) embedded in packets. File Transfer Protocol (FTP) is the only network protocol with a plug-in that is released with Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

    The ALG FTP plug-in is designed to support active FTP sessions through the network address translation (NAT) engine used by these components. The ALG FTP plug-in does this by redirecting all traffic passing through the NAT destined for port 21 to a private listening port in the 3000-5000 range on the loopback adapter. The ALG FTP plug-in then monitors and updates FTP control channel traffic so that the FTP plug-in can plumb port mappings through the NAT for the FTP data channels. The FTP plug-in will also update ports in the FTP control channel stream. »

    Ref.:http://www.microsoft.com/technet/se...ics/ServerSecurity/ref_net_ports_ms_prod.mspx


    People of M$ are always funny and full of surprises!

    :rolleyes:
     
  18. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Thanks Climenole. At least now I know my memory :rolleyes: has not completely left me. :D Now if I could always remember where I left it..... ;)
     
  19. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi charincol :)

    May be because ALG is used only with Internet Connection Sharing...
    Without ICS, ALG service seems to be useless.

    As usual, there is no clear statement from MS about this. They don't care!

    :)
     
  20. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi ThunderZ :)

    You're lucky ThunderZ to be a human being !

    Personally, I have no memory at all except Google and other search engines.

    I've been glued to this computer for too long a time and this has transformed me into a kind of zombie with an external brain.
    Is this what they call "bio-Technology"? o_O

    Is there a life outside Internet? I have no idea...

    I'm going to ask this to Master Google !

    :rolleyes: :rolleyes: :rolleyes:
     
  21. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    A couple of months ago, I had a Win98 computer getting internet from a WinXP one that had ICS turned on and a wireless connection. I know that I had messed around with seeing if ICS would work without ALG, but I can't remember what the outcome was. I do know for sure that trying to run ICS without ALG won't hurt anything, so it's worth a try to turn it off and try to run with 1 less service.

    I'm shocked!:eek:
     
  22. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi charincol :)

    :D

    This is only an "auto-censored" comment about MS.

    This is nothing compared to many of my comments in the MS News Groups about their lacks.
    Anyway it seems they like to be "shocked" since I'm still in their mvp sect. :eek:

    :D
     
  23. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    It's been a little while since I had turned on the WinXP computer referred to above (it was running my private World of Warcraft server used by me and my daughter, I just hadn't played in a while) and I checked if the ALG service was disabled. It is, and I haven't changed any network settings on it since the Win98 computer was getting internet access from it.

    Also, Black Viper says it's not needed after SP2. Application Layer Gateway service is another totally useless windows component wasting resources in most (if not all) Windows computers.
     
  24. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks everyone for your replies, I had no idea what I was up against!
    I've disabled the ALG service, blocked [system] from any access, and basically let svchost do whatever it wants to.

    Does explorer.exe need access?
     
  25. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi argus tuft :)

    Explorer.exe (the "Windows Explorer") is always used to launch other programs, including programs which connect to the internet.

    Explorer.exe must be authorised by the FW to "access" in order to launch other programs, but not directly to the internet...

    :)
     