Windows Firewall with Advanced Security

Discussion in 'Application Software' started by shewolf, Dec 16, 2015.

  1. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #1 shewolf, Dec 16, 2015
    Last edited: Apr 4, 2016
    For average +/- and other. :p

    To simplify life with the built-in Windows firewall, these two simple scripts block internet access for all *.exe or *.dll files in a specific folder and its sub-folders.

    Save the code with a *.bat extension, copy the *.bat to the desired folder and run it as admin.


    1. --- block internet access for all *.exe and *.dll file in a specific folder ---

    @echo off
    cls
    SetLocal EnableDelayedExpansion
    REM Work in the folder that holds this .bat (%~dp0), not in the caller's current directory
    pushd %~dp0
    REM One outbound block rule per *.exe in this folder; the rule name is the file name without its extension
    for %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%cd%\%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
    )
    popd

    2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---

    @echo off
    cls
    SetLocal EnableDelayedExpansion
    REM /r walks the folder that holds this .bat and every sub-folder; %%a is the full path of each *.exe found
    for /r "%~dp0" %%a in (*.exe) Do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
    )

    3. --- usually it is enough to block *.exe files, but if you feel the need to block *.dll files as well, edit the code and change (*.exe) --> (*.exe, *.dll).

    4. --- open --> Start, click All Apps (Programs), click Administrative Tools, and then click Windows Firewall with Advanced Security,
    or at the command prompt type wf.msc, and enjoy your newly created firewall rules.


    @Echo Off
    cd %systemroot%\system32
    call :IsAdmin

    REM Every rule is one REG_SZ value under FirewallRules. The value name (/v) must be unique:
    REM a later "reg add /f" with the same value name silently replaces the earlier rule.
    REM In a .bat file %% becomes a single % in the stored value, so %%SystemRoot%% is stored as %SystemRoot%.

    REM DHCP client (svchost/Dhcp) on the Public profile, i.e. the VPN adapter
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DHCP" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|LPort=68|RPort=67|LA4=0.0.0.0|RA4=255.255.255.255|App=%%SystemRoot%%\system32\svchost.exe|Svc=Dhcp|Name=VPN_DHCP|" /f

    REM DNS only from the VPN tunnel address range (LA4) and only to 8.8.4.4 / 8.8.8.8
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DNS" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|RPort=53|LA4=10.4.0.0-10.9.255.255|RA4=8.8.4.4|RA4=8.8.8.8|App=%%SystemRoot%%\system32\svchost.exe|Svc=Dnscache|Name=VPN_DNS|" /f

    REM Block the DNS client on the Domain and Private profiles over LAN and remote-access interfaces (no DNS outside the tunnel)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_DNS_Block" /t REG_SZ /d "v2.25|Action=Block|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|IFType=Lan|IFType=RemoteAccess|App=%%SystemRoot%%\System32\svchost.exe|Svc=Dnscache|Name=VPN_DNS_Block|" /f

    REM Traffic to the local subnet stays allowed
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_LOCALNETWORK_OUTBOUND" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|RA4=LocalSubnet|RA6=LocalSubnet|Name=VPN_LOCALNETWORK_OUTBOUND|" /f

    REM OpenVPN itself must be able to reach its server outside the tunnel
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_RESOLUTION_OUTBOUND" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Program Files\OpenVPN\bin\openvpn.exe|Name=VPN_RESOLUTION_OUTBOUND|" /f

    REM Browsers: TCP 21/53/80/443 only from the tunnel address range. Each browser gets its own value name
    REM (the display Name may repeat) so that all three rules survive instead of only the last one.
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_Chrome" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=21|RPort=53|RPort=80|RPort=443|LA4=10.4.0.0-10.9.255.255|App=D:\Software\Chrome\App\chrome.exe|Name=VPN_INTERNET_OUTBOUND|" /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_Firefox" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=21|RPort=53|RPort=80|RPort=443|LA4=10.4.0.0-10.9.255.255|App=D:\Software\Firefox\Bin\Firefox\firefox.exe|Name=VPN_INTERNET_OUTBOUND|" /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "VPN_INTERNET_OUTBOUND_IE" /t REG_SZ /d "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|LA4=10.4.0.0-10.9.255.255|App=C:\Program Files (x86)\Internet Explorer\iexplore.exe|Name=VPN_INTERNET_OUTBOUND|" /f
    Exit

    :IsAdmin
    REM Only an elevated process can read this key; the query output itself is not needed
    reg.exe query "HKU\S-1-5-19\Environment" >nul 2>&1
    If Not %ERRORLEVEL% EQU 0 (
    Cls & Echo You must have administrator rights to continue ...
    Pause & Exit
    )
    Exit /b 0

    Rules that exclude non-VPN (OpenVPN) traffic with Windows Firewall and permit only VPN traffic.

    If you are interested in knowing more, you should ask. :p
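    Windows keeps each firewall rule as one REG_SZ value under the FirewallRules key, in the pipe-delimited "v2.25|Key=Value|...|" format the script above writes, and one value name can hold only one rule, so a second reg add /f with the same value name replaces the first. The Python below is an added example, not code from the thread: it parses that format (keys such as RPort, RA4 and Profile repeat, so every key maps to a list) and replays a constructed, abbreviated sequence of reg add calls to report which rules a reused value name would silently drop.

```python
from collections import defaultdict

# Constructed sample: (registry value name, rule string) pairs in the order a
# script would write them. Port lists are abbreviated; the format is the one
# used by the FirewallRules key. Note the reused value name on the last three.
SAMPLE_RULES = [
    ("VPN_DNS",
     "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|RPort=53|"
     "LA4=10.4.0.0-10.9.255.255|RA4=8.8.4.4|RA4=8.8.8.8|"
     "App=%SystemRoot%\\system32\\svchost.exe|Svc=Dnscache|Name=VPN_DNS|"),
    ("VPN_INTERNET_OUTBOUND",
     "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=80|RPort=443|"
     "LA4=10.4.0.0-10.9.255.255|App=D:\\Software\\Chrome\\App\\chrome.exe|Name=VPN_INTERNET_OUTBOUND|"),
    ("VPN_INTERNET_OUTBOUND",
     "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=80|RPort=443|"
     "LA4=10.4.0.0-10.9.255.255|App=D:\\Software\\Firefox\\Bin\\Firefox\\firefox.exe|Name=VPN_INTERNET_OUTBOUND|"),
    ("VPN_INTERNET_OUTBOUND",
     "v2.25|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|"
     "LA4=10.4.0.0-10.9.255.255|App=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe|Name=VPN_INTERNET_OUTBOUND|"),
]


def parse_rule(raw: str) -> dict:
    """Split one 'v2.25|Key=Value|...|' string into {key: [values]}.

    Keys like RPort, RA4 and Profile legitimately repeat, so every key maps to
    a list in order of appearance; the leading version token is stored under
    the key 'Version'. Malformed input raises ValueError instead of guessing.
    """
    fields = [f for f in raw.split("|") if f]          # drop the empty trailing field
    if not fields or not fields[0].startswith("v"):
        raise ValueError(f"missing version token in {raw!r}")
    rule = defaultdict(list)
    rule["Version"].append(fields[0])
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        rule[key].append(value)
    return dict(rule)


def find_overwritten(entries) -> dict:
    """Replay a sequence of (value_name, rule_string) the way 'reg add /f' does.

    A value name holds exactly one rule, so a repeated name replaces the earlier
    rule. Returns {value_name: [App paths of the rules that were lost]}.
    """
    current, lost = {}, defaultdict(list)
    for name, raw in entries:
        rule = parse_rule(raw)
        if name in current:
            lost[name].append(current[name].get("App", ["<no App>"])[0])
        current[name] = rule
    return dict(lost)


if __name__ == "__main__":
    for name, apps in find_overwritten(SAMPLE_RULES).items():
        print(f"{name}: rules lost for {apps}")
```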
     
  2. bludgard

    bludgard MDL Member

    Jan 4, 2011
    211
    54
    10
    Forgive my density, but is running the script from within the desired directory enough? Or does one point the firewall rule to the .bat file? A bit confused on this.... :confused:
    Thanks
     
  3. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #3 shewolf, Dec 17, 2015
    Last edited: Dec 17, 2015
    (OP)
    1. --- block internet access for all *.exe and *.dll file in a specific folder ---

    @echo off
    cls
    SetLocal EnableDelayedExpansion
    REM Work in the folder that holds this .bat (%~dp0), not in the caller's current directory
    pushd %~dp0
    REM One outbound block rule per *.exe in this folder; the rule name is the file name without its extension
    for %%a in (*.exe) do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%cd%\%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
    )
    popd

    It is enough to copy this *.bat file (above) to the desired folder, the one containing the *.exe or *.dll files whose internet access you want to block.
    For example, copy the *.bat to "C:\Program Files (x86)\Internet Explorer", or "C:\Program Files\Internet Explorer" for 64-bit.
    Right click on it and "run as administrator"; the script will create a block-out firewall rule for every *.exe in the "C:\Program Files (x86)\Internet Explorer" folder.

    If you want to block all *.exe or *.dll files in the same root directory and in all sub-folders of that root directory (example: C:\Program Files (x86)\Internet Explorer), then copy the latter *.bat to the desired directory.

    2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---

    @echo off
    cls
    SetLocal EnableDelayedExpansion
    REM /r walks the folder that holds this .bat and every sub-folder; %%a is the full path of each *.exe found
    for /r "%~dp0" %%a in (*.exe) Do (
    netsh advfirewall firewall add rule name="Custom Block - %%~na" dir=out program="%%a" action=block description="Rule created by Shewolf on 12/16/2015 04:07:56. Do not edit rule by hand" enable=yes
    )

    Script (2) will create a block-out firewall rule for every *.exe in the "C:\Program Files (x86)\Internet Explorer" folder and for all *.exe or *.dll files in all sub-directories, if there are any. I do not know if I was clear enough, but I am always available to clarify if things are not clear. :g:
     
  4. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #4 shewolf, Dec 17, 2015
    Last edited: Jun 29, 2017
    (OP)
    Visual example: if you run the first *.bat file from "C:\Program Files (x86)\Internet Explorer" and then open wf.msc, you'll see these three auto-created block/out/exe firewall rules.
    1. --- block internet access for all *.exe and *.dll file in a specific folder ---

    If you run the second *.bat file from "C:\Windows\SystemApps" and then open wf.msc, you'll see these eighteen auto-created block/out firewall rules for the *.exe files in its sub- and sub-sub-folders.
    2. --- block internet access for all *.exe and *.dll file in a specific folder and sub-folders ---
     
  5. kuroda

    kuroda MDL Senior Member

    Aug 25, 2012
    445
    32
    10
    ...If I want to reverse the process... how do I?...^^
     
  6. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10

    Then open wf.msc, right click on the firewall rule you do not want and delete it. :D
     
  7. bludgard

    bludgard MDL Member

    Jan 4, 2011
    211
    54
    10
    So no need to use Firewall UI to create rules... got it.
    I really like this idea, as although the .exe may be blocked, there may be other "callers" that run independently of that .exe. This script basically blocks the other potential "callers" without the need to create a rule for each and every possibility.
    Time saver and efficient.
    Thanks, shewolf. Nice piece, as my lazy ass hates the arduous task of identifying/creating rules for potential offenders.
    Much love to ya! :wub:
     
  8. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #8 shewolf, Dec 18, 2015
    Last edited: Jan 9, 2016
    (OP)
    ---"" :eek: ""---
     
  9. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #9 shewolf, Mar 21, 2016
    Last edited: Apr 4, 2016
    (OP)
  10. slayer9450

    slayer9450 MDL Member

    Aug 3, 2015
    211
    87
    10
    Nice idea for a thread, but IMO, with the advent of Windows 10 anything other than a whitelist/deny-by-default strategy is a fruitless endeavour. A blacklist strategy requires constant maintenance. You always have to be on the lookout for the next thing that Microsoft does, and they sure as hell won't come out and announce it whenever they add a new data collection mechanism.
     
  11. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #11 shewolf, Mar 23, 2016
    Last edited: Dec 6, 2017
    (OP)
    Yes, good idea
     
  12. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #12 shewolf, Jun 9, 2017
    Last edited: Apr 17, 2020
    (OP)
  13. achat

    achat MDL Novice

    Feb 20, 2017
    21
    1
    0
    I think the Microsoft spy fame is a bit exaggerated.
     
  14. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #14 shewolf, Jun 11, 2017
    Last edited: Dec 6, 2017
    (OP)
    If you want to have an uninstaller for those utilities (not necessarily needed)
    :p
     
  15. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #15 shewolf, Jun 12, 2017
    Last edited: Dec 6, 2017
    (OP)
    How to use:







     
  16. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #16 shewolf, Jun 12, 2017
    Last edited: Sep 23, 2018
    (OP)
  17. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    16
    12
    0
    I need another feature: Block Internet + Allow Lan
    (Especially useful on Windows File Explorer, to restore expected function.)
     
  18. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,066
    10
    #18 shewolf, Jun 17, 2017
    Last edited: Jun 19, 2017
    (OP)
    Scope

    Block Internet

    --- set the Remote IP address to "These IP addresses"
    --- select "Internet" under the list of "Predefined set of computers"
    --- set the Action to "Block the connection"

    Allow LAN

    --- set the Remote IP address to "These IP addresses"
    --- select "Local subnet" under the list of "Predefined set of computers"
    --- set the Action to "Allow the connection"

    Make sure to check the correct profile that is assigned to the network card that you want this rule to work on.
    The rule is active immediately.

    Attachments: Capture.JPG, Capture2.JPG
     
  19. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    16
    12
    0
    Thank you!
    So far, I've used the Internet block on explorer.exe and searchui.exe (still works on LAN).
    And, I've used the complete block on sihclient.exe and backgroundtaskhost.exe.
     
  20. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    16
    12
    0
    So, I'd like a Set Firewall Rules submenu that looks like this:

    Block Outbound Internet
    Block Outbound Telemetry on 443
    Block Outbound All
    Block Inbound All
    Show Adv.Firewall Console
    Allow Outbound Local Subnet
    Allow Inbound Local Subnet
    Allow Outbound All
    Allow Inbound All


    The least secure options are then at the bottom of the list.
    The more useful options of blocking internet misuse, are at the top, inviting one to click.
    Block and Allow sections were divided for "hinting" that these are separate firewall rules.

    That entry, Block Outbound Telemetry on 443, means Block Outbound Internet on only port 443, but it can be named for its function because it stops explorer.exe, searchui.exe, dashost.exe, sihclient.exe, diagtrack, and cousins from sending reports to Microsoft (it's always on port 443), without blocking useful functions.

    The Allow Local Subnet menu items (not applied to the public zone) are a good choice for File Explorer, searchui and svchost (including LAN file browsing, searching NAS files, and wireless printer management).
    In the case of svchost, adding an explicit allow-local-subnet rule tends to streamline it down to what is suitable for a LAN. It no longer serves as a back door to the internet. Well, for an allow rule, that's a nice surprise.

    Yes, I'd love a right-click firewall submenu like that (top of this post), but I'm not good at coding.