Discussion in 'Application Software' started by shewolf, Dec 16, 2015.
First go play with WFN (Windows Firewall Notifier)
Like where this is going. Great stuff for me, anyway. Thanks and cheers. As posted earlier: Lazy and love the click-thing.
I've tried both WFN and WFC. The logging is quite informative. WFN's map feature is more informative.
They both also feature a huge user interface, so that the excellent software is also reliant on excellent users, and those users are very rare. After spending a long time with it, I was able to secure one computer.
It seems that it would be a much faster 'head-start' and probably more 'accessible' to pre-load a few vital firewall rules (just the basics, such as don't disable LAN functions in the private zone, don't block the internet browsers, and do adjust the scope of a few 'leaky' Microsoft rules to local subnet instead of world), flip the switch to block outbound by default (thus allowing security), and then that firewall menu enhancement mentioned at post #20 (for ease of use). So, then it just takes a click to secure the computer in 2 seconds flat.
Am I just dreaming, or is it actually possible?
I'll explain to you when I have a little more time; you deserve it, as the only one concerned.
Another useful thought:
--- Save as *.bat, place it in e.g. a "FirewallRule" folder, and run it when you need it.
It has been updated
Sorry for the delay. So far, I got the external logging, for proof. This is with a tiny linux router running Tomato, with the logs switched on (for the Wan port). The router has only 1 client, a Windows 10 box, not quite freshly loaded (an upgrade install that ought to be "reset" to defaults before testing further). The router's logs show "leaks" (unasked-for comm) all on port 443.
Purpose: identify, prove, and then script the few Windows Firewall settings it would take to secure Windows 10.
I'll be trying out the firewall menu to generate some Windows firewall rules, with the goal of reducing the router's log to zero leaks.
For some Windows files, I have noticed that it is necessary to generate both an Allow (for lan-only) and a Block (port 443, at least) before the Windows Firewall is effective. I guess that specifying an Allow of limited scope (lan-only) serves to overwrite a poorly documented default Allow of unlimited scope. Perhaps it will be possible to document if/when that applies.
If you want to have full control over network connections, follow these steps:
1. Delete all default Windows Firewall rules
netsh advfirewall firewall delete rule name=all
2. Block all in/out connections that do not match a rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
Now you're cut off from any connection.
Next, you have to make allow firewall rules (in/out) for the desired apps/services one by one.
3. Reverse, restore or reset Windows Firewall settings to defaults when you need it again
netsh advfirewall reset
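The three-step procedure above, written out as an added example (not the poster's script) for an elevated PowerShell session using the NetSecurity cmdlets, with two things a practitioner wants before pulling the plug: a snapshot of the current policy so it can be restored exactly, and the DHCP/DNS allows without which the box cannot even get an address. The allow list is a constructed placeholder; adjust the paths and ports for your machine.

```powershell
# Added example: default-deny baseline, then per-app allows, with a restore point.
$Backup  = Join-Path $env:USERPROFILE 'firewall-before-lockdown.wfw'
$Svchost = "$env:SystemRoot\System32\svchost.exe"
# Constructed allow list: one hashtable per rule, splatted into New-NetFirewallRule.
$Allowed = @(
    @{ DisplayName = 'DNS (svchost)';  Program = $Svchost; Protocol = 'UDP'; RemotePort = '53' }
    @{ DisplayName = 'DHCP (svchost)'; Program = $Svchost; Protocol = 'UDP'; RemotePort = '67'; LocalPort = '68' }
    @{ DisplayName = 'Browser';        Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'
       Protocol = 'TCP'; RemotePort = @('80', '443') }
)

# Step 0: snapshot the whole policy; "netsh advfirewall import" puts it back as it was.
netsh advfirewall export "$Backup" | Out-Null

# Step 1: delete every rule (same effect as "netsh advfirewall firewall delete rule name=all").
Get-NetFirewallRule | Remove-NetFirewallRule

# Step 2: block anything that matches no rule, in both directions, on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Then: explicit outbound allows only, one program at a time, as narrow as the app permits.
foreach ($a in $Allowed) {
    New-NetFirewallRule @a -Direction Outbound -Action Allow -Profile Any | Out-Null
}

# Check: defaults really are Block/Block and only the rules above remain.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule    | Format-Table DisplayName, Direction, Action

# Step 3 (when needed): netsh advfirewall import "$Backup"   -or-   netsh advfirewall reset
```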
I was aiming to find out the bare minimum number of changes (especially Windows firewall rules) that it would take to remove the "leaky" behavior of Windows 10. There was very little to it.
Very near to "fresh install" default conditions were used to test this. I reset (reinstalled) Windows 10 to default, uninstalled App Installer, Tips and 3rd-party apps, and installed WFC (because of its informative logging) with the "recommended" changes turned off (so the default firewall rules are still there).
And then, much to the point, added "just enough" New firewall rules, mostly made with your right-click menu. That menu works great!
Block443out, AllowLocalSubnetIn, AllowLocalSubnetOut applied to:
C:\windows\explorer.exe (its traffic is possibly onedrive and similar purpose)
AllowLocalSubnetIn, AllowLocalSubnetOut applied to:
C:\windows\system32\svchost.exe (specifying allows was necessary for logging accuracy)
Block443out applied to:
BlockOutbound applied to:
C:\windows\system32\browser_broker.exe (it doesn't actually need access)
C:\windows\system32\wermgr.exe (alternatively, alter its scheduled task)
C:\Windows\System32\usoclient.exe (alternatively, alter its scheduled task)
C:\Windows\System32\sihclient.exe (alternatively, alter its scheduled task)
Network adapter: de-selected the link-layer protocols, lldap and IPv6 (so the NT kernel quit talking with Akamai on port 8).
With WF.msc, changed the scope for Cortana and Feedback's default firewall rules to local subnet (instead of planetwide).
With WF.msc, changed the allow rule for DiagTrack to block.
In an admin cmd window, sc delete dmwappushservice and sc delete diagtrack
To check store function, I installed Adblock Plus, which worked fine.
Checked Windows updates, and that still works fine.
All entries in the external Linux router's logs are accounted for in the Windows firewall logs.
Securing svchost.exe requires specifying allows, and firewall mode changed to block outbound by default.
Windows Firewall is proven to be effective at removing Windows leaks and telemetry.
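The minimal rule set from the post above, as an added example (not shewolf's own script) in NetSecurity cmdlets for an elevated PowerShell session. The default rules stay; only the outbound default is flipped to Block, which is why svchost.exe needs explicit LocalSubnet allows in both directions, as the post notes. Block rules win over Allow rules in Windows Firewall regardless of order, so "Block443out" plus "AllowLocalSubnet" on explorer.exe behave as intended. The Cortana/Feedback display-name patterns are assumptions; the final check and the drop logging are additions for reconciling against an external router log.

```powershell
# Added example: the post's minimal Windows 10 rule set, plus a scope check.
$Sys = "$env:SystemRoot\System32"

function Add-Rule {
    param($Name, $Program, $Direction, $Action, $RemoteAddress = 'Any', $Port)
    $p = @{ DisplayName = $Name; Program = $Program; Direction = $Direction
            Action = $Action; RemoteAddress = $RemoteAddress; Profile = 'Any' }
    if ($Port) { $p.Protocol = 'TCP'; $p.RemotePort = $Port }   # only the 443 rule is port-scoped
    New-NetFirewallRule @p | Out-Null
}

# explorer.exe: LAN-only both ways, and never TCP 443 outbound
Add-Rule 'Block443out explorer'         "$env:SystemRoot\explorer.exe" Outbound Block -Port 443
Add-Rule 'AllowLocalSubnetIn explorer'  "$env:SystemRoot\explorer.exe" Inbound  Allow LocalSubnet
Add-Rule 'AllowLocalSubnetOut explorer' "$env:SystemRoot\explorer.exe" Outbound Allow LocalSubnet

# svchost.exe: explicit LAN-only allows so the outbound default Block is logged accurately
Add-Rule 'AllowLocalSubnetIn svchost'  "$Sys\svchost.exe" Inbound  Allow LocalSubnet
Add-Rule 'AllowLocalSubnetOut svchost' "$Sys\svchost.exe" Outbound Allow LocalSubnet

# helpers that need no network access at all
foreach ($exe in 'browser_broker.exe', 'wermgr.exe', 'usoclient.exe', 'sihclient.exe') {
    Add-Rule "BlockOutbound $exe" "$Sys\$exe" Outbound Block
}

# narrow Microsoft's own Cortana/Feedback rules from "any address" to the local subnet
Get-NetFirewallRule -DisplayName '*Cortana*', '*Feedback*' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -RemoteAddress LocalSubnet

# turn the DiagTrack (telemetry service) allow rule into a block
Get-NetFirewallServiceFilter -Service diagtrack -ErrorAction SilentlyContinue |
    Get-NetFirewallRule | Set-NetFirewallRule -Action Block

# outbound default-deny, and log dropped packets so the router log can be reconciled line by line
Set-NetFirewallProfile -All -DefaultOutboundAction Block -LogBlocked True `
    -LogFileName "$Sys\LogFiles\Firewall\pfirewall.log"

# check: which enabled outbound Allow rules still reach every remote address?
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallAddressFilter | Where-Object RemoteAddress -eq 'Any' |
    Get-NetFirewallRule | Format-Table DisplayName, Group
```

Anything the last command lists is a candidate for the same LocalSubnet scoping, or for a block, before the router log can be expected to go quiet.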
Also, this is a good idea for testing. I'll pretend it is for a traveling laptop.
I can prove the results with the Linux router's log. Will report back afterwards...
It turns out that even though the approach (delete all firewall rules + set to block by default) was more specific and far more streamlined, according to the Linux router's logs, what was achieved did not differ (from my minimal changes example, tinywall or WFC on medium).
And, here's why:
svchost allow--if the scope is unrestricted then security is poor; or, if the scope is restricted, then app store fails.
To get a working app store, allowing svchost onto the internet, presents a potentially leaky situation that could be resolved with some labor, such as:
Disabling a few services, and
Depleting all scheduled tasks that use the Internet (more specifically setting those tasks not to trigger at startup, not to trigger at login, not to trigger on timer and not to repeat). This takes a lot of doing.
Alternatively, it would be possible to toggle the scope of svchost between planetwide vs local subnet, as a sort of on/off switch.
This sounds wonderful! However, the hosting delivered "graphics," instead of your files. Is there another source to download FireWallRulesParser?
netsh advfirewall firewall add rule name="Core Networking - DNS (UDP-Out)" dir=Out action=Allow program="%SystemRoot%\system32\svchost.exe" protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Core Networking - Group Policy (NP-Out)" dir=Out action=Allow profile=Domain program="System" protocol=TCP remoteport=445
"System" / "Core Networking": there are dozens of these, and I do not know which ones you need. Running the script above and choosing what you need is not that hard, is it?