Windows Firewall with Advanced Security

Discussion in 'Application Software' started by shewolf, Dec 16, 2015.

  1. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    First go play with WFN (Windows Firewall Notifier)
    :eek:
     
  2. bludgard

    bludgard MDL Member

    Jan 4, 2011
    211
    54
    10
    Like where this is going. Great stuff for me, anyway. Thanks and cheers. As posted earlier: Lazy and love the click-thing. :)
     
  3. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    15
    12
    0
    I've tried both WFN and WFC. The logging is quite informative. WFN's map feature is more informative.
    They both also feature a huge user interface, so that the excellent software is also reliant on excellent users, and those users are very rare. After spending a long time with it, I was able to secure one computer.

    It seems that it would be a much faster 'head-start' and probably more 'accessible' to pre-load a few vital firewall rules (just the basics, such as don't disable LAN functions in the private zone, don't block the internet browsers, and do adjust the scope of a few 'leaky' Microsoft rules to the local subnet instead of the world), flip the switch to block outbound by default (thus allowing security), and then that firewall menu enhancement mentioned at post #20 (for ease of use). So, then it just takes a click to secure the computer in 2 seconds flat.
    Am I just dreaming, or is it actually possible?
     
  4. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    I'll explain it to you when I have a little more time; you deserve it, as the only one concerned.
     
  5. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    #25 shewolf, Jun 26, 2017
    Last edited: Dec 6, 2017
    (OP)
    actually possible[00]
     
  6. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    #26 shewolf, Jun 27, 2017
    Last edited: Jul 2, 2017
    (OP)
    Another useful thought:

    ExportFirewallConfiguration:

    ImportFirewallConfiguration:

    --- save as *.bat, place in e.g. a "FirewallRule" folder and run it when you need it. :eek:
     
  7. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    #27 shewolf, Jun 27, 2017
    Last edited: Jan 29, 2019
    (OP)
    Access to this post is restricted!
    You're trying to open the post, written by @shewolf,
    but unfortunately it was marked as a draft (by the user himself or the UFO)
    :eek:
     
  8. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,135
    1,915
    210
    File was deleted by user.
     
  9. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    It has been updated
     
  10. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    15
    12
    0
    #31 Tuxcat, Aug 8, 2017
    Last edited: Aug 8, 2017
    Sorry for the delay. So far, I got the external logging, for proof. This is with a tiny linux router running Tomato, with the logs switched on (for the Wan port). The router has only 1 client, a Windows 10 box, not quite freshly loaded (an upgrade install that ought to be "reset" to defaults before testing further). The router's logs show "leaks" (unasked-for comm) all on port 443.

    Purpose: Identify, proof, and then script, the few Windows Firewall settings it would take to secure Windows 10.

    I'll be trying out the firewall menu to generate some Windows firewall rules, with the goal of reducing the router's log to zero leaks.

    For some Windows files, I have noticed that it is necessary to generate both an Allow (for lan-only) and a Block (port 443, at least) before the Windows Firewall is effective. I guess that specifying an Allow of limited scope (lan-only) serves to overwrite a poorly documented default Allow of unlimited scope. Perhaps it will be possible to document if/when that applies.
     
  11. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    If you want to have full control over network connections, follow these steps:

    1. Delete all default Windows Firewall rules

    netsh advfirewall firewall delete rule name=all

    2. Block all in/out connections that do not match a rule.

    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    Now you're cut off from any connection.
    Next, you have to create allow firewall rules, in and out, for the desired apps/services one by one.

    3. Reverse, restore or reset Windows Firewall settings to defaults when you need it again

    netsh advfirewall reset
     
  12. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    15
    12
    0
    #33 Tuxcat, Aug 9, 2017
    Last edited: Aug 9, 2017
    I was aiming to find out the bare minimum number of changes (especially Windows firewall rules) that it would take to remove the "leaky" behavior of Windows 10. There was very little to it.

    Very near to "fresh install" default conditions were used to test this. I reset (reinstalled) Windows 10 to default, uninstalled App Installer, Tips and 3rd-party apps, and installed WFC (because of its informative logging) with the "recommended" changes turned off (still have the default firewall rules).
    And then, much to the point, added "just enough" New firewall rules, mostly made with your right-click menu. That menu works great!

    Block443out, AllowLocalSubnetIn, AllowLocalSubnetOut applied to:
    C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
    C:\windows\explorer.exe (its traffic is possibly onedrive and similar purpose)

    AllowLocalSubnetIn, AllowLocalSubnetOut applied to:
    C:\windows\system32\svchost.exe (specifying allows was necessary for logging accuracy)

    Block443out applied to:
    C:\windows\system32\backgroundtaskhost.exe

    BlockOutbound applied to:
    C:\windows\system32\browser_broker.exe (it doesn't actually need access)
    C:\windows\system32\wermgr.exe (alternatively, alter its scheduled task)
    C:\Windows\System32\usoclient.exe (alternatively, alter its scheduled task)
    C:\Windows\System32\sihclient.exe (alternatively, alter its scheduled task)

    Other steps:
    Network, De-selected link-layers, lldap and ipv6 (so nt kernel quit talking with akamai on port 8).
    With WF.msc, changed the scope for Cortana and Feedback's default firewall rules to local subnet (instead of planetwide).
    With WF.msc, changed the allow rule for DiagTrack to block.
    In an admin cmd window, sc delete dmwappushservice and sc delete diagtrack
    To check store function, I installed Adblock Plus, which worked fine.
    Checked Windows updates, and that still works fine.

    Results:
    All entries in the external Linux router's logs are accounted for in the Windows firewall logs.
    Securing svchost.exe requires specifying allows, and firewall mode changed to block outbound by default.
    Windows Firewall is proven to be effective at removing Windows leaks and telemetry.
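    The following is an added example, not a script from this thread or from WFN/WFC: shewolf's "block by default, then allow one by one" netsh steps, filled in with the rule set Tuxcat reported in post #33, written with the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallProfile) instead of netsh. It assumes an elevated PowerShell on Windows 10; the backup folder and the rule-name prefix are assumptions, the program paths are the ones from the thread.

```powershell
# Added example, not a script from this thread: shewolf's "block by default, then
# allow one by one" steps filled in with the rules Tuxcat reported in post #33,
# using the NetSecurity cmdlets instead of netsh. Elevated PowerShell, Windows 10.
$Backup = 'C:\FirewallRule'   # assumed folder for the rollback copy
$Tag    = 'MDL-Lockdown'      # assumed prefix so the added rules can be removed as a set
$Sys    = $env:SystemRoot

# 0. Rollback copy first (post #26's export idea), so a mistake is one import away.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
netsh advfirewall export "$Backup\before-lockdown.wfw" | Out-Null

# 1. Default rules are kept (post #34 found deleting them changed nothing in the
#    router log); the profile defaults are flipped to Block in both directions.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

function Add-LanOnlyRule {
    # One allow per program and direction, scoped to the local subnet only; this is
    # the narrow allow that post #31 found overrides the wide-scope built-in allow.
    param([string]$Program, [string]$Direction)   # Direction: Inbound or Outbound
    New-NetFirewallRule -DisplayName "$Tag LAN $Direction $(Split-Path -Leaf $Program)" `
        -Direction $Direction -Action Allow -Program $Program -RemoteAddress LocalSubnet | Out-Null
}

# 2. AllowLocalSubnetIn/Out for the programs post #33 lists.
$lanOnly = "$Sys\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe",
           "$Sys\explorer.exe", "$Sys\system32\svchost.exe"
foreach ($p in $lanOnly) { 'Inbound', 'Outbound' | ForEach-Object { Add-LanOnlyRule $p $_ } }

# svchost must still reach DNS or nothing resolves (the rule shewolf posted in #40).
New-NetFirewallRule -DisplayName "$Tag DNS Out svchost" -Direction Outbound -Action Allow `
    -Program "$Sys\system32\svchost.exe" -Protocol UDP -RemotePort 53 | Out-Null

# 3. Block443out for the programs post #33 gave it to. Explicit Block rules win over
#    any Allow rule, and each hit is written to the firewall log as a DROP line.
foreach ($p in $lanOnly[0], $lanOnly[1], "$Sys\system32\backgroundtaskhost.exe") {
    New-NetFirewallRule -DisplayName "$Tag Block443 $(Split-Path -Leaf $p)" `
        -Direction Outbound -Action Block -Program $p -Protocol TCP -RemotePort 443 | Out-Null
}
# browser_broker, wermgr, usoclient, sihclient need no rule: the outbound default blocks them.

# 4. Log dropped packets so the Windows side can be checked against the router log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName "$Sys\system32\LogFiles\Firewall\pfirewall.log"
Get-NetFirewallRule -DisplayName "$Tag*" | Select-Object DisplayName, Direction, Action

# Undo: Remove-NetFirewallRule -DisplayName "$Tag*" ; netsh advfirewall import "$Backup\before-lockdown.wfw"
# Factory defaults (shewolf's step 3): netsh advfirewall reset
```

As post #34 points out, the Store and Windows Update need svchost beyond the local subnet, so widen (or toggle) the svchost allow's scope when those are needed.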
     
  13. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    15
    12
    0
    #34 Tuxcat, Aug 9, 2017
    Last edited: Aug 9, 2017
    Thanks!
    Also, this is a good idea for testing. I'll pretend it is for a traveling laptop.
    I can prove the results with the Linux router's log. Will report back afterwards. . .

    Edit:
    It turns out that even though the approach (delete all firewall rules + set to block by default) was more specific and far more streamlined, according to the Linux router's logs, what was achieved did not differ (from my minimal changes example, tinywall or WFC on medium).

    And, here's why:
    svchost allow--if the scope is unrestricted then security is poor; or, if the scope is restricted, then app store fails.

    To get a working app store, allowing svchost onto the internet presents a potentially leaky situation that could be resolved with some labor, such as:
    Disabling a few services, and
    Depleting all scheduled tasks that use the Internet (more specifically setting those tasks not to trigger at startup, not to trigger at login, not to trigger on timer and not to repeat). This takes a lot of doing.

    Alternatively, it would be possible to toggle the scope of svchost between planetwide vs local subnet, as a sort of on/off switch.
     
  14. Tuxcat

    Tuxcat MDL Novice

    Jun 14, 2017
    15
    12
    0
    This sounds wonderful! However, the hosting delivered "graphics," instead of your files. Is there another source to download FireWallRulesParser?
     
  15. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
  16. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    #38 shewolf, Aug 10, 2017
    Last edited: Jan 29, 2019
    (OP)
  17. freesoft00

    freesoft00 MDL Novice

    Mar 2, 2013
    16
    2
    0
  18. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,017
    10
    #40 shewolf, Aug 12, 2017
    Last edited: Aug 12, 2017
    (OP)
    netsh advfirewall firewall add rule name="Core Networking - DNS (UDP-Out)" dir=Out action=Allow program="%SystemRoot%\system32\svchost.exe" protocol=UDP remoteport=53

    netsh advfirewall firewall add rule name="Core Networking - Group Policy (NP-Out)" dir=Out action=Allow profile=Domain program="System" protocol=TCP remoteport=445

    "System" - "Core Networking": there are dozens, and I do not know what you need. Run the script above and choose what you need; it is not that hard? :(
     
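    An added example, not the thread's own FireWallRulesParser: it lists every enabled outbound rule of the built-in "Core Networking" group as the netsh line that would recreate it (the same form as the two commands above), so the few worth re-adding after "delete rule name=all" can be picked from the list. The function name, default group, direction and output path are assumptions; the filter cmdlets are the standard NetSecurity ones.

```powershell
# Added example, not the thread's FireWallRulesParser: print each enabled rule of a
# display group as a "netsh advfirewall firewall add rule" line. Elevated PowerShell.
function ConvertTo-NetshRule {
    param([string]$Group = 'Core Networking', [string]$Direction = 'Outbound')  # assumed defaults
    $rules = Get-NetFirewallRule -DisplayGroup $Group -Direction $Direction -Enabled True
    foreach ($r in $rules) {
        # Each rule's program, service, port and address constraints live in
        # separate filter objects; fetch them via the pipeline association.
        $app  = $r | Get-NetFirewallApplicationFilter
        $svc  = $r | Get-NetFirewallServiceFilter
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        $dir  = if ("$($r.Direction)" -eq 'Inbound') { 'In' } else { 'Out' }
        $line = "netsh advfirewall firewall add rule name=`"$($r.DisplayName)`" dir=$dir action=$($r.Action)"
        # Only emit the filters that narrow the rule; "Any" is already netsh's default.
        if ("$($r.Profile)" -ne 'Any')          { $line += " profile=$("$($r.Profile)" -replace ', ', ',')" }
        if ($app.Program -ne 'Any')             { $line += " program=`"$($app.Program)`"" }
        if ($svc.Service -ne 'Any')             { $line += " service=$($svc.Service)" }
        if ("$($port.Protocol)" -ne 'Any')      { $line += " protocol=$($port.Protocol)" }
        if ("$($port.RemotePort)" -ne 'Any')    { $line += " remoteport=$($port.RemotePort -join ',')" }
        if ("$($port.LocalPort)" -ne 'Any')     { $line += " localport=$($port.LocalPort -join ',')" }
        if ("$($addr.RemoteAddress)" -ne 'Any') { $line += " remoteip=$($addr.RemoteAddress -join ',')" }
        $line
    }
}
# ICMP types, interface types and edge-traversal settings are not carried over;
# check those by hand for the handful of rules you decide to keep.
$out = "$env:USERPROFILE\Desktop\core-networking-out.txt"   # assumed output path
ConvertTo-NetshRule | Out-File -Encoding ascii $out
Get-Content $out | Select-Object -First 5
```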