- Oct 3, 2022
- 380
Start > All apps > Windows Tools > Windows Defender Firewall
Click on Windows Defender Firewall Properties on the center section.
Click on each profile (Domain, Private, Public) tab
HowTo allow a windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol - (no change), next, IP addresses ( no change ), next, select 'Allow The Connection'. Checkmark all profiles,next. Give the rule a name, eg "Allow service X".
HowTo Allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', Select "Program", next, select "This program Path" and click on "Browse" button, Navigate to program folder and select the EXE, next, select "Allow the connection", Checkmark all profiles,next. Give the rule a name, eg "Allow Program X".
HowTo Allow communication to a destination port # and IP address: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. next. Select 'All Programs'. next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. next. For 'Remote address this rule applies to' select 'These ip addresses'. Click 'Add' button, and in the following dialog box, type in an ip address into 'This ip address or subnet'. ok. next. Select 'Allow the connection'. next. Checkmark all profiles,next. Give the rule a name, eg "Allow out to port ### on server YYY.
HowTo Allow or Block a Package: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. Keep clicking Next button until you see "Allow the connection" and "Block the connection", select the one you want. Click next until you reach Finish, and name the rule. Then choose the rule just created and select Properties. Go to 'Program and Services' tab. Go to 'Application Packages' settings. Go to 'Apply to this application package' and select the package. OK. OK.
Note: I use the DNS Servers 9.9.9.9 (Quad9's malware sites blocking DNS) and 1.1.1.1 (CloudFlare's DNS - the fastest) You will need to change your DNS Servers in Network Adapter > IPv4 Properties if you choose to use them.
Side Note: You can disable several rules at once by clicking on the first line, and Shift-clicking on the bottom line, then right-click and choose Disable
Some Win apps (like those downloaded from the Store) install Inbound allow rules to itself. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule to an app essentially makes that application a server. That is, it will accept any transmission to itself all the time, and can be exploited
Together, these firewall rules implement the Default Deny firewall principle. And each firewall rule aims to be very specific: it specifies the ports to use, and it specifies the ip address to use. (except when I don't know, like where the smartscreen servers are, MS does not publicize these things) This is so that they cannot be misused by malware; a overly wide rule will just allow DNS to go outbound. But to where? Malware and hackers will use a default wide rule to use as a back channel to communicate with it's server. I am being slack here, a good firewall administrator will scour the firewall logs to see exactly where the nearby MS servers are and specify them in his/her firewall rules. But the default Outbound Allow All policy is a definite no-no.
However, I should add that an Outbound Default Deny policy requires work to add rules for every program you install that requires access. For people who try out lots of programs for fun, this would induce some, err, hardship. A Default Deny policy is best for those who demand security and don't change their configuration lightly.
Hackers have ways to get around Outbound Deny. One way is to use DLL Injection to an already allowed app. The way around this is to only allow the absolutely necessary things to go outbound, and disable built in Windows features where possible. Here are a few examples. a) You can assign manual ip address in Network Adapter IPv4 Properties. Then the DHCP rule for fetching an ip address for your machine from the router can be disabled. b) IPv6 can be disabled totally. You risk not reaching a web site using that protocol, but chances are slim, because since the creation of NAT routers, many gov and corp internal machines can now use private IPv4 addresses that are not routable on the internet ( 192.168.x.x, 172.16-32.x.x, and 10.x.x.x ). So the IPv6 outbound rule can be disabled. c) MS Edge rule. MS Edge runs automatically and invisibly upon every login. If you use a different browser, then this rule can be disabled. The MS Edge rule was included above only as a backup in case your favorite browser misbehaves. d) SmartScreen rule can be disabled if you use VoodooShield. VoodooShield has it's own reputation checker, and on top of that, your browser may have it's own downloads reputation checker; so SmartScreen can be deemed optional, it is up to you.
Click on Windows Defender Firewall Properties on the center section.
Click on each profile (Domain, Private, Public) tab
- change Outbound connection = Block
- Specify Logging settings for Troubleshooting > Customize
- Size Limit = 100000 KB
- Log Dropped packets = Yes
- Log Successful connections = Yes
HowTo allow a windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol - (no change), next, IP addresses ( no change ), next, select 'Allow The Connection'. Checkmark all profiles,next. Give the rule a name, eg "Allow service X".
HowTo Allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', Select "Program", next, select "This program Path" and click on "Browse" button, Navigate to program folder and select the EXE, next, select "Allow the connection", Checkmark all profiles,next. Give the rule a name, eg "Allow Program X".
HowTo Allow communication to a destination port # and IP address: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. next. Select 'All Programs'. next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. next. For 'Remote address this rule applies to' select 'These ip addresses'. Click 'Add' button, and in the following dialog box, type in an ip address into 'This ip address or subnet'. ok. next. Select 'Allow the connection'. next. Checkmark all profiles,next. Give the rule a name, eg "Allow out to port ### on server YYY.
HowTo Allow or Block a Package: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. Keep clicking Next button until you see "Allow the connection" and "Block the connection", select the one you want. Click next until you reach Finish, and name the rule. Then choose the rule just created and select Properties. Go to 'Program and Services' tab. Go to 'Application Packages' settings. Go to 'Apply to this application package' and select the package. OK. OK.
- --------New Rules you have to Add--------------------
- Outbound/ allow \windows\system32\svchost.exe
- Outbound/ allow \windows\system32\svchost.exe TCP, Service: Windows Update
- Outbound/ allow \windows\system32\DeviceCensus.exe (related to Windows Update)
- Outbound/ allow \windows\system32\svchost.exe TCP, Service: Windows Time, UDP, remote port 123, remote ip: <your router's ip> (you will also need to modify Control Panel > Date and time > Internet Time)
- Outbound/ allow C:\program files\windows defender\msmpeng.exe
- Outbound/ allow \windows\system32\AuthHost.exe (for MS Account setup, Mail, Calendar)
- Outbound/ allow \windows\system32\smartscreen.exe (so that Windows does a reputation check on downloaded files before running)
- Outbound/ allow \windows\system32\WWAHost.exe (for MS Account sign in)
- Outbound/ allow program <Firefox/Chrome/Opera, whichever browser you use> Remote ports=TCP 80,443
- Outbound/ allow MS Chromium Edge (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), Remote ports=TCP 80,443
- Outbound/ allow program \users\<userAccountName>\appdata\local\microsoft\onedrive\onedrive.exe. (if you choose to use OneDrive, each account that uses OneDrive needs a rule )
- Outbound/ allow Core Networking DNS (TCP-HTTPS): TCP, Remote Port 853 and 443, Remote ip: 9.9.9.9,1.1.1.1
- --------Rules you have to Modify-------------------------
- Outbound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP out), Remote ip: (as found by DHCP Server in ipconfig /all)
- Outbound/ allow Core Networking DNS (UDP-out): UDP, Remote Port 53, Remote ip 9.9.9.9, 1.1.1.1
- --------Existing Rules to leave as is--------------------
- Outbound/ allow Windows Defender SmartScreen (packageMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy")
- Outbound/ allow Core Networking - Dynamic Host Configuration Protocol (Ipv6-DHCP out)
- Outbound/ allow Core Networking - IPv6 (IPv6-Out)
- Outbound/ allow NcsiUwpApp (Network Connectivity Status Indicator Universal Windows Platform App)
- Outbound/ allow Recommended Troubleshooting Client (HTTP/HTTPS Out)
- Outbound/ allow Windows Security (SecHealthUI)
- --------Then you do this---------------------------------
- Outbound/ Disable all other Outbound rules with a Green Dot ( which means they are active ).
--------Rule you have to modify-------------------------- - InBound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP in), from ip: (as found by ipconfig /all)
- --------Existing Rules to leave as is--------------------
- Inbound/ allow Core Networking - Dynamic Host Configuration Protocol (Ipv6-DHCP in)
- InBound/ allow Windows Security (SecHealthUI)
- --------Then you do this---------------------------------
- InBound/ Disable all other Inbound rules with a Green Dot ( which means they are active )
Note: I use the DNS Servers 9.9.9.9 (Quad9's malware sites blocking DNS) and 1.1.1.1 (CloudFlare's DNS - the fastest) You will need to change your DNS Servers in Network Adapter > IPv4 Properties if you choose to use them.
Side Note: You can disable several rules at once by clicking on the first line, and Shift-clicking on the bottom line, then right-click and choose Disable
Some Win apps (like those downloaded from the Store) install Inbound allow rules to itself. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule to an app essentially makes that application a server. That is, it will accept any transmission to itself all the time, and can be exploited
Together, these firewall rules implement the Default Deny firewall principle. And each firewall rule aims to be very specific: it specifies the ports to use, and it specifies the ip address to use. (except when I don't know, like where the smartscreen servers are, MS does not publicize these things) This is so that they cannot be misused by malware; a overly wide rule will just allow DNS to go outbound. But to where? Malware and hackers will use a default wide rule to use as a back channel to communicate with it's server. I am being slack here, a good firewall administrator will scour the firewall logs to see exactly where the nearby MS servers are and specify them in his/her firewall rules. But the default Outbound Allow All policy is a definite no-no.
However, I should add that an Outbound Default Deny policy requires work to add rules for every program you install that requires access. For people who try out lots of programs for fun, this would induce some, err, hardship. A Default Deny policy is best for those who demand security and don't change their configuration lightly.
Hackers have ways to get around Outbound Deny. One way is to use DLL Injection to an already allowed app. The way around this is to only allow the absolutely necessary things to go outbound, and disable built in Windows features where possible. Here are a few examples. a) You can assign manual ip address in Network Adapter IPv4 Properties. Then the DHCP rule for fetching an ip address for your machine from the router can be disabled. b) IPv6 can be disabled totally. You risk not reaching a web site using that protocol, but chances are slim, because since the creation of NAT routers, many gov and corp internal machines can now use private IPv4 addresses that are not routable on the internet ( 192.168.x.x, 172.16-32.x.x, and 10.x.x.x ). So the IPv6 outbound rule can be disabled. c) MS Edge rule. MS Edge runs automatically and invisibly upon every login. If you use a different browser, then this rule can be disabled. The MS Edge rule was included above only as a backup in case your favorite browser misbehaves. d) SmartScreen rule can be disabled if you use VoodooShield. VoodooShield has it's own reputation checker, and on top of that, your browser may have it's own downloads reputation checker; so SmartScreen can be deemed optional, it is up to you.
