Setup Idea Default Deny Windows Firewall setup How To

Log-in security
    • Basic account password (insecure)
User Access Control
Always notify
Real-time security
n/a
Firewall security
Microsoft Defender Firewall
About custom security
n/a
Periodic malware scanners
Norton PowerEraser
Browser(s) and extensions
Any browser
Secure DNS
Quad9
Desktop VPN
n/a
Password manager
n/a
Maintenance tools
n/a
File and Photo backup
macrium reflect
System recovery
macrium reflect

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
576
Start > All apps > Windows Tools > Windows Defender Firewall
Click on Windows Defender Firewall Properties on the center section.
Click on each profile (Domain, Private, Public) tab


  • change Outbound connection = Block
  • Specify Logging settings for Troubleshooting > Customize
  • Size Limit = 100000 KB
  • Log Dropped packets = Yes
  • Log Successful connections = Yes

HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click Customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol (no change), next, IP addresses (no change), next, select 'Allow the connection'. Checkmark all profiles, next. Give the rule a name, eg "Allow service X".


HowTo allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Program', next, select 'This program path' and click on the 'Browse' button, navigate to the program folder and select the EXE, next, select 'Allow the connection'. Checkmark all profiles, next. Give the rule a name, eg "Allow Program X".


HowTo allow communication to a destination port # and IP address: Click on Outbound Rules on the left. Click on 'New Rule'. Select 'Custom'. Next. Select 'All Programs'. Next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. Next. For 'Remote address this rule applies to' select 'These IP addresses'. Click the 'Add' button, and in the following dialog box, type an IP address into 'This IP address or subnet'. OK. Next. Select 'Allow the connection'. Next. Checkmark all profiles, next. Give the rule a name, eg "Allow out to port ### on server YYY".


HowTo Allow or Block a Package: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. Keep clicking Next button until you see "Allow the connection" and "Block the connection", select the one you want. Click next until you reach Finish, and name the rule. Then choose the rule just created and select Properties. Go to 'Program and Services' tab. Go to 'Application Packages' settings. Go to 'Apply to this application package' and select the package. OK. OK.

  • --------New Rules you have to Add--------------------
  • Outbound/ allow \windows\system32\svchost.exe
  • Outbound/ allow \windows\system32\svchost.exe TCP, Service: Windows Update
  • Outbound/ allow \windows\system32\DeviceCensus.exe (related to Windows Update)
  • Outbound/ allow \windows\system32\svchost.exe TCP, Service: Windows Time, UDP, remote port 123, remote ip: <your router's ip> (you will also need to modify Control Panel > Date and time > Internet Time)
  • Outbound/ allow C:\program files\windows defender\msmpeng.exe
  • Outbound/ allow \windows\system32\AuthHost.exe (for MS Account setup, Mail, Calendar)
  • Outbound/ allow \windows\system32\smartscreen.exe (so that Windows does a reputation check on downloaded files before running)
  • Outbound/ allow \windows\system32\WWAHost.exe (for MS Account sign in)
  • Outbound/ allow program <Firefox/Chrome/Opera, whichever browser you use> Remote ports=TCP 80,443
  • Outbound/ allow MS Chromium Edge (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), Remote ports=TCP 80,443
  • Outbound/ allow program \users\<userAccountName>\appdata\local\microsoft\onedrive\onedrive.exe. (if you choose to use OneDrive, each account that uses OneDrive needs a rule )
  • Outbound/ allow Core Networking DNS (TCP-HTTPS): TCP, Remote Port 853 and 443, Remote ip: 9.9.9.9,1.1.1.1
  • --------Rules you have to Modify-------------------------
  • Outbound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP out), Remote ip: (as found by DHCP Server in ipconfig /all)
  • Outbound/ allow Core Networking DNS (UDP-out): UDP, Remote Port 53, Remote ip 9.9.9.9, 1.1.1.1
  • --------Existing Rules to leave as is--------------------
  • Outbound/ allow Windows Defender SmartScreen (package "Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy")
  • Outbound/ allow Core Networking - Dynamic Host Configuration Protocol (Ipv6-DHCP out)
  • Outbound/ allow Core Networking - IPv6 (IPv6-Out)
  • Outbound/ allow NcsiUwpApp (Network Connectivity Status Indicator Universal Windows Platform App)
  • Outbound/ allow Recommended Troubleshooting Client (HTTP/HTTPS Out)
  • Outbound/ allow Windows Security (SecHealthUI)
  • --------Then you do this---------------------------------
  • Outbound/ Disable all other Outbound rules with a Green Dot ( which means they are active ).

  • --------Rule you have to modify--------------------------
  • InBound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP in), from ip: (as found by ipconfig /all)
  • --------Existing Rules to leave as is--------------------
  • Inbound/ allow Core Networking - Dynamic Host Configuration Protocol (Ipv6-DHCP in)
  • InBound/ allow Windows Security (SecHealthUI)
  • --------Then you do this---------------------------------
  • InBound/ Disable all other Inbound rules with a Green Dot ( which means they are active )

Note: I use the DNS servers 9.9.9.9 (Quad9's malware-site-blocking DNS) and 1.1.1.1 (Cloudflare's DNS, the fastest). You will need to change your DNS servers in Network Adapter > IPv4 Properties if you choose to use them.

Side note: You can disable several rules at once by clicking on the first line, Shift-clicking on the bottom line, then right-clicking and choosing Disable.

Some Windows apps (like those downloaded from the Store) install Inbound allow rules for themselves. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule for an app essentially makes that application a server. That is, it will accept any transmission to itself all the time, and can be exploited.

Together, these firewall rules implement the Default Deny firewall principle. And each firewall rule aims to be very specific: it specifies the ports to use, and it specifies the IP address to use (except when I don't know, like where the SmartScreen servers are; MS does not publicize these things). This is so that they cannot be misused by malware; an overly wide rule will just allow DNS to go outbound. But to where? Malware and hackers will use a default wide rule as a back channel to communicate with its server. I am being slack here; a good firewall administrator will scour the firewall logs to see exactly where the nearby MS servers are and specify them in his/her firewall rules. But the default Outbound Allow All policy is a definite no-no.

However, I should add that an Outbound Default Deny policy requires work to add rules for every program you install that requires access. For people who try out lots of programs for fun, this would induce some, err, hardship. A Default Deny policy is best for those who demand security and don't change their configuration lightly.

Hackers have ways to get around Outbound Deny. One way is to use DLL injection into an already allowed app. The way around this is to only allow the absolutely necessary things to go outbound, and disable built-in Windows features where possible. Here are a few examples. a) You can assign a manual IP address in Network Adapter IPv4 Properties. Then the DHCP rule for fetching an IP address for your machine from the router can be disabled. b) IPv6 can be disabled totally. You risk not reaching a web site using that protocol, but chances are slim, because since the creation of NAT routers, many gov and corp internal machines can now use private IPv4 addresses that are not routable on the internet (192.168.x.x, 172.16-32.x.x, and 10.x.x.x). So the IPv6 outbound rule can be disabled. c) MS Edge rule. MS Edge runs automatically and invisibly upon every login. If you use a different browser, then this rule can be disabled. The MS Edge rule was included above only as a backup in case your favorite browser misbehaves. d) The SmartScreen rule can be disabled if you use VoodooShield. VoodooShield has its own reputation checker, and on top of that, your browser may have its own downloads reputation checker; so SmartScreen can be deemed optional, it is up to you.
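The same default-deny outbound setup, scripted with the built-in NetSecurity cmdlets instead of the GUI. This is an added example and not the poster's own configuration; it creates the tighter, service-scoped versions of the rules listed above. The router address, browser path and the two built-in rule display names to keep are assumptions: check them against your own `Get-NetFirewallRule` output before running this in an elevated PowerShell.

```powershell
# Added example: default-deny outbound with narrow allow rules (run elevated).
$RouterIp = '192.168.1.1'                                   # placeholder: your router / DHCP server
$Browser  = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # placeholder: the browser you actually use
$Sys32    = "$env:SystemRoot\System32"

# 1. Block outbound (and inbound) by default on all three profiles; log dropped and allowed
#    packets with the 100000 KB size limit from the post.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 100000

# 2. Narrow allow rules. Each names a program and, where known, a service, protocol, port and
#    remote address, so no generic "svchost may talk to anything" rule exists.
#    wuauserv = Windows Update service, W32Time = Windows Time service.
$rules = @(
  @{ DisplayName='Allow svchost Windows Update'; Program="$Sys32\svchost.exe"; Service='wuauserv'; Protocol='TCP'; RemotePort=@('80','443') }
  @{ DisplayName='Allow DeviceCensus';           Program="$Sys32\DeviceCensus.exe" }
  @{ DisplayName='Allow Windows Time to router'; Program="$Sys32\svchost.exe"; Service='W32Time'; Protocol='UDP'; RemotePort='123'; RemoteAddress=$RouterIp }
  @{ DisplayName='Allow Defender engine';        Program="$env:ProgramFiles\Windows Defender\MsMpEng.exe" }
  @{ DisplayName='Allow SmartScreen';            Program="$Sys32\smartscreen.exe" }
  @{ DisplayName='Allow browser web';            Program=$Browser; Protocol='TCP'; RemotePort=@('80','443') }
  @{ DisplayName='Allow DNS over TLS/HTTPS';     Protocol='TCP'; RemotePort=@('853','443'); RemoteAddress=@('9.9.9.9','1.1.1.1') }
  @{ DisplayName='Allow DNS UDP 53';             Protocol='UDP'; RemotePort='53'; RemoteAddress=@('9.9.9.9','1.1.1.1') }
)
foreach ($r in $rules) {
    New-NetFirewallRule -Direction Outbound -Action Allow -Profile Any -Enabled True @r | Out-Null
}

# 3. Disable every other active outbound rule (the "green dot" rules), keeping only the rules
#    just created plus the built-in ones the post says to leave alone. The two display names
#    below are assumed; confirm them with: Get-NetFirewallRule -Direction Outbound -Enabled True
$keep = $rules.DisplayName + @(
  'Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)',
  'Core Networking - IPv6 (IPv6-Out)'
)
Get-NetFirewallRule -Direction Outbound -Enabled True |
  Where-Object { $keep -notcontains $_.DisplayName } |
  Disable-NetFirewallRule
```

Run `Get-NetFirewallRule -Direction Outbound -Enabled True | Format-Table DisplayName` afterwards to confirm only the intended rules remain active.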
 

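The post says a careful administrator scours the firewall log to learn which destinations the policy is actually stopping before writing a narrower rule. Here is an added helper (not from the thread) that does that review: it reads the column names from the log's own `#Fields:` header, keeps only outbound (`SEND`) packets with action `DROP`, and ranks destinations by drop count. The sample log lines are constructed; the live log path at the end is the firewall's default.

```powershell
# Added example: summarise outbound DROP entries in the Defender Firewall log.
function Get-OutboundDrops {
    param([string[]]$Lines, [int]$Top = 10)
    $fields = $null
    $hits = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {           # header names the columns; parsing it survives format changes
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
        # Keep only packets this host tried to send that the default-deny policy dropped
        if ($row['action'] -eq 'DROP' -and $row['path'] -eq 'SEND') { [pscustomobject]$row }
    }
    $hits | Group-Object protocol, 'dst-ip', 'dst-port' |
        Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $p, $ip, $port = $_.Name -split ',\s*'
            [pscustomobject]@{ Protocol = $p; Destination = $ip; Port = $port; Drops = $_.Count }
        }
}

# Constructed sample log (not real traffic): two TCP/443 drops to one host, one UDP/123 drop,
# one allowed DoT connection, and one inbound drop that must be ignored.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-10-03 09:00:01 DROP TCP 192.168.1.10 203.0.113.5 51000 443 52 S 123 0 8192 - - - SEND
2022-10-03 09:00:02 DROP TCP 192.168.1.10 203.0.113.5 51001 443 52 S 124 0 8192 - - - SEND
2022-10-03 09:00:03 DROP UDP 192.168.1.10 198.51.100.7 51002 123 76 - - - - - - - SEND
2022-10-03 09:00:04 ALLOW TCP 192.168.1.10 9.9.9.9 51003 853 52 S 125 0 8192 - - - SEND
2022-10-03 09:00:05 DROP TCP 198.51.100.9 192.168.1.10 40000 445 52 S 126 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-OutboundDrops -Lines $sample | Format-Table -AutoSize
# Live log (elevated):
# Get-OutboundDrops -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the sample this lists 203.0.113.5:443 (TCP, 2 drops) first and 198.51.100.7:123 (UDP, 1 drop) second; a destination that shows up repeatedly for a program you trust is the candidate for a rule scoped to exactly that address and port.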
Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
576
In accordance with PCI DSS section 2.5.5b, you should secure the apps and insecure protocols that are allowed through the network. And we can't trust that MS SmartScreen, for example, is using a secure protocol. So, there is this free Malwarebytes Anti-Exploit; it is embedded in Malwarebytes AV but available as a permanent beta for free. You can add exe's for it to protect. So add all the applications that you allow through the firewall to Anti-Exploit. I have let my red team on it and it works. Of course there should be other layers of security beyond that, because anything man-made can be overcome with enough dedication and hard work. But it has proven its worth to me.
 

Jonny Quest

Level 21
Verified
Top Poster
Well-known
Mar 2, 2023
1,089
It's a very lightweight option for interested users. Too bad it's not widely known in the wider community.
That was new to me, thank you both (@Victor M) for mentioning it.
 

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
576
MalwareBytes doesn't disclose how it functions. But I suspect it is like Windows Defender Exploit Protection. If you go to Windows Defender > App & browser control > Exploit protection > exploit protection settings > program settings and add program to customize, you will see all the different exploit protection techniques. When WD first revealed this protection they were tested and found to be not very reliable.
