Advice Request [Discuss] Recommendation for Which Ports and Windows Services should be blocked via Windows Firewall?

ForgottenSeer 823865

I read that there is a specific policy that could be adjusted to make Windows Firewall pop up a notification about any program trying to connect to the internet.
No, there is only a setting to alert when a connection is incoming.


You do not need to use TinyWall to have good firewall protection, nor a front end like WFC to control Windows Firewall Control.
In fact, programs like that are crutches that you come to depend upon to do stuff you should figure out and learn on your own.
Such programs keep you in ignorance.
+1, people rely too much on 3rd party software instead of learning the basics of tools shipped with their OS.

I exported the policy (.WFW) after it was created by TinyWall, not the exported rules from TinyWall itself.
I mentioned it in another thread a long time ago.

Lazy way:
1- install Binisoft WFC.
2- clear the Windows Firewall rules.
3- install WFC default rules.
4- launch each of your internet-facing apps, allow them; do some reboots (or keep WFC for a few days) to be sure some services/processes are triggered.
5- export the .wfw policy.
6- remove WFC.

Job done, you have most of the basic rules now. And if you like a "default-deny" firewall setup, block all outbound connections in WinFW w/ Advanced settings.
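
The export and default-deny steps from the post above can also be done with the built-in tools alone. This is an added example, not part of the original post; the backup path is an assumed placeholder, and the review step before flipping the default is an addition for spotting overly broad allow rules.

```powershell
#Requires -RunAsAdministrator
# Added example: export the policy, review outbound allow rules, then block outbound by default.
$backup = "$env:USERPROFILE\Documents\winfw-baseline.wfw"   # assumed placeholder path

# Export the complete policy (rules plus profile settings) to a .wfw file.
netsh advfirewall export $backup

# Collect every enabled outbound allow rule with the program, service and port it covers.
$rules  = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True
$review = foreach ($r in $rules) {
    $app  = $r | Get-NetFirewallApplicationFilter
    $svc  = $r | Get-NetFirewallServiceFilter
    $port = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $r.DisplayName
        Program    = $app.Program
        Service    = $svc.Service
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort -join ','
    }
}
$review | Sort-Object Program, Name | Format-Table -AutoSize

# Rules that match any program, any service and any remote port would
# undo a default-deny setup; list them so they can be tightened or removed.
$review | Where-Object {
    $_.Program -eq 'Any' -and $_.Service -eq 'Any' -and $_.RemotePort -eq 'Any'
} | Format-Table Name, Protocol -AutoSize

# Block outbound traffic by default on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Confirm the resulting defaults.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# To roll back to the exported baseline:
# netsh advfirewall import $backup
```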
 

DDE_Server

Thread author
+1, people rely too much on 3rd party software instead of learning the basics of tools shipped with their OS.
I just found Performance Monitor, through which you can know which programs try to connect to the internet (using the Network tab); however, its main disadvantage is that it is silent and doesn't have notification capabilities.
 

ForgottenSeer 823865

I just found Performance Monitor, through which you can know which programs try to connect to the internet (using the Network tab); however, its main disadvantage is that it is silent and doesn't have notification capabilities.
Outgoing notifications are a feature pushed by security vendors.
Firewalls were never meant to block outgoing connections.
If you install software, it means you trust it and there is no reason why you should block its connections.
Reason I block all outbound connections except those from apps I personally whitelisted, so I don't need any connection monitoring tools. I can create allow rules on the fly if needed.
I guess you lock your house's door to prevent unwanted people from getting in, not to prevent people you let in from getting out.

Not saying, if you got a notification for a unknown/malicious program calling home then it means it was allowed to run, and your security strategy and solution failed to protect you.
 

ichito

Outgoing notifications are a feature pushed by security vendors.
Firewalls were never meant to block outgoing connections.
If you install software, it means you trust it and there is no reason why you should block its connections.
Actually it's hard to agree...in this article "A History and Survey of Network Firewalls" we can see that outbound traffic is...rather was in the past...as important as inbound.
The fact that MS was not smart, or maybe too lazy, releasing its own firewall later than 3rd developers (2004), and that it offered inbound traffic control only, can't be the base to discuss what firewalls mean. Kerio on my XP informs in its manual:

"Kerio Personal Firewall 2.1
User's Guide
Kerio Technologies


Copyright © 1997-2002 Kerio Technologies. All Rights Reserved.

(...)
Kerio Personal Firewall is a small and easy to use system designed for protecting a personal computer against hacker attacks and data leaks."

and similar words we could find in guides of other personal firewalls from those times. Here are other examples - two articles on Symantec pages from 2003
They were much wiser than MS :)
 

Syrinx

If you truly want to control the default Windows firewall and you have a Pro or higher edition of Windows, I strongly suggest you use the Group Policy version instead, particularly if you are on Windows 10. There are options in there that allow you to disable the application of standard firewall rules via 'Apply local firewall rules' and setting it to NO.
Using Group Policy this way allows you to have a type of 'secure rules'. If anything you install or have installed tries to create firewall rules, they will be allowed to do so but they won't get applied. This is great if you have any MS Store Apps (AppX/Metro), as they make their own rules upon every install/update, along with a growing number of normal software ^^
 

silversurfer

For average Joe it's enough ;)
Also it's more secure than external ones as it doesn't increase the attack surface
Sophisticated malware easily disables Windows-Firewall or uses injections into svchost.exe, in case of your AV missing all about specific malware...
 

TairikuOkami

this is my current outbound connections ...
Do you really need Windows Time being updated daily? It is a service running on every computer, so it is easily exploitable.
I update it manually and I have allowed only UDP via port 123. I tried to limit IP ranges as well, but they change too often.
Sophisticated malware easily disables Windows-Firewall or uses injections into svchost.exe, in case of your AV missing all about specific malware...
Well, once malware is up and running hidden and elevated, disabled Windows Firewall is the least of user's concerns.
Windows Firewall serves more for prevention than for stopping the malware, like to block it from downloading a payload.
 

silversurfer

Well, once malware is up and running hidden and elevated, disabled Windows Firewall is the least of user's concerns.
Windows Firewall serves more for prevention than for stopping the malware, like to block it from downloading a payload.
I wrote my reply in a different context: "Average Joe" always uses Windows-Firewall by default, so all outbound connections are allowed by default; in this case W10FW is unable to block downloading payloads.
 

TairikuOkami

I wrote my reply in a different context: "Average Joe" always uses Windows-Firewall by default, so all outbound connections are allowed by default; in this case W10FW is unable to block downloading payloads.
In that context, malware does not even have to bother disabling it, because it is not blocking anything, it is only pretending to be a firewall. :sneaky:
 
ForgottenSeer 823865

I wrote my reply in a different context: "Average Joe" always uses Windows-Firewall by default, so all outbound connections are allowed by default; in this case W10FW is unable to block downloading payloads.
Which isn't the original firewall purpose; firewalls are supposed to monitor traffic, not prevent download cradles or prompt the user to allow or deny access.
The user is supposed to set rules based on their system. By default and for obvious reasons, Windows Firewall can't decide it for the user and has to allow any outgoing processes; however, it does a decent job at blocking incoming connections, which is its original purpose.
If WinFW was as bad as in XP, several security vendors wouldn't rely on it.
Now most of them just implement outgoing prompts due to malware evolution but barely touch WinFW core design and traffic filtering mechanism.

Just look at corporate firewalls use, admins implement system/networks specific rules, they don't wait for pop up alerts lol, they even disable such noob features.
 

TairikuOkami

firewalls are supposed to monitor traffic, not prevent download cradles or prompt the user to allow or deny access.
Unfortunately security vendors present it as such: "You Are Protected by a firewall" and people believe it.
however it does a decent job at blocking incoming connections. Which is its original purpose.
"Thanks" to IPv4, virtually everyone is behind a router (I am behind 7), so now it mostly protects from threats/unsolicited traffic on a local network.
 

silversurfer

Which isn't the original firewall purpose; firewalls are supposed to monitor traffic, not prevent download cradles or prompt the user to allow or deny access.
The user is supposed to set rules based on their system. By default and for obvious reasons, Windows Firewall can't decide it for the user and has to allow any outgoing processes; however, it does a decent job at blocking incoming connections, which is its original purpose.
If WinFW was as bad as in XP, several security vendors wouldn't rely on it.
Now most of them just implement outgoing prompts due to malware evolution but barely touch WinFW core design and traffic filtering mechanism.

Just look at corporate firewalls use, admins implement system/networks specific rules, they don't wait for pop up alerts lol, they even disable such noob features.
My first reply was only related to "Average Joe", for those users it's better to use 3rd-party firewall like Internet-Security by well-known vendors...

You don't need to speak like a teacher to me, I know more than enough about the real firewall purpose ;)
 
ForgottenSeer 823865

My first reply was only related to "Average Joe", for those users it's better to use 3rd-party firewall like Internet-Security by well-known vendors...
Average Joes will click "allow" to whatever fits their needs, whether it is malicious or legit, if they even care to read the alert.... Which makes prompts basically as useless as prompt-based default-deny modules.
How many people (even corporations) get infected by some basic ransomware despite using a security solution?
The only ones who will benefit are those with some security awareness.

You should know that by now.
 

Syrinx

You don't need to speak like a teacher to me, I know more than enough about the real firewall purpose ;)

@Umbra sorry but they are correct there. You do come across as rather demeaning by default. I'm not saying I disagree with you about anything in particular (it's bound to happen eventually, honestly but not here and now)

I know, I know..I'm a lowly level one not a 26 or 54 like you big boys so I should just shut up and suck what's shoved in my face....but no, sorry. That's not meh.
 
ForgottenSeer 823865

@Umbra sorry but they are correct there. You do come across as rather demeaning by default. I'm not saying I disagree with you about anything in particular (it's bound to happen eventually, honestly but not here and now)

I know, I know..I'm a lowly level one not a 26 or 54 like you big boys so I should just shut up and suck what's shoved in my face....but no, sorry. That's not meh.
If people can't handle a tone, I can't do much for them...I don't mind how you talk, I mind about what you are saying.
Well seems we have different characters ;)
 

silversurfer

Average Joes will click "allow" to whatever fits their needs, whether it is malicious or legit, if they even care to read the alert.... Which makes prompts basically as useless as prompt-based default-deny modules.
How many people (even corporations) get infected by some basic ransomware despite using a security solution?
The only ones who will benefit are those with some security awareness.

You should know that by now.
First that will be my last reply to You, but the following must be said by me:

You spoke once more to me like a teacher, that sounds very arrogant, it seems to be that Your EGO can't handle different opinions!

You, as a former moderator at MT, should be talking a bit more respectfully to other people, but King Umbra prefers his style of communicating...
 
