FirewallHardening tool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Andy Ful
Does blocking outbound connections of LOLBins also block legitimate traffic or just useless telemetry?
As it is mentioned in the FirewallHardening Help, the outbound connections are blocked by Windows policies. All outbound connection of the LOLBin is blocked.
 

Azazel

As it is mentioned in the FirewallHardening Help, the outbound connections are blocked by Windows policies. All outbound connection of the LOLBin is blocked.
What I meant is, is the legitimate traffic from LOLBins important for Windows normal functionality or just something not important?
 

Andy Ful

What I meant is, is the legitimate traffic from LOLBins important for Windows normal functionality or just something not important?

What is unclear in the: All outbound connection of the LOLBin is blocked? :unsure:

Yes, I should write:
All outbound connections of the LOLBin are blocked.
 

Azazel

What is unclear in the: All outbound connection of the LOLBin is blocked? :unsure:

Yes, I should write:
All outbound connections of the LOLBin are blocked.
The question was not about whether all traffic is blocked, but if some of the traffic is IMPORTANT for Windows functionality.
Do we have any idea why they connect to Microsoft servers and what they do with it? If so, connections to Microsoft's IP addresses could be whitelisted along with the ports they are using.
 

JustInTime

Level 2
Feb 21, 2022
59
The question was not about whether all traffic is blocked, but if some of the traffic is IMPORTANT for Windows functionality.
Do we have any idea why they connect to Microsoft servers and what they do with it? If so, connections to Microsoft's IP addresses could be whitelisted along with the ports they are using.
Along with firewall hardening I use Simplewall to block all connections, only allowing Apps I use like browser and F-Secure and haven't faced any issue regarding Windows functionality.
 

Andy Ful

The question was not about whether all traffic is blocked, but if some of the traffic is IMPORTANT for Windows functionality.
Do we have any idea why they connect to Microsoft servers and what they do with it? If so, connections to Microsoft's IP addresses could be whitelisted along with the ports they are using.

I do not understand you. If all outbound connections of the LOLBin are blocked, that means that also some IMPORTANT connections can be blocked.
The outbound connections of LOLBins blocked by "Recommended H_C" are not "IMPORTANT for Windows functionality". Some others can be important, but it depends on what you mean by "IMPORTANT for Windows functionality". Is Windows telemetry IMPORTANT? Are the Windows Explorer connections to Cloudflare IMPORTANT? Are ...., etc.
I do not know. If you do not know either, then unblock the particular LOLBin (use the FirewallHardening Log to see blocked events).
 

Azazel

I mean whether any problems can happen to Windows functionality by blocking LOLBins' outside connections.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
As a home user you should require very few ports opened outbound, TCP and UDP protocols for your Internet needs. In my case I have HTTPS (443), DNS (53), email (465, 995), Time (123), 80 & 8080 for rare needs on both IPv4 and IPv6. It is actually questionable if I need 5353, but for some reason, can't remember why, I felt the need to allow it. The following are outbound allowed (inbound and outbound blocked by default) on my Linux desktop:

[Attached image: UFW Rules.png]
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I mean whether any problems can happen to Windows functionality by blocking LOLBins' outside connections.
That's why you should check the blocked connections log and have a working backup. No dev can guarantee you a 100% problem free experience. You can always be one of the 0.5% exceptional cases (number made up).
 

Andy Ful

I mean whether any problems can happen to Windows functionality by blocking LOLBins' outside connections.

You will not get the right answer to unclear questions. Please do as follows:
  1. Apply the FirewallHardening Block List "Recommended H_C".
  2. Forget about other LOLBins, because no one can be sure if some of them can cause any problems with Windows functionality (whatever that means) on your computer. (y)
 

wat0114

@Azazel

I think I understand your question, and it actually made me curious to view the list of LOLBins being blocked in FirewallHardening.

If you look at the list of LOLBins blocked in FirewallHardening, it can be seen that Andy has carefully chosen only those that will not break Windows functionality when they are blocked. Microsoft in their infinite wisdom has created an absolutely mind-boggling myriad of rules in the latest Windows versions for both inbound and outbound networking, most of which are not required for most home users. Things were so much simpler in XP days, made increasingly more complex with each Windows release since then.

As @Kongo mentions above, keeping logging enabled, especially if you perceive that network breakage is happening for something, can be very useful for narrowing down the problem.
 

Decopi

Level 8
Verified
Oct 29, 2017
361

Hi @Andy Ful !

First of all, thank you very much for your software!

Please, if possible, I would like to ask you a favor: in your FirewallHardening, how can I see the firewall rules? Please, I would like to take a look at all the firewall rules that FirewallHardening uses.
For example, FirewallHardening has rules for LOLBins, MSOffice, Adobe, Recommended H_C, and External Block List. Please, if possible, how can I get a list of those rules?

Thank you in advance!
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
Hi @Andy Ful !

First of all, thank you very much for your software!

Please, if possible, I would like to ask you a favor: in your FirewallHardening, how can I see the firewall rules? Please, I would like to take a look at all the firewall rules that FirewallHardening uses.
For example, FirewallHardening has rules for LOLBins, MSOffice, Adobe, Recommended H_C, and External Block List. Please, if possible, how can I get a list of those rules?

Thank you in advance!
Go to your firewall settings, then advanced settings and then to outbound rules. There you can see all the Firewall Hardening rules that are applied:

[Attached image: Screenshot 2024-07-13 155459.png]
 

Decopi

Go to your firewall settings, then advanced settings and then to outbound rules. There you can see all the Firewall Hardening rules that are applied

Thanks @Kongo .

Yeah, I was already aware of the way you presented to visualize the rules.
But for reasons that are irrelevant now and that are not worth mentioning now, I don't use Windows Firewall, and I even have it blocked at the regedit level.
But even if I had the WF active, to be able to fully view and manipulate the rules, I would have to export them from the WF to another file. And I can do it! But I preferred to ask @Andy Ful first, because maybe he already has a simpler way of looking at the rules.
Thanks @Kongo anyway!
 

Andy Ful

Hi @Andy Ful !

Please, if possible, I would like to ask you a favor: in your FirewallHardening, how can I see the firewall rules? Please, I would like to take a look at all the firewall rules that FirewallHardening uses.
You can use the <Save> button under "External Blocklist". This will export the current rules to the text file.
 

Decopi

You can use the <Save> button under "External Blocklist". This will export the current rules to the text file.

@Andy Ful , thanks for your contact.

I already knew about the "save" button, but it only saves the "path" of the executable that was blocked.

My interest, and what I asked you, please if possible, is to see the list with all the "rules" (not just the paths), and by "rules" I mean the list of all the full commands (for LOLBins, MSOffice, Adobe, Recommended H_C, etc.). I can do that by exporting FirewallHardening rules from Windows Firewall. But as I explained in previous comments, I prefer to ask you first, because maybe you already have a simpler way of looking at the rules.

Thanks again.
 

Andy Ful

@Andy Ful , thanks for your contact.

My interest, and what I asked you, please if possible, is to see the list with all the "rules" (not just the paths), and by "rules" I mean the list of all the commands

Look into the Windows Registry and export the content of the below key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules
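
One way to read that key into a table of full rules rather than exporting it by hand, as an added example (not part of the thread and not FirewallHardening's own code). It assumes the values use the pipe-delimited `v2.xx|Key=Value|...|` string layout that Windows Firewall uses for registry-stored rules; the function names and the sample rule IDs, names and paths are constructed for illustration.

```powershell
# Key named in the post above; policy-store rules are REG_SZ values under it.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

function ConvertFrom-FirewallRuleString {
    # Parses one 'v2.xx|Key=Value|Key=Value|' rule string into an object.
    param([Parameter(Mandatory)][string]$RuleId,
          [Parameter(Mandatory)][string]$RuleData)
    $parts  = @($RuleData.Split('|') | Where-Object { $_ -ne '' })
    $fields = [ordered]@{ RuleId = $RuleId; Version = $parts[0] }
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $key, $value = $part.Split('=', 2)   # split on the first '=' only
        if ($fields.Contains($key)) {
            $fields[$key] = "$($fields[$key]),$value"   # repeated keys, e.g. several ports
        } else {
            $fields[$key] = $value
        }
    }
    [pscustomobject]$fields
}

function Get-PolicyFirewallRule {
    # Emits one parsed object per value under the key; nothing if the key is absent.
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ })) {
        ConvertFrom-FirewallRuleString -RuleId $name -RuleData ([string]$key.GetValue($name))
    }
}

# Constructed sample values (NOT exported from FirewallHardening), used only
# when the key is missing or empty so the parser can be tried on any machine.
$Sample = [ordered]@{
    'Sample-Rule-1' = 'v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Windows\System32\certutil.exe|Name=Sample: block certutil|'
    'Sample-Rule-2' = 'v2.30|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\Windows\System32\mshta.exe|Name=Sample: block mshta|'
    'Sample-Rule-3' = 'v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=17|LPort=5353|Name=Sample: inbound rule|'
}

$rules = @(Get-PolicyFirewallRule)
if ($rules.Count -eq 0) {
    $rules = foreach ($id in $Sample.Keys) {
        ConvertFrom-FirewallRuleString -RuleId $id -RuleData $Sample[$id]
    }
}

# Show only what the thread is about: outbound block rules, one row per program.
$rules | Where-Object { $_.Dir -eq 'Out' -and $_.Action -eq 'Block' } |
    Sort-Object App |
    Select-Object RuleId, Active, Protocol, RPort, App, Name |
    Format-Table -AutoSize
```

Because the script reads the registry values directly, it does not depend on the Windows Firewall service being enabled; replace `Format-Table` with `Export-Csv` to keep a copy for comparison after changing a block list.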
 
