Advice Request Hardening rules for Windows firewall

[notabot]

Hi, I want to harden my rules for Windows firewall ( not interested in vendor products for firewall). Where it gets tricky is

- blocking all incoming : this would also block connections to Microsoft services, does someone have experience if it’s ok to block everything incoming including ports that Microsoft services listen at ?

- blocking outgoing: again tricky due to MS programs that may want to reach home or want to send telemetry ( I’m fine with that if it’s a reasonably trustworthy western co eg MS, Intel, Nvidia phoning home for telemetry and updates ), if I block everything except browsers I’d also be blocking MS’ legitimate attempts to dial home.

Also is there a way to export the rules in a format such that the export is usable to import the rules on other machines?

 

[DeepWeb]

For blocking incoming and outgoing connections from Microsoft I would use a hosts file like this one:
https://www.encrypt-the-planet.com/downloads/hosts

Note this will break a lot more things than you might have thought. Windows 10 is extremely dependent on Microsoft's servers now.

 

[notabot]

For blocking incoming and outgoing connections from Microsoft I would use a hosts file like this one:
https://www.encrypt-the-planet.com/downloads/hosts

Note this will break a lot more things than you might have thought. Windows 10 is extremely dependent on Microsoft's servers now.

I don’t want to block phoning home to MS, I just want to reduce my PC’s attack surface

Outgoing stuff from MS I’d like to allow/whitelist

Do MS servers also use incoming connections ? - I’d be surprise if they needed this because how would this work behind NAT ?
They have services open on Windows but would blocking access to incoming connections break anything ?

 

[LDogg]

You could have a look at Syshardener!

~LDogg

 

[DeepWeb]

I don’t want to block phoning home to MS, I just want to reduce my PC’s attack surface

Outgoing stuff from MS I’d like to allow/whitelist

Do MS servers also use incoming connections ? - I’d be surprise if they needed this because how would this work behind NAT ?
They have services open on Windows but would blocking access to incoming connections break anything ?

I see your point. Well the update servers and Troubleshoot/Diagnostics, Cortana and licensing checks use incoming connections somehow.

Interesting. Hmm Well fortunately most malware is written by lazy and untalented programmers so Microsoft processes are the least you have to worry about. They will focus on easier ways to drop malware onto your computer. With the latest versions of Windows 10 anything that messes around in the kernel needs to be signed and validated with a trusted certificate or even a Microsoft certificate.

There is Fix Privacy which disables connections to telemetry and Cortana servers and leaves the most essential services like Windows Update alone
fix-windows-privacy by modzero

 

[TairikuOkami]

You can export/import policy via WF's GUI directly. Not sure how reliable it is, I just use cmd/bat, like:

netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteip=156.154.70.2,156.154.71.2 remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"

Windows updates certificates daily, you should not block that and also svchost is used for Windows updates, DNS requests and such.

 

[notabot]

You can export/import policy via WF's GUI directly. Not sure how reliable it is, I just use cmd/bat, like:

netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteip=156.154.70.2,156.154.71.2 remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"

Windows updates certificates daily, you should not block that and also svchost is used for Windows updates, DNS requests and such.

Thanks ! Does it treat incoming connections as just incoming or I can make separate configurations for each network interface. Eg different for 127.0.0.1 vs any other ip?

 

[TairikuOkami]

127.0.0.1 is considered as an outgoing connection, though you need to configure it as incoming in rules, if I recall it correctly. I guess that depends, what you pick as a remote computer/IP, I did not define any, since I have all incoming connections blocked, so it was allowing only local computer. I do not have any TCP loopback rules at the moment, it gave me quite a headache back then to get it working.

 

[notabot]

127.0.0.1 is considered as an outgoing connection, though you need to configure it as incoming in rules, if I recall it correctly. I guess that depends, what you pick as a remote computer/IP, I did not define any, since I have all incoming connections blocked, so it was allowing only local computer. I do not have any TCP loopback rules at the moment, it gave me quite a headache back then to get it working.

I’d like to block all incoming except if the source is the loopback interface, so that I can connect to servers I spin up locally but no one external can - is this something that’s easy to configure?

 

[TairikuOkami]

Trial and error. Allow all outgoing, log the traffic, create rules based on that, then block all outgoing and test. I use LiveTcpUdpWatch