Advice Request Hardening rules for Windows firewall

Status
Not open for further replies.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Hi, I want to harden my rules for Windows firewall (not interested in vendor firewall products). Where it gets tricky is:

- blocking all incoming: this would also block connections to Microsoft services. Does someone have experience with whether it's OK to block everything incoming, including ports that Microsoft services listen on?

- blocking outgoing: again tricky due to MS programs that may want to phone home or send telemetry (I'm fine with that if it's a reasonably trustworthy western company, e.g. MS, Intel, Nvidia phoning home for telemetry and updates). If I block everything except browsers, I'd also be blocking MS's legitimate attempts to dial home.

Also is there a way to export the rules in a format such that the export is usable to import the rules on other machines?
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
For blocking incoming and outgoing connections from Microsoft I would use a hosts file like this one:
https://www.encrypt-the-planet.com/downloads/hosts

Note this will break a lot more things than you might have thought. Windows 10 is extremely dependent on Microsoft's servers now.

I don’t want to block phoning home to MS, I just want to reduce my PC’s attack surface

Outgoing stuff from MS I’d like to allow/whitelist

Do MS servers also use incoming connections? I'd be surprised if they needed this, because how would this work behind NAT?
They have services open on Windows, but would blocking incoming connections break anything?
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I don’t want to block phoning home to MS, I just want to reduce my PC’s attack surface

Outgoing stuff from MS I’d like to allow/whitelist

Do MS servers also use incoming connections? I'd be surprised if they needed this, because how would this work behind NAT?
They have services open on Windows, but would blocking incoming connections break anything?
I see your point. Well, the update servers and Troubleshoot/Diagnostics, Cortana and licensing checks use incoming connections somehow.

Interesting. Hmm, well, fortunately most malware is written by lazy and untalented programmers, so Microsoft processes are the least you have to worry about. They will focus on easier ways to drop malware onto your computer. With the latest versions of Windows 10, anything that messes around in the kernel needs to be signed and validated with a trusted certificate or even a Microsoft certificate.

There is Fix Privacy, which disables connections to telemetry and Cortana servers and leaves the most essential services like Windows Update alone:
fix-windows-privacy by modzero
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
You can export/import policy via WF's GUI directly. Not sure how reliable it is, I just use cmd/bat, like:
Code:
netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteip=156.154.70.2,156.154.71.2 remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"
Windows updates certificates daily; you should not block that, and also svchost is used for Windows updates, DNS requests and such.
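The same two svchost rules as above, plus the export/import the thread author asked about, written as an added PowerShell example (not the poster's own script). It assumes an elevated PowerShell 5.1+ session on Windows 10 with the built-in NetSecurity module; the resolver addresses are the ones from the post, and the export path is an assumption.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell session.
$svchost = "$env:WINDIR\System32\svchost.exe"

# Outbound allow for svchost DNS (UDP/53) to the resolver addresses named in the post.
New-NetFirewallRule -DisplayName "Svchost DNS" -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress 156.154.70.2,156.154.71.2 `
    -Program $svchost

# Outbound allow for svchost HTTP/HTTPS (Windows Update, certificate and CRL retrieval).
New-NetFirewallRule -DisplayName "Svchost TCP" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 -Program $svchost

# Export the whole policy (profile settings plus every rule) to a .wfw file that another
# machine can import; this is the same format the WF GUI's Export Policy produces.
$policy = "$env:USERPROFILE\Desktop\firewall-policy.wfw"   # assumed path
netsh advfirewall export $policy

# On the target machine: import REPLACES the current policy, so take a backup there first.
# netsh advfirewall export "$env:USERPROFILE\Desktop\backup-before-import.wfw"
# netsh advfirewall import $policy

# Check that the rules landed with the expected direction/action and are enabled.
Get-NetFirewallRule -DisplayName "Svchost *" |
    Format-Table DisplayName, Direction, Action, Enabled, Profile
```

Because `%WINDIR%` is expanded at export time, the .wfw file carries the literal path; that only matters if the other machine installs Windows somewhere else.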
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
You can export/import policy via WF's GUI directly. Not sure how reliable it is, I just use cmd/bat, like:
Code:
netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteip=156.154.70.2,156.154.71.2 remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"
Windows updates certificates daily; you should not block that, and also svchost is used for Windows updates, DNS requests and such.

Thanks! Does it treat incoming connections as just incoming, or can I make separate configurations for each network interface, e.g. different for 127.0.0.1 vs any other IP?
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
127.0.0.1 is considered an outgoing connection, though you need to configure it as incoming in rules, if I recall correctly. I guess that depends on what you pick as a remote computer/IP; I did not define any, since I have all incoming connections blocked, so it was allowing only the local computer. I do not have any TCP loopback rules at the moment; it gave me quite a headache back then to get it working.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
127.0.0.1 is considered an outgoing connection, though you need to configure it as incoming in rules, if I recall correctly. I guess that depends on what you pick as a remote computer/IP; I did not define any, since I have all incoming connections blocked, so it was allowing only the local computer. I do not have any TCP loopback rules at the moment; it gave me quite a headache back then to get it working.

I'd like to block all incoming except if the source is the loopback interface, so that I can connect to servers I spin up locally but no one external can. Is this something that's easy to configure?
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Trial and error. Allow all outgoing, log the traffic, create rules based on that, then block all outgoing and test. I use LiveTcpUdpWatch.
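An added PowerShell example (not from either poster) covering both the loopback-only inbound question above and the "allow, log, build rules, then block" procedure in this reply. It assumes an elevated session on Windows 10, the default pfirewall.log location, and that the locally spun-up servers listen on TCP 8000-8999 (an assumed range).

```powershell
# Added example, not from the thread. Requires an elevated PowerShell session.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Learning phase: block inbound by default, keep outbound open, log both allowed and dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogAllowed True -LogBlocked True -LogFileName $log -LogMaxSizeKilobytes 32767

# Loopback exception: accept inbound only when both ends are 127.0.0.1, so servers bound to
# localhost are reachable from this machine while nothing on the network can reach them.
New-NetFirewallRule -DisplayName "Allow loopback inbound (dev servers)" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalAddress 127.0.0.1 -RemoteAddress 127.0.0.1 `
    -LocalPort 8000-8999   # assumed port range

# After a few days of normal use, summarise outbound SEND entries by protocol and destination
# so each line can become an explicit allow rule before outbound is switched to Block.
# Log fields: date time action protocol src-ip dst-ip src-port dst-port size ... path
Get-Content $log | ForEach-Object {
    $f = $_ -split ' '
    if ($f.Count -ge 17 -and $f[2] -eq 'ALLOW' -and $f[-1] -eq 'SEND') {
        "$($f[3]) $($f[5]):$($f[7])"
    }
} | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 20

# Enforcement phase, only once the rules cover the observed traffic:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Sanity check of the resulting profile state.
Get-NetFirewallProfile | Format-Table Name, DefaultInboundAction, DefaultOutboundAction, LogAllowed
```

Verify the loopback rule by starting a listener on one of those ports and running `Test-NetConnection -ComputerName 127.0.0.1 -Port <port>` on the machine itself (should succeed) and the same test against the machine's LAN address from another host (should fail).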
 