Serious Discussion Laptop in an Internet cafe.

[Andy Ful]

By the way, there are enabled firewall rules for Network Discovery in the public profile. And SSDP is active, doesn't seem to matter whether you are using the public profile. I guess discovery type of things don't matter much if it doesn't automatically connect. Maybe they don't reach out and touch someone, but what if an attacker touches you?

I use Public profile:



Network Discovery is configured to Allow the connection, but it is not enabled.
Anyway, my settings are not default. After applying the Restore Default Policy, Network Discovery is enabled only for the Private profile (as expected).



Post updated.

 

[Victor M]

That's odd - my firewall says some are enabled? And I didn't touch those rules. They were there when I got there.

Something is wonky then, I have done a 'reset to default rules' in the past. Maybe those restore-to-default rules are wrong?

EDIT. I did a restore-to-default-rules just now. And some network discovery rules are enabled. So I'll blame myself for forgetting to check everything before modifying and exporting the profile. If your rules are out-of-the-box, then the restore-to-default-rules are wrong for the public profile. It is not the first time that the restore-rules are wrong. I remember one time, forgot which version, it restored rules from a previous version - some feature was removed by then and yet the restored-rules have rules for it.

 

[Victor M]

Anyways, now that that is cleared away, the point is that firewall rules are important to check. Maybe one doesn't have a set of tight rules suitable for cafe use. PCI-DSS reminds us to check our firewall rules every 6 months . But I guess they missed out on the fact that laptops go places. I just finished an self-audit a month or two ago and there were no audit provisions to take care of that issue.

I guess the lesson here is to make use of network firewall profiles to have different rules for different environments. But since Windows doesn't prompt one to choose a firewall profile upon install finish, many people will not know to use the different profiles.

Plus of course to remember also to change the profile when the environment changes.

 

[Andy Ful]

I updated my previous post (added the screenshot of default settings).

 

[TairikuOkami]

Anyways, now that that is cleared away, the point is that firewall rules are important to check.

I remove firewall rules at shutdown, in case they were changed by windows updates or apps and I add my own.

Spoiler

netsh advfirewall set allprofiles state on

rem Block all inbound network traffic and all outbound except allowed apps
netsh advfirewall set DomainProfile firewallpolicy blockinboundalways,blockoutbound
netsh advfirewall set PrivateProfile firewallpolicy blockinboundalways,blockoutbound
netsh advfirewall set PublicProfile firewallpolicy blockinboundalways,allowoutbound

rem Remove All Windows Firewall Rules
netsh advfirewall firewall delete rule name=all

rem Windows Firewall Block Rules
netsh advfirewall firewall add rule name="TCP Block" dir=out action=block protocol=TCP remoteport=1-42,44-79,81-442,444-586,588-852,854-992,994-1024,1025-3073,3075-5227,5229-27014,27051-65535
netsh advfirewall firewall add rule name="UDP Block" dir=out action=block protocol=UDP remoteport=1-122,124-442,444-1024

netsh advfirewall firewall add rule name="Brave TCP" dir=out action=block protocol=TCP remoteport=1-442,444-5227,5229-65535 program="%LocalAppData%\BraveSoftware\Brave-Browser\Application\brave.exe"
netsh advfirewall firewall add rule name="Brave UDP" dir=out action=block protocol=UDP remoteport=1-442,444-65535 program="%LocalAppData%\BraveSoftware\Brave-Browser\Application\brave.exe"
netsh advfirewall firewall add rule name="Edge TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="Edge UDP" dir=out action=block protocol=UDP program="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="LibreWolf TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="%ProgramFiles%\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="LibreWolf UDP" dir=out action=block protocol=UDP program="%ProgramFiles%\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="OneDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="%ProgramFiles%\Microsoft OneDrive\OneDrive.exe"
netsh advfirewall firewall add rule name="IceDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="%LocalAppData%\Temp\IcedrivePortable\Icedrive.exe"