Setup Idea Stop Intrusions - Firewall Rules

Last updated
Mar 19, 2024
How it's used?
For home and private use
Operating system
Windows 10
Other operating system
Windows 11
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Evaluation mode
Network firewall
Enabled
Real-time security
Inbound Firewall Rules for any brand of firewall
Firewall security
Microsoft Defender Firewall with Advanced Security
About custom security
Xcitium OpenEDR alerts revealed these attacks
Periodic malware scanners
Kaspersky
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
N/A
Secure DNS
N/A
Desktop VPN
N/A
Password manager
N/A
File and Photo backup
N/A
System recovery
N/A
Risk factors
    • Browsing to popular websites
Computer specs
N/A
Recommended for
  1. All types of users
  2. Inexperienced users
  3. Experienced users
  4. Multi-user devices
  5. Financial banking or trading
  6. High-end or medium spec PCs
  7. Low spec PCs
  8. Air-gapped or offline systems

Victor M

Level 10
Thread author
Verified
Well-known
Oct 3, 2022
452
Hi Everyone,

Hackers often manipulate or exploit Windows system programs and services, like SVCHOST, TASKHOSTW, File EXPLORER and RUNTIMEBROKER. They can do it because Windows Firewall defaults to allow all Outbound traffic, and some of these do send out and receive returning traffic. In short, these 4 programs accept traffic, and a hacker can manipulate the IP address header to slip through.

In my Xcitium EDR Alerts, I can see SVCHOST and File Explorer invoking PowerShell, and TASKHOSTW trying to manipulate the Registry. These invocations are malicious.

My first solution was to use Xcitium's HIDS to block PowerShell from starting until I need to use it; then I would disable that block rule and re-enable it when finished. However, that does not stop the malicious registry modifications. In short, the ways that these 4 programs can be used by hackers are infinite; invoking PowerShell and changing the registry are only 2 variants.

Now I have come up with a better solution. That is to make Firewall Incoming Block Rules to Block traffic to these 4 programs. Windows can do without these 4 programs talking to the Internet.

So, open File Manager and search for all instances of SVCHOST, TASKHOSTW, EXPLORER and RUNTIMEBROKER. There are many instances of these 4 programs scattered throughout Windows sub-folders. Right click on each item found by the search and choose 'Copy as Path', then paste it into the Inbound section's Firewall Rule creation wizard and make a Block rule. It is a laborious exercise and takes time to make all the rules. But you will stop the majority of hacking attempts.
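The search-and-block procedure above, scripted as an added example (not code from the original post); it assumes an elevated PowerShell session on Windows 10/11 and that every copy of the four binaries lives under the Windows directory.

```powershell
# Added example: enumerate every copy of the four binaries under the Windows
# directory and create one inbound Block rule per path, as the post describes.
# Assumes an elevated session; the NetSecurity cmdlets ship with Windows 10/11.
$names = 'svchost.exe', 'taskhostw.exe', 'explorer.exe', 'RuntimeBroker.exe'

# Same result as the File Manager search: all instances, WinSxS copies included
$paths = Get-ChildItem -Path $env:SystemRoot -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object FullName |
    Sort-Object -Unique

foreach ($p in $paths) {
    $ruleName = "Block Inbound - $p"
    # Skip paths that already have a rule so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Program $p -Profile Any -Enabled True | Out-Null
}

# Review what was created: the program path attached to each new rule
Get-NetFirewallRule -DisplayName 'Block Inbound - *' |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

The default Windows Firewall profiles already block unsolicited inbound connections that match no allow rule, so these explicit block rules mainly take precedence over any existing allow rules for those binaries; they can be removed again with `Get-NetFirewallRule -DisplayName 'Block Inbound - *' | Remove-NetFirewallRule`.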
 

ForgottenSeer 109138

If not behind a properly secured router without port forwarding one could add closing certain ports to this list as well... A couple examples...

Port 135: exposes Remote Call Procedure and it can be abused to obtain information or a foothold on your system if the threat actor gets behind your router. Port 135 should never be exposed to the internet.

Port 139 is absolute crap and should be shot dead on sight. It is for SMB over NetBIOS (which should be disabled itself). Threat actors routinely scan for open port 139 on the net. Then they abuse it if they get behind the router onto the LAN and LAN port security is lax.

Port 445 is SMB over IP. The idiotic thing shouldn't be enabled by default either. The EternalBlue exploit used 445 to move laterally and vertically in networks.

One could work on researching security for ports 135, 139, and 445 for a month and wouldn't even scratch the surface.
 

ForgottenSeer 109138

@Practical Response

> In Group Policy, filter for RPC to display them. Then for connections I specify Kerberos authentication, which is not available in a home network, thus it will fail. There are other settings.
>
> For NETBIOS, I disable the NETBIOS service by changing the Start value to 4 in the Registry. The only time I need this service is when I want to rename the PC.

How do you address RPC clients that use the named pipe protocol sequence?

Matching all services against known exploits against those services is easily done by hackers and thus the port 135 should not be exposed and blocked.
 

Victor M

Level 10
Thread author
Verified
Well-known
Oct 3, 2022
452
Group Policy > Local Policy > Security Options > Network access: Named Pipes: --- all default pipes are removed.

As I understand it, port 135 is used by DCOM. And I disabled DCOM in Windows Tools / Component Services. So there is nothing behind that port, or so I think. I forgot the details of what I decided years ago - I will add an inbound block rule now.
 

ForgottenSeer 109138

> Group Policy > Local Policy > Security Options > Network access: Named Pipes: --- all default pipes are removed.
>
> As I understand it, port 135 is used by DCOM. And I disabled DCOM in Windows Tools / Component Services. So there is nothing behind that port, or so I think. I forgot the details of what I decided years ago - I will add an inbound block rule now.

Port 135 exposes where DCOM services are running and how attackers can find exploits matching those services. Blocking it is the best method.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
568
This won't break Windows updates? I thought what you did here:


...might be a better solution, if not more involved to setup. Isn't Default-deny, the way you did so there, and just create allow where necessary the most robust way to handle firewall rules?
 

ForgottenSeer 109138

For those looking for a list of ports to block, the SANS Institute recommends at least blocking outbound traffic using the following ports:

- MS RPC: TCP, UDP Port 135
- NetBIOS/IP: TCP, UDP Port 137-139
- SMB/IP: TCP Port 445
- Trivial File Transfer Protocol (TFTP): UDP Port 69
- System log: UDP Port 514
- Simple Network Management Protocol (SNMP): UDP Port 161-162
- Internet Relay Chat (IRC): TCP Port 6660-6669
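The SANS port list above turned into Windows Firewall outbound Block rules, as an added example (not code from the original post); it assumes an elevated PowerShell session on Windows 10/11.

```powershell
# Added example: one outbound Block rule per protocol for each entry in the
# SANS list quoted above. Assumes an elevated session on Windows 10/11.
$blocklist = @(
    @{ Name = 'MS RPC';  Ports = '135';       Protocols = 'TCP', 'UDP' },
    @{ Name = 'NetBIOS'; Ports = '137-139';   Protocols = 'TCP', 'UDP' },
    @{ Name = 'SMB';     Ports = '445';       Protocols = 'TCP' },
    @{ Name = 'TFTP';    Ports = '69';        Protocols = 'UDP' },
    @{ Name = 'Syslog';  Ports = '514';       Protocols = 'UDP' },
    @{ Name = 'SNMP';    Ports = '161-162';   Protocols = 'UDP' },
    @{ Name = 'IRC';     Ports = '6660-6669'; Protocols = 'TCP' }
)

foreach ($entry in $blocklist) {
    # A rule carries a single protocol, so TCP and UDP entries get one rule each
    foreach ($proto in $entry.Protocols) {
        $ruleName = "SANS Block Outbound $($entry.Name) $proto $($entry.Ports)"
        # Skip rules that already exist so the script can be re-run safely
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol $proto -RemotePort $entry.Ports -Profile Any -Enabled True | Out-Null
    }
}

# Verify: list each new rule's protocol and remote port range
Get-NetFirewallRule -DisplayName 'SANS Block Outbound *' |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, RemotePort -AutoSize
```

These rules apply to every destination, LAN included, so a PC that reaches file shares or printers over port 445 will lose that access; they can be removed again with `Get-NetFirewallRule -DisplayName 'SANS Block Outbound *' | Remove-NetFirewallRule`.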
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
814
> If not behind a properly secured router without port forwarding one could add closing certain ports to this list as well... A couple examples...
>
> Port 135: exposes Remote Call Procedure and it can be abused to obtain information or a foothold on your system if the threat actor gets behind your router. Port 135 should never be exposed to the internet.
>
> Port 139 is absolute crap and should be shot dead on sight. It is for SMB over NetBIOS (which should be disabled itself). Threat actors routinely scan for open port 139 on the net. Then they abuse it if they get behind the router onto the LAN and LAN port security is lax.
>
> Port 445 is SMB over IP. The idiotic thing shouldn't be enabled by default either. The EternalBlue exploit used 445 to move laterally and vertically in networks.
>
> One could work on researching security for ports 135, 139, and 445 for a month and wouldn't even scratch the surface.

@Practical Response thank you for your above post #9, as well as this one.

Whoever answers these questions, please be gentle...lol, as I am a "normal", "average" user.
Do I close those ports manually through Windows Firewall settings? I have a cheaper Linksys router, can those ports be closed in those settings to cover all the PCs connected through that router?

A thread on Neowin mentioned that Linksys by default denies all inbound connections...but I suppose if there was malware connecting outbound, would open up a "blocked" port? See this post and the following reply.

Is it something where I reset Windows Firewall to its defaults, block those ports in Windows, then monitor all the new outbound connections via GlassWire (free version)? Would a better router like an Asus, which may get more firmware updates than my Linksys according to Bot, be better?

I'm not looking to spend over $200.00 for a router and I'm not interested in using one of the fantastic hardening tools from here or WFC. I need to keep it understandable for me, with less possibility of glitches from using the wrong settings etc. TIA :)
 

ForgottenSeer 109138

> @Practical Response thank you for your above post #9, as well as this one.
>
> Whoever answers these questions, please be gentle...lol, as I am a "normal", "average" user.
> Do I close those ports manually through Windows Firewall settings? I have a cheaper Linksys router, can those ports be closed in those settings to cover all the PCs connected through that router?
>
> A thread on Neowin mentioned that Linksys by default denies all inbound connections...but I suppose if there was malware connecting outbound, would open up a "blocked" port? See this post and the following reply.
>
> Is it something where I reset Windows Firewall to its defaults, block those ports in Windows, then monitor all the new outbound connections via GlassWire (free version)? Would a better router like an Asus, which may get more firmware updates than my Linksys according to Bot, be better?
>
> I'm not looking to spend over $200.00 for a router and I'm not interested in using one of the fantastic hardening tools from here or WFC. I need to keep it understandable for me, with less possibility of glitches from using the wrong settings etc. TIA :)

As noted at the top of post 9, "If not behind a properly secured router", getting one is indeed good advice even from "@Bot".
It's estimated around 83% of default ISP routers are not kept up to speed with firmware updates and therefore have exploitable vulnerabilities. Obtaining a router that will be updated as it should be is definitely in one's best interest.

With closing ports or denying connections, doing so from Windows Firewall will work "for that device" only. If you are concerned about the network level, doing so via the router firewall is the best option. To simplify things, obtaining the more secure router is the best option.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
568
Hi @Jonny Quest

A good NAT router with blocking inbound by default is important as noted above. If your device is a laptop that you use outside your home on occasion, then you will want your Windows firewall security to be improved. You can easily achieve that with one of Andy Ful's tools such as Hard_Configurator or WHHL Light. Go to the FirewallHardening module and add Recommended H_C, MS Office and LOLBins to the Block list. You should be fine then.

If you really want to go more hardcore, but not really for the faint-of-heart imo, with securing the firewall, you could check out Victor M's thread here:


or you could also try Windows Firewall Control by Binisoft and just go with the default setup. There's an update thread here:

 
