Setup Idea Stop Intrusions - Firewall Rules

Last updated
Mar 19, 2024
How it's used?
For home and private use
Operating system
Windows 10
Other operating system
Windows 11
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Evaluation mode
Network firewall
Enabled
Real-time security
Inbound Firewall Rules for any brand of firewall
Firewall security
Microsoft Defender Firewall with Advanced Security
About custom security
Xcitium OpenEDR alerts revealed these attacks
Periodic malware scanners
Kaspersky
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
N/A
Secure DNS
N/A
Desktop VPN
N/A
Password manager
N/A
File and Photo backup
N/A
System recovery
N/A
Risk factors
    • Browsing to popular websites
Computer specs
N/A
Recommended for
  1. All types of users
  2. Inexperienced users
  3. Experienced users
  4. Multi-user devices
  5. Financial banking or trading
  6. High-end or medium spec PCs
  7. Low spec PCs
  8. Air-gapped or offline systems
Victor M

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hi Everyone,

Hackers often manipulate or exploit Windows system programs and services, like SVCHOST , TASKHOSTW, File EXPLORER and RUNTIMEBROKER. They can do it because Windows Firewall defaults to allow all Outbound traffic, and some of these do send out and receive returning traffic. In short, these 4 programs accept traffic, and a hacker can manipulate the ip address header to slip thru.

In my Xcitium EDR Alerts, I can see SVCHOST and File Explorer invoking Powershell, and TASKHOSTW trying to manipulate Registry. These invocations are malicious.

My first solution was to use Xcitium's HIDS to Block Powershell from starting until I need to use it, then I would disable that block rule and re-enable when finished. However, that does not stop the malicious registry modifications. In short, the ways that these 4 programs can be used by hackers are infinite; invoking Powershell and changing registry are only 2 variants.

Now I have come up with a better solution. That is to make Firewall Incoming Block Rules to Block traffic to these 4 programs. Windows can do without these 4 programs talking to the Internet.

So, open File Manager and Search for all instances of SVCHOST, TASKHOSTW, EXPLORER and RUNTIMEBROKER. There are Many instances of these 4 programs scattered throughout Windows sub-folders. Right click on each item found by search and choose 'Copy as Path'. And paste it in the Inbound section Firewall Rule creation wizard, and make a Block rule. It is a laborious exercise and takes time to make all the rules. But you will stop the majority of hacking attempts.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: B-boy/StyLe/, Jonny Quest, Dave Russo and 4 others
Upvote 0 Downvote
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
If not behind a properly secured router without port forwarding one could add closing certain ports to this list as well... A couple examples...

Port 135: exposes Remote Call Procedure and it can be abused to obtain information or a foothold on your system if the threat actor gets behind your router. Port 135 should never be exposed to the internet.

Port 139 is absolute crap and should be shot dead on sight. It is for SMB over NetBIOS (which should be disabled itself). Threat actors routinely scan for open port 139 on the net. Then they abuse it if they get behind the router onto the LAN and LAN port security is lax.

Port 445 is SMB over IP. The idiotic thing shouldn't be enabled by default either. The EternalBlue exploit used 445 to move laterally and vertically in networks.

One could work on researching security for ports 135, 139, and 445 for a month and wouldn't even scratch the surface.
 
  • Like
  • Applause
  • +Reputation
Reactions: Trident, B-boy/StyLe/, wat0114 and 5 others
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
Victor M said:
@Practical Response

In Group Policy. filter for RPC to display them. Then for connections I specify Kerberos authentication, which is not available in a home network, thus it will fail. There are other settings.

For NETBIOS, I disable the NETBIOS service by changing the Start value to 4 in the Registry. The only time I need this service is when I want to rename the PC.
Click to expand...
How do you address RPC clients that use the named pipe protocol sequence.

Matching all services against known exploits against those services is easily done by hackers and thus the port 135 should not be exposed and blocked.
 
  • Like
Reactions: cryogent, B-boy/StyLe/, vtqhtr413 and 1 other person
Victor M

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Group Policy > Local Policy > Security Options > Network access: Named Pipes: --- all default pipes are removed.

As I understand it, port 135 is used by DCOM. And I disabled DCOM in Windows Tools / Component Services. So there is nothing behind that port, or so I think. I forgot the details of what I decided years ago - I will add an inbound block rule now.
 
  • Like
Reactions: cryogent, B-boy/StyLe/, vtqhtr413 and 2 others
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
Victor M said:
Group Policy > Local Policy > Security Options > Network access: Named Pipes: --- all default pipes are removed.

As I understand it, port 135 is used by DCOM. And I disabled DCOM in Windows Tools / Component Services. So there is nothing behind that port, or so I think. I forgot the details of what I decided years ago - I will add an inbound block rule now.
Click to expand...
Port 135 exposes where DCOM services are running and how attackers can find exploits matching those services. Blocking it is the best method.
 
  • Like
Reactions: cryogent, B-boy/StyLe/, Victor M and 2 others
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
This won't break Windows updates? I thought what you did here:

malwaretips.com

Setup Idea - Default Deny Windows Firewall setup How To

Start > All apps > Windows Tools > Windows Defender Firewall Click on Windows Defender Firewall Properties on the center section. Click on each profile (Domain, Private, Public) tab change Outbound connection = Block Specify Logging settings for Troubleshooting > Customize Size Limit = 100000...
malwaretips.com malwaretips.com

...might be a better solution, if not more involved to setup. Isn't Default-deny, the way you did so there, and just create allow where necessary the most robust way to handle firewall rules?
 
  • Like
Reactions: Victor M, cryogent and B-boy/StyLe/
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
For those looking for a list of ports to block, the SANS Institute recommends at least blocking outbound traffic using the following ports:

-MS RPC TCP, UDP Port 135
-NetBIOS/IP TCP, UDP Port 137-139
-SMB/IP TCP Port 445
-Trivial File Transfer Protocol (TFTP) UDP Port 69
-System log UDP Port 514
-Simple Network Management Protocol (SNMP) UDP Port 161-162
-Internet Relay Chat (IRC) TCP Port 6660-6669
 
  • Like
  • +Reputation
  • Thanks
Reactions: vtqhtr413, ErzCrz, Jonny Quest and 1 other person
Jonny Quest

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
794
Practical Response said:
If not behind a properly secured router without port forwarding one could add closing certain ports to this list as well... A couple examples...

Port 135: exposes Remote Call Procedure and it can be abused to obtain information or a foothold on your system if the threat actor gets behind your router. Port 135 should never be exposed to the internet.

Port 139 is absolute crap and should be shot dead on sight. It is for SMB over NetBIOS (which should be disabled itself). Threat actors routinely scan for open port 139 on the net. Then they abuse it if they get behind the router onto the LAN and LAN port security is lax.

Port 445 is SMB over IP. The idiotic thing shouldn't be enabled by default either. The EternalBlue exploit used 445 to move laterally and vertically in networks.

One could work on researching security for ports 135, 139, and 445 for a month and wouldn't even scratch the surface.
Click to expand...
@Practical Response thank you for your above post #9, as well as this one.

Whoever answer these question, please be gentle...lol, as I am a "normal", "average" user.
Do I close those ports manually through Windows Firewall settings? I have a cheaper Linksys router, can those ports be closed in those settings to cover all the PCs connected through that router?
2024-03-23_9-40-21.jpg

A thread on Neowin mentioned that Linksys by default denies all inbound connections...but I suppose if there was malware connecting outbound, would open up a "blocked" port? See this post and the following reply.
www.neowin.net

Thurough List of ports to block on Linksys Router?

Hi. I was wondering if anyone had a good list of ports to block on linksys routers? Obviously 135-139 for netbios, but what else? Does linksys leave very many ports open by default? Finally, does anyone have any security hardening guides for the linksys? I know of a few good ones, like disable dh...
www.neowin.net

Is it something where I reset Windows Firewall to its defaults, block those ports in Windows, then monitor all the new outbound connections via GlassWire (free version)? Would a better router like an Asus, which may get more firmware updates than my Linksys according to Bot, be better?
malwaretips.com

Serious Discussion - What Routers are the most secure?

That have lowest attack surface (secure software implementation - memory safety - not many unneeded functionalities) and many years of security updates.
malwaretips.com malwaretips.com

I'm not looking to spend over $200.00 for a router and I'm not interested in using one of the fantastic hardening tools from here or WFC. I need to keep it understandable for me, with less possiblity of glitches from using the wrong settings etc. TIA :)
 
Last edited:
  • Like
  • Applause
Reactions: vtqhtr413, wat0114, ErzCrz and 1 other person
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
Jonny Quest said:
@Practical Response thank you for your above post #9, as well as this one.

Whoever answer these question, please be gentle...lol, as I am a "normal", "average" user.
Do I close those ports manually through Windows Firewall settings? I have a cheaper Linksys router, can those ports be closed in those settings to cover all the PCs connected through that router?
View attachment 282417

A thread on Neowin mentioned that Linksys by default denies all inbound connections...but I suppose if there was malware connecting outbound, would open up a "blocked" port? See this post and the following reply.
www.neowin.net

Thurough List of ports to block on Linksys Router?

Hi. I was wondering if anyone had a good list of ports to block on linksys routers? Obviously 135-139 for netbios, but what else? Does linksys leave very many ports open by default? Finally, does anyone have any security hardening guides for the linksys? I know of a few good ones, like disable dh...
www.neowin.net

Is it something where I reset Windows Firewall to its defaults, block those ports in Windows, then monitor all the new outbound connections via GlassWire (free version)? Would a better router like an Asus, which may get more firmware updates than my Linksys according to Bot, be better?
malwaretips.com

Serious Discussion - What Routers are the most secure?

That have lowest attack surface (secure software implementation - memory safety - not many unneeded functionalities) and many years of security updates.
malwaretips.com malwaretips.com

I'm not looking to spend over $200.00 for a router and I'm not interested in using one of the fantastic hardening tools from here or WFC. I need to keep it understandable for me, with less possiblity of glitches from using the wrong settings etc. TIA :)
Click to expand...
As noted at the top of post 9 "it not behind a properly secured router" , getting one is indeed good advice even from "@Bot".
Its estimated around 83% of default ISP routers are not kept up to speed with firmware updates and therefore have exploitable vulnerabilities. Obtaining a router that will be updated as it should be is definitely in ones best interest.

With closing ports or denying connections, doing so from windows firewall will work "for that device" only. If you are concerned about the network level doing so via the router firewall is the best option. To simplify things obtaining the more secure router is the best option.
 
  • Like
  • Applause
  • Thanks
Reactions: Victor M, vtqhtr413, Jonny Quest and 2 others
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
571
Hi @Jonny Quest

A good NAT router with blocking inbound by default is important as noted above. If your device is a laptop that you use outside your home on occasion, then you will want your Windows firewall security to be improved. You can easily achieve that with one of Andy Ful's tools such as Hard_Configurator or WHHL Light. Go to the FirewallHardening module and add Recommended H_C, MS Office and LOLBins to the Block list. You should be fine then.

If you really want to go more hardcore, but not really for the faint-of-heart imo, with securing the firewall, you could check out Victor M's thread here:

malwaretips.com

Setup Idea - Default Deny Windows Firewall setup How To

Start > All apps > Windows Tools > Windows Defender Firewall Click on Windows Defender Firewall Properties on the center section. Click on each profile (Domain, Private, Public) tab change Outbound connection = Block Specify Logging settings for Troubleshooting > Customize Size Limit = 100000...
malwaretips.com malwaretips.com

or you could also try Windows Firewall Control by Binisoft and just go with the default setup. There's an update thread here:

malwaretips.com

New Update - Windows Firewall Control versions 6.9.9.2 - 6.9.9.6

What's new in version 6.9.9.2 (21.01.2024) - Fixed: It is not possible to create a duplicate of the first rule in Rules Panel. - Fixed: Remote code execution vulnerability via gRPC named pipes. - Updated: Standard user accounts are allowed to perform elevated actions without requiring elevation...
malwaretips.com malwaretips.com
 
  • Like
  • Thanks
  • Applause
Reactions: Victor M, LennyFox, vtqhtr413 and 1 other person

Similar threads

Victor M
    • +Reputation
    • Like
    • Hundred Points
  • Suggestion
Setup Idea Default Deny Windows Firewall setup How To
Replies
7
Views
2,536
PC Setup Ideas
Victor M
Victor M
nicolaasjan
    • +Reputation
    • Wow
    • Like
Technology New sneaky Windows driver UCDP stops non-Microsoft software from setting defaults
Replies
2
Views
269
Technology News
NormanF
N
ErzCrz
    • Like
Question Comodo Firewall rules for Edge?
Replies
2
Views
851
Comodo
ErzCrz
ErzCrz

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top