Wow, that is one way of blocking Windows.
The other way is making your life easier.
For networking in terms of "I want only browsing" to work, for example, and to control what is communicating where, a web proxy (also called a forwarding proxy) in direct mode is a huge help. This means a browser or system needs to address the proxy directly before having access to the internet.
Firefox has the proxy address configured in its own settings, because it does not use the Windows system settings for the proxy.
Firefox Proxy 192.168.x.x Port 8080 -----> Forwarding Proxy ----> Internet
Windows ----> No Internet Access ---> Reason No Proxy Configuration
The other part is that if you want to use other applications, some are compatible with proxy settings and are system independent; others need the WinHTTP proxy configured or they just do not work.
That is the reason Network Administrators use Network Equipment like Firewalls.
In the OS itself there are processes that need to run, like mDNS, BITS and others. (Process Explorer can give more insight!)
In terms of what is needed for minimum communication and internet use:
- HTTP Protocol - Port 80 TCP
- HTTPS Protocol - Port 443 TCP
- NTP Protocol - Port 123 TCP/UDP
- DNS Protocol - Port 53 TCP/UDP
What makes control over traffic more difficult?
Encrypted traffic needs to be "broken" to look inside, so even if you block a system process, another process could hijack a legit process and communicate with a command-and-control server without your knowledge.
That is why network layer protection is so important, even for home use. Some call it DPI with SSL inspection, and it can break down how things communicate.
So, a Zero Trust guideline is a particularly promising idea, but it needs to be done in layers.
I refer to the OSI layer model.
If you block something already at the lower layers, it simply cannot reach higher. If you block something at the highest layer, layer 7 for example, you need to have tech that can control that traffic, like a Next Generation Firewall (NGF).
The upside of that is that you control everything network wide and can granularly adjust your rules to specific needs (users, groups, computers, IPs and such).
A fun point to start is:
- Sophos XG Home Edition (freeware, private use only)
- Untangle (base license is free, but advanced features require a license)
- pfSense and OPNsense (freeware, but also with corporate license models; NGF as an add-on, a paid service on OPNsense)
I strongly suggest doing this as a separate device / server / appliance. ^^
Software firewalls installed on Windows are applications, and all can be manipulated in such a way that the user does not know what is happening. And what if the application has a bug?
All of them, even hardware firewalls, need care and understanding, and there is no silver bullet solution, but there are ways to make it more manageable.
There is no best way, but recommended ones from different users.
My Setup for example is quite simple but efficient:
- My PC: physical connection on its own port of the firewall, own /30 subnet with no DHCP
- IoT devices: own switch on its own port of the firewall, own /28 subnet with DHCP
- GEO blocking: global firewall rule for incoming and outgoing traffic on all ports
- My PC Zone only allowed HTTP / HTTPS / DNS / NTP
- IoT Devices only allowed HTTP / HTTPS / DNS / NTP
- No communication between IoT Devices and My PC Zone
- My PC software in use: F-Secure EPP Computer Protection (with built-in Windows Firewall control and better logging), default deny policy.
- Sophos XGS 126 with XStream Bundle License (ATP - DPI Engine [Port Agnostic] - SSL-Inspection - GEO Blocking - Webfilter - IPS - and Firewall Rules)
My Point is:
Good protection starts at the lower layers of the OSI model, and of course the best firewall and AV is the "USER". Zero Trust ^^
My network is built that way since I still learn from here and from others in the IT field, and I myself am in that profession. For others that is pure overkill!!! But still, something to look at and be aware of.
I know I also did not really answer your question, but I wanted to give you more insight on how your computer communicates. ^^
If someone needs more insight - I am happy to help.
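The zone layout described in the post above (PC zone on a /30, IoT zone on a /28, default deny, GEO blocking on all ports, only HTTP/HTTPS/DNS/NTP out, no traffic between the zones), written out as a pf ruleset, the packet filter behind pfSense and OPNsense. This is an added example, not the poster's own configuration; the interface names, the subnets and the /etc/pf.geoblock prefix file are assumptions.

```pf
# Added example, not from the original post. Interface names, subnets and
# the geoblock file path are assumptions; adjust them to your own appliance.
wan_if = "igb0"
pc_if  = "igb1"     # "My PC" zone, point-to-point /30, no DHCP
iot_if = "igb2"     # IoT switch, /28 with DHCP

pc_net  = "192.168.10.0/30"
iot_net = "192.168.20.0/28"

# The four services the post allows out of each zone. NTP runs over UDP,
# so TCP 123 is not opened here even though the post lists TCP/UDP.
allowed_tcp = "{ 80, 443, 53 }"     # HTTP, HTTPS, DNS over TCP
allowed_udp = "{ 53, 123 }"         # DNS, NTP

# GEO blocking: country prefixes loaded from a file (assumed path, one
# CIDR per line) so the list can be refreshed without editing the rules.
table <geoblock> persist file "/etc/pf.geoblock"

set skip on lo0
set block-policy drop

# Translation rules come before filter rules in FreeBSD pf syntax:
# hide both zones behind the WAN address.
nat on $wan_if from { $pc_net, $iot_net } to any -> ($wan_if)

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# GEO block on all ports, inbound and outbound, evaluated before any pass.
block quick from <geoblock>
block quick to <geoblock>

# No communication between the IoT zone and the PC zone, in either direction.
block quick on $pc_if  from $pc_net  to $iot_net
block quick on $iot_if from $iot_net to $pc_net

# PC zone: only HTTP/HTTPS/DNS/NTP, and never towards the IoT subnet.
pass in quick on $pc_if inet proto tcp from $pc_net to ! $iot_net port $allowed_tcp keep state
pass in quick on $pc_if inet proto udp from $pc_net to ! $iot_net port $allowed_udp keep state

# IoT zone: the same four services, nothing else.
pass in quick on $iot_if inet proto tcp from $iot_net to ! $pc_net port $allowed_tcp keep state
pass in quick on $iot_if inet proto udp from $iot_net to ! $pc_net port $allowed_udp keep state

# Let the stateful flows created above leave through the WAN interface.
pass out quick on $wan_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pflog0` with tcpdump to see which dropped flows the default deny is catching before tightening further.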