Advice Request Windows Firewall: What outbound rules to enable vital Windows processes/services?


oldschool

Level 85
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
I am slowly learning to configure Windows Firewall to block all outbound connections, except needed apps and vital Windows services. I could use some help about the processes needed for Windows Update and other essentials. I've been researching this with limited success. :unsure: Thanks in advance for any replies.
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,250
@Vasudev - I don't wish to use a 3rd party GUI or a separate WFP-based app like Simplewall. Too many bugs, popups, etc. Making Windows Firewall rules is not complex, but it is difficult to find information about needed processes, e.g. Windows Update - what I need to enable it.
By default, OS essential services aren't blocked unless you used Telemetry block rules for windows firewall as ps1 script.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I am slowly learning to configure Windows Firewall to block all outbound connections, except needed apps and vital Windows services. I could use some help about the processes needed for Windows Update and other essentials. I've been researching this with limited success. :unsure: Thanks in advance for any replies.
Doing it without 3rd-party software will be painful for you. Furthermore, that can be effective for the users' privacy and against simple malware. The more complex malware will simply inject into one of the system processes (like svchost.exe) or use the process hollowing method to hide.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
The user can set firewall to 'Outbound Connections that do not match a rule are blocked.'
Use 'Advanced settings' >> 'Windows Firewall Properties', choose your active profile and set 'Outbound connections' from 'Allow (default)' to 'Block'

[Image: attachment 208748]


This will block outbound connections by default for the chosen firewall profile, except the green rules, which can be seen under the Outbound connections tab. So, the system processes, web browser, MS Store, will be allowed, but most applications will be blocked.
[Image: attachment 208749]
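The same change done from an elevated PowerShell prompt, plus a listing of the allow rules that remain in effect once the default is Block (the "green rules" from the screenshot, in text form). This is an added example, not part of the thread or of Hard_Configurator; it uses only the built-in NetSecurity cmdlets.

```powershell
# Added example: set outbound default to Block on every profile and review what is still allowed.
#Requires -RunAsAdministrator

# 1. Default outbound action -> Block for Domain, Private and Public.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Confirm the change took effect.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Everything that can still get out: enabled outbound Allow rules, with the program
#    and service each one is scoped to ("Any" means the rule is not restricted to one).
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $svc = $_ | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
            Service = $svc.Service
        }
    } |
    Sort-Object Program |
    Format-Table -AutoSize
```

Rules whose Program and Service are both "Any" deserve a second look: they let any process out, so they undo the default-Block for whatever ports or addresses they cover.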
 

oldschool

Level 85
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
The user can set firewall to 'Outbound Connections that do not match a rule are blocked.'
Use 'Advanced settings' >> 'Windows Firewall Properties', choose your active profile and set 'Outbound connections' from 'Allow (default)' to 'Block'

[Image: attachment 208748]

This will block outbound connections by default for the chosen firewall profile, except the green rules, which can be seen under the Outbound connections tab. So, the system processes, web browser, MS Store, will be allowed, but most applications will be blocked.
[Image: attachment 208749]

I have already done this, which is the easy part. Windows seems to work this way EXCEPT for Windows Update. I'm scratching my head trying to understand the required process(es) to make it functional. :unsure:

Edit: I have already enabled Edge and SmartScreen. (y)
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,685
Windows seems to work this way EXCEPT for Windows Update.
As far as I know, WU requires only svchost, but lately I allow all outbound, so maybe I have missed something. :unsure:
Code:
netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"

I use LiveTcpUdpWatch to find out about network traffic, since it logs traffic. For example, I could not figure out how to get Update Time v1.2 working, because it makes the connection so fast that it only blinks in network monitors like CurrPorts. Then I found this little gem from NirSoft.

[Image: attachment 208752]

True, I haven't seen a good tutorial for configuring Windows Firewall. :giggle:
People who tried it ended in a psychiatric ward. Just setting up loopback can be challenging, and do not even get me started on LAN networking. :emoji_expressionless:
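A connection that only blinks in a live monitor is easier to catch from the firewall's own audit trail. Windows can log every packet the Filtering Platform drops as Security event 5157, which names the process, destination and port. The script below is an added example (not from the thread, not a NirSoft tool): it switches that auditing on, then summarises the blocked outbound attempts of the last hour by program and destination so you can see exactly which process needs a rule. The service lookup by PID is best-effort and assumes the process is still alive when the script runs.

```powershell
# Added example: find blocked outbound connections via Security event 5157.
#Requires -RunAsAdministrator

# 1. Enable failure auditing for Filtering Platform Connection (noisy; turn it off again
#    with /failure:disable when you are done).
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable

# 2. Reproduce the problem (e.g. check for updates), then read the last hour of 5157 events.
#    In these events Direction %%14593 means outbound; Protocol 6 = TCP, 17 = UDP.
$since = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 5157; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['Direction'] -eq '%%14593') {
            # Best-effort: map svchost.exe PIDs to the service(s) hosted in that process.
            $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $($d['ProcessID'])" `
                    -ErrorAction SilentlyContinue).Name -join ','

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Pid         = $d['ProcessID']
                Application = $d['Application']
                Service     = $svc
                Protocol    = $d['Protocol']
                Destination = "$($d['DestAddress']):$($d['DestPort'])"
            }
        }
    } |
    Group-Object Application, Service, Destination |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The Application field comes back as a device path (\device\harddiskvolumeN\windows\system32\svchost.exe), which is enough to tell which binary was blocked; the Service column is what distinguishes one svchost.exe from another, and `tasklist /svc` gives the same PID-to-service mapping interactively.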
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I tested the setup from my previous post. It seems that it partially restricts the connections of system processes. For example, without any rule for svchost.exe, the firewall blocked downloading files via bitsadmin.exe and also via PowerShell with the BitsTransfer cmdlet (both use BITS). The same effect occurred when I allowed svchost.exe with a safe option: Allow the connection if it is authenticated and integrity-protected. But, if svchost.exe was fully allowed by the firewall rule, then the download was allowed.
Something similar is probably true for Windows Updates.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
As far as I know, WU requires only svchost, but lately I allow all outbound, so maybe I have missed something. :unsure:
Code:
netsh advfirewall firewall add rule name="Svchost DNS" dir=out action=allow protocol=UDP remoteport=53 program="%WINDIR%\System32\svchost.exe"
netsh advfirewall firewall add rule name="Svchost TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%WINDIR%\System32\svchost.exe"
...
After applying the above rules, the Firewall can be bypassed again by the downloaders that use bitsadmin.exe and PowerShell with the BitsTransfer cmdlet. :(
 

oldschool

Level 85
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
I tested the setup from my previous post. It seems that it partially restricts the connections of system processes. For example, without any rule for svchost.exe, the firewall blocked downloading files via bitsadmin.exe and also via PowerShell with the BitsTransfer cmdlet (both use BITS). The same effect occurred when I allowed svchost.exe with a safe option: Allow the connection if it is authenticated and integrity-protected. But, if svchost.exe was fully allowed by the firewall rule, then the download was allowed.
Something similar is probably true for Windows Updates.

I was taking this route, but got this warning message which I did not fully understand:

[Image: attachment 208759]
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,685
After applying the above rules, the Firewall can be bypassed again by the downloaders that use bitsadmin.exe and PowerShell with the BitsTransfer cmdlet. :(
So I guess, not allowing any Windows processes is a good choice then, while allowing them only temporarily, when updating and such.
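The "allow only temporarily" idea can be combined with Andy's observation that a blanket svchost.exe rule also lets BITS out. Windows Firewall can scope a rule to the service running inside svchost.exe, so a rule for wuauserv does not match bitsadmin.exe or Start-BitsTransfer traffic, which runs under the BITS service. The script below is an added example, not from the thread: it creates service-scoped rules in the disabled state and enables them only for the duration of an update run. Assumptions: the rule names are my own; DoSvc (Delivery Optimization) is included because Windows 10 normally pulls update payloads through it; and service-scoped rules only take effect for services that have a service SID, which the `sc qsidtype` check prints (NONE means the scoping would not apply).

```powershell
# Added example: svchost.exe allowed only for the Windows Update services, only during an update.
#Requires -RunAsAdministrator

$svchost = "$env:SystemRoot\System32\svchost.exe"

# Rule set (names are mine). Each rule is tied to one service SID, not to svchost.exe as a whole.
$rules = @(
    @{ Name = 'WU-DNS';  Service = 'wuauserv'; Protocol = 'UDP'; Port = '53' },
    @{ Name = 'WU-HTTP'; Service = 'wuauserv'; Protocol = 'TCP'; Port = '80', '443' },
    @{ Name = 'DO-HTTP'; Service = 'DoSvc';    Protocol = 'TCP'; Port = '80', '443' }
)
$names = $rules | ForEach-Object { $_.Name }

# Check: service-scoped rules need the service to have a service SID (UNRESTRICTED or RESTRICTED).
foreach ($s in 'wuauserv', 'DoSvc') { sc.exe qsidtype $s }

# Create the rules disabled; skip any that already exist so the script can be re-run.
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
            -Program $svchost -Service $r.Service -Protocol $r.Protocol -RemotePort $r.Port `
            -Profile Any -Enabled False | Out-Null
    }
}

# Open the window, wait for the update to finish, close it again even if something fails.
try {
    Enable-NetFirewallRule -DisplayName $names
    Write-Host "Update rules enabled. Run Windows Update now."
    Read-Host  "Press Enter when the update has finished to block svchost.exe again"
} finally {
    Disable-NetFirewallRule -DisplayName $names
    Get-NetFirewallRule -DisplayName $names | Select-Object DisplayName, Enabled
}
```

If an update still fails with these rules enabled, the 5157 audit events show which service or port is missing; widen the rule to that service rather than to svchost.exe as a whole, so a BITS job started by anything else stays blocked.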
 

oldschool

Level 85
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
So I guess, not allowing any Windows processes is a good choice then, while allowing them only temporarily, when updating and such.

Yes, that is what I believe now. Without any testing, I got the funny feeling that enabling some Windows processes was not a good idea. I have Edge, Brave Beta, AV and VoodooShield working. I guess that's all I need. So it's not rocket science after all, if one takes the approach you suggest. Making the rules is definitely not the problem.
 
