
NoelC
Member · 5,142 posts · Days Won: 9 · Donations: 0.00 USD · Country: United States
Everything posted by NoelC

  1. All good here. I say go for it. Nothing says you can't release an update if someone discovers a problem later. -Noel
  2. Thanks for sharing your experience with Sphinx. I think that approach works best for me too (be notified, then decide whether to allow). Does Sphinx have a memory of what you've seen, separate from the firewall blocking rules? I ask because with a "deny by default" approach, it's handy not to have to see things more than once that you've already seen and confirmed need to be blocked - without having to create explicit blocking rules to do so. In other words, "being blocked automatically is just fine, don't ask me again". Trouble with Win 10 is that there are literally things blocked every few seconds. It's not quite that bad with Win 8.1. How does Sphinx handle a high notification rate? -Noel Edit: Answered my own questions by buying a copy. It's a good piece of software (which I didn't doubt after xpclient recommended it). It makes managing a "deny by default" approach easier, mostly because of the reporting and pop-up process that makes it easier to decide what to do, and to quiet down notifications for things you know about already. At this point I've abandoned trying to configure the Windows Firewall directly - which was doable, but quite a lot of work to manage in an ongoing fashion simply because the interface to the tools is just clunky.
  3. Absolutely. Yet somehow it will still become the "new normal". Microsoft will not have to execute a Great Reset to survive. The level of intrusion is already getting to be almost too complex to track, even by a geek armed with good skills and tools. The old adage comes to mind... -Noel
  4. Well wouldya look at that. Right there in the Group Policy settings. I really wonder what went on behind the scenes to get them to publish that. Still doesn't alleviate the need to vet every update and hide those trying to bring in new telemetry, etc. -Noel
  5. Are there any graphics in the thing? Something like just making a bunch of icons for the display in the wrong (too large) size could add a tremendous amount of extra overhead. 256 x 256 pixels may be a default in some tool, while the icons would never actually be displayed above say 64 x 64 pixels even on a 4K screen. The difference per icon just in choosing 64 x 64 would be a savings of 60 kBytes. -Noel
  6. I don't trust them at all, but I haven't seen any evidence that there is traffic that circumvents it. If they DID push data through around their own firewall, that would be hugely embarrassing when someone found out about it and publicized it. Besides, very few folks are doing this. It takes more work I imagine than most are willing to put up with. -Noel
  7. Sorry. I had the right URL for WFN but something changed online literally since this morning. Try this one: https://wfn.codeplex.com/ -Noel
  8. My Windows 10 and 8.1 systems run faster now that they don't spend so much effort spilling the guts of my data to various servers all over the world. I haven't developed a "deny first" firewall config for Windows 7 - yet - but I can say that if the amount of unneeded network connections regularly attempted by Windows 10 define the scale as 10 out of 10, then Win 8.1 is about a 2 or maybe a little less. There's a NIGHT and DAY difference. On the performance front, an anecdote... Yesterday I chose to move a folder tree containing 250 gigabytes (all my astronomy data) from one volume to another, to better my organization. Both sets of data were on arrayed SSDs. The whole transfer completed in under 10 minutes, and I was able to verify the contents of both sets of data with my filecrc tool (which opens up every file and "adds" up all the bytes) in just a few minutes more. Not only that, but I was able to do other work without noticing any sluggishness while these activities were going on. -Noel
  9. Lurk&jerk, you have the impression what any particular set of users want is important to Microsoft. All the Harry Homeowners together in rural America aren't wielding big bucks to spend on high tech, so their needs are irrelevant. But even that's giving too much credit. NO user's needs appear to matter to Microsoft any more. They're changing the game. On purpose. Microsoft's point of view would be "that's just too bad for them, it's a cloud operating system". They would also say, "since we require it, they will acquire better network access". -Noel
  10. Thanks for the encouragement. OK, I'll publish the firewall policy I have developed, in the hopes that all you bright people here will experiment and share your findings. Perhaps together we can further the development of this.

      BEWARE any and all: This is EXPERIMENTAL! SAVE your current firewall policy first before loading this one. That will give you a way back in a pinch.

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/10240/Firewall/DesktopOnlyHighPrivacyWindowsFirewallSettings.wfw

      Please read and understand these constraints before trying this:

      • This is a policy designed as "deny by default, with exceptions" for Inbound AND Outbound network access. What this means is that applications that haven't been specifically allowed are NOT going to be able to communicate with the net. I have already added exceptions for several desktop applications. NO Metro/Modern applications are allowed with this rules set.
      • It will require ongoing effort by you to determine/detect when an application can't reach the net and add entries to the exception list in the Outbound Rules section. I haven't found a free 3rd party firewall management package that works well with Win 10 yet, though I started out trying Windows Firewall Notifier and it mostly works. You might have more luck with it.
      • It trusts everything on the LAN segment, allowing all communications with other computers on the same subnet. This is oriented toward a small network with a Router protecting the access to the wild Internet.
      • As an English-speaking US resident, with this policy I can complete a pre-check for available Windows Updates via the "Windows Update Hiding Tool", and I can complete an actual manually initiated Windows Update with this setup. You may find that different addresses are required in the exceptions lists for your locale or needs.
      • The Outbound Rules section is clean, with just the rules I created in it. The Inbound Rules section, however, has a lot of things disabled, but still there. I didn't delete much of anything from that section, such as it was after my series of Technical Preview upgrades and application installs, so you may find you can just enable rules there as you need.

      In order to manage this approach in an ongoing fashion, you'll need to do something like this:

      • Enable logging, in the Windows Security Log, of blocked accesses. I found this to be done automatically by the Windows Firewall Notifier. There are several such tools out there and I'd appreciate hearing back if you find one that really works well in Windows 10.
      • As you are using your system and find an application trying to do network access fails to work, look in the event log (or the UI provided by a tool like the Windows Firewall Notifier). There you will see what failed. It may take some skill to sift through the chaff and find the real failure that's causing you a loss of functionality. Windows 10 tries to do a LOT of network access.
      • Generally speaking, if you have an application that needs network access, you can just add a simple rule to allow that application access. If you don't trust an application - say Outlook - you can add a rule that just allows it to access the protocols/ports/addresses you know it needs. The Windows Firewall is pretty flexible and powerful.
      • I suggest you make and keep detailed notes about what you learn about network accesses, as it's too complex to keep in your head. Then if you see something over and over you can refine your rules to deal with it and you'll know the entire set of conditions under which it occurs.

      Beware: This is a lot like real work! Good luck. I'm interested to hear back how this works for others. -Noel
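The procedure in post 10 (back up the policy, switch the Windows Firewall to deny-by-default, add per-program exceptions, turn on logging of blocked connections, then sift the log to find what broke) can be scripted. The block below is an added example written for this page; it is not NoelC's .wfw policy file and not part of the thread. The backup path, the 192.168.1.0/24 "trusted LAN" range, and the Firefox and Outlook program paths are assumptions chosen for illustration; the Security-log event ID 5157 ("the Windows Filtering Platform has blocked a connection") and the `%%14593` outbound direction code are what Windows itself writes. Run it from an elevated PowerShell on Windows 8.1/10.

```powershell
# Added example: deny-outbound-by-default Windows Firewall setup with exceptions,
# plus a query that lists what was blocked. Not the thread's policy file.
# ASSUMPTIONS: backup path, LAN range, and program paths are illustrative.

$Backup = "$env:USERPROFILE\Desktop\firewall-before-deny-default.wfw"   # assumed path

# 1. Save the current policy first so there is a way back (netsh import restores it).
netsh advfirewall export "$Backup" | Out-Null

# 2. Block inbound AND outbound by default on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Exceptions: trust the local subnet (assumed 192.168.1.0/24), allow one desktop
#    program outright, and allow a less-trusted program only on the ports it needs.
New-NetFirewallRule -DisplayName "Allow LAN segment (outbound)" -Direction Outbound `
    -RemoteAddress 192.168.1.0/24 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName "Allow Firefox (outbound)" -Direction Outbound `
    -Program "C:\Program Files\Mozilla Firefox\firefox.exe" -Action Allow -Profile Any   # assumed path
New-NetFirewallRule -DisplayName "Allow Outlook HTTPS/IMAPS only" -Direction Outbound `
    -Program "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" `            # assumed path
    -Protocol TCP -RemotePort 443,993 -Action Allow -Profile Any

# 4. Log blocked connections to the Security event log (event 5157 carries the
#    application path, which the text pfirewall.log does not). English subcategory name.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 5. Sift the chaff: summarise blocked OUTBOUND attempts by program, destination and port.
function Get-BlockedOutboundConnections {
    param([int]$MaxEvents = 1000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Direction %%14593 = Outbound, %%14592 = Inbound
        if ($d['Direction'] -eq '%%14593') {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Application = $d['Application']   # device-path form, e.g. \device\harddiskvolume2\...
                Dest        = $d['DestAddress']
                Port        = $d['DestPort']
                Protocol    = $d['Protocol']      # 6 = TCP, 17 = UDP
            }
        }
    }
}

Get-BlockedOutboundConnections |
    Group-Object Application, Dest, Port |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The grouped output is the "see something over and over" view the post recommends keeping notes on: each row is one program talking to one address and port, so a repeated row is a candidate for either a narrow allow rule or a deliberate, documented block. Blocked inbound attempts are filtered out here on purpose; the post's deny-by-default setup also blocks them, but it is the outbound rows that reveal what a program is trying to send.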
  11. I don't see much of any difference in functionality here with 1.3.2.160. Whatever you worked on doesn't seem to have broken anything major on my test system. I see that there are a few more "Allocating ... blur" type messages in the dwm.exe debug window now. I tested on a 3 monitor config and thought I saw a minor visual rectangular glitch when hovering over / off the caption buttons on an IE window, but I couldn't reproduce it again. -Noel
  12. Thanks for the advice, but I have another solution for that already that's workable (Windows Firewall Notifier) for Win 8.1. I may try Sphinx Software Firewall Control in Win 10, as Windows Firewall Notifier doesn't work right in that environment. Based on what I've seen, the time has really come for these kinds of applications. -Noel
  13. No, not really. I need at minimum at least a few days of actually using Windows with this setup to verify it keeps working, and that I've not missed something important. Frankly, I'm a little concerned about publishing a policy file at all, because my personal goals are built into the setup... For example, I have zero interest in running a Metro/Modern App. I have zero interest in logging in via a Microsoft account. And I implicitly trust everything on my LAN segment. If that matches what others need, great, but I suspect it won't. If I think about it, my goals don't even really make sense with Windows 10... Which is why I've not chosen to adopt it for my main workstation, but only run it on a VM! I think it would be MUCH more work to try to develop a general purpose policy (it would probably have to be a SET of policies). Lastly, a full policy file contains not only Outbound settings, but Inbound as well, and I've only just barely looked at those. I'm sure they're not fit for public consumption at this point. I don't see an easy way to merge / edit / manage policies either - though I admit to being fairly new at manipulating the firewall with intensity. Do you know of a strategy for mixing and matching input from several different policies? That would help. -Noel
  14. I would LOVE to have a crack at coding an SSD controller. It's been my experience that there are few folks in the world who really understand real time programming. I've done some cool controller stuff in my day, and we sure didn't have these lickety split giga processors everyone enjoys now. I can proudly say I do. Yep, I've just got a "deny by default, with (a few) exceptions" firewall setup working this evening for Win 8.1 (and 10 as of yesterday). I've already seen some unexpected stuff blocked - though Win 8.1 is NOWHERE NEAR as promiscuous online as Win 10. -Noel
  15. Realistically any company that deals in sensitive information all the time couldn't use windows 10. Absolutely true. And what company DOESN'T think its data is precious enough to keep away from the outside world? Based on what I know now I wouldn't trust Win 10 not to find SOME way through the firewalls. It's promiscuous on the net beyond belief. Are there exclusions for businesses in the EULA that allow them to strike the "We can collect any fricking thing we want and use it however we like" clauses? I don't think so. Microsoft has the idea that business will really embrace "Windows as a Service". They made pot legal in Washington not long ago, didn't they? That could explain a lot. Cranial rectalitis explains the rest. -Noel
  16. The latest Windows Updates (KB3081441 and KB3081444) going in here on my Win 10 test system as I write this... The updates are coming a bit fast and furious with Win 10, eh? Can't say we didn't expect that. I truly hope such updates don't break nice 3rd party programs like Aero Glass continuously. The developers will almost certainly grow tired of trying to keep up. Now the updates are finished and the system is logged back in... The Windows build here (noting that I'm no longer on the Insider track as I use a local account) is still 10240. Aero Glass for Win 8.1+ still seems to work just fine... -Noel
  17. If it's at all interesting, here's my list of notes based on observation of what Win 10 does. The sections pretty much match my current "Oh hell no", "let the system block by default and wait and see if anything bad happens", and "allow" exception lists. Please be careful if you act on this information. It's entirely new, experimental, and potentially flat wrong. Plus it's oriented toward running only desktop operations - NO Modern Apps, which is what I do. It may not suit you if your goals are different. I certainly haven't done everything with Windows I could possibly do after setting up the firewall per these notes. In other words, use at your own risk. I would, however, like to hear your thoughts on specific entries. I certainly don't know everything Windows does with networking. Now that the above is in place, longer-term refinement of the firewall settings needs to happen, to make sure everything works. -Noel
  18. I no longer need a list to remove communications. I'm now running 100% "deny by default". I've just ported the idea to my Win 8.1 system as well. And now I can affirm that Win 10 tries like mad to send data all over the world. I'm a bit surprised that the tens of millions of Win 10 users haven't overloaded the Internet already. Win 8.1 is far less aggressive about it. -Noel
  19. In a proper world the application would ask you if you'd prefer to add a firewall entry (for both incoming and outgoing connections) and tell you exactly why it wants to do so, giving you, the user, the option to opt out of Internet communications. Of course, none do that. Many go ahead and add their own firewall entries for incoming data, and sometimes for outgoing as well, even though Windows' default policy is to allow outgoing connections unless blocked by an exception. My recent development of "deny Outgoing connections by default" firewall configurations for both my Win 8.1 and 10 systems has been a real eye-opener. There's 1000% more attempted network activity in Win 10, but unsolicited attempts to send out data are non-zero even in Win 8.1. This is a bit alarming, since it's a system that's been carefully kept clean and already has a fair number of other measures in place. My advice: Be afraid, be very afraid of your system telling the world all about you. -Noel
  20. Winky smiley is right - there are plenty o' typos in their screen grabs. The product might be a wee bit rushed. Still, it looks as though it's a central place from which one can access many/most/all of the privacy settings. Nice idea. -Noel
  21. The intermittent Classic Shell delay doesn't appear to be tied to ModernFrame. I just had the Classic Shell menu delay even with ModernFrame out. ModernFrame is going back in. -Noel
  22. He added an entry you can specify in the .layout file that accompanies the theme atlas file. In other words, when you use a replacement theme atlas file, say xyzzy.png, you can also have a file next to it named xyzzy.png.layout in which you can specify a CaptionHeight=n entry. You could, in the case of a 3rd party theme, extract the theme atlas png file from the STREAM resource of the .msstyles file, then add the .layout file with See: http://www.msfn.org/board/topic/173379-windows-10-development/page-56#entry1105793 -Noel
  23. How do you do that? Are there Win 10 discs in shrink wrap on shelves? It's a cloud-integrated OS. There's no such thing as a non-network environment as far as Microsoft is concerned. -Noel
  24. Is anyone here using ModernFrame.dll and ClassicShell, and finding ClassicShell's Start Menu to occasionally take a second or two to open? Normally it opens immediately, but for me intermittently I'm seeing a delay. A little while ago I removed ModernFrame.dll from AppInit_DLLs and lo and behold now the menu seems to open quickly. But it's intermittent so I can't be sure. It's not a big deal; I can live without ModernFrame, as I only use it for the Settings App. -Noel
  25. I'm becoming a bit more knowledgeable on this subject by trying to develop a firewall strategy for allowing Windows Update while blocking everything by default, and observing how the system reacts.

      1. There are a LOT of addresses the system needs to access to successfully complete a Windows Update (and I'm sure I haven't seen nearly all of the potential ones used).
      2. It's not hard to imagine that Microsoft would have coded the data gathering logic to piggy back on one of the processes / services that already access the network and are needed for Windows Update, making it particularly difficult to filter out spying activity while allowing Windows Update.
      3. Based on firewall logs, communications with servers that appear in a hosts file entry (e.g., a-0001.a-msedge.net) still get attempted, implying the addresses are coded into the software or that they're using a means to resolve names that doesn't involve hosts. The firewall IS blocking stuff still with all the hosts entries in place.

      -Noel
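Point 3 of post 25 is something you can check rather than infer. A hosts entry only affects name lookups that go through the local resolver; a process that carries the IP itself, or asks a DNS server directly, is unaffected, and only the firewall sees the resulting connection. The block below is an added example for this page (not NoelC's code): it reads the names the hosts file blackholes, asks the configured DNS server for their real addresses with `Resolve-DnsName -DnsOnly` (which skips hosts and the resolver cache), and counts how often each of those addresses appears in the firewall's text log. The log path is the Windows default and assumes `Set-NetFirewallProfile -LogBlocked True` is already on; the hosts path is the Windows default.

```powershell
# Added example: do connections to hosts-file-blackholed names still reach the
# firewall? Not from the thread. ASSUMPTIONS: default hosts and pfirewall.log paths;
# blocked-packet logging (Set-NetFirewallProfile -LogBlocked True) already enabled.

function Get-BlackholedHostAddresses {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Names mapped to 0.0.0.0 or 127.0.0.1 are the ones the hosts file is meant to silence.
    $names = Get-Content $HostsPath |
        Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' } |
        ForEach-Object { $Matches[2] } |
        Sort-Object -Unique
    foreach ($n in $names) {
        # -DnsOnly bypasses hosts and the cache, so this is what the name really resolves to.
        $answers = Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue
        foreach ($a in $answers) {
            if ($a.IPAddress) { [pscustomobject]@{ Name = $n; IP = $a.IPAddress } }
        }
    }
}

function Get-HostsBypassHits {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    if (-not (Test-Path $LogPath)) { throw "No firewall log at $LogPath; enable -LogBlocked first." }
    foreach ($entry in Get-BlackholedHostAddresses) {
        # Literal match on the address; pfirewall.log lines carry src-ip and dst-ip as plain text.
        $hits = @(Select-String -Path $LogPath -SimpleMatch -Pattern $entry.IP).Count
        [pscustomobject]@{ Name = $entry.Name; IP = $entry.IP; LogEntries = $hits }
    }
}

Get-HostsBypassHits | Where-Object LogEntries -gt 0 | Sort-Object LogEntries -Descending | Format-Table -AutoSize
```

A non-zero count for a name means the hosts entry did not stop the attempt and the firewall rule did, which is the post's observation in measurable form. The converse is not a proof: a zero count can also mean the name resolves to other addresses (CDN names often rotate), so a quiet row is a reason to look at the DNS answers again, not a reason to drop the firewall rule.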