Experimenting with Windows Firewall to block by default


NoelC


No, not really.  I need at minimum at least a few days of actually using Windows with this setup to verify it keeps working, and that I've not missed something important.

 

Frankly, I'm a little concerned about publishing a policy file at all, because my personal goals are built into the setup...  For example, I have zero interest in running a Metro/Modern App.  I have zero interest in logging in via a Microsoft account.  And I implicitly trust everything on my LAN segment.  If that matches what others need, great, but I suspect it won't.

 

If I think about it, my goals don't even really make sense with Windows 10...  Which is why I've not chosen to adopt it for my main workstation, but only run it on a VM!

 

I think it would be MUCH more work to try to develop a general purpose policy (it would probably have to be a SET of policies).

 

Lastly, a full policy file contains not only Outbound settings, but Inbound as well, and I've only just barely looked at those.  I'm sure they're not fit for public consumption at this point. 

 

I don't see an easy way to merge / edit / manage policies either - though I admit to being fairly new at manipulating the firewall with intensity.  Do you know of a strategy for mixing and matching input from several different policies?  That would help.

 

-Noel


Just install Windows Firewall Control by Sphinx Software: http://www.sphinx-soft.com/Vista/ It is not a firewall app but an app to control the Windows Firewall. When installed, it blocks outgoing connections by default and shows a notification every time an app wants to connect letting you quickly allow that particular app.

Edited by xpclient

Thanks for the advice, but I have another solution for that already that's workable (Windows Firewall Notifier) for Win 8.1.

 

I may try Sphinx Software Firewall Control in Win 10, as Windows Firewall Notifier doesn't work right in that environment.

 

Based on what I've seen, the time has really come for these kinds of applications.

 

-Noel


And we thought they (M$) were just rearranging the deck chairs... The depressing 2D icons during the beta periods were probably a distraction from new telemetry software freshly introduced. A decoy for the bloggers.

 

The truth of what really happens in the depths of the mothership we mortals will likely never learn.


Frankly, I'm a little concerned about publishing a policy file at all, because my personal goals are built into the setup...  For example, I have zero interest in running a Metro/Modern App.  I have zero interest in logging in via a Microsoft account.  And I implicitly trust everything on my LAN segment.  If that matches what others need, great, but I suspect it won't.

 

[...]

 

-Noel

 

Actually MSFN IS a gathering of ppl with a similar approach, I think... so it might be worth publishing :) Of course some sort of information on what, why and how would be necessary, as well as a tutorial on how to change things you have blocked and we might need, which would take your time, but I guess many people might appreciate the outcome. I'd be applying that if I ever install W10, but surely not unless my XPocalypse shelter collapses... and I don't think it will come soon :> And the worse thing is that the W10 EULA makes me feel bad for not being a Linux guy, which was discussed in a few other topics :)

 

Simply speaking, I appreciate your works :>


Thanks for the encouragement.

 

OK, I'll publish the firewall policy I have developed, in the hopes that all you bright people here will experiment and share your findings.  Perhaps together we can further the development of this.

 

BEWARE any and all:  This is EXPERIMENTAL!

 

SAVE your current firewall policy first before loading this one.  That will give you a way back in a pinch.

 

http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/10240/Firewall/DesktopOnlyHighPrivacyWindowsFirewallSettings.wfw

 

Please read and understand these constraints before trying this:

  • This is a policy designed as "deny by default, with exceptions" for Inbound AND Outbound network access.  What this means is that applications that haven't been specifically allowed are NOT going to be able to communicate with the net.  I have already added exceptions for several desktop applications.  NO Metro/Modern applications are allowed with this rules set.
     
  • It will require ongoing effort by you to determine/detect when an application can't reach the net and add entries to the exception list in the Outbound Rules section.  I haven't found a free 3rd party firewall management package that works well with Win 10 yet, though I started out trying Windows Firewall Notifier and it mostly works.  You might have more luck with it.
     
  • It trusts everything on the LAN segment, allowing all communications with other computers on the same subnet.  This is oriented toward a small network with a Router protecting the access to the wild Internet.
     
  • As an English-speaking US resident, with this policy I can complete a pre-check for available Windows Updates via the "Windows Update Hiding Tool", and I can complete an actual manually initiated Windows Update with this setup.  You may find that different addresses are required in the exceptions lists for your locale or needs.
     
  • The Outbound Rules section is clean, with just the rules I created in it.  The Inbound Rules section, however, has a lot of things disabled, but still there.  I didn't delete much of anything from that section, such as it was after my series of Technical Preview upgrades and application installs, so you may find you can just enable rules there as you need.

 

 In order to manage this approach in an ongoing fashion, you'll need to do something like this:

  • Enable logging, in the Windows Security Log, of blocked accesses.  I found this to be done automatically by the Windows Firewall Notifier.  There are several such tools out there and I'd appreciate hearing back if you find one that really works well in Windows 10.
     
  • As you are using your system and find an application trying to do network access fails to work, look in the event log (or the UI provided by a tool like the Windows Firewall Notifier).  There you will see what failed.  It may take some skill to sift through the chaff and find the real failure that's causing you a loss of functionality.  Windows 10 tries to do a LOT of network access.
     
  • Generally speaking, if you have an application that needs network access, you can just add a simple rule to allow that application access.  If you don't trust an application - say Outlook - you can add a rule that just allows it to access the protocols/ports/addresses you know it needs.  The Windows Firewall is pretty flexible and powerful.
     
  • I suggest you make and keep detailed notes about what you learn about network accesses, as it's too complex to keep in your head.  Then if you see something over and over you can refine your rules to deal with it and you'll know the entire set of conditions under which it occurs.  Beware:  This is a lot like real work!

 

Good luck.  I'm interested to hear back how this works for others.

 

-Noel

Edited by NoelC
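For anyone who wants to build the same kind of "deny by default, with exceptions, trust the LAN" policy described in the post above without importing someone else's .wfw file, here is an added example script (not NoelC's policy and not from the thread) that does it with the built-in NetSecurity cmdlets on Windows 8.1/10. The application paths are assumptions to be replaced with your own, and the auditpol subcategory name assumes an English-language Windows.

```powershell
# Added example, not from the thread: build a "deny by default, with exceptions"
# Windows Firewall policy with the built-in NetSecurity cmdlets.
# Run from an elevated PowerShell on Windows 8.1 / 10.

# Save the current policy first so there is a way back in a pinch.
netsh advfirewall export "$env:USERPROFILE\Desktop\firewall-backup.wfw"

# 1. Block inbound AND outbound by default on every profile, and log dropped
#    packets to the firewall log so blocked accesses can be reviewed later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Optional: also record blocked connections in the Security event log
# (event ID 5157, which includes the application path). This is what the
# third-party notifier tools switch on. Subcategory name assumes English Windows.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 2. Trust the LAN segment: allow all traffic to and from the local subnet.
#    Drop these two rules if you do NOT trust everything on your network.
New-NetFirewallRule -DisplayName 'Custom: Allow LAN (out)' -Direction Outbound `
    -RemoteAddress LocalSubnet -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Custom: Allow LAN (in)' -Direction Inbound `
    -RemoteAddress LocalSubnet -Action Allow -Profile Any

# 3. Name resolution and DHCP are needed by almost everything; allow them for
#    the system services rather than leaving each application to do its own.
New-NetFirewallRule -DisplayName 'Custom: Allow DNS client' -Direction Outbound `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dnscache `
    -Protocol UDP -RemotePort 53 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Custom: Allow DHCP client' -Direction Outbound `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dhcp `
    -Protocol UDP -RemotePort 67 -Action Allow -Profile Any

# 4. Per-application exceptions. The paths below are assumptions; use the
#    executables you actually want on the net. Anything not listed here (and
#    every Metro/Modern app) stays blocked by the default outbound action.
$allowedApps = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
)
foreach ($exe in $allowedApps) {
    New-NetFirewallRule -DisplayName "Custom: Allow $(Split-Path $exe -Leaf)" `
        -Direction Outbound -Program $exe -Action Allow -Profile Any
}

# Review what the script created; all custom rules share the 'Custom:' prefix
# so they can be found (or removed) as a group later.
Get-NetFirewallRule -DisplayName 'Custom:*' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

Two notes on the design: the outbound DNS/DHCP rules are scoped to the service inside svchost.exe rather than to svchost.exe as a whole, because allowing svchost.exe outright would also let every other hosted service (Windows Update, telemetry and the rest) out; and the "Custom:" prefix makes it a one-liner to list or remove your own rules without touching the hundreds Windows ships with.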

Just install Windows Firewall Control by Sphinx Software: http://www.sphinx-soft.com/Vista/ It is not a firewall app but an app to control the Windows Firewall. When installed, it blocks outgoing connections by default and shows a notification every time an app wants to connect letting you quickly allow that particular app.

 

Isn't that what TinyWall does? It's not a firewall itself either, but controls the Windows Firewall as well.

 

For example, I have zero interest in running a Metro/Modern App.  I have zero interest in logging in via a Microsoft account.

 

Those are my goals too and why I'm using the LTSB.

 

Btw Noel, your link to Windows Firewall Notifier is 404ing and after having imported the policy into my en-us LTSB VM it loses its internet connection. I will investigate.... if I can figure out how to do that.

Edited by ptd163

Isn't that what TinyWall does? It's not a firewall itself either, but controls the Windows Firewall as well.

 

There are many apps to control Windows Firewall. TinyWall has a no popup approach. I prefer the one by Sphinx Software because it has a decent user experience and shows outbound notifications (yes it can get annoying since it prompts for every single app that tries to connect and blocks it by default unless you approve) but once you have set it up, it gives you full control. Being prompted at the time the app wants to connect for the first time and never again is convenient for me.

Edited by xpclient

Thanks for sharing your experience with Sphinx.  I think that approach works best for me too (be notified, then decide whether to allow).

 

Does Sphinx have a memory of what you've seen, separate from the firewall blocking rules?

 

I ask because with a "deny by default" approach, it's handy not to have to see things more than once that you've already seen and confirmed need to be blocked - without having to create explicit blocking rules to do so.  In other words, "being blocked automatically is just fine, don't ask me again".

 

Trouble with Win 10 is that there are literally things blocked every few seconds.  It's not quite that bad with Win 8.1.

 

How does Sphinx handle a high notification rate?

 

-Noel

 

 

 

Edit:  Answered my own questions by buying a copy.  It's a good piece of software (which I didn't doubt after xpclient recommended it).

 

It makes a "deny by default" approach easier to manage, mostly because of the reporting and pop-up process that makes it easier to decide what to do, and to quiet down notifications for things you know about already.

 

At this point I've abandoned trying to configure the Windows Firewall directly - which was doable, but quite a lot of work to manage in an ongoing fashion simply because the interface to the tools just is clunky.

Edited by NoelC

@ NoelC

 

I have 10 installed in a testing PC & tried to import your Firewall Policies but they didn't work on a live system. (Yours are made for a VM)

Selecting in Windows Firewall Notifier "block and prompt" all Inbound & Outbound traffic, just allowing Avast and Firefox to connect. For the first 10 or 20 minutes I didn't have time to do anything other than block outgoing traffic, even though this was after running ShutUp10 blocking everything.

Then I changed the setting to "block silently" just to rest a little. Anyway, I noticed in "Firewall rules" there is a lot not blocked and I think it has to be done directly in Windows Firewall, to only allow "local subnet" connections.

 

I would appreciate a lot if you can tell me what is needed to let Windows Update run properly.

 

BTW I ran Windows Firewall Notifier on Win7 and it is boring, almost nothing to block (I didn't install any KB in dencorso's list http://www.msfn.org/board/topic/173752-how-to-avoid-being-upgraded-to-win-10-against-your-will/ )  

 

Best Regards

Edited by alacran

I gave up on reconfiguring the Windows Firewall through the Windows interface.  It was possible, but just turned out to be too much work in an ongoing way to deal with the Windows interface and read the logs.

 

After evaluating it, I purchased the software xpclient recommended - Sphinx Windows 10 Firewall Control (Plus edition).  About $25.

 

You can get quite far with their free edition, though it doesn't have the flexibility to create custom zones.  What it HAS is a number of predefined zones that probably are good enough for most things.

 

It's worth noting that it doesn't replace the Windows Firewall, but rather augments it with an additional set of rules.  Essentially you don't need the interface provided by Windows any more when using this one.

 

If you want to get Windows Update working on your system using the Windows firewall only, here's how I did it (using the freeware - and not very good - Windows Firewall Control program)...

 

1.  Use the update hiding tool to see that you can see a pending Windows update (e.g., for Windows Defender).

2.  Block everything other than your LAN.

3.  Re-run the update hiding tool.

4.  Note that the update hiding tool no longer shows any pending update.  If it shows updates, you're done with this phase.

5.  See what addresses are logged as blocked.

6.  If you determine them to be legitimate Windows Update sites that are being logged as a direct result of trying to have the update hiding tool attempt to check for updates, allow them, specifically.

7.  Repeat at step 3 until you succeed in step 4, then go on to the next phase below.

 

Once you've done the above, you'll have accumulated a more or less minimum set of rules that will allow a Windows Update check to complete.  Next phase:  Getting the actual Windows Update to work.

 

8.  Try to do a Windows Update through Settings > Update & Security > Windows Update > Check for updates.

9.  See whether it successfully completes the update.  If so, you're good, move on to step 12 below.

10.  Note in the log what addresses were blocked as a direct result of trying to do the Windows Update, and allow them, specifically.

11. Repeat at step 8 until you succeed in step 9.

 

It's tedious, but it can be done.

 

Then comes the maintenance phase.

 

12.  Watch for things being blocked as you use your system.

13.  Research the address, and decide whether to allow the operations in the future, either by application or by address, or by some combination of the two.

14.  Repeat this whenever something doesn't work or you spot something being blocked and you don't know why.

 

Note that as Microsoft makes changes the lists of addresses will almost certainly change.

 

And you'll probably have to guess sometimes at whether to allow a certain access.  After a while you get a feel for what's talking to whom, and you'll be able to spot patterns.

 

Choosing a "deny first" firewall strategy implies a lot of ongoing work.  And it's essentially personal to you - embodying your specific system setup and your needs. 

 

In hindsight, something came to me well after starting this thread:  It's not something that can easily be set up for others.  It's not surprising my rule set didn't work for you, though you might be able to start with it and turn it into something that works for you using the steps I outlined above.

 

Only you can determine the proper balance between effort expended and value added by keeping your private data private.  I judged using the freely available tools to be a bit too much work - hence my switching to Sphinx, which helps with managing the rules / zones / lists.  Since putting it in, every day I've reviewed the lists of addresses allowed and blocked, and have been refining the rules/zones some.  Its built-in rules are not quite as restrictive as I'd like, but they can be modified.

 

-Noel

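Steps 5, 6 and 10 above ("see what addresses are logged as blocked", then "allow them, specifically") can be done from the firewall's own log instead of a third-party notifier. The script below is an added example, not NoelC's or Sphinx's code: it parses the pfirewall.log that Windows writes when dropped-packet logging is on, summarises outbound drops by destination so they can be researched one at a time, and shows the shape of a tightly scoped allow rule. The log lines embedded in it are constructed sample data using RFC 5737 documentation addresses, not real Windows Update endpoints; the program path, service name and address in the commented rule are placeholders.

```powershell
# Added example, not from the thread: summarise what Windows Firewall dropped,
# so blocked addresses can be researched before anything is allowed.
# Requires Set-NetFirewallProfile -LogBlocked True on the active profile.
# Usage:  .\Summarize-FirewallDrops.ps1 -UseSample     (constructed data)
#         .\Summarize-FirewallDrops.ps1                (the real log, elevated)
param(
    [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [switch]$UseSample   # parse the constructed sample below instead of the real log
)

# Constructed sample in pfirewall.log format. Addresses are RFC 5737
# documentation ranges, NOT real Microsoft endpoints.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-08-10 09:12:33 DROP TCP 192.168.1.20 203.0.113.10 52011 443 52 S 2935409934 0 8192 - - - SEND
2015-08-10 09:12:34 DROP TCP 192.168.1.20 203.0.113.10 52012 443 52 S 2935409935 0 8192 - - - SEND
2015-08-10 09:12:40 DROP TCP 192.168.1.20 198.51.100.7 52013 80 52 S 2935409936 0 8192 - - - SEND
2015-08-10 09:13:01 DROP UDP 198.51.100.99 192.168.1.20 1900 1900 180 - - - - - - - RECEIVE
2015-08-10 09:13:05 ALLOW TCP 192.168.1.20 192.168.1.1 52014 53 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    # Column names are taken from the "#Fields:" header, so the parser follows
    # whatever layout the log on disk actually has.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # no header seen yet; skip
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$obj
    }
}

$lines = if ($UseSample) { $sampleLog -split "`r?`n" } else { Get-Content -Path $LogPath }
$drops = ConvertFrom-FirewallLog -Lines $lines | Where-Object { $_.action -eq 'DROP' }

# Outbound drops grouped by destination, port and protocol: this is the list to
# research. Inbound drops from off-subnet addresses (SSDP, scanners) are the
# chaff NoelC mentions and are left out of the summary.
$drops |
    Where-Object { $_.path -eq 'SEND' } |
    Group-Object 'dst-ip', 'dst-port', 'protocol' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Destination'; e = { $_.Group[0].'dst-ip' } },
        @{ n = 'Port';        e = { $_.Group[0].'dst-port' } },
        @{ n = 'Proto';       e = { $_.Group[0].protocol } },
        @{ n = 'FirstSeen';   e = { $_.Group[0].date + ' ' + $_.Group[0].time } } |
    Format-Table -AutoSize

# Once an address has been researched and judged legitimate for ONE program,
# allow only that program to reach only that address and port (step 6/10).
# Program, service and address below are placeholders for illustration.
# New-NetFirewallRule -DisplayName 'Custom: Windows Update -> 203.0.113.10:443' `
#     -Direction Outbound -Program '%SystemRoot%\System32\svchost.exe' `
#     -Service wuauserv -Protocol TCP -RemoteAddress 203.0.113.10 -RemotePort 443 `
#     -Action Allow -Profile Any
```

On the sample data the summary shows 203.0.113.10:443/TCP twice and 198.51.100.7:80/TCP once, with the inbound SSDP drop and the allowed DNS line filtered out. One limitation worth knowing before step 6: pfirewall.log records addresses but not which program sent the packet, so to pair an address with an application you either correlate by time with what you were doing, or enable failure auditing for "Filtering Platform Connection" and read event 5157 from the Security log, which does carry the application path.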

I don't have money to spend on software that I will rarely use at best and never use at worst so I guess I'm stuck with free software like TinyWall. Oh well. Thanks for giving free/built-in software a fair shake Noel.


@ NoelC

 

Too much work for nothing and stupid time consumption.

10 is not better than 7 in any way.  I'm going to stay on 7 in all my 4 PCs for as long as possible (I don't like 8.x).

Thanks to you for all your time and effort trying to fix this nightmare.

Best Regards

alacran
