Windows 10 1809

 

 

A look at Windows 10 1809 has revealed a number of issues which means that the firewall script I published a few years ago doesn`t work successfully on Windows 10 1809.

The script does run, it does exactly what it is supposed to do, but some of what it does is not appropriate for Windows 10 1809.

Below are the issues which I have found, and a new script specifically for Windows 10 1809 is shown at the bottom of the page.

 

Windows Defender and Windows Updates

The way that Windows Defender works in Windows 10 1809 has changed - some of the executables have been changed, and Windows Defender now utilises svchost.exe to interact with the outside world.

This means that the firewall script I wrote quite a while ago no longer allows Windows Defender to get updates to the risk library.

It has proved necessary to allow svchost.exe to interact with the internet on IPv4 TCP ports 80 and 443.

This has allowed Windows Defender to get its updates - I think it is also now doing it through Windows Update.

But this has caused a new problem - because svchost.exe is used extensively by many other programmes that are part of Windows 10 - by opening the firewall to allow svchost.exe through the firewall other programmes can also use this opening - one of them is the WpnUserService, which also uses svchost.exe and port 443.

 

WpnUserService

WpnUserService is one of a number of Per-user services that various previous versions of Windows 10 have introduced - they are services that are created when a user logs in to a Windows 10 computer, and they are stopped or deleted when the user logs out.

The services therefore run within the user environment and so gain the security context of the user account, and it makes for a more efficient use of resources.

As far as I am aware, most of the Per-user services do things within Windows so don`t really affect the security of the computer - but WpnUserService allows apps to request external servers to push notifications into the computer - so this is a significant security issue.

If users don`t need these notifications then the sensible thing to do is to disable WpnUserService - but it can`t be fully disabled using the usual Services console available at Control Panel / Administrative Tools / Services.

It has to be done through the Registry.

On my installation of Windows 10 1809 the relevant keys and subkeys are

On each of these subkeys the "Start" value should be changed to 4 - which means they are disabled.

 

Windows 10 1809 and NetBIOS

Windows 10 has a strong affinity to NetBIOS despite the fact that NetBIOS is a very old and famously insecure network protocol - and is regularily used as a way into a computer by malware writers.

A first step is to go to Control Panel / Programs and Features - click on "Turn Windows features on and off" - scroll through the list of features to find "SMB 1.0/CIFS File Sharing Support" - uncheck the box.

However that only stops the use of an early version of NetBIOS.

If you don`t need Windows file and printer sharing go to the Services console available at Control Panel / Administrative Tools / Services - disable the following services :-

Unfortunately the affinity to NetBIOS is built right into the core of Windows 10 - the process called "System" with the PID of 4 is listening on

I don`t know of any way to stop this - "System" is the core process of Windows.

The only way round it that I know of is to block NetBIOS with the firewall.

 

Malwarebytes

In the past the free edition of Malwarebytes was a useful addon programme in helping to combat malware.

However a new installation of Malwarebytes has shown that it seems to have become a rather bloated and costly addon - the installation has installed no less than 13 executables in C:\Program Files\Malwarebytes\Anti-malware.

It used to run on two executables - why does it now need thirteen.

In addition I found that it was continually writing stuff onto the hard drive - so what was it writing ?

The free edition of Malwarebytes should just be sitting there doing nothing until it is asked to do a scan.

I decided it had to go - but the Malwarebytes un-installer is not working - it hangs after 5% of the uninstallation.

I have hacked the registry to try and stop it running at all, but it looks like I will have to uninstall it manually.

 

Firewall script for Windows 10 1809

Back in 2019 I published a script which rewrote the firewall policies and rule set in Windows 10 and some earlier versions of Windows.

Because of the differences shown above in Windows 10 1809 it has been necessary to rewrite the script specifically for Windows 10 1809, and this new script is shown below.

In comparison to the previous script this new script has the following characteristics :-

This script is only useable on Windows 10 1809. 



@echo off

title: Windows firewall script

color 5E

echo This script will completely rewrite the Windows Advanced Firewall ruleset on Windows 10, Windows 8.1, Windows 7 32 bit, and possibly on Windows 7 64 bit.

echo.

echo This script is designed specifically for Windows 10 1809 - it should not be used on any earlier version of Microsoft Windows.

echo.

echo Save the whole script as a batch file.

echo.

echo It needs to be run as administrator.

echo.

echo This script will break the operation of all services and applications that require network or internet access unless a specific firewall rule is created for each service and application.

echo.

echo Do you want to proceed ?

echo.

pause

echo.

echo Are you sure ?

echo.

pause

echo.

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

netsh advfirewall firewall delete rule name=all dir=in

netsh advfirewall firewall delete rule name=all dir=out

netsh advfirewall firewall add rule name=dns-udp-53 dir=out action=allow enable=yes profile=public remoteport=53 protocol=udp

netsh advfirewall firewall add rule name=dhcpv4-udp dir=out action=allow enable=yes profile=public localport=68 remoteport=67 protocol=udp


netsh advfirewall firewall add rule name=firefox-tcp-80-443 dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=public remoteport=80,443 protocol=tcp


netsh advfirewall firewall add rule name=defender-config-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" enable=yes profile=public 

netsh advfirewall firewall add rule name=defender-mpcmdrun-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\MpCmdRun.exe" enable=yes profile=public

netsh advfirewall firewall add rule name=defender-msmpeng-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\MsMpEng.exe" enable=yes profile=public

netsh advfirewall firewall add rule name=defender-nissrv-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\NisSrv.exe" enable=yes profile=public


netsh advfirewall firewall add rule name=svchost-tcp-443 dir=out action=allow program="C:\Windows\System32\svchost.exe" enable=yes profile=public remoteport=80,443 protocol=tcp


netsh advfirewall firewall add rule name=edgeBCHost-tcp-80-443 dir=out action=allow program="C:\Windows\System32\MicrosoftEdgeBCHost.exe" enable=yes profile=public remoteport=80,443 protocol=tcp

netsh advfirewall firewall add rule name=edgeCP-tcp-80-443 dir=out action=allow program="C:\Windows\System32\MicrosoftEdgeCP.exe" enable=yes profile=public remoteport=80,443 protocol=tcp

netsh advfirewall firewall add rule name=edgeDevTools-tcp-80-443 dir=out action=allow program="C:\Windows\System32\MicrosoftEdgeDevTools.exe" enable=yes profile=public remoteport=80,443 protocol=tcp

netsh advfirewall firewall add rule name=edgeSH-tcp-80-443 dir=out action=allow program="C:\Windows\System32\MicrosoftEdgeSH.exe" enable=yes profile=public remoteport=80,443 protocol=tcp


echo.

echo all done

echo.

pause

exit

 

 

 

 

 

website design by ron-t

 

website hosting by freevirtualservers.com

 

© 2024   Ron Turner

 

+                                   +  

 

Link to the W3C website.   Link to the W3C website.