Windows Advanced Firewall


The Windows Firewall with Advanced Security is used on Windows 8.1 and on Windows 10, and also on versions of Windows Server from, I think, 2008 R2 onwards.

Like iptables, which has been built into Linux for a long time now, the Windows firewall is a combined packet filter and stateful filter, and as such it can be programmed to be quite a useful form of protection from network based attacks.

However it comes with some significant disadvantages out of the box:

- The ruleset is stored in the registry, so anyone who gets write access to the registry can reprogramme the firewall.

- Application installation software can cut holes through the firewall to its heart's content, and Windows doesn't seem to care.

- Microsoft have this obsession with the idea that a Windows based computer taken out of the box must be capable of running all the garbage services and software that Microsoft seem to think we can't live without, and so as it is taken out of the box the firewall has already got masses of holes cut through it.

- Microsoft also have the obsession with the idea that every new version of Windows must interconnect with every previous version of Windows by default, even though this means letting old and famously insecure network protocols through the firewall.

- Windows provides an easy to use GUI, which means that anyone with sufficient rights and no understanding of what they are doing can cut even more holes through the firewall with just a few clicks. This is made even more dangerous by the fact that if, say, you use the GUI to let Notepad or Regedit through the firewall, it enters firewall rules which allow all ports on both UDP and TCP straight through, and that totally destroys both the packet filtering and the stateful filtering for that application.

Another disadvantage that is worth noting here is that the Windows firewall has a default policy of allowing all outgoing packets through the firewall, unless they are specifically blocked by a firewall rule.

This is quite a common policy for stateful filtering firewalls, and it does make life a lot easier for administrators: with a default policy of blocking all outgoing packets, it can be quite a headache to cut the requisite holes through the firewall so that services and applications work as they are designed to.

However a default allow policy does weaken the effectiveness of a stateful filtering firewall.
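An added example, not part of the original page, that checks a live machine for the two weaknesses just described: profiles still set to allow outbound by default, and enabled allow rules of the "any protocol, any port" shape that the GUI creates when an application is allowed through. It uses the NetSecurity module cmdlets that ship with Windows 8.1 and later and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added audit script (not from the original page). Reads the local firewall
# policy store and reports the two weaknesses discussed above.

# 1. Profiles whose default outbound action is still Allow (the out-of-the-box setting).
foreach ($p in Get-NetFirewallProfile) {
    if ($p.DefaultOutboundAction -ne 'Block') {
        Write-Warning ("Profile {0}: DefaultOutboundAction is {1}, not Block" -f $p.Name, $p.DefaultOutboundAction)
    }
}

# 2. Enabled allow rules that match any protocol and any port. This is the shape
#    of rule the "Allow an app through Windows Firewall" GUI adds for a program
#    such as Notepad or Regedit: the packet filter is effectively off for it.
$broad = foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'Any' -and $port.LocalPort -eq 'Any' -and $port.RemotePort -eq 'Any') {
        $app = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Direction = $rule.Direction
            Profile   = $rule.Profile
            Program   = $app.Program   # 'Any' means the rule is not even tied to a program
        }
    }
}

$broad | Sort-Object Direction, Name | Format-Table -AutoSize
"{0} enabled allow rule(s) match any protocol and any port" -f @($broad).Count
```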

So I had a look at reconfiguring the firewall on Windows 10 and on Windows 8.1 so that there is a default block policy on outgoing packets, and I have to say, yes it can be a bit of a headache to get things to work as they should, but having done it, the firewall is a lot more secure.

In the end I wrote a batch file that uses netsh to set up the firewall, and it works nicely on both Windows 10 and on Windows 8.1.

I believe that Microsoft are thinking about phasing out netsh and just doing everything through PowerShell, but so far PowerShell is a bit beyond my reach, though it could be done through PowerShell as well.

The script changes the default policy to block on all profiles, deletes all existing rules, and then creates rules that allow Firefox, Windows Defender, and Malwarebytes free version to work as they should.

It was very satisfying to run it on a brand new installation of Windows 10 1809, and watch it delete 334 inbound rules, and 394 outbound rules.

Here is the script; if you want to play with it, copy and paste it into a batch file and run it.

But be warned, a lot of your services and applications will stop working, so having some kind of restoration or re-imaging strategy would be a good idea.

@echo off
rem Must be run from an elevated (administrator) command prompt: netsh advfirewall changes need admin rights.
title Windows firewall script
color 5E
echo This script will completely rewrite the Windows Advanced Firewall ruleset on Windows 10, Windows 8.1, and possibly on Windows 7 64 bit, but probably not on Windows 7 32 bit.
echo.
echo This script will break the operation of all services and applications that require network or internet access unless a specific firewall rule is created for each service and application.
echo.
echo Do you want to proceed ?
echo.
pause
echo.
echo Are you sure ?
echo.
pause
echo.
rem Default policy: block inbound and outbound on all three profiles (domain, private, public).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
rem Delete every existing rule in both directions.
netsh advfirewall firewall delete rule name=all dir=in
netsh advfirewall firewall delete rule name=all dir=out
rem All the allow rules below apply to the public profile only. On a network that
rem Windows classifies as private or domain they do not apply, so everything stays blocked there.
rem Basic plumbing: DNS and DHCPv4 client traffic, outbound only. The stateful filter admits the replies.
netsh advfirewall firewall add rule name=dns-udp-53 dir=out action=allow enable=yes profile=public remoteport=53 protocol=udp
netsh advfirewall firewall add rule name=dhcpv4-udp dir=out action=allow enable=yes profile=public localport=68 remoteport=67 protocol=udp
rem Per-program rules, outbound only, restricted to TCP 80 and 443.
netsh advfirewall firewall add rule name=firefox-tcp-80-443 dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
netsh advfirewall firewall add rule name=defender-mascui-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\MSASCui.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
netsh advfirewall firewall add rule name=defender-msmpeng-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\MsMpEng.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
netsh advfirewall firewall add rule name=defender-nissrv-tcp-80-443 dir=out action=allow program="C:\Program Files\Windows Defender\NisSrv.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
netsh advfirewall firewall add rule name=malwarebytes-mbam-tcp-80-443 dir=out action=allow program="C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
netsh advfirewall firewall add rule name=malwarebytes-mbamservice-tcp-80-443 dir=out action=allow program="C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" enable=yes profile=public remoteport=80,443 protocol=tcp
echo.
echo all done
echo.
pause
exit
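The same policy expressed with the NetSecurity module cmdlets instead of netsh, as an added example that is not the author's script. It does what the batch file does (default block in both directions on all profiles, delete every rule, then allow DNS, DHCPv4 and the listed programs on the public profile only); the program paths are taken from the batch file above, and it assumes an elevated PowerShell prompt on Windows 8.1 or later.

```powershell
# Added example (not the page's own script): the netsh batch file rewritten with
# the NetSecurity cmdlets. Run elevated; it will cut network access for everything
# not listed below, exactly as the batch file does.
$ErrorActionPreference = 'Stop'

# Default block in both directions on Domain, Private and Public.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Delete every existing rule, inbound and outbound, from the local policy store.
Remove-NetFirewallRule -All

# Basic plumbing on the public profile: DNS and DHCPv4 client traffic, outbound only.
New-NetFirewallRule -DisplayName 'dns-udp-53' -Direction Outbound -Action Allow -Profile Public -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName 'dhcpv4-udp' -Direction Outbound -Action Allow -Profile Public -Protocol UDP -LocalPort 68 -RemotePort 67

# Per-program rules, outbound only, restricted to TCP 80 and 443.
# Paths are the ones used in the batch file; adjust them if the products live elsewhere.
$programs = [ordered]@{
    'firefox-tcp-80-443'                  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'defender-mascui-tcp-80-443'          = 'C:\Program Files\Windows Defender\MSASCui.exe'
    'defender-msmpeng-tcp-80-443'         = 'C:\Program Files\Windows Defender\MsMpEng.exe'
    'defender-nissrv-tcp-80-443'          = 'C:\Program Files\Windows Defender\NisSrv.exe'
    'malwarebytes-mbam-tcp-80-443'        = 'C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe'
    'malwarebytes-mbamservice-tcp-80-443' = 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
}
foreach ($name in $programs.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow -Profile Public `
        -Program $programs[$name] -Protocol TCP -RemotePort 80,443
}

# Show the resulting policy so the reduction is visible.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule | Select-Object DisplayName, Direction, Profile | Format-Table -AutoSize
```

Because the allow rules carry -Profile Public, nothing is permitted when Windows classifies the current network as Private or Domain; add rules for those profiles if the machine is used on such networks.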


© 2024   Ron Turner
