Securing Windows Firewall

By | Monday 24.12.2018

UPDATE:

I've just found out that sometimes a Windows bug can appear that will not make the changes permanent until after doing them the second time around, after the first system reboot. Upon investigation, I've come to the conclusion that the problem is caused by how User Account Control is managing Group Policy Editor requests.

To get around this problem, start cmd.exe as Administrator and launch Group Policy Editor from there (type "start gpedit.msc" and press Enter).

[Image: WinFirewall1]

For a long time, Windows Firewall was avoided completely because it is extremely easy for programs to use its API to add themselves to the exceptions list.

However, what most people don't know is that starting with Windows Vista, the way Windows Firewall works has been entirely different. It can actually be secured. The problem is that this only works if you have a version that includes the Pro features, which, in Microsoft's description, would be useful only in office environments.

I've searched the web for quite a while before I found out about this option, and it isn't documented properly either, so I've decided to make this little tutorial in order to help others who wish to make use of Windows Firewall, because it is actually a really good lightweight alternative to third party programs which may or may not work with future updates (or upgrades) of Windows.

In order for this to work, your version of Windows must be able to use the Group Policy Editor. If you have, for example, Windows 10 Pro, you can reach it by typing "gpedit" in the Start menu; the search function should point you to a Microsoft Management Console (mmc.exe) snap-in which isn't shown by default in Computer Management. If it doesn't, you can either open it from the Run window (Windows Key + R), or open mmc.exe (you will need administrator rights) and from the menu bar click:

File → Add/Remove Snap-in... → Group Policy Object.

Click Finish when a window appears, and then click OK in the initial Add or Remove Snap-ins window.

In the Local Computer Policy you can now see two branches:

  • Computer Configuration
  • User Configuration

The one you will be interested in is Computer Configuration. Keep expanding the sub-branches until you get to Windows Firewall with Advanced Security, as in the image:

Windows Settings → Security Settings → Windows Firewall with Advanced Security

In more recent versions of Windows 10, Microsoft has renamed it to "Windows Defender Firewall with Advanced Security", but it's obviously the same thing.

From here, the point is to force Windows Firewall to ignore anything you can find in the normal "Advanced" configuration window, which you can access from Control Panel. To do this, right-click on Windows Firewall with Advanced Security - Local Group Policy Object, and select Properties.

[Image: WinFirewall3]

In this window there are three important tabs:

  1. Domain Profile
  2. Private Profile
  3. Public Profile

IPsec Settings are not currently important for this purpose.

Each of the mentioned tabs contains the following options you will be interested in:

  • Firewall state
  • Inbound connections
  • Outbound connections
  • Settings - Customize

If you wish to force the firewall to be on and not allow programs to change that, you will have to set the Firewall state to "On (recommended)" on each of the three tabs. For that matter, every action from now on will also be necessary on each of the three tabs.

The Inbound connections option tells Windows Firewall what to do with incoming connection requests when no other firewall rule specifies otherwise. If you wish to be able to allow some firewall exceptions, set it to "Block (default)", which still honours the allow rules you create later.

The Outbound connections option tells Windows Firewall what to do when programs try to initiate connections from your machine to another machine, whether on your internal local network or on the outside internet. Unless you have a reason to deny yourself access to the network (while still denying access to your own PC, of course), you want this set to "Allow (default)".

If you do not specify Allow here, you will have to add a rule for every single program you wish to allow to connect to the internet or even to the network, including whatever personal file servers you may have on your local network.

Next, the important part which will make Windows Firewall ignore any other rules than those we specify in Group Policy Editor: Settings - "Customize..." button.

[Image: WinFirewall4]

Since the whole point is to forbid programs from getting incoming connections unless we explicitly create specific exceptions in Group Policy Editor, all the settings will have to be set to No here, with the exception of Unicast response, which isn't important for this purpose.

The Rule merging setting tells Windows Firewall whether or not to honour the rules from the Control Panel exceptions list. When set to No, the Control Panel applet becomes useless. You can test this yourself if you wish.

As I mentioned earlier, every profile tab (Domain, Private and Public) must be set individually, so in order to set the firewall properly you will have to repeat these steps on each tab, including the Customize button that opens this window.

From now on, your Windows PC won't accept any incoming connections unless you add them as in the following example. Also, if you selected Block for outgoing connections, you will have to do the same for programs you wish to allow to access the network or the internet; the procedure is the same, the only difference being that you do it under Outbound Rules.

To allow a program to receive incoming connections:

Step 1: Right-click on Inbound Rules, and select "New Rule..."

Step 2: In the wizard window which appears, keep the Program option selected, and click Next.

[Image: WinFirewall6]

Step 3: You have to specify the path to the .exe file which you wish to allow incoming connections to. The easiest way to do this is to use a shortcut for the program. Click on the "Browse..." button, and browse to the .exe file. If you have a shortcut handy, double-click the shortcut inside the browse window, and the wizard will automatically fill in the full path to the .exe file.

[Image: WinFirewal8]

If you used a shortcut to specify the path, it might look like the image above. Don't worry if "%ProgramFiles%" appears in your program path as well; it will work. Click Next.

Step 4: Windows Firewall wants to know what kind of rule this is. You can select to allow or to block the connection. The block option is useful in some cases, because even if there is an allow exception for a program, if there is also a block one for the same program, then the allow one is ignored. This is useful when you want to make sure certain services aren't accessible to the network. Select Allow the connection, and click Next.

[Image: WinFirewall8]

Step 5: Remember the three tabs? Windows uses the current IP subnet to determine if your PC is currently connected to either a private local network, the public internet, or an office domain network (which unlike the other two, is activated once your PC joins an Active Directory domain).

If you want a program to accept incoming connections only while a particular profile is active (the type you chose when Windows first asked you about that network), select only that profile and click Next. Otherwise, the default is to allow it regardless of the profile, which in most cases is what you want. Click Next.

[Image: WinFirewall9]

Step 6: Finally, the last thing you have to do is give this exception rule a name. Since some programs have more than one .exe file and each one needs its own separate rule for the program to work as intended (VirtualBox is one of these, by the way), you may want to give a descriptive name, in case you have to repeat the process for another .exe file from the required set. When you've chosen a name, click Finish.

[Image: WinFirewall10]

That's it! Now the program will be allowed to accept incoming connections. To see the rule in the list, click on Inbound Rules in the left panel, where you initially right-clicked and selected New Rule. Only the rules specified here are valid. You can test this if you wish by adding rules following the same procedure in the Control Panel application: they will not work unless you duplicate them in Group Policy Editor.
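The same configuration can be applied and then audited with the NetSecurity PowerShell cmdlets, which write to the same policy stores that gpedit.msc edits. This is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), that the computer name ("localhost") selects the local GPO store, and it uses a placeholder executable path.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): the post's gpedit.msc procedure
# done with the NetSecurity cmdlets. ASSUMPTION: the computer name ('localhost')
# selects the computer-local GPO store; 'PersistentStore' would instead write to
# the Control Panel rule set that this configuration tells Windows to ignore.
$Store    = 'localhost'
$Profiles = 'Domain', 'Private', 'Public'

# 1. Firewall on, inbound blocked by default, outbound allowed by default,
#    notifications off, and local (Control Panel) firewall and IPsec rules
#    ignored, on all three profiles at once.
Set-NetFirewallProfile -PolicyStore $Store -Profile $Profiles `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen False `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False

# 2. One inbound exception per executable, created in the GPO store so it still
#    applies with rule merging off. PLACEHOLDER path: replace with the real .exe.
$ExePath = '%ProgramFiles%\ExampleApp\ExampleApp.exe'   # hypothetical program
New-NetFirewallRule -PolicyStore $Store `
    -DisplayName 'ExampleApp - inbound (GPO)' `
    -Direction Inbound -Action Allow -Profile Any `
    -Program $ExePath | Out-Null

# 3. Audit the effective (active) configuration: every profile must be enabled,
#    block inbound by default and ignore local rules. A non-empty $bad means the
#    policy did not take effect yet (see the UPDATE at the top about rebooting).
$bad = Get-NetFirewallProfile -PolicyStore ActiveStore | Where-Object {
    $_.Enabled -ne 'True' -or
    $_.DefaultInboundAction -ne 'Block' -or
    $_.AllowLocalFirewallRules -ne 'False'
}
if ($bad) {
    $bad | Format-Table Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules
    throw 'Firewall policy not fully enforced on all profiles.'
}
'All three profiles enforce the group-policy settings.'
```

Run the audit part (step 3) on its own after the reboot mentioned in the UPDATE to confirm the settings stuck.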


You're welcome.
