• Windows Processes That Are Safe to Block in the Firewall


    • This topic has 31 replies, 8 voices, and was last updated 8 years ago.
    #112048

    A firewall spitting notifications of Windows processes and applications inbound and outbound connections is pretty much useless to a non-tech user because it’s hard to figure out which of them are not risky and safe to block without disabling needed functionality.

    How about turning this thread into a deposit of information about inbound and out connections that should and should not be blocked, with what potential consequences and any differences that may exist between Win7 and 10 in this context?

    2 users thanked author for this post.
    Viewing 8 reply threads
    • #112088

      I’m afraid that what you are asking is impossible on several fronts.

      The first is that firewalls block IP addresses, not domains, which are what Windows and applications use. These domains frequently change the IP addresses they resolve to, so the IP addresses which work today will not work indefinitely.

      The only firewalls I know of which are able to get around this problem are the Network/Cloud and Plus versions of Windows 10 Firewall Control but these are not for the kind of user you are talking about. (They work by resolving domain names to IP addresses on the fly every time a connection is attempted.)

      The second is that what connections should or should not be blocked depends on what you are trying to do. Is it keeping your computer safe? Is it minimizing telemetry? And so on.

      Having said that, there may be a possible partial, but acceptable, solution if you use Windows 7 – the free version of Sphinx’s Windows 10 Firewall Control. It has four possible settings which are applied on a per program basis. Two (Allow Incoming and Allow Outgoing) are pretty much useless. The other two are Deny All and Allow All. Depending on what programs you have and what you are trying to accomplish, this may be all you need.

      For me it is. For you it may not be. Let me explain with an example. With W10FW Free, if you use Outlook you cannot prevent it from sending information about what is in your emails to MS to use at its pleasure. I use Thunderbird which doesn’t send information about what is in my emails to anyone but me, so Allow All works fine.

      In addition, Windows “system” applications are set to Enable All in the free version and cannot be changed. That is not a problem for me, since I do not have any of Microsoft’s snooping patches. Again, YMMV.

      Please also note that after you install W10FW Free, every time a new program tries to access the outside, W10FW Free is going to pop up and ask you what you want to do. My solution was to install W10FW Free, open each of the programs on my computer in turn and choose Allow All or Deny All as appropriate. Since then W10FW Free has been quiet except for a few times early on when my antivirus opened an additional application.

      Finally, let me say that my only connection with Sphinx is that of a very satisfied user of W10FW Free.

      I hope this has been of some help.

      3 users thanked author for this post.
      • #112133

        The nice thing about that firewall package is that you can choose to exercise as much or as little control as you’d like. Your approach of sanctioning all-or-nothing communications application by application is entirely reasonable. In your case, you still have the deny-by-default aspect for previously unseen applications, but you don’t get bothered when applications you have chosen to trust make new or different connections.

        -Noel

        2 users thanked author for this post.
    • #112116
      4 users thanked author for this post.
    • #112117
      3 users thanked author for this post.
    • #112127

      How about turning this thread into a deposit of information about inbound and out connections that should and should not be blocked, with what potential consequences and any differences that may exist between Win7 and 10 in this context?

      I’ll try to describe some of what I find goes into developing a good, solid firewall configuration, based on what I do and have done…

      It takes knowledge of internet communications, time, and good reports to get to know what communications are happening, and some knowledge of how applications and Windows work to derive why.

      Please keep in mind I’m a 40 year software engineering veteran who worked for decades in data communications, so I have a fair bit of accumulated personal knowledge I rely upon.

      Many years ago when getting to know, and ultimately control, what remote systems are contacted by the software I run, I tried to use the Windows Firewall as provided by Microsoft. The UI is pretty clunky and I ultimately found it impossible to manage. The biggest problem is that you have to dig through the Security Event Log to get the information about what is blocked (and what is allowed if you know the deep geek level reconfiguration necessary to see that info). My conclusion: I had to find a better way.

      Since then I’ve done two things to improve the situation, to where I can now see what’s happening pretty well:

      1. I implemented a DNS proxy server. This is a program that accepts DNS requests and either resolves them from a local database or forwards them to a real online DNS server, waits for the responses, and forwards them back to the requestor – all in a tiny fraction of a second. I build the server software from an open source package (Dual DHCP DNS Server), and have modified the list capacities and logging slightly.

      2. I bought the top-end Sphinx Windows 10 Firewall Control package, which leverages the Windows Filtering Platform and Base Filtering Engine, but puts a darned nice UI on it and gives an “at a glance” report you can use to really get to know what Windows and its applications are doing online.

      What I see, when I’m curious about what communications are being done, are these displays, part of one of my DNS proxy config files at the top, Sphinx Firewall’s Events page in the middle, and a tail -f (updating) display of the DNS proxy name resolutions at the bottom:

      [Screenshot: ScreenGrab_NoelC4_2017_05_01_085939]

      I have just run an application (BowPad) that I’ve set up in the firewall Program’s panel to log both successful contacts as well as blocked contacts. You can see from the DNS proxy display at the bottom that at 08:51:48 it resolved svn.code.sf.net into an address, then in the Sphinx panel you can see that it immediately made a TCP connection to svn.code.sf.net.

      A bit of online research and application of prior knowledge implies that svn.code.sf.net is a site involved with providing software downloads. Sure enough, if I exercise the application’s “check for updates” button, we see by the increasing Rep count that svn.code.sf.net is contacted again.

      [Screenshot: ScreenGrab_NoelC4_2017_05_01_090413]

      [Screenshot: ScreenGrab_NoelC4_2017_05_01_090432]

      This activity has increased my knowledge of what the BowPad editor, specifically, does online, and has given me information to configure the needed rules to allow it to do only what I’ve observed to be a reasonable use of the network. In fact, if BowPad DOES have an update, several more sites are contacted in the process of downloading and installing the update. Ultimately I accumulated this specific set of rules that will allow the BowPad editor to check for updates, update itself, yet not to contact any other sites unexpectedly.

      [Screenshot: ScreenGrab_NoelC4_2017_05_01_090725]

      Ultimately, when I’m comfortable I’m only seeing sanctioned communications, I hide the logging of successful ones for a given application. I’ll still see any new connection attempts that the firewall blocks – which may indicate unexpected telemetry or something I don’t want – or it might just mean the software has been changed to use a different server and/or I haven’t completed the list of necessary rules to allow benign online contacts.

      Now imagine taking the time to develop the above knowledge and configuration entries for all the different applications you use in your system and you get an idea of what it takes to develop a very effective deny-by-default firewall configuration.

      Not to mention seeing what’s being contacted when gives you the impetus and info to go find out why, and ultimately to discover the configuration options for causing such communications not to even be tried.

      You’re absolutely right in thinking it’s a time-consuming and non-trivial job, but it’s DOABLE. What you ultimately get is a system where:

      A) You understand what communications are being done by what software, and
      B) You ultimately control what communications are allowed and which are not.

      There are of course SYSTEM communications, especially those needed to contact such sites as security certification authorities. Deriving those and where to put the entries to allow or deny the communications is material for a whole different post. I’ll get to it.

      And there are simplifications. You can, for example, choose to allow certain programs free access to the Internet (possibly with exceptions). For those specific programs, per your configuration the firewall can change from “deny-by-default with exceptions” to “allow-by-default with exceptions”. A good example would be a web browser. I haven’t touched on how to configure the firewall for that here – again, it needs another entire post. With a willingness to watch the logs and adjust the configuration, you can coalesce a good configuration for every program.

      I haven’t begun to mention how the DNS proxy server fits into all this. As you can see, the log of what sites are being resolved into addresses is useful, but you might also notice the words “— blacklisted by DNS server —” in that log panel. Again, that’s a subject for an entirely separate post.

      Monitoring and controlling communications seems complex, but it really is something you can ultimately understand and handle if you put in the effort because it’s built up from a whole set of simple things – as is computing in general, really.

      -Noel

      2 users thanked author for this post.
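The DNS proxy Noel describes in item 1 above (accept a request, answer it locally if the name is on a blacklist, otherwise forward it upstream and relay the reply) can be sketched in a few dozen lines. The following is an added example, not Noel's Dual Server build or any part of the Sphinx product; it uses only the Python standard library, a tiny constructed blacklist, a hypothetical upstream resolver address, and a made-up log line format that imitates the one shown later in this thread:

```python
import socket
import struct

# Constructed blacklist for this example; a real one (Noel's) is far larger.
BLACKLIST = {"www.google-analytics.com", "mc.yandex.ru"}

QTYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query packet: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (name, qtype, end_offset) for the first question in a DNS packet."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain query
            raise ValueError("compressed name in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels).lower(), qtype, pos + 4  # +4 skips qtype and qclass


def nxdomain_response(query):
    """Answer locally with NXDOMAIN: same id, QR=1, RD copied, RA=1, RCODE=3."""
    _, _, end = parse_question(query)
    flags = bytes([0x80 | (query[2] & 0x01), 0x83])
    header = query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0)
    return header + query[12:end]  # echo the question section, no answers


def is_blacklisted(name, blacklist):
    """Match the name itself or any parent domain (ads.x.com matches x.com)."""
    return any(name == entry or name.endswith("." + entry) for entry in blacklist)


def handle_query(packet, blacklist, forward):
    """Decide one packet: local NXDOMAIN, or whatever forward(packet) returns."""
    name, qtype, _ = parse_question(packet)
    qt = QTYPE_NAMES.get(qtype, str(qtype))
    if is_blacklisted(name, blacklist):
        return nxdomain_response(packet), f"{name} {qt} not found (1) --- blacklisted by DNS proxy ---"
    return forward(packet), f"{name} {qt} resolved from Forwarding Server"


def forward_udp(packet, upstream=("192.0.2.53", 53), timeout=2.0):
    """Relay the raw query to an upstream resolver (placeholder address) over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        reply, _ = s.recvfrom(4096)
    return reply


def serve(bind=("127.0.0.1", 5353), blacklist=BLACKLIST):
    """Single-threaded UDP loop; prints one log line per decision, like the proxy log."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            packet, client = s.recvfrom(4096)
            try:
                reply, line = handle_query(packet, blacklist, forward_udp)
            except (ValueError, OSError) as exc:
                print(f"Client {client[0]}, dropped: {exc}")
                continue
            print(f"Client {client[0]}, {line}")
            s.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Returning NXDOMAIN rather than silently dropping the query is what makes the browser fail fast instead of waiting on a timeout, and it is why the blacklisted entries in the log read “not found”. The suffix match in `is_blacklisted` is what lets one entry cover every host under a tracking domain; whether you want that breadth is a per-entry decision.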
    • #112135

      I agree with your concept, Noel. I believe, at this point in MS control, that the use of Windows firewall to control the ins and outs is risky. MS can write the control for you personally and put a backdoor in the control for them.

      • #112136

        And in fact it can be verified that there are secret rules loaded that do NOT appear in the overt set you can see with the Windows UI. They can be seen by dumping the data from the WFP with e.g., the netsh wfp show state command; you get, in an XML file, the list described here. In that thread the author of the Sphinx firewall reassured me that his rules have higher priority than the secret ones.

        And there can be concerns over what Windows sends abroad during its “private times”, when the local firewall software is not on duty at all – e.g., when it’s rebooting into its own pure environment to install upgrades or updates, and has access to your disk with all the stored telemetry data on it…

        -Noel

        1 user thanked author for this post.
        • #112170

          The initial message in the thread talks about disabling the Win Firewall when Sphinx is active. Does he mean the free Sphinx too, or only the paid version?

          • #112454

            Sphinx does it all, so there is no need to have the Windows Advanced Firewall active. In fact it can confuse things to have two different controllers loading rules into the Base Filtering Engine.

            I’m speaking only of my experience with the Network/Cloud version. I’m not sure about the free version.

            -Noel

    • #112142

      You know it really just occurred to me that a discussion regarding the necessity of blocking Windows Processes at the firewall would have seemed pointless a few years ago.

      Most security efforts were based around the concept of a “trusted” OS.

      We really are heading down the swirly, aren’t we???  🙂

      Windows 10 Pro 22H2

      1 user thanked author for this post.
    • #112167

      Thanx to all contributors. I will have to spend some time reading this, but let me clarify:

      I am using free Sphinx — does it require Windows Firewall to work, or does it work on its own and I can deactivate the Win firewall?  It allows to allow or deny BY PROGRAM, not IP address, so it seems possible to block certain Windows processes and apps.

      From Noel’s description of what it takes to do a thorough blocking job I take that it is not a feasible one for the average user, if even in terms of the time required, let alone tech knowledge and understanding.

      My intention here was mainly to protect Win7 and Win10 1511 systems from MS’s forced upgrades. The question is: is it possible to identify some Win components that might be involved in such acts and block them without impairing functionality?

      Also, if the functionality of some app does not seem to require connections, either (1) it checks for updates and/or (2) does nefarious things, in which case I should be able to unblock it only when I want to check for updates. So if I do and it stops working, should I assume (2)? IOW, can apps have a functional need for connections that is hidden?

    • #112186

      fp-

      I am using free Sphinx. It allows to allow or deny BY PROGRAM, not IP address, so it seems possible to block certain Windows processes and apps.

      If by free Sphinx you mean the free version of Sphinx’s Windows 10 Firewall Control, in that version all Windows processes are always allowed and this cannot be changed.

      My intention here was mainly to protect Win7 and Win10 1511 systems from MS’s forced upgrades.

      Windows 7 does not have any forced upgrades.

      • #112206

        Ah, now that you mention it, I was wondering about that. Does the paid version allow it?

        I am interested in both Win7 and Win10 1511.

        As to Win7, no forced upgrades YET. But given their behavior to date, that could be only temp. Who knows what they’ll do if too many of us refuse to migrate to Win10 latest and greatest?

        1 user thanked author for this post.
        • #112211

          Does the paid version allow it?

          There are three paid versions. The Basic version does not. The Plus and Network/Cloud versions do.

          2 users thanked author for this post.
        • #112215

          As to Win7, no forced upgrades YET. But given their behavior to date, that could be only temp.

          Can’t argue with you there.

        • #112227

          Since the free Sphinx runs concurrently with the Windows Firewall, it is possible to set up a few outbound rules in the Windows Firewall to stop certain Windows processes.  It is not a complete solution because if you observe Windows for any amount of time, you will see many processes connecting to the net as svchost.exe.  That is probably not a good one to block!

          I have blocked by this method:

          Explorer.exe

          SearchUI.exe

          Telrunner.exe

          1 user thanked author for this post.
          • #112240

            By “runs concurrently” you mean it’s just a UI to the Windows Firewall, or can I disable the latter and rely only on Sphinx?

            • #112248

              With the free Sphinx it’s like you really have two Firewalls running.  It’s all kind of confusing, actually.  It’s not really a front-end at all.  The rules made in Sphinx don’t show up in Windows and vice versa.  Try it yourself and see …

              But as I understand it, you should have the Windows Firewall running with the Free version.

              http://vistafirewallcontrol.freeforums.org/vistafirewallcontrol-vs-windows-built-in-firewall-t16.html

              “VFC free can not manage system (located in c:\windows\*) applications, only VFC Plus protects all the applications including system ones.
              So using VFC Free Windows built-in firewall may be used to protect system applications.”

              http://www.sphinx-soft.com/Vista/faq.html

              “Windows 10 Firewall Control is based on Windows Filtering Platform (WFP), the security core of Windows10/8/7/Vista/2008/2012, completely and does not install any third party kernel drivers. The Built-in Firewall is based on the same WFP as well. The both products work independently entirely. You can switch the Built-in Firewall ON or OFF at your option due to complete product independence.”

              1 user thanked author for this post.
    • #112259

      I build the server software from an open source package (Dual DHCP DNS Server), and have modified the list capacities and logging slightly.

      Noel-

      From what you posted elsewhere about your modifications they seem to me to be significant improvements. Would you be willing to make your version available to others?


    • #112471

      No problem, I’ve updated my post above with a link to my security environment setup.

      I just realized I may have a bad link in that post.

      Altered and built for 64 bit DNS server software:
      http://Noel.ProDigitalSoftware.com/files/DualServer64BitInstallation.zip

      -Noel

    • #112516

      Noel-

      Thanks for the download link.

      I downloaded the zip file, unzipped it, and looked at the manual, which says to run the installer. I assume from this that the contents of the zip file need to be compiled into an installer, which is beyond my ability.

      Is it possible for you to provide a compiled installer for your 64-bit version?

      TIA.

      alice

    • #112547

      http://Noel.ProDigitalSoftware.com/files/DualServer64BitInstallation.zip contains an installed image – it’s the contents of my C:\DualServer folder.

      I believe it should be possible to copy the entire contents to C:\DualServer and just run it. You’ll probably want to change some things in the .ini file to customize it for your network.

      -Noel

    • #112570

      Noel-

      Thanks so very much for your help and for your patience.

      I will copy the contents to C:\DualServer and run it as soon as having to do an image reinstall isn’t going to create problems.

      -alice

    • #112701

      FYI, I was given a link by someone who suggested looking at an interesting optical illusion on a web page. Complete nonsense and useless, but occasionally I visit frivolous sites just to watch my DNS log go by while doing so. When I reached the bottom of the page I chose some additional interesting links by clicking on the pictures.

      The link that got me started was:
      https://brightside.me/article/proof-that-you-should-never-believe-your-own-eyes-4/

      An excerpt of my DNS log after visiting one of their pages showing the ratio of blocked vs. allowed sites. I had no problems seeing the content and I enjoyed the visit.

      [04-May-17 10:02:41] Client 192.168.2.32, brightside.me A resolved from Forwarding Server as 144.76.47.202

      [04-May-17 10:07:04] Client 192.168.2.32, brightside.me A resolved from Cache to 144.76.47.202
      [04-May-17 10:07:05] Client 192.168.2.32, www.googletagservices.com A not found (1) --- blacklisted by DNS proxy ---
      [04-May-17 10:07:05] Client 192.168.2.32, www.google-analytics.com A not found (1) --- blacklisted by DNS proxy ---
      [04-May-17 10:07:05] Client 192.168.2.32, files.brightside.me A resolved from Forwarding Server as 88.99.223.14
      [04-May-17 10:07:05] Client 192.168.2.32, mc.yandex.ru A not found (1) --- blacklisted by DNS proxy ---
      [04-May-17 10:07:05] Client 192.168.2.32, sb.scorecardresearch.com A not found (1) --- blacklisted by DNS proxy ---
      [04-May-17 10:07:05] Client 192.168.2.32, apis.google.com A resolved from Forwarding Server as 216.58.219.174
      [04-May-17 10:07:05] Client 192.168.2.32, apis.google.com A resolved from Cache to 216.58.219.174
      [04-May-17 10:07:06] Client 192.168.2.32, js-agent.newrelic.com A not found (1) --- blacklisted by DNS proxy ---

      [04-May-17 10:10:46] Client 192.168.2.32, files.brightside.me A resolved from Forwarding Server as 88.99.223.14


      This is pretty typical – most web pages have mostly junk that’s not useful to the user nowadays. And we don’t even see the secondary or tertiary lists of sites visited from all the ads that would have been run if not blocked. What sites does your browser contact when you surf to the above link?

      The beauty of the big, complex blacklist is that it’s pretty darned good at weeding out the junk from sites one has never visited before.

      -Noel
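Noel's excerpt is short enough to count by eye, but a day's worth of proxy log is not, and the "ratio of blocked vs. allowed sites" he mentions is exactly the kind of figure worth computing per page visit or per client. The script below is an added example, not part of Noel's Dual Server setup: it parses the three line shapes visible in the excerpt above (forwarded, served from cache, blacklisted), counts lines and distinct names per outcome, and rolls names up to a naive two-label "site". The sample log is the excerpt from the post, embedded verbatim; the regex and the two-label site heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Log excerpt copied from the post above (Dual Server DNS proxy log lines).
SAMPLE_LOG = """\
[04-May-17 10:02:41] Client 192.168.2.32, brightside.me A resolved from Forwarding Server as 144.76.47.202

[04-May-17 10:07:04] Client 192.168.2.32, brightside.me A resolved from Cache to 144.76.47.202
[04-May-17 10:07:05] Client 192.168.2.32, www.googletagservices.com A not found (1) --- blacklisted by DNS proxy ---
[04-May-17 10:07:05] Client 192.168.2.32, www.google-analytics.com A not found (1) --- blacklisted by DNS proxy ---
[04-May-17 10:07:05] Client 192.168.2.32, files.brightside.me A resolved from Forwarding Server as 88.99.223.14
[04-May-17 10:07:05] Client 192.168.2.32, mc.yandex.ru A not found (1) --- blacklisted by DNS proxy ---
[04-May-17 10:07:05] Client 192.168.2.32, sb.scorecardresearch.com A not found (1) --- blacklisted by DNS proxy ---
[04-May-17 10:07:05] Client 192.168.2.32, apis.google.com A resolved from Forwarding Server as 216.58.219.174
[04-May-17 10:07:05] Client 192.168.2.32, apis.google.com A resolved from Cache to 216.58.219.174
[04-May-17 10:07:06] Client 192.168.2.32, js-agent.newrelic.com A not found (1) --- blacklisted by DNS proxy ---

[04-May-17 10:10:46] Client 192.168.2.32, files.brightside.me A resolved from Forwarding Server as 88.99.223.14
"""

# Assumed line shape: "[timestamp] Client <ip>, <name> <qtype> <outcome text>".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client (?P<client>\S+), (?P<name>\S+) (?P<qtype>\S+) (?P<rest>.+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for blank/unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if "blacklisted" in rest:
        rec.update(outcome="blocked", source=None, address=None)
    elif rest.startswith("resolved from "):
        source = "cache" if rest.startswith("resolved from Cache") else "upstream"
        rec.update(outcome="allowed", source=source, address=rest.rsplit(" ", 1)[-1])
    else:
        rec.update(outcome="other", source=None, address=None)
    return rec


def site(name):
    """Naive registrable domain: last two labels. Fine for .com/.ru/.me, wrong for co.uk-style suffixes."""
    return ".".join(name.split(".")[-2:])


def summarize(lines):
    """Count outcomes by line and by distinct name, and report the blocked share of names."""
    records = [r for r in map(parse_line, lines) if r]
    by_outcome = Counter(r["outcome"] for r in records)
    blocked = sorted({r["name"] for r in records if r["outcome"] == "blocked"})
    allowed = sorted({r["name"] for r in records if r["outcome"] == "allowed"})
    total_names = len(blocked) + len(allowed)
    return {
        "blocked_lines": by_outcome["blocked"],
        "allowed_lines": by_outcome["allowed"],
        "cache_hits": sum(1 for r in records if r["source"] == "cache"),
        "blocked_names": blocked,
        "allowed_names": allowed,
        "blocked_sites": sorted({site(n) for n in blocked}),
        "allowed_sites": sorted({site(n) for n in allowed}),
        "blocked_share": len(blocked) / total_names if total_names else 0.0,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"blocked {s['blocked_lines']} lines / {len(s['blocked_names'])} names: {s['blocked_sites']}")
    print(f"allowed {s['allowed_lines']} lines / {len(s['allowed_names'])} names: {s['allowed_sites']}")
    print(f"cache hits: {s['cache_hits']}, blocked share of names: {s['blocked_share']:.0%}")
```

Counting distinct names rather than lines is what answers Noel's question; repeated cache hits for the same name would otherwise inflate the allowed side. The same `parse_line` records, grouped by client address, also give you a per-machine view, which is where an unexpected first-time name from a box that should be quiet stands out.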

    • #112740

      If you want to have some real fun, install the “Disconnect” browser extension in Chrome or Firefox, and enable the “Visualize page” option.

      You will see a graphic showing all of the connections your browser makes from that one page!

      Very educational!  However the graphic may not show a lot if you are using other blocking tools.  But you can temporarily disable them if you wish to have a look.  🙂

      Disconnect “Visualize page”

      Windows 10 Pro 22H2

      1 user thanked author for this post.
    • #112780

      You can also get a listing of what your browser connects to via whatever “developer tools” it normally provides. I know with IE you can choose “F12 Developer Tools” and watch network traffic.

      What most people don’t realize is that most web sites attempt to coopt your system to do a LOT more than what you want when you browse any given web page. Often more than half of the communications have nothing to do with what you wanted to see. The world is trying to derive all kinds of things from your internet usage, and if you allow it then you’re breaching your own privacy simply by surfing.

      -Noel

      1 user thanked author for this post.
    • #112783

      Yup, I know what developer tools are.  I have taken a few courses on web development.  🙂

      The thing with the modern web, it is getting complicated.  Many of those extra links are harmless, and necessary to connect web CSS frameworks, images, jscript, and content delivery networks, etc., to a dynamic webpage when you view it.  It’s not like the old days when all content was hosted in directories on one web server.

      But buried in that soup of links that you see from commercial websites are some connections  that qualify as privacy thieves in the way that you have described.  Ads and tracking mechanisms top that list.

      I think the trick now is to use whatever method works best for you to block the trackers.  For the highly technical user such as yourself, your approach is fine.  But for helping out a noob, I would recommend to simply add a few browser extensions like uBlock Origin, Privacy Badger and Disconnect.

      Windows 10 Pro 22H2

      1 user thanked author for this post.
    • #112818

      There’s a nifty addon for Chrome/Chromium browsers (I use Slimjet) called uMatrix (from the makers of uBlock which I also use) which is like NoScript for Firefox only easier to use. By default, it allows only 1st party content and blocks everything else. Tweaking things to allow websites to load normally is as easy as a couple clicks. I would still say it is for advanced users generally, but it is much more user friendly than Firefox’s NoScript and, IMO, better because it shows you which things are 1st party and which are 3rd party. Fantastic addon for users interested in cutting out all the other c*** it tries to do and lets you allow only what is necessary for the page to load and function normally.

    • #112842

      I use uMatrix on Firefox and Chrome.  Switched to it from NoScript on Firefox.

      I think it’s awesome!!!  Well worth learning to use!!!

      Windows 10 Pro 22H2
