![]() ![]() Allows only what's really needed by the various components of the system to do things one wants the system to do (such as Windows Update).This will ensure network accesses that have not yet been vetted re disallowed. Denies access by default, unless there is a specific rule allowing a connection.The strategy I'd like to develop a configuration for is one that: It's another case of "what you don't know could hurt you". They don't suit me, and now that I've been doing this experimentation I have come to realize how incredibly promiscuous Windows is about sending data out to sites all over the world. If the defaults suit you, dhjohns, more power to you. Bad juju.Ī firewall should do whatever it is you want it to do. If they were actually caught at doing that, though. Of course, there's no guarantee Microsoft doesn't circumvent their own firewall under some conditions. ![]() I'm starting to think the ongoing maintenance activity needed to support this approach, if supported by a firewall augmentation tool that really pops-up notifications when it should, it's really possible to keep a system on "deny all outbound networking with exceptions". Once you sort out the initial jumble of what services and addresses to allow the required firewall maintenance activity settles right down and you can just use the system. Windows tries to connect to sites all over the world! I've seen it try to reach Redmond, Kansas City, St. I'll look into that other one on the site, maybe it's more mature, though I think the real problem is in the way Win 10 has changed the notification interface.Įven with the program not giving every blocked connection notification, I WAS able to discern the necessary services and addresses to make Windows Update work.Īt this point I have a configuration that completes a Windows Update, allows a base set of my applications to access the net as needed, and has a set of addresses that are explicitly denied. The Windows Firewall Notifier malfunctions in Win 10 in both its latest release version and its alpha version, failing to put up notifications for every blocked connection (which would be necessary to make this a viable long-term solution). I'm guessing that Microsoft did not update the firewall software to understand the modern Windows Update changes yet.Īnyone have any idea what additional services or executables need to be allowed to facilitate Windows Updates? I've added exceptions for the wuauserv service and several other programs (e.g., msdt) and it seems to try just slightly harder, but in fairly short order it just fails with error code 0x80072EFD. Right now I'm having trouble getting Windows Update to work. It's just a matter of discovering the various exceptions. So for now a "deny by default" strategy seems a reasonable answer. Who knows what's built into the binaries. However, if they were caught doing that, it could be very bad press for them.Īnd regarding using an "allow by default, with exceptions" strategy, how can we know all the addresses one would want to block? We simply can't. I hear you regarding the system itself bypassing the firewall. I'm not quite ready to give up on the Windows firewall just yet. Once the basics are set up, I believe this could potentially be a reasonably manageable approach, and should increase system security overall. Various other applications and tools that need to be able to reach the network to do things like check for new versions of themselves or activate online.In order to continue to be able to get Windows Updates, the Windows Update services/processes, including the wushowhide tool will need to be able to reach the net to check for updates.Off the top of my head, the following things still need to be addressed to provide essential network communications, and I'm not yet sure how to accomplish them: I can browse the web with Internet Explorer.I can reach my other computers on my LAN via Windows Networking.Then I added a couple of obvious Allow entries for All profiles, for example to allow iexplore.exe to reach the network. I started by disabling all the rules except those labeled as "Core Networking" for All profiles, and Network Discovery and FIle and Printer sharing for the Private profile. Yes, it implies an ongoing responsibility to manage the firewall whenever new things are added or needed of the system. The trick, of course, will be to define enough rules so that the basic things one DOES want to communicate on the net will still work, while (hopefully) disallowing as much snooping as possible. This is experimentation I've been meaning to do for a very long time, and I'm finally getting around to it. It occurred to me in all these discussions about data collection, etc., as an experiment to try to set the Windows firewall to block outbound connections by default. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |