
I decided to use a whitelist approach to secure my environment (i.e. blocking all inbound/outbound connections by default, unless otherwise stated).

I need to whitelist some Windows apps (not all of them) like PowerShell, cmd, and Remote Desktop in the firewall. However, simply adding cmd.exe, MSTSC.exe, etc. does not do the trick. I am certain that these apps have certain dependencies on other apps for network connection, but I don't know what they are.

Simply whitelisting the OpenSSH files in System32, for example, does not grant access to ssh in PowerShell. I get a "permission denied" error even with elevated access (disabling the firewall fixes it, so it should be fixable by proper firewall rules).

Opening ports is not an option, because by opening a port, other apps that I don't like would also have access to that port. For example, I want to run curl in cmd, but I don't want any other app to have access to port 443.

Furthermore, blacklisting is not an option, since the sheer number of apps that I need to block significantly outnumbers the three apps that I need.


Windows 11: Allow System32/svchost.exe in the firewall, then everything will work.

P.S.: here are some observations about svchost.

Interestingly enough, after blocking this file, Windows loses its internet functionality after a few minutes. I wanted to see why, so I blocked everything except this file, and I noticed that it sends a lot of encrypted packets toward Microsoft and some unknown IPs, even though I have turned off telemetry, Windows Update, etc. in the registry. After blocking svchost, Windows retries sending those packets; however, after a few minutes of failure, the whole internet connection gets disconnected.

That's interesting, because it seems that some applications like Firefox function without svchost for a few minutes, so they probably don't need svchost (?) to access the internet (unlike PowerShell, which loses its functionality immediately after blocking svchost), but nevertheless Windows decides to turn off the internet completely. This might also be related to Does Windows Firewall fully block Windows Telemetry?, since both observations about firewall behaviour there are wrong. Windows IPs are not hardcoded in the Firewall (if that were the case, after blocking everything including svchost we could still have seen TLS packets, but that is not the case), and also we cannot prevent Windows from sending those packets by blocking everything, because svchost nevertheless has to be whitelisted in the Firewall.
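The configuration the answer describes, as an added example that is not part of the original question or answer: a default-deny Windows Defender Firewall policy with outbound allow rules for svchost.exe and the programs the asker wants, built with the built-in NetSecurity cmdlets. The rule names and the program paths (a default Windows installation under `$env:SystemRoot`) are assumptions made for this example.

```powershell
# Added example (not from the original post): whitelist-style firewall setup.
# Run from an elevated PowerShell session. Program paths assume a default
# Windows installation; adjust them if your tools live elsewhere.

# 1. Default-deny: block inbound and outbound traffic on every profile
#    unless an explicit rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Outbound allow rules for the programs we actually want on the network.
#    svchost.exe is included because, as the answer observes, PowerShell, cmd
#    and similar tools stop working when it is blocked.
$allowed = @{
    'Whitelist - svchost'        = "$env:SystemRoot\System32\svchost.exe"
    'Whitelist - PowerShell'     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'Whitelist - cmd'            = "$env:SystemRoot\System32\cmd.exe"
    'Whitelist - Remote Desktop' = "$env:SystemRoot\System32\mstsc.exe"
    'Whitelist - OpenSSH client' = "$env:SystemRoot\System32\OpenSSH\ssh.exe"
}

foreach ($name in $allowed.Keys) {
    # Remove any earlier rule with the same name so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $allowed[$name] -Profile Any | Out-Null
}

# 3. Verify: show the effective default actions and which programs the
#    whitelist rules actually cover.
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction

Get-NetFirewallRule -DisplayName 'Whitelist - *' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Because svchost.exe hosts many services, an allow rule on the executable lets every one of them out. `New-NetFirewallRule` also takes a `-Service` parameter that ties a rule to a single service name, which lets the svchost rule be narrowed to the services that are really needed (for instance the DNS Client service, `Dnscache`, for name resolution); the answer does not go that far, so which services your tools depend on is something to confirm on your own machine before tightening the rule.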
