I decided to use a whitelist approach to secure my environment (i.e., blocking all inbound/outbound connections by default, unless otherwise stated).
I need to whitelist some Windows apps (not all of them) like PowerShell, cmd and Remote Desktop in the firewall. However, simply adding cmd.exe, mstsc.exe, etc. does not do the trick. I am certain that these apps have certain dependencies on other apps for network connection, but I don't know what they are.
Simply whitelisting the OpenSSH files in System32, for example, does not grant access to ssh in PowerShell. I get a "permission denied" error even with elevated access (disabling the firewall fixes it, so it should be fixable with proper firewall rules).
Opening ports is not an option, because by opening a port, other apps that I don't like would also have access to that port. For example, I want to run curl from cmd, but I don't want any other app to have access to port 443.
Furthermore, blacklisting is not an option, since the sheer number of apps that I need to block significantly outnumbers the three apps that I need.
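The setup the question describes, as an added PowerShell example (not code from the original post): a default-deny Windows Firewall policy with per-program allow rules created through the NetSecurity cmdlets. The rules are keyed on the executable that actually opens the socket (curl.exe, ssh.exe, mstsc.exe) because Windows Firewall matches the process image, not the shell that launched it; a DNS rule scoped to the Dnscache service is included because none of those programs can connect to a hostname without name resolution. The executable paths, rule names and ports are assumptions for a stock Windows 10/11 installation; run it from an elevated session.

```powershell
# Added example: per-program allow rules on top of a default-deny Windows Firewall
# policy. Not taken from the original post. Paths and rule names are assumptions.
#Requires -RunAsAdministrator

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Default-deny in both directions on every profile. Only explicit allow rules
#    (including Windows' own built-in ones that are still enabled) pass traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow rules keyed on the executable that opens the socket. The rule goes on
#    curl.exe / ssh.exe / mstsc.exe, not on cmd.exe or powershell.exe, because the
#    firewall evaluates the connecting process, not its parent shell.
$allow = @(
    @{ Name = 'Allow curl HTTPS';  Program = "$sys32\curl.exe";        Protocol = 'TCP'; RemotePort = 443  }
    @{ Name = 'Allow OpenSSH';     Program = "$sys32\OpenSSH\ssh.exe"; Protocol = 'TCP'; RemotePort = 22   }
    @{ Name = 'Allow RDP client';  Program = "$sys32\mstsc.exe";       Protocol = 'TCP'; RemotePort = 3389 }
)

foreach ($r in $allow) {
    # Drop any stale copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Program $r.Program -Protocol $r.Protocol -RemotePort $r.RemotePort `
        -Profile Any | Out-Null
}

# 3. Name resolution. The Windows resolver runs inside svchost.exe as the Dnscache
#    service, so scope the rule to that service instead of allowing svchost.exe as a whole.
Get-NetFirewallRule -DisplayName 'Allow DNS (Dnscache)' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Allow DNS (Dnscache)' -Direction Outbound -Action Allow `
    -Program "$sys32\svchost.exe" -Service Dnscache -Protocol UDP -RemotePort 53 `
    -Profile Any | Out-Null

# 4. Verify: every enabled outbound allow rule with the program and port it is bound to,
#    then the effective default action per profile. Rules with no Program value are
#    port-wide and are exactly what a whitelist policy should not contain.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; RemotePort = $port.RemotePort }
    } | Format-Table -AutoSize

Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

The verification step matters as much as the rules: switching the default action to Block does not disable the allow rules Windows ships with, so any pre-existing rule that allows a port without a Program filter still lets every process reach that port. Audit that list and disable or narrow such rules, otherwise the whitelist is not the one you think you have.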