6

(reformulated question following Ramhound's suggestion - original question below)

Firewall in use: standard Microsoft Windows 10 firewall. Settings: everything is blocked inbound and outbound except if an explicit rule allows it.

Problem: with almost every MS update, rules are added to the rules list. Example: Cortana exceptions are added.

Desired situation: a method to lock down modification of the rule set by anyone, including the system itself. Rules can be altered only if I explicitly allow it.


(original question) I have Windows 10's own firewall set up with minimal inbound and outbound rules. Anything not in the rules gets blocked.

But I noticed that practically every time Windows updates get installed, unwanted rules are added (which I delete as soon as I notice).

Is there a way I can totally freeze rule modification, even from the system itself?

I don't want another firewall. For once, MS's own is sufficient (it just lacks a functioning learn/log mode).

7
  • 1
    Can you be more specific?
    – Ramhound
    Commented Oct 29, 2016 at 23:32
  • Sorry for the late reply. More specific: Firewall in use: standard Microsoft Windows 10 firewall. Settings: everything is blocked inbound and outbound except if an explicit rule allows it. Problem: with almost every MS update, rules are added to the rules list. Example: Cortana exceptions are added.
    – glenndm
    Commented Dec 15, 2016 at 13:58
  • 1
    Desired situation: a method to lock down modification of the rule set by anyone, including the system itself. Rules can be altered only if I explicitly allow it. Best regards
    – glenndm
    Commented Dec 15, 2016 at 14:05
  • You should edit the question
    – Ramhound
    Commented Dec 15, 2016 at 15:14
  • I edited the question. My apologies, should it not be any clearer. English is not my first language. To me, both formulations seem the same.
    – glenndm
    Commented Dec 16, 2016 at 15:17

2 Answers

2

I can understand your wish. It is absolutely crazy how many rules Windows 10 creates without you even being able to see the rules. The one created on a per-user basis for Cortana in WF.msc is just one. This is also the reason why I do not think that Windows 10 is more secure than Windows 7. The Filtering Platform is the same, but the number of services and background tasks, as well as predefined exceptions in the firewall rules, is enormously higher than in Windows 7. So the attack surface is, in my opinion, much higher than in Windows 7, where you can configure the firewall very strictly and with almost no automatic modifications.

To come back to your question: it is not too complicated to modify the Windows Firewall to prevent automatic firewall rules. What you need is to break inheritance and copy permissions in the Registry. Take off all write permissions for MpsSvc and, to avoid future overwrites, also for System. You may also want to create a new group which has the right to change them and is also owner of these subkeys.

The following registry keys store the rules: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" and all subkeys. "Static" are only configurable by Registry, "Configurable" by command line and Registry, "FirewallRules" are the rules you can see in WF.msc. If you take away the rights on FirewallRules too, you cannot modify them via mmc.exe/wf.msc anymore.

However, as with all such deep tweaks, there are more or less big caveats. If you delete all Allow rules in the subkeys Static and Configurable for modern apps like Cortana, Shell Experience, AAD Broker and so on, you will break the Start menu as well. Nothing happens when you click the button, because new apps communicate over the network / Filtering Platform, and as you have disallowed that, they won't do anything if these rules do not exist. Especially the first-time login is highly dependent on these things. However, Windows still works like a charm. All apps are shown in the task list, the desktop still works fine and so on, as do shortcuts like Win+R. But the Start menu with Cortana does not.

There are also other things I do not like at all. For example, MS has deformed a lot of services which are for telemetry/privacy use only, so for no other technical reason. For example the AitAgent. You cannot disable it, because you cannot see it in the mmc.exe plugin, not even with SystemUtilities. But in the Registry you see half of it. There are many other privacy-related tasks and services too, and with every update there are new ones, even in LTSB Enterprise versions. In my opinion W10 is technically a very good OS, but in questions of privacy it is far worse than you may ever expect, and MS is making it harder all the time to disable the crap. They collect all data, and if a user forgets to click on no, everything is sent over the air. For some tweaks you need to start in secure mode, for some you need a task running as "TrustedInstaller" or System, and with a lot of them you cannot even use SystemUtilities and have to modify the registry yourself, and so on.

Unfortunately there is no way to really avoid Windows 10 in the future, as new silicon only supports Windows 10, and without Windows you cannot work in a modern company, as the biggest part of software vendors work on Windows and a lot of people just do not care about these things.

2
  • Hello Anton, thank you for your lengthy reply. I'll try out the registry approach.
    – glenndm
    Commented Oct 21, 2017 at 11:39
  • Hello Anton, thank you for your lengthy reply. I'll try out the registry approach. I share your doubts on Windows 10. I like and hate it at the same time. The sprawl of settings is enormous. For some things, knowledge of DOS is still necessary. The privacy issues are another worry. I know I spend a lot of time on my own machines disabling them, as I also know that the majority of users does not. Now off to regedit and hope not to break it too much.
    – glenndm
    Commented Oct 21, 2017 at 11:50
0

Here is what we can do:

  1. Download SetACL.exe from https://helgeklein.com/download/
  2. Create a file firewall.bat with the following content:

@echo off
REM Assumes ControlSet001 is the active control set (normally what CurrentControlSet points to)
REM and that setacl.exe is on the PATH or next to this script.
set KEY=HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

REM 1. Take ownership of the key, cut inheritance without copying the inherited ACEs,
REM    then grant Everyone full control so the rule set can be rewritten below.
setacl.exe -ot reg -on "%KEY%" -actn setowner -ownr "n:Administrators"
setacl.exe -ot reg -on "%KEY%" -actn setprot -op "dacl:p_nc"
setacl.exe -ot reg -on "%KEY%" -actn ace -ace "n:everyone;p:full"

REM 2. Wipe every existing rule and add your own (append further add rule lines here).
netsh advfirewall firewall delete rule name=all
netsh advfirewall firewall add rule dir=in action=allow name="icmpv4" protocol=icmpv4
netsh advfirewall firewall add rule dir=in action=allow name="icmpv6" protocol=icmpv6

REM 3. Replace Everyone's ACE with read only (explicit ACEs that existed before step 1 are untouched).
setacl.exe -ot reg -on "%KEY%" -actn ace -ace "n:everyone;p:read"

  3. Run firewall.bat with administrator rights

Explanation:

SetACL.exe manipulates the permissions on the FirewallRules registry key:

  1. At the start it replaces the owner with the Administrators group, disables permission inheritance and grants Everyone full control over that key.
  2. After that the firewall commands run: clearing all existing rules and adding your own.
  3. The last part sets read-only access on the registry key.

It is enough to run these commands only once: no one will be able to change firewall rules (including administrators and the firewall management itself) unless they change the registry key permissions. But I'm pretty sure that some major update will override those registry permissions and rules, so it will be useful to create a scheduler task that runs when the computer starts.

1
  • The next thing that would happen is a frozen Start Menu and not being able to install any of Windows Store apps/games.
    Commented Jul 1 at 5:10
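An added audit script (not code from the question or from either answer) for the FirewallRules key both answers deal with: it snapshots the rule values and diffs them against the previous run, so rules an update slipped in are listed by id, and it reports which principals still hold write rights on the key and whether inheritance is cut, which is the state the SetACL script above is meant to leave behind. Assumptions: it runs elevated, it uses CurrentControlSet in place of ControlSet001, and the baseline file path is a placeholder.

```powershell
$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$Baseline = Join-Path $env:ProgramData 'fwrules-baseline.json'   # placeholder path (assumption)

function Get-FirewallRuleSnapshot {
    # Every value under FirewallRules is one rule: value name = rule id, data = pipe-delimited definition
    $key  = Get-Item -Path $RulesKey
    $snap = @{}
    foreach ($name in $key.GetValueNames()) { $snap[$name] = [string]$key.GetValue($name) }
    return $snap
}

function Compare-FirewallRuleSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    $added   = $New.Keys | Where-Object { -not $Old.ContainsKey($_) }
    $removed = $Old.Keys | Where-Object { -not $New.ContainsKey($_) }
    $changed = $New.Keys | Where-Object { $Old.ContainsKey($_) -and $Old[$_] -ne $New[$_] }
    [pscustomobject]@{ Added = @($added); Removed = @($removed); Changed = @($changed) }
}

function Get-FirewallRuleKeyWriters {
    # Read-only audit: who can still write the key, who owns it, and is inheritance cut?
    $acl = Get-Acl -Path $RulesKey
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band [int]$writeMask) -ne 0) } |
        Select-Object -ExpandProperty IdentityReference
    [pscustomobject]@{ Owner = $acl.Owner; InheritanceDisabled = $acl.AreAccessRulesProtected; Writers = @($writers) }
}

$current = Get-FirewallRuleSnapshot
if (Test-Path $Baseline) {
    $old = @{}
    (Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = $_.Value }
    $diff = Compare-FirewallRuleSnapshot -Old $old -New $current
    "Rules added since baseline: $($diff.Added.Count)"
    $diff.Added | ForEach-Object { "  + $_ = $($current[$_])" }
    "Rules removed: $($diff.Removed.Count)   Rules changed: $($diff.Changed.Count)"
} else {
    "No baseline found; recording the current rule set as the baseline."
}
$current | ConvertTo-Json | Set-Content -Path $Baseline
Get-FirewallRuleKeyWriters | Format-List
```

Run it once to record the baseline, then again after an update: a non-empty Added list or a Writers list containing SYSTEM or NT SERVICE\MpsSvc means the rule set or the lock-down has been reverted.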
