Thursday, July 8, 2010

Windows 7 Firewall

Recently I've been looking into the Firewall built into the Windows 7 Client and I must say I’m pretty impressed with the levels of flexibility and power I’ve seen so far.


To expose this functionality you’ll need to open Windows Firewall with Advanced Security (you can just search for that from the Start menu).

Now this stuff may not work for you, but my objective was to lock Windows down tighter than a fish's arsehole! I mean think about it! Why should every application on your PC be allowed uncontrolled access to the internet? Whose PC is it? Whose internet bandwidth is it? Is it yours? Or are you just going to gift it to whoever wrote the apps you choose to install?

No. No. NO!

We’re IT pros! WE say what happens on our PCs. Not Steve Jobs, not Larry and Sergey and certainly not the cool guys that wrote that crack and keygen for that game you played once and then uninstalled!

Think you don’t need to worry? One command for you, my friend:
netstat -aon

Go on, go run it now… I’ll wait. I’m happy to wait, I’m just an article on the internet.

If netstat’s too hard to interpret, check out TCPView (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx); it’s a bit friendlier and runs in real time. Alternatively you could always pull out Network Monitor and just have a little look at all your outbound traffic.

So do you know what half of the crap running there does? I didn't.
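The hard part of reading netstat -aon is that the last column is just a PID. As an added example (not from the original post), this PowerShell function joins each netstat row with the process list so every socket carries a process name; it assumes an elevated PowerShell prompt on Windows 7, and the -EstablishedOnly switch is a hypothetical name chosen for this example.

```powershell
# Added example, not from the original post: annotate "netstat -aon" with the
# owning process name so the PID in the last column becomes something you can
# recognise (or go and look up). Assumes an elevated PowerShell on Windows 7.
function Get-NetstatOwner {
    param(
        # Hypothetical switch for this example: show only sockets with a live remote peer
        [switch]$EstablishedOnly
    )

    # PID -> process name lookup built once; a PID that has exited between the
    # Get-Process call and the netstat snapshot is reported as "<gone>"
    $names = @{}
    Get-Process | ForEach-Object { $names[[string]$_.Id] = $_.ProcessName }

    netstat -aon |
        Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |   # skip header lines
        ForEach-Object {
            $f = $_.Trim() -split '\s+'
            # TCP rows: Proto Local Foreign State PID
            # UDP rows: Proto Local Foreign PID   (UDP has no State column)
            if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] }
            else                 { $state = '-';   $owner = $f[3] }

            if ($EstablishedOnly -and $state -ne 'ESTABLISHED') { return }

            if ($names.ContainsKey($owner)) { $procName = $names[$owner] }
            else                            { $procName = '<gone>' }

            # New-Object PSObject works on the PowerShell 2.0 that ships with Windows 7
            New-Object PSObject -Property @{
                Proto   = $f[0]
                Local   = $f[1]
                Remote  = $f[2]
                State   = $state
                PID     = $owner
                Process = $procName
            }
        }
}

# Everything, sorted so each process's sockets sit together
Get-NetstatOwner |
    Sort-Object Process, Proto |
    Format-Table Process, PID, Proto, Local, Remote, State -AutoSize

# Quick answer to "what is actually talking to the outside right now?"
Get-NetstatOwner -EstablishedOnly |
    Group-Object Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it once before you touch the firewall and keep the output; it is the list you will be writing outbound rules against, and a process you cannot name is a process that needs looking up before it gets a rule.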

So I’ve set myself the challenge of creating a functional machine with no “allow all” rules, either inbound or outbound. OK, there is one notable exception to this challenge: the Xbox 360. I’ve allowed all incoming connections for it, which is not best practice. But the risk for the 360 is minimal and I need to ensure a consistent WAF (Wife Approval Factor), as the 360 is her main source of media content. So I’m not playing with Media Center Extender rules… Yet. I’m sure I’ll eventually find an article on configuring MCE for the 360.

So the first step is to break everything! Block outgoing connections.
The box labeled 4 in the screenshot indicates you should do this on all profiles.

Now would be a good time to run your netstat -aon again. Just to get a picture of what a connectionless machine looks like. Might be a good idea to restart first.

So now you can jump into the outbound rules and create exceptions for what you need.

You’ll note there are a bunch of rules that are built in. I’ve left these as they are for now. Looking at it there are some things I could live without but that can be addressed in another article.

Creating a rule is easy: just right-click Outbound Rules and select New Rule. Then there's a wizard. I'm not going to screen dump all that, it's pretty obvious. I will say that when creating port rules for outbound connections, you are interested only in remote ports. Local ports don't matter as much here.

So at first I created a port rule for 80 and 443 allowing all… "Allowing all"!? WRONG!

I amended that so that it was a Program Rule allowing 80 and 443 for Chrome. Sweeeet!

As you can see I’ve banged in other things I think I need. To create rules allowing Windows Update you need to create Custom Rules and then select the Services button. Allow 80 and 443 for Windows Update and BITS.
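The wizard steps above (block outbound on all profiles, a program rule for Chrome on 80/443, and service rules for Windows Update and BITS) can also be scripted, which makes the lock-down repeatable and, more importantly, reversible. This is an added example rather than the post's own commands: it uses netsh advfirewall, which is present on Windows 7, and it must run from an elevated prompt. The Chrome path and the backup file location are assumptions for this example; adjust them to your machine.

```powershell
# Added example, not the post's own commands: the post's wizard steps as
# netsh advfirewall calls. Run from an elevated PowerShell on Windows 7.
$ChromeExe = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"  # assumed install path
$Backup    = "$env:USERPROFILE\Desktop\firewall-before-lockdown.wfw"  # hypothetical backup location

# 0. Export the current policy first, so "break everything" can be undone
netsh advfirewall export "$Backup"

# 1. Default-deny in both directions on all profiles (the "box labeled 4" step)
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Program rule: Chrome may reach remote TCP 80 and 443 only.
#    Note remoteport, not localport, as the post says for outbound rules.
netsh advfirewall firewall add rule name="Chrome HTTP/HTTPS out" dir=out action=allow program="$ChromeExe" protocol=TCP remoteport=80,443 enable=yes

# 3. Service rules: Windows Update (wuauserv) and BITS run inside svchost.exe,
#    so a plain program rule would open 80/443 for every service hosted there.
#    Naming the service keeps the rule scoped to just that service.
foreach ($svc in 'wuauserv', 'BITS') {
    netsh advfirewall firewall add rule name="$svc HTTP/HTTPS out" dir=out action=allow program="$env:SystemRoot\system32\svchost.exe" service=$svc protocol=TCP remoteport=80,443 enable=yes
}

# 4. Review what is now in force: the per-profile default policy and the
#    outbound rules, trimmed to the fields that matter for checking scope
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out |
    Select-String -Pattern 'Rule Name|Program|Service|RemotePort'
```

If the machine ends up more broken than intended, `netsh advfirewall import "$Backup"` puts the exported policy back. Step 3 is the one worth understanding: anything that lives in svchost.exe has to be allowed by service name, because a rule on svchost.exe itself is very close to an "allow all".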

Only you know what you'll need, and it'll probably take a bit of time and patience. This page has some rules for other common applications (http://npr.freei.me/firewallrules.html) and is a good spot to start. The first things to get going are Windows Update (see above) and updates for your anti-virus applications.

From here the challenge is going to be defining rules for all the games I play now, and for any new games as they are installed. OK, I'll admit it’s still not tighter than a fish's arsehole, BUT it is a work in progress and it’s better than it was.