Tweak Windows Firewall

Easy guide to tweak Windows Firewall (also applicable for Windows 7)

As Microsoft says: “The default behavior of the Windows [Vista] Firewall is to: Block all incoming traffic unless it is solicited or it matches a configured rule. Allow all outgoing traffic unless it matches a configured rule.”

And it is indeed like that: if you check this setting (Control Panel – Administrative Tools – Windows Firewall with Advanced Security – Windows Firewall Properties), you will see that in the “Public Profile” tab all Outbound Connections ARE allowed (see the screenshot below). Now that I know outbound connections are not filtered, I feel pretty much deceived, because I thought I was protected. On one hand your PC is stealth to inbound threats; on the other hand any program can “call home”, i.e. you are not protected in case an application wants to send data over the internet from your computer, or, what is even worse, a Trojan horse secretly sends out your poems. The next surprise was that I could not enable an “automatic rule creation” mode for outbound traffic in the way it works for inbound, where the firewall asks you to permit or deny the connection once a program tries to connect. The reason: this mode does not exist in the Vista firewall. Windows Firewall ships with its much touted outbound filtering switched off. I think it is done to allow the OneCare firewall to catch up for extra cash.

Default outbound rule

One solution could be 3rd party firewall. But why invest more? Let’s use what we already have.

In this article I will show how to turn on Windows Firewall outbound filtering and make your information more secure in Windows Vista.

Default settings overview

First of all let’s get familiar with the Windows Firewall default settings. Follow the path: Control Panel -> System and Maintenance -> Administrative Tools -> Windows Firewall with Advanced Security.

In the Windows Firewall with Advanced Security notice the left panel.

Windows Firewall left panel

It contains the sections Inbound Rules, Outbound Rules, Connection Security Rules, and Monitoring. Outbound Rules lists every rule, both predefined and newly created. A rule is basically an instruction saying which connection is allowed or disallowed for a particular service or program. Predefined rules serve system and core media communication purposes, allowing specific connections like Network Discovery, Remote Assistance, Windows Media Player Network Sharing Service, etc.

If you double-click a rule, you will see exactly what it defines. The Monitoring section shows all the rules that are currently active. Let’s go back to the main screen’s central section “Overview”.

Here you can see the situation for the three main profiles: Domain, Private, and Public. The active profile depends on where the computer is connected. Generally, for a home user the Public profile should be active where the internet connection is concerned, because it is the most restrictive profile. Notice here the following green tick (I would make it red, as a tick is inconsistent with the fact that this is bad!): “Outbound connections that do not match a rule are allowed.”

Windows Firewall default profile

Nice, isn’t it? It makes the predefined list of outbound rules pretty much useless at this stage. So, let’s stop this flooding right now.

Cut outbound flood

1. In the central section Overview find the blue link “Windows Firewall Properties” and click it, then select the tab “Public Profile”. (In some cases you have to do the following for all three profiles, not only Public.)
2. Under Firewall State, set Outbound connections to “Block”.
3. Click “OK”. Make sure the new Public Profile looks like this:

Windows Firewall new profile

As of now, no applications (except system services) can communicate via the internet. Check your IE7. If that is not the case and IE7 can still connect, then you have to block outbound connections for the other profiles accordingly. So we have cut outbound connections. Let’s restore them selectively.

Create outbound connection

As you may notice, for inbound connections there is a “learning” mode, i.e. when a program requests a connection, you see a dialog window asking for your permission. There is no such “learning” mode for outbound. If it is cut, it stays cut unless you do something.
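Since there is no outbound “learning” prompt, the practical substitute is the firewall’s own log: once dropped connections are logged, you can see which destinations and ports a program was trying to reach after outbound blocking went on. The PowerShell script below is an added example (not code from the original article): it parses the W3C-style log lines the Windows Firewall writes and summarises the outbound drops. The log path is the Vista/7 default, and the log lines fed to it here are constructed sample data, not real traffic.

```powershell
# Added example, not from the original article. Windows Firewall has no outbound
# "learning" prompt, but it can log every dropped packet; this script summarises the
# outbound drops so you can see what a program tried to reach after outbound blocking
# was turned on. Enable the log first, from an elevated prompt:
#   netsh advfirewall set allprofiles logging droppedconnections enable
# Default log file on Vista/7 (adjust if you changed the logging filename):
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Get-OutboundDrops {
    # Parses firewall log lines and returns one object per dropped outbound packet.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # The #Fields header names the columns: "date time action protocol src-ip dst-ip ..."
            $fields = $matches[1] -split '\s+'
            continue
        }
        if ($fields -eq $null -or $line -match '^#' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        # "path" is SEND for packets leaving this machine and RECEIVE for inbound ones
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'SEND') {
            New-Object PSObject -Property @{
                Time        = $rec['date'] + ' ' + $rec['time']
                Protocol    = $rec['protocol']
                Destination = $rec['dst-ip']
                DstPort     = $rec['dst-port']
            }
        }
    }
}

# Constructed sample log lines in the firewall's log format (not real traffic):
# two blocked HTTPS attempts, one blocked DNS query, one inbound drop and one allowed packet.
$sample = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2009-01-01 10:00:01 DROP TCP 192.168.1.10 203.0.113.5 49152 443 52 S 123 0 8192 - - - SEND',
    '2009-01-01 10:00:02 DROP TCP 192.168.1.10 203.0.113.5 49153 443 52 S 124 0 8192 - - - SEND',
    '2009-01-01 10:00:03 DROP UDP 192.168.1.10 192.168.1.1 51000 53 68 - - - - - - - SEND',
    '2009-01-01 10:00:04 DROP TCP 198.51.100.7 192.168.1.10 4444 445 52 S 55 0 8192 - - - RECEIVE',
    '2009-01-01 10:00:05 ALLOW TCP 192.168.1.10 192.168.1.20 49154 80 0 - 0 0 0 - - - SEND'
)

# Only the three SEND/DROP lines survive; grouping shows 203.0.113.5:443 twice and 192.168.1.1:53 once.
$drops = Get-OutboundDrops -Lines $sample
$drops | Group-Object Destination, DstPort | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Against the real log (the service keeps the file open; copy it first if Get-Content fails):
# Get-OutboundDrops -Lines (Get-Content $LogPath) | Group-Object Destination, DstPort
```

The log records addresses and ports, not the program name, so the way to use it is: note the time you start the application that no longer connects, then look at the outbound drops from that moment. A burst of drops to port 443 right after launching a browser tells you which rule is missing; drops to your router on port 53 mean the program cannot even resolve names yet.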

So, let’s restore the Internet Explorer connection. Click the Outbound Rules section. In the right panel click “New Rule”. This starts the New Rule wizard. The following screen shows what you have to do to create a new outbound rule for IE7.


Check IE7 again; it should be able to connect now. Be careful if you use Avast! antivirus or similar. Avast has a Web Shield “provider” which works as a local proxy server. Therefore the solution here is to create another outbound rule for the application avast! Web Scanner [ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe ], otherwise your web connection is disrupted.
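The whole procedure above (block outbound by default, then allow Internet Explorer and the avast! Web Scanner back out) can also be done from the command line with netsh advfirewall, which is handy when you have to repeat it on several machines or want a backup to fall back to. The script below is an added example, not code from the original article: the avast! path is the one quoted above, while the rule names, the backup file name and the Desktop location are this script’s own choices. Run it from an elevated PowerShell prompt; each netsh line can equally be typed into an elevated cmd prompt.

```powershell
# Added example, not from the original article: the same changes the article makes in the
# MMC console, done with netsh advfirewall from an elevated PowerShell (or cmd) prompt.
# The avast! path is the one quoted in the article; rule names and the backup file name
# are this script's own choices, not Windows defaults.

# 1. Export the current policy so the change can be reverted with
#    "netsh advfirewall import <file>" if something stops working.
$backup = Join-Path $env:USERPROFILE 'Desktop\firewall-before.wfw'
netsh advfirewall export "$backup"

# 2. Block outbound connections that match no rule. The article does this on the Public
#    profile; applying it to all three avoids the "IE7 still connects" case it describes.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Log what gets dropped, so programs that now fail can be identified without a
#    "learning" prompt (log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Re-allow specific programs. Rules match on the executable path, so on 64-bit Windows
#    the 32-bit and 64-bit Internet Explorer need separate rules (see the comments below).
$programs = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    'C:\Program Files\Alwil Software\Avast4\ashWebSv.exe'   # avast! Web Scanner, path from the article
)
if (${env:ProgramFiles(x86)}) {
    $programs += "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
}
foreach ($exe in ($programs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Not installed here, skipping: $exe"
        continue
    }
    # Include the full path in the rule name so the two IE rules stay distinguishable.
    $name = 'Allow outbound - ' + $exe
    netsh advfirewall firewall add rule name="$name" dir=out action=allow program="$exe" enable=yes profile=any
}

# 5. Verify: the policy line should read "BlockInbound,BlockOutbound" for every profile,
#    and each new rule should be listed by name.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | Select-String 'Allow outbound - '
```

If a program other than the ones listed stops working, the fix is another add rule line with its executable path, not re-opening the profile. To undo everything at once, import the backup (netsh advfirewall import "<path to firewall-before.wfw>") or set the policy back with netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound.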

Anyway, that is how it is supposed to work. Obviously this manual setup process is not very convenient (consider that you have to create rules for ALL the programs you want to have an internet connection); I think the idea was to make the OneCare firewall more attractive in this regard.

This solution is better than nothing and costs you nothing, yet some thinking and effort is required, which probably means that manual outbound setup in the Windows Vista Firewall (also applicable to Windows 7) will not be very popular.

3 thoughts on “Tweak Windows Firewall”

  1. Andrew

    I’m having some trouble getting these steps to work for IE 9. After creating the new rule, I’m unable to connect to the Internet. IE 9 displays the error “Internet Explorer cannot display the webpage.” However, if I allow all outbound connections not matching a rule to be made, IE 9 begins to work again. Will the same program, %ProgramFiles%\Internet Explorer\iexplorer.com still work for IE 9?

    1. Astrum Post author

      Yes, it is the same path, but please notice what I said about Avast web shield. Most probably you have a similar service within a security package where web traffic is filtered/directed by another process(es). You have to find it and create an according rule as well.
      Cheers

      1. Andrew

        Thanks Astrum, great article! It turns out that the problem that I was having was a result of creating the rule for the 64-bit version of iexplorer, when I really meant to create the rule for the 32-bit version of the browser, found in %ProgramFiles% (x86)\Internet Explorer. Apparently, the two versions of the browser use different executables.

