Navigation

First version: 2014-10-29
Updated with Additional Tip #4 on 2014-11-05

Windows firewalling done right - summary

On Windows home computers, many people use 3rd party firewalls like ZoneAlarm with alleged benefits such as Intrusion Prevention. Their down-side is that they do heavy work in constantly running background processes. This impacts your computer's performance and often causes conflicts with other security components, such as virus scanners.. This article explains how a Windows 7 (or newer) computer in a home setting (computer(s) connected to DSL/cable router with modem) can achieve a satisfactory level of security by using just the Windows built-in firewall. The advantage is the minimal performance impact, while still being able to maintain control using an extra management tool. Several of these tools are discussed, some in detail.

Firewall terminology and uses

As you hopefully know, a firewall is a software and/or hardware security system which monitors and controls your network traffic based on heuristics and rule sets, in order to protect an internal zone from unauthorized access from an external zone (such as the Internet). When you browse the web for more information you'll stumble upon many buzz words that characterize a firewall, some of which listed below:

  • (H)IPS: (Host) Intrusion Prevention System: a software component that attempts to identify malicious programs (e.g. viruses, trojan horses or worms) by analyzing (any) running program's general behavior for patterns that are inherently malicious, rather than just comparing the program's signature/check-sum against a known database. See here for a more thorough explanation. Commercial antivirus or firewall products often come with HIPS.

  • IDS: Intrusion Detection System: similar to IPS, but such a system just detects the breach and doesn't actively prevent it.

  • SPI: Stateful Packet Inspection: keeps track of the state of connections such as TCP streams, so that illegal packets are discarded. A "pure" stateful firewall (the firewall that provides SPI) is unaware of processes, it just knows about IPs and ports. A prominent example is a home DSL or cable router whose SPI-firewall will reject incoming packets from, say, a webserver, when there wasn't any previous request from a client in the home network to exactly that webserver.

  • Application-level firewall: considers the content of the data stream, examining it for mal-formed content. Often implemented as proxy- or gateway-firewall. Examples are checks for validity of web-requests (cross-site scripting, differentiating real HTTP traffic from tunneled data), protocol adherence (e.g. correct order and validity of messages), etc.

Most of these features are good and needed on dedicated servers or server infrastructures, but impractical on end-user machines, as will be explained now.

Why you don't need one

Personal firewalls that run a home computer are dime a dozen, e.g. EmsiSoft Online Armor, ZoneAlarm Firewall or Comodo Firewall (go here to see an exhaustive list).

The security software industry is doing their best to market their products by using terms the layman won't understand anyway, making their brochures a good candidate for buzz word bingo. A popular marketing platform is computer magazines that advise you to install software firewalls by running ridiculous tests that tell you how many percent of a selected set of threats were detected by each vendor.

Security software companies let you choose between antivirus software, personal firewall software and a mixture of both, often referred to as "security suite" or similar. There really are many reasons why you don't need a personal firewall, many of them also listed in this article written by a security consultant with many years of experience:

  • They slow down your machine.

  • They are poorly configured. This is to be expected, since they are used by laymen which grant rule sets like “any protocol, any source ip/port, any destination ip/port” to any program requesting Internet access.

  • Over time, many false positives (such as caused by HIPS or similar mechanisms) let the user become less sensitive to pop-ups. They end up clicking “yes" or “allow” on these pop-up windows that inform them about a real issue, thinking it's just another false positive.

  • A large part of hacks attack applications that are already on the firewall's white list, such as your browser, making the firewall useless against these types of attacks.

  • Your router already comes with a basic firewall with features such as SPI. A personal firewall then partly does that same work again.

  • In the security business, the defenders (firewall vendors) are chasing after the attacker (hacker). Even the currently best developed firewall with the most exhaustive feature set will be fooled by an attack that was designed with that firewall in mind, making your machine prone to an attack anyway.

  • Software firewalls have security holes themselves, allowing hackers to gain access to your computer because of the firewall. You have to love the irony of that.

  • They create a false sense of security as users think they are actually protected by them.

 

The Windows firewall

Since Windows XP Service Pack 2 the Windows operating system comes with a free-of-charge pre-installed firewall. It is enabled by default, but commercial firewalls will turn it off upon their installation. Although it doesn't come with some of those advanced features such as HIPS, it allows you to block all in/outgoing network traffic except for certain manually selected applications. This functionality should actually be the sole purpose of a personal firewall.

Firewall profiles

The Windows firewall has 3 separately configurable profiles, "domain profile", "private profile" and "public profile". Each physical (or virtual) network connection you have, such as the LAN or WLAN connections, are assigned to one of these profiles. Here are some important facts about the Windows firewall:

  • For each profile you can configure how incoming or outgoing connections without a matching rule are treated.

  • By default (for any profile) incoming connections that do not match a rule are blocked, while outgoing connections are always allowed. For our intents and purposes this is rather undesirable.

  • Windows firewall will show notifications for (temporarily) blocked incoming connections (where no rule matches yet).
    Windows firewall incoming connection pop-up

  • There are no notification pop-up dialogs for blocked outgoing connections, which is a major bummer, as you really need this feature in daily life.

  • The user interface of the firewall control is horrible to use.

To address the last 2 points there are 3rd party tools available which are presented below.

FYI: configuring a network's profile

When you connect to a new network, Windows asks you what type of network it is:

Network profile selection

In terms of firewall settings, both "home" and "work" networks will be subject to the "private profile" firewall settings, whereas “Public location” will mean that the rules of the “public profile” apply.

It is possible to change the network type later. It may make sense to do so. Consider a scenario where your computer, a laptop, is connected to two types of networks, e.g. home and work network, or home and some public WiFi hotspot. If you assign each of the 2 connections to a different profile, you can have a separate set of rules for each of them. This way you could e.g. prevent your antivirus software to download signature updates over a costly tethered connection, or prevent your cloud synchronization tool from connecting to the cloud in Starbucks, while allowing these actions in your home WiFi network.

On Windows 7 changing the network type is quite easy (see here). On Windows 8 and 8.1 it gets more difficult (see here).

Configuring the firewall

For an easier configuration of the Windows firewall there are 3rd party tools available which act as “front-end” or “graphical user interface”. At the time of writing there are 4 front-ends available: TinyWall (free), Windows Firewall Notifier WFN (free), Windows Firewall Control WFC (free + paid upgrade) and Sphinx Soft Windows Firewall Control (free + paid upgrade). I've tested the first 3 of them, see below for more details.

Configuration with TinyWall

TinyWall main menu

I've used TinyWall myself for a long time. Like the other solutions it's hidden in the task bar. As you can see on the screenshot, it allows to add a program to the white list either by specifying the path to the executable manually, selecting a process from the list of running processes or by clicking into the Window of the application. Regarding the operation modes, you can choose between applying your rule set (default), allowing all or blocking all connections, or disabling the firewall completely. It also comes with an auto-learn functionality. And it is free.

Unfortunately it has several major disadvantages, and I've actually stopped using it because of these:

  • No pop-up window when an outgoing connection attempt was blocked. In theory you could argue that you don't need such pop-up windows, because you can specify the list of whitelist programs using the other 3 mechanisms above. But in practice, putting a program on the whitelist may not be sufficient. You may have added just its graphical user interface to the list, background services or other hidden programs are still blocked, and as a consequence the application does not (fully) work. In many cases it's not easily possible to identify which of the background processes or services additionally need to be put on the whitelist.

  • No log view that allows you to see the recently blocked outgoing connection attempts. You have to resort to using the Windows Event log. In Windows 7/8 you first have toopen the Local group policy editor (gpedit.msc), there go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and set "Audit object access" to "Failure ". Now, open program "Event viewer" and in "Windows Logs" > "Security" look for entries with "Audit Failure" keyword. Two important ones are "blocked connection" and "blocked packet", which have the Event Ids 5157 and 5152 respectively. There you'll find blocked connections and you can unblock them manually in TinyWall.

  • Useless autolearn feature: the autolearn mode automatically accepts all in/outgoing connections from all apps that took place during the timewindow from <autolearn enabled> to <switch back to normal mode>, and adds them to the whitelist. It should only be used if you are sure you have a clean system. After you're done with the training you'd have to review the list of rules that were just created to make sure that really only those applications that you wanted made it on the list (because there are also other applications running in the background which you want blocked and they might have gotten on the list, too). The main disadvantage here is that TinyWall doesn't offer you a "difference list" of the rules set. When you take a look at the list of whitelist applications, you can't find out which ones were added just now in the most recent autolearn session. That means: unless you look through the entire list of accepted applications, you might miss some unwanted entries, like annoying auto-updater services,which would thenhave Internet access from that point on.

Configuration with WFN

Windows Firewall Notifier (WFN) provides a very light-weight management. In fact, the only useful feature it has is the notification pop-up window for outgoing connections. You can customize the rule that is about to be created by clicking the corresponding check-boxes, as shown on the screenshot. Its main user interface has 3 views. One shows the list of active connections, one the list of rules, one the log of recently blocked connections. However, all 3 views are just that: views. You can't edit anything in them. To change rules, you still need to go to native Windows firewall dialogs, which greatly reduces the utility of WFN.

WFN pop-up dialog

Also, it should be noted that whenever a new application requests a connection, the attempt is initially and immediately blocked. The pop-up window then shows up shortly after, allowing you to unblock the application. Once you did that, you have to force your now unblocked application to repeat the connection attempt. This behavior is found also for other Windows firewall-based tools (like WFC, presented below). It's different to the behavior you get when using commercial firewalls. Here the requesting application will wait and “hang” (for some time) until you answered the notification pop-up window.

Configuration with WFC

Binisoft's Windows Firewall Control is a comprehensive solution which I've ended up using personally. Here is the list of important features:

  • Operation modes similar to TinyWall: use your rule set, block all, allow all (outgoing) traffic while blocking those that have block-rules, and disable firewall (allow all traffic).

    • Very handy feature: a timer allows you to automatically change your firewall (back) to another mode after a configurable amount of time. That comes in handy when you're installing new software and you expect its installer to require Internet connections. Setting up rules for the installer wouldn't make sense. Instead, you set the firewall to low filtering, immediately set it up to revert to normal filtering after 10 minutes and then you install the software. Trust me, our brains are bad, without that timer youwill forget to set your firewall mode back to normal mode occasionally. Trust me.

  • Paid feature ($10): Notification pop-ups for outgoing connections, with configurable level of detail: 1) notify for all connections, 2) notify just for “normal programs” (i.e. no pop-ups for System or svchost.exe processes), 3) notify for few notifications (only shows pop-ups for unsigned programs), or 4) completely disable notifications

  • Adding a new program to the list can be done in different ways

    • Browse for executable file

    • Click on the opened window of the application

    • Right-click on the executable (or a link to it) in Explorer (using optional shell integration)

    • Select application from WFC's blocked connections log view

  • Paid feature: you can set an expiry date on created rules

  • You can set up the default settings for rules, e.g. for which profile (private, public, domain) or which direction (incoming, outgoing) they are set up by default

  • Configurable and powerful rule list with color coding (red for block-rules, green for allow-rules, white for inactive rules). Rules can be edited from that list in a clearly arranged dialog. You can search for rules, order them by a column (e.g. group) and mass-enable/disable or change a rule (from block to allow for example).

  • Connections Log view that shows blocked (or allowed) incoming (or outgoing) connections as desired. The view looks organized and much cleaner compared to using the Windows Event log. By just one click you can create an “any any” allow or block rule for the application listed in the log entry, or create a customized rule, or jump to the rule list showing rules associated to that process (if there are any).

  • A “new rules wizard” view that shows you all executables within a specified folder (e.g. C:/Program Files) so that you can create new rules for them quickly.

BiniSoft's WFC is quite a complete package for managing your Windows firewall. You should be able to get by with the free version if you can bear unlocking blocked applications using the log view. Below you see a gallery of screenshots:

Some additional tips

Tip 1: Unclear options

In case you're unclear about the meaning or syntax of some of the many options you can specify for a rule, you can checkout the technical documentation on Microsoft Technet. For example, you have to adhere to many little-documented rules when filling the remote address field. You can specify a list of comma-separated IP addresses, but make sure not to use any spaces. You can also specify ranges in the format A.B.C.D-E.F.G.H or use CIDR notation.

Tip 2: The System service, svchost.exe and other system services

Apart from user applications there are many other rather low-level background services which require appropriate firewall rules. These include things like the ability to be pinged (ICMP), UPNP discovery, file/printer sharing, Windows Update, and many more. I recommend that before you even install a 3rd party tool, you restore the firewall default settings (see Control Panel > System and Security > Windows Firewall).

The services I just mentioned are carried out by various processes. There is a System process, several svchost.exe processes (each being an umbrella to several Windows services) and many others (wwahost, WUDFHost, and so on). Rather than trying to configure appropriate rules for them yourself, you should just enable or disable ready-made rules provided by Microsoft. If you chose to use WFC, it's best to configure them outside of WFC in the Windows-provided dialog (On Windows 8: Control Panel > System and Security > Windows Firewall > Allow an app or feature through Windows Firewall). Select (or deselect) those services that apply to your situation and needs.

Even with these rules in place, there will still be many requests made by svchost or the System process which are blocked due to the lack of a matching rule. This is OK, given that everything you need works. If something doesn't work, however, things become complex quickly. The reason is that when something fails due to svchost.exe, it's (by default) impossible to find out the exact reason. Svchost.exe is an umbrella that is started several times, each process (which has its own process ID) contains several services. When you create firewall rules, however, you would like to know which particular service to unblock. The issue is that a logged blocked connection attempt found in the Event log (or WFC's Connection Log window) will reveal only the svchost.exe's process ID. It won't tell you which service inside that instance executed the connection attempt.

There is a way to find out the particular service, though. The details are explained in this article. Here I want to walk you through an example:

After loading the firewall defaults, installing WFC and granting access to my most-used applications, I noticed that I couldn't access file shares located on other computers in my local network. I didn't want to enable the pre-made “File and printer sharing” rule in the control panel, because that would open the firewall up so that other machines can access my computer's shares. I didn't have any shared folders on this machine, I just wanted this machine to be able to access other computer's shares.

When looking at WFC's Connections log window, I discovered that the System process needed outgoing TCP port 139 to the destination machine. By doing a right-click on that entry, choosing “Customize and create” I designed a rule that allows Systemto use the outgoing TCP port 139 in my local network (remote address = 192.168.1.1/16). The next attempt showed that svchost.exe with process ID 1144 wanted to access the remote machine on port 49000. By opening the command prompt and entering tasklist /SVC /FI "IMAGENAME eq svchost.exe" I found that the following services were part of that process: EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc. Since I didn't want to unblock all of these services, I decided to split the services such that instead of one svchost.exe processes running all 7 services, there are 7 svchost.exe processes, each with one service. My batch script looked as follows:

sc config EventSystem type=own
sc config fdPHost type=own
sc config FontCache type=own
sc config netprofm type=own
sc config nsi type=own
sc config WdiServiceHost type=own
sc config WinHttpAutoProxySvc type=own

After rebooting the machine and repeating the request I found that the service in question was fdpHost, the “Function Discovery Provider Host”. Enabling a rule for svchost.exe for that service still didn't make it work, as I then discovered that the System process needed TCP port 445 opened as well. After adapting the previously created firewall rule to include remote port 139 and 445, I was able to access the remote file share as desired. Now I could revert the svchost splitting process if I wanted, by executing another batch script similar to the one above, replacing own with share.

Tip 3: Network-dependent rules

When you're configuring a firewall on a portable device, you may want different rules for different types of networks. A typical example would be that on your private home network you would be less restrictive. It would be OK to open up some local server ports orlet programs connect to the cloud. On public networks such as WiFi hotspots, however, you'd rather want to minimize network traffic, especially traffic that is either heavy (in megabytes) or could allow others to sniff sensitive information. This can be achieved with the Windows Firewall, using the profiles introduced earlier in this article. You can restrict a rule to, say, just the private or just the public profile. Finally, you need to assign your home WiFi to the private (or work) profile and foreign WiFis to the public profile.

Tip 4: Background services

Some of your installed applications consist of several software components, such as a foreground-component (client GUI) and a background-component (e.g. background service). Under some circumstances, things will only work properly if both components get an allow rule. So if you've granted access to the foreground component and the application still doesn't work properly, make sure to check the logs for failed connection attempts.

If you find that there's a background-component that needs access, you need to create a rule for it. Whether the component is actually executed as Windows service or not doesn't matter. If it needs network access, you've got to create a rule that points to the executable of that service. Please note that you should not use the service drop-down field in the dialog where you create a new rule. That field is reserved for Microsoft-specific services only (such as svchost.exe) and you should generally leave it untouched. (Thanks to Alexandru Dicu from Binisoft for that hint)

Conclusion

This article has shown you that in most home settings the combination of the router's firewall + Windows firewall allow for a good compromise regarding speed, security and configuration options. The firewall allows you to block all in/outgoing network traffic except for certain manually selected applications. Together with a regularly updated Antivirus software your system is secure against most threats.

Comments

Comment by Sam |

Thankyou for the great article! I have one concern regarding Tinywall, Should no longer be recommended as a good choice for a firewall. Admittedly it was my go to choice in the past, however i believe specific to windows 10 users, Tinywall breaks Network Discovery and File sharing. It is a shame since judging by opinions expressed online, many users have discontinued the use of tinywall for this reason, and much to my dismay the author of the software, it seems has no intention of addressing this issue.

Comment by Steve |

I concur with Sam's comment. It totally breaks Windows 10 network discovery and file sharing. Even when I enable them inside of Tinywall. No Tinywall, everything works. Wasted hours looking for a solution. Such a darn shame, been using it for years. Hello WFC.

Navigation