How to tighten up rules for Windows services?

Hi all,
I have noticed in my Application Monitor that alg.exe, svchost.exe and “system” all have several rules created for them, and I would like to tighten them up (remove as many as possible).

I have been told elsewhere that I can just disable alg.exe as I don’t use Windows Firewall (duh) or ICS (not too sure what that is, or whether indeed I need it. What is it? Under what circumstances would I need it?).

svchost apparently needs access to Windows Update, DNS lookups and DHCP.

I’ve had no response as to whether “system” actually needs to access the internet.
Therefore, I thought that perhaps the “horse’s mouth” was the best place to come.

So, if someone can answer the following, I’d be really grateful.

  1. What is ICS? What is it used for, and under what circumstances is it needed to run / access the internet?

  2. Re svchost, what are the actual rules I’d need to set in order to allow only Windows Update, DNS lookups and DHCP? (Please note: I’m a bit of a dummy when it comes to network-type stuff, so please explain in “eeejit speak”.)

2a) Would the implementation of the above rules only for svchost then stop all the “xxx.exe may be using svchost to connect to the internet” popups, if svchost can contact only the above-mentioned?

2aI) Would one rule for svchost.exe stating “allow (Windows Update, DNS, DHCP) IPs”, followed by a rule “allow [exclude, i.e. not the choice below] (any)”, have the desired effect of stopping communication outside of those addresses without any popups? Or would it just break svchost’s access altogether?

(I did say I was a dummy at this stuff.)

  3. Does “system” actually need internet access? If so, what for?

Thanks (R)

Hi qwerty. Let’s see :)

So, if someone can answer the following, I'd be really grateful.
  1. what is ICS? what is it used for, and under what circumstances is it needed to run / access internet?

ICS/ICF - Internet Connection Sharing/Internet Connection Firewall
Essentially, if you have a small home LAN, you can configure one of the Windows boxes to act as an Internet gateway. That is, other PCs on the LAN can access the Internet via that PC. If you only have one PC you don’t need it.

You should also be able to disable the alg.exe service if you don’t use ICS.

2) re svchost, what are the actual rules I'd need to set in order to allow only windows update, dns lookups, and dhcp? (Please note: I'm a bit of a dummy when it comes to network type stuff, so please explain in "eeejit speak")

Unfortunately, this is a little tricky. There is a useful post here, “should svchost.exe be allowed internet access??”, that I suggest you might want to read.

Svchost.exe will need access to the Internet. Unless you really want to make your rules strict, you will need to allow DHCP, DNS and Windows Update at the very least.

DHCP is pretty easy. In Application Monitor you’ll need:

App: Svchost.exe
Dest. = ANY
Port = 68
Protocol = UDP IN
Allow

App: Svchost.exe
Dest. = 255.255.255.255
Port = 67
Protocol = UDP Out
Allow

You might also need:

App: Svchost.exe
Dest. = 255.255.255.255
Port = 68
Protocol = UDP Out
Allow

For DNS you will need:

App: Svchost.exe
Dest = ANY (or you can enter your ISP’s DNS servers as an IP range)
Port = 53
Protocol = UDP Out
Allow

Windows Update is a bit of a pain though :( Microsoft use a variety of different servers to supply downloads, and also different geographical locations, for load balancing. Some of the URLs are:

download.windowsupdate.com (HTTP)
v5.windowsupdate.microsoft.com (HTTP,HTTPS)
v5stats.windowsupdate.microsoft.com (HTTP)
download.microsoft.com (HTTP)
windowsupdate.microsoft.com (HTTP)
www.download.windowsupdate.com (HTTP)

So you’re going to need something like this:

App: Svchost.exe
Dest. = v5.windowsupdate.microsoft.com (That’s entered as a host name)
Port = 80,443 (A set of ports)
Protocol TCP Out
Allow

You may have to play around with the host name.

2a) would the implementation of the above rules only for svchost then stop all the "xxx.exe may be using svchost to connect to the internet", if scvhost can contact only the above mentioned?

Only if you add some additional block rules

2aI) would one rule for svchost.exe stating "allow (windows update, dns, dhcp) ip's" followed by a rule allow [exclude ie not the choice below] (any) have the desired effect in stopping communication outside of those addresses without any popups? Or would it just break svchosts access altogether?

Not as simple as that, for the reasons outlined above.

3) does "system" actually need internet access? If so, what for?

I have never allowed system to access the Internet. However, if you have a LAN at home, you may need to allow it for Windows File and Print Sharing.

Hope that helps

Toggie
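A modern equivalent of the svchost rules Toggie lists above, as an added example and not part of the original thread or anything from Comodo: the same DHCP, DNS and Windows Update allow rules expressed with the Windows Defender Firewall cmdlets (Windows 8 / Server 2012 and later, run from an elevated prompt). It goes one step beyond the per-executable rules in the thread by scoping each rule to the service hosted inside svchost.exe, which is what actually separates "DNS lookups" from "anything else that happens to run in svchost". The resolver addresses and the rule names are placeholders I have assumed; substitute your own.

```powershell
# Added example, not from the thread or from Comodo. Windows Defender
# Firewall equivalents of the svchost.exe rules discussed above.
# Run in an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

$svchost = "$env:SystemRoot\System32\svchost.exe"

# Windows Firewall can scope a rule to the service running inside
# svchost.exe (-Service takes the service's short name). A rule for
# Dnscache therefore does not let wuauserv, or any other svchost-hosted
# service, use port 53. Short names used here:
#   Dhcp     = DHCP Client
#   Dnscache = DNS Client
#   wuauserv = Windows Update

# DHCP: the client sends from UDP 68 to the server's UDP 67 (broadcast
# for a first lease, unicast for renewals) and receives replies on UDP 68.
New-NetFirewallRule -DisplayName "svchost: DHCP client out" `
    -Direction Outbound -Program $svchost -Service Dhcp `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow

New-NetFirewallRule -DisplayName "svchost: DHCP client in" `
    -Direction Inbound -Program $svchost -Service Dhcp `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow

# DNS: UDP 53, plus TCP 53 for answers too large for UDP, to the
# resolvers only. ASSUMPTION: these two addresses are placeholders
# (Google's public resolvers); replace them with your own ISP's servers.
$resolvers = @("8.8.8.8", "8.8.4.4")

New-NetFirewallRule -DisplayName "svchost: DNS out (UDP)" `
    -Direction Outbound -Program $svchost -Service Dnscache `
    -Protocol UDP -RemotePort 53 -RemoteAddress $resolvers -Action Allow

New-NetFirewallRule -DisplayName "svchost: DNS out (TCP)" `
    -Direction Outbound -Program $svchost -Service Dnscache `
    -Protocol TCP -RemotePort 53 -RemoteAddress $resolvers -Action Allow

# Windows Update: the firewall cannot match host names such as
# download.windowsupdate.com, and the CDN addresses behind them change,
# so instead of chasing IP ranges the rule is limited to the update
# service itself on 80/443.
New-NetFirewallRule -DisplayName "svchost: Windows Update out" `
    -Direction Outbound -Program $svchost -Service wuauserv `
    -Protocol TCP -RemotePort 80,443 -Action Allow

# Allow rules alone block nothing, because the default outbound action is
# Allow. A program-wide "block svchost.exe" rule is not the answer either:
# block rules win over allow rules, so it would also kill DHCP, DNS and
# updates. The supported way is to make the profile's default outbound
# action Block, so only traffic matched by an allow rule gets through.
# Do this LAST, after confirming the allow rules above were created,
# or the machine drops off the network.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Review what was created.
Get-NetFirewallRule -DisplayName "svchost: *" |
    Format-Table DisplayName, Direction, Action, Enabled
```

Two caveats before running this on a real box. Setting the default outbound action to Block applies to every program that has no allow rule of its own, not just svchost, so browsers and anything else you use need their own rules first. And current Windows Update also pulls content through BITS and Delivery Optimization (the `BITS` and `DoSvc` services), so the `wuauserv` rule alone may not be enough; as Toggie says, you may have to play around with it, but the thing to vary is the service scope rather than the host name.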