minimum application rules for connecting to the internet

Hi!
First post here.

I would like to add some application rules so that the only program that connects to the internet is Internet Explorer and its related processes. Then I can block anything else that tries to connect.

So what will I need to allow? svchost.exe, DNS, etc.

And how would I write the rule? (I don’t want to have ‘any address’ or any port.)

I am on Windows Vista connecting directly to a cable modem.

Thanks for any help

In theory you can get away with creating rules for svchost and Internet Explorer, but it will also depend on your environment. With svchost, unless you’re using a static IP address and you’ve disabled the DNS Client service, you will need to create rules for these. Other than that, you need to consider Windows Updates and also any other application you may be running that uses BITS, an svchost process, to update.

For Internet Explorer it’s somewhat easier to create the necessary rules. For the most part, allowing the browser to make HTTP/HTTPS connections on standard ports is enough.

At its simplest (as I say, it will depend on your environment), this is how it might look:

Application Name - Svchost.exe (This is for DNS)
Action - Allow
Protocol - UDP
Direction - OUT
Source Address - ANY
Destination Address - The IP address(es) of your DNS server(s)
Source Port - ANY
Destination Port - 53

Application Name - Svchost.exe (This is for DHCP)
Action - Allow
Protocol - UDP
Direction - OUT
Source Address - ANY
Destination Address - 255.255.255.255
Source Port - 68
Destination Port - 67

Application Name - Svchost.exe (This is for Updates)
Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY
Destination Address - ANY or create a Network Zone containing the IP address blocks of the update servers
Source Port - ANY
Destination Port - A Port Set with ports 80 and 443

Application Name - Svchost.exe (This is to block everything else)
Action - Block and Log
Protocol - IP
Direction - OUT
Source Address - ANY
Destination Address - ANY
IP Details - ANY

If you use a static IP address and disable the DHCP Client, you can omit the DHCP rule. If you disable the DNS Client Service, you will still need a DNS rule for svchost, but you will also need a DNS rule for IE.

Application Name - Internet Explorer.exe (This is for DNS, if the Client service is disabled)
Action - Allow
Protocol - UDP
Direction - OUT
Source Address - ANY
Destination Address - The IP address(es) of your DNS server(s)
Source Port - ANY
Destination Port - 53

Application Name - Internet Explorer.exe (This is for HTTP/HTTPS)
Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - A port set with ports 80 and 443 (see above)

Application Name - Internet Explorer.exe (This is to block everything else)
Action - Block and Log
Protocol - IP
Direction - OUT
Source Address - ANY
Destination Address - ANY
IP Details - ANY

If you use IE for FTP, you’ll also need rules to support that process.

Finally you need a rule to block everything else.

Application Name - All Applications Pre Defined policy
Action - Block and Log
Protocol - IP
Direction - OUT
Source Address - ANY
Destination Address - ANY
IP Details - ANY
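As an added illustration, not part of the thread and not the firewall’s own software, here is the rule set above as a small first-match evaluator in Python, so the ordering can be checked offline before it is typed in. The DNS server address is a constructed placeholder, and iexplore.exe as the file name behind "Internet Explorer.exe" is an assumption.

```python
from dataclasses import dataclass

ANY = "ANY"
DNS_SERVERS = {"192.0.2.53"}  # constructed placeholder for "your DNS server(s)"
WEB_PORTS = {80, 443}         # the "Port Set with ports 80 and 443"


@dataclass
class Rule:
    app: str                # executable name, or "*" for the All Applications policy
    action: str             # "Allow" or "Block and Log"
    proto: str              # "UDP", "TCP", or "IP" (matches any protocol)
    dst_addr: object = ANY  # ANY, one address, or a set of addresses (a network zone)
    src_port: object = ANY  # ANY or an int
    dst_port: object = ANY  # ANY, an int, or a set of ints (a port set)


# The thread's rules in evaluation order. All are Direction OUT, the only direction
# modelled here; "Internet Explorer.exe" in the thread is assumed to be iexplore.exe.
RULES = [
    Rule("svchost.exe", "Allow", "UDP", DNS_SERVERS, dst_port=53),                     # DNS
    Rule("svchost.exe", "Allow", "UDP", "255.255.255.255", src_port=68, dst_port=67),  # DHCP
    Rule("svchost.exe", "Allow", "TCP", ANY, dst_port=WEB_PORTS),                      # updates
    Rule("svchost.exe", "Block and Log", "IP"),                                        # rest of svchost
    Rule("iexplore.exe", "Allow", "TCP", ANY, dst_port=WEB_PORTS),                     # HTTP/HTTPS
    Rule("iexplore.exe", "Block and Log", "IP"),                                       # rest of IE
    Rule("*", "Block and Log", "IP"),                                                  # everything else
]


def _matches(field, value):
    if field == ANY:
        return True
    if isinstance(field, (set, frozenset)):
        return value in field
    return field == value


def evaluate(app, proto, dst_addr, dst_port, src_port=0, rules=RULES):
    """Return (action, rule_index) for the first rule matching an outbound connection,
    or ("Alert", None) when none does, which is when the firewall would prompt."""
    for index, rule in enumerate(rules):
        if rule.app not in ("*", app) or rule.proto not in ("IP", proto):
            continue
        if (_matches(rule.dst_addr, dst_addr) and _matches(rule.src_port, src_port)
                and _matches(rule.dst_port, dst_port)):
            return rule.action, index
    return "Alert", None
```

DNS from svchost to the configured resolver returns ("Allow", 0), while DNS to any other host falls through to the svchost catch-all and returns ("Block and Log", 3), which is the point of not using ANY as the destination. Evaluating with rules=RULES[:-1] shows an unknown program producing ("Alert", None), a prompt instead of a silent block.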

Wow, excellent. Thank you. That’s what I’ve been looking for.

I shall give it a go and let you know how it goes.

Welcome. If it needs refining, just post details of what does and doesn’t work the way you’d like.

Two questions raised:
What does the rule for FTP look like?
And: does it really take a ‘block everything else’ rule for all applications, if one chooses ‘individual network security policy’? As far as I’ve understood, this ‘individual network security policy’ alone already means ‘block everything aside from my exceptions’ …

For FTP, there’s nothing to stop you using one of the pre-defined rules (image). There are two that contain FTP rules, Web Browser and FTP Client; just take the parts you need.

I’m not sure what you mean by “individual network security policy”. The reason I included the rule is simply to stop alerts from applications for which rules have not been defined. It’s not strictly necessary; it just makes things a little less noisy.

Awesome. Both questions cleared; thanks.