Predefined Policy vs. Customer policy (FW/D+) - advice for total beginner

Can I have some advice or explanation on when it is best to apply a Predefined Policy vs. a custom policy? I understand the differences and the resulting rules, but I have difficulty assessing the risks, if any (see questions 1 - 6).

Firewall: choices
a. Outgoing Only
b. Trusted Applications
c. Custom > Allow this Request/Remember my answer

D+: choices
a. Windows Installer Applications
b. Trusted Application
c. Custom > Allow this Request/Remember my answer

Q1 (FW). When I have an FW Alarm for a new application I install, should I go with Outgoing Only or Custom? (Custom will allow connection on 1 given port, whereas Outgoing Only will allow communication on every port.) What type of applications could benefit from Outgoing Only vs. Custom?

Q2 (FW). Trusted Applications: this should be the choice for applications needing inbound communications - like uTorrent? What other applications can benefit from the status of Trusted Applications and still be regarded as a safe practice?

Q3 (D+). What is the difference between Windows Installer Applications and setting D+ in training mode before installing a new application or updating?

Q4 (D+). In what case would I rather use Windows Installer Applications than Custom (what applications, what circumstances)?

Q5a. Alarms (FW/D+): when I do not answer an Alarm, the CIS default answer is DENY permission - do not remember my answer. Is that correct?

Q5b. Alarms (FW/D+). I can set the time to keep alarms on screen. Will the countdown reset to zero every time I click a tab on the Alarm or change a selection without confirming?

Q6. Is it customary to modify your Network Configuration Policy rules and Computer Configuration Policy rules after you have made a selection during an Alarm (like reverting from Windows Installer to a more restrictive policy)? I am starting to accumulate rules but I am not always sure if I should change them or leave them as they are.

Most of the settings must be personal and different from one user to another. What I would like to know is what applications need what privileges and whether it is safe to give them by default in general. So far I tend to use a tight approach, no paranoia here, but I can see the process of FW/D+. However, in the long run, all the pop-ups and clicks I am making now could be simplified without notable security risk, I guess?

NB: a “use the default settings” answer will not help me understand better or improve anything :wink: Thanks

Have you read the “Help” section under Miscellaneous in CIS yet?

Rules that allow access only on the required ports are more secure than rules that allow all traffic. Applications that have static communications requirements best suit customised rules.

Q2 (FW). Trusted Applications: this should be the choice for applications needing inbound communications - like uTorrent? What other applications can benefit from the status of Trusted Applications and still be regarded as a safe practice?
The example you've quoted is correct, but there is a caveat. P2P traffic will use a range of ports for inbound traffic, UNLESS you configure it otherwise to use a fixed inbound port. If the app is configured for a static inbound port you can create a custom rule to cater for just that app-port combination.
Q3 (D+). What is the difference between Windows Installer Applications and setting D+ in training mode before installing a new application or updating?
Good question. Off the top of my head, Windows Installer Applications are allowed access to the operating system folders.
Q4 (D+). In what case would I rather use Windows Installer Applications than Custom (what applications, what circumstances)?
See above - hopefully I was right. ;)
Q5a. Alarms (FW/D+): when I do not answer an Alarm, the CIS default answer is DENY permission - do not remember my answer. Is that correct?
Correct - the default action is BLOCK - NO REMEMBER
Q5b. Alarms (FW/D+). I can set the time to keep alarms on screen. Will the countdown reset to zero every time I click a tab on the Alarm or change a selection without confirming?
Yes
Q6. Is it customary to modify your Network Configuration Policy rules and Computer Configuration Policy rules after you have made a selection during an Alarm (like reverting from Windows Installer to a more restrictive policy)? I am starting to accumulate rules but I am not always sure if I should change them or leave them as they are.
No, if you have responded to an alert it will produce a rule or allow an action appropriate to whatever you told the alert to do. Regularly PURGE your application rules to remove any redundant entries.
Most of the settings must be personal and different from one user to another. What I would like to know is what applications need what privileges and whether it is safe to give them by default in general. So far I tend to use a tight approach, no paranoia here, but I can see the process of FW/D+. However, in the long run, all the pop-ups and clicks I am making now could be simplified without notable security risk, I guess?

NB: a “use the default settings” answer will not help me understand better or improve anything :wink: Thanks

There has to be a bit of a tradeoff somewhere. If you want tight, explicit rules for all apps and traffic, then you will have a lot of rules and could experience a bit of lag from time to time. Using slack, lax rules for apps and traffic can reduce the number of rules and simplify things, but you have less control over what is happening.

What method is right for you is something that only you can determine. Default works for some. Paranoid mode works for others. It's your machine, it's your choice, but at least CIS gives you the configurability. All you have to do is work out what level is comfortable and right for you, provides the level of security you want and still lets you do the work you need to do.

Hope this helps,
Ewen :slight_smile:
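As an added illustration (not from this thread and not CIS's own code), a small Python model of the three firewall policy types discussed above: Outgoing Only, Trusted Application and a Custom per-port rule. It shows why a custom rule for a P2P client pinned to one fixed inbound port exposes a single port where Trusted exposes all of them, and applies the unanswered-alert default (block, not remembered) to any app with no rule. Application names and port numbers are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    OUTGOING_ONLY = "outgoing_only"  # any outbound port, no inbound
    TRUSTED = "trusted"              # any direction, any port
    CUSTOM = "custom"                # only the listed (direction, port) pairs


@dataclass(frozen=True)
class Conn:
    app: str
    direction: str  # "in" or "out"
    port: int


@dataclass
class Rule:
    policy: Policy
    allowed: frozenset = frozenset()  # (direction, port) pairs, CUSTOM only


def decide(rules: dict, c: Conn) -> str:
    """Return 'allow' or 'block' for one connection attempt. An app without
    a rule gets the alert's default answer from the thread: block."""
    rule = rules.get(c.app)
    if rule is None:
        return "block"
    if rule.policy is Policy.TRUSTED:
        return "allow"
    if rule.policy is Policy.OUTGOING_ONLY:
        return "allow" if c.direction == "out" else "block"
    return "allow" if (c.direction, c.port) in rule.allowed else "block"


def exposure(rules: dict, app: str, ports=range(1, 65536)) -> int:
    """Count the inbound ports an app's rule would accept, i.e. the
    listening surface the rule leaves open to unsolicited traffic."""
    return sum(decide(rules, Conn(app, "in", p)) == "allow" for p in ports)


# Constructed sample policy (hypothetical apps/ports): the P2P client is
# configured for one static inbound port, so it gets a Custom rule instead
# of Trusted status; the browser only ever needs outbound connections.
RULES = {
    "utorrent.exe": Rule(Policy.CUSTOM, frozenset({("in", 51413), ("out", 51413)})),
    "browser.exe": Rule(Policy.OUTGOING_ONLY),
}
```

Comparing `exposure(RULES, "utorrent.exe")` with the same app under a `Rule(Policy.TRUSTED)` makes the difference concrete: one open inbound port versus all 65535.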