Request help to set up custom policy

Hi again. I’m running CIS Premium 5.5 on Windows 7.

I used Network Security Policy to ‘Block and log all requests’ for an app we shall call ABC.exe. However, I now discover that it is safe to allow it to contact www.xyz.com on my behalf. XYZ is an online code validating service, so it is more efficient to allow ABC to do it for me than for me to make a copy of my code, go to XYZ and do it manually.

In the Network Security Policy window I can see:

...
C:\Program Files\ABC.exe
   Block and log all requests
...

If I select Edit for the upper line I am taken to the Application Network Access Control window. If I do the same to the lower line, I am taken to the Network Control Rule window. This is totally confusing. All I wanted to do was create an exception to the general block rule and allow ABC, running on my machine, access to http://www.xyz.com.

I did read the User Guide and search the Forum but couldn’t find an exact match for this problem. A few more examples in the User Guide would have helped greatly.

Thanks again for your help.
Max

Firewall application rules may be viewed in one of two ways, either from the perspective of the Application, or from the perspective of an individual rule for said application. When you selected the first line, you were viewing the application as a whole, whereas, when editing the second line, you’re dealing with a specific rule.

To create a rule for your application, you may use either approach, the net result will be the same. As for the rule, assuming you edit the second line:

Application - abc.exe
Action - Allow
Direction - Out
Source Address - ANY
Destination Address - www.xyz.com
Source Port - ANY (or a specific port if used)
Destination Port - (whatever port the application needs to connect on)

Alternatively, just create a rule that allows said application all outbound access, assuming you’re happy with such a generic rule.

Thanks, that made it all a lot clearer.

Also, I didn’t realize I could edit the name of the rule to make its purpose clear.

I followed your advice and created the following rule:

Action: Allow
Protocol: IP
Direction: Out
Description: Allow app to contact www.xyz.com
Source Address: Any
Destination Address:
Type: Host name
Host name: http://www.xyz.com
IP Protocol: Any

And it worked - abc.exe contacted xyz.com!

However, since my original purpose had been to block abc.exe from contacting www.abc.com, it seemed necessary to add an extra rule to this effect, now that my blanket block was gone.

Accordingly, I created a second rule:

Action: Block
Protocol: IP
Direction: Out
Description: Prevent abc.exe from contacting abc.com
Source Address: Any
Destination Address:
Type: Host name
Host name: http://www.abc.com
IP Protocol: Any

I have two questions:

  1. My original aim was to block abc.exe from communicating with ANY outside address (except xyz.com), and IN PARTICULAR not to contact abc.com, so were the steps I took sufficient or should I add some other rule blocking all other addresses as well?

  2. I’m still a bit puzzled as to why in the second field (“Protocol: IP”) in the General section I was not given the chance to specify “Protocol: All”, just as in the body of the rule. The choices are: TCP, UDP, TCP or UDP, ICMP, IP

To make this easier, leave the first rule (the allow to www.xyz.com) as it is, but to ensure your application is unable to connect with any other site, modify your second rule (the block to www.abc.com) by replacing abc.com with ANY.

Basically, the rules are read from top to bottom, so if you implement the rules described above, when your application attempts to connect, it will read the first rule (the Allow); if the request matches the rule, it will be allowed. If the request doesn’t match the rule, the application will try the next rule, which blocks all outbound activity. That’s where checking will stop.

Action: Allow
Protocol: IP
Direction: Out
Description: Allow app to contact www.xyz.com
Source Address: Any
Destination Address:
Type: Host name
Host name: http://www.xyz.com
IP Protocol: Any

Action: Block
Protocol: IP
Direction: Out
Description: Prevent abc.exe from contacting any site
Source Address: Any
Destination Address: Any
IP Protocol: Any

2) I'm still a bit puzzled as to why in the second field ("Protocol: IP") in the General section I was not given the chance to specify "Protocol: All", just as in the body of the rule. The choices are: TCP, UDP, TCP or UDP, ICMP, IP

Although IP (Internet Protocol) is a protocol in its own right, it’s quite common to find ‘IP’ being used as a generic term, meaning all standard protocols; this is why you don’t see ‘Any’ listed.
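The top-to-bottom, first-match evaluation described in the reply above, as an added example that is not part of the original thread and not Comodo's own code: a small Python simulator loaded with the two rules from the reply. It assumes, as the reply states, that rules are read top to bottom and the first matching rule decides, that "IP" in the protocol field matches any protocol, and that an attempt matching no rule falls to an assumed default of Block. Host names are compared as plain names (no URL scheme) and case-insensitively; the Rule and Attempt types, the connection attempts, and the shadowed_rules check are all constructed for this example.

```python
"""First-match simulation of per-application firewall rules (added example, not CIS code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str       # "Allow" or "Block"
    protocol: str     # "TCP", "UDP", "ICMP" or "IP" ("IP" = any protocol, as the thread explains)
    direction: str    # "Out" or "In"
    dest_host: str    # plain host name, or "Any"
    dest_port: str    # port number as a string, or "Any"
    description: str


@dataclass(frozen=True)
class Attempt:
    protocol: str
    direction: str
    dest_host: str
    dest_port: int


def _host_matches(rule_host: str, host: str) -> bool:
    # "Any" is a wildcard; otherwise compare host names case-insensitively (assumed behaviour)
    return rule_host == "Any" or rule_host.lower() == host.lower()


def _port_matches(rule_port: str, port: int) -> bool:
    return rule_port == "Any" or int(rule_port) == port


def rule_matches(rule: Rule, a: Attempt) -> bool:
    """True when every field of the rule covers the connection attempt."""
    return (
        (rule.protocol == "IP" or rule.protocol == a.protocol)
        and rule.direction == a.direction
        and _host_matches(rule.dest_host, a.dest_host)
        and _port_matches(rule.dest_port, a.dest_port)
    )


def evaluate(rules: List[Rule], a: Attempt, default: str = "Block") -> Tuple[str, str]:
    """Read rules top to bottom; the first match decides and checking stops there.
    An attempt matching no rule gets `default` (assumed here to be Block)."""
    for rule in rules:
        if rule_matches(rule, a):
            return rule.action, rule.description
    return default, "no rule matched (assumed default)"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule in the same direction
    is a full wildcard (IP / Any host / Any port) and therefore always matches first.
    This is the mistake of putting the 'block any site' rule above the 'allow xyz' rule."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction and earlier.protocol == "IP"
                    and earlier.dest_host == "Any" and earlier.dest_port == "Any"):
                shadowed.append(i)
                break
    return shadowed


# The two rules from the reply, in the order the reply gives them.
ALLOW_XYZ = Rule("Allow", "IP", "Out", "www.xyz.com", "Any", "Allow app to contact www.xyz.com")
BLOCK_ALL = Rule("Block", "IP", "Out", "Any", "Any", "Prevent abc.exe from contacting any site")
RULES = [ALLOW_XYZ, BLOCK_ALL]

if __name__ == "__main__":
    # Constructed connection attempts by abc.exe
    for attempt in (
        Attempt("TCP", "Out", "www.xyz.com", 443),   # the validation service: allowed by rule 1
        Attempt("TCP", "Out", "www.abc.com", 80),    # the site the poster wants blocked: rule 2
        Attempt("UDP", "Out", "8.8.8.8", 53),        # any other destination or protocol: rule 2
    ):
        print(attempt.dest_host, "->", evaluate(RULES, attempt))
    # Same two rules in the wrong order: the allow can never fire
    print("shadowed in reversed order:", shadowed_rules(list(reversed(RULES))))
```

Running the script shows only www.xyz.com reaching an Allow; every other outbound attempt, whatever its protocol, stops at the block rule. Reversing the order silently turns the allow rule into dead configuration, which is what shadowed_rules flags, so checking rule order after editing is the practical way to confirm the intent of "everything blocked except xyz.com" survived the change.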