Selectively keeping WMP from accessing the internet

With previous firewalls, whenever I opened WMP 10 I always was alerted that it wanted to connect to the Internet, and was given the option to deny it access. I always enjoyed denying it this access, figuring MS had no business knowing what I was playing in WMP.

With CFP 3, I no longer get these alerts, and fear I have somehow granted WMP blanket access to the 'net.

My questions are:

  1. How do I determine if WMP has been granted such access?
  2. How do I configure CFP 3 to ask me for permission whenever WMP attempts to access the internet?

Open CFP, click Firewall->Advanced->Network Security Policy->Application Rules and see if there’s an entry that allows wmplayer.exe access to the Internet.

CFP should ask unless it’s allowed or blocked.

Cheers,
Ragwing

It may have been granted “Safe” status as a result of the safe list that comes with the software (CFP). You can try adding it to the list and writing some rules to have it “Ask” before allowing a connection - or just Deny it. Click Firewall>Advanced>Network Security Policies> and look to see if it is on the list there. If it is, you can Edit the rules for it, but you will likely have to “Add” the program. Click the Add button and click Select and then Browse. Browse to the WMP exe file and select it. Once it is added to the list you will have to write some rules to define permissions for it. If you have the addresses of the MS IPs that you don’t want to connect to, you can write a rule that will exclude those IPs by clicking the Exclude box on the Destination tab.

Thank you both for your help.

I see wmplayer.exe listed under Firewall->Advanced->Network Security Policy->Application Rules

If I edit the rules to “ask”, it still allows WMP to connect (judging by what I see in “View Firewall Events”, and by the fact there is no alert asking for permission).

If I edit the rules to “block”, it seems to block (at least in the “View Firewall Events” log).

Either way, I get no alert when I open WMP.

There may be several reasons why WMP is “phoning home” or otherwise attempting to connect to the Internet. Under Windows XP:

  1. WMP is checking for updates (Tools > Options > Player [tab] > Automatic Updates). You can set this for “Once a Month” and uncheck “Download codecs automatically.”

  2. WMP is set to connect to the Internet (Tools > Options > Player [tab] > Player settings > [uncheck] “Connect to the Internet (overrides other commands)”).

  3. The Windows Media Player Network Sharing Service is running and may be trying to connect to the Internet. I believe the default is “Automatic”. You can disable this service (Start > Administrative Tools > Services) by scrolling down the list of Services, double-clicking on Windows Media Player Network Sharing Service and in the drop-down menu for “Startup Type”, select “Disabled.”

I have disabled Windows Media Player Network Sharing Service on my systems and it has had no detrimental impact on WMP. However, if you share your WMP libraries with other devices on your network, do not disable this service.

Even if you did what Stephen (USSS) states, WMP (version 10 for me) will still attempt to connect, at least for UDP loopback. To stop it from doing that without the need of CFP, you can click the File menu and then enable the Work Offline option. This option, unfortunately, I don’t recommend because I used to do it myself and later found out it’s tied with Internet Explorer’s Work Offline option, which in turn disables CFP from receiving updates.

Soya, you’re right: I just verified this on WMP 11. I doubt that a pit bull could stop WMP from connecting. Maybe there’s a registry hack for this, but I digress…

Perhaps a different media player that “plays by the rules” might be a workaround.

If I can add my 20 milli-quatloos, there is a way of telling WMP not to touch the Internet, and it’s buried down in the bits of the Microsoft Management Console. I’m running WinXP Pro SP2. XP Home may be different, as it really isn’t supposed to be in a corporate setting.

To get to the right place to flip the bits:

Start → Run, enter “mmc”. That’ll open the management console with basically no functionality present.
From the top line, select File, and select “Add/Remove Snap-In”.

That’ll give you pretty much another blank selection window. Click “add”, and from the list select “Group Policy Object Editor”. Keep it to your Local Computer. The Management Console stuff is designed for corporate environments with centralized remote management. Click Finish, and you’ll get a “Local Computer Policy” in the snap-in list. Close and OK back out.

When you get back to the Console1 screen, expand Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components.

At the bottom of that list, you’ll see two entries: Windows Media Player, and Windows Media Digital Rights Management, as folders.

Each of these folders contains settings that you can configure. Click to highlight the setting, and right-click to select Properties to change the setting.

Making a change takes effect immediately, so watch your step.

You will want to save this console, so when you’re done, click File → Save As, to give it a name, and save it in some folder somewhere.

Corporate environments use templates like this to lock down machines (who wants Movie Maker running on the Finance Dept payroll box? And explain why, to the risk auditors?) Mess up settings, and you will pretty much have to reinstall from scratch. Registry editing is comparatively a breeze. But you can turn stuff off, and it’ll stay turned off.

Thanks for the advice, Grue. At first I thought some of those steps were redundant because the gpedit.msc command will instantly get to the MMC, but your steps revealed something that I haven’t seen in the standard Group Policy Editor: the Windows Media Digital Rights Management entry. But even with that extra option disabled, WMP still attempts UDP loopback to what looks to be my ISP every time it’s loaded.

[attachment deleted by admin]

Loopback? As in 127.0.0.1? Your screenshot though shows a port 53 DNS lookup, and it’s next to impossible to turn off DNS lookup. There’s a “DNS Client Service” running around in the background that builds its IP address cache. If you could determine the name that’s being looked up, you could put that in the etc\hosts file, and then it wouldn’t have to do a lookup any more.
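Added example, not part of any post in this thread: one way to carry out the hosts-file suggestion above is to decode the question name from a captured UDP port 53 payload and format a hosts entry for it. The function names, the sample query for the placeholder name `updates.example.test`, and the choice of 127.0.0.1 as the mapped address are all assumptions made for illustration.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (used here only to make sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def queried_name(payload):
    """Return the first question name from a DNS query's UDP payload."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        raise ValueError("this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length & 0xC0:        # top bits set means a compression pointer
            raise ValueError("compression pointer not expected in a query name")
        if pos + length > len(payload):
            raise ValueError("label runs past end of packet")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()   # DNS names are case-insensitive

def hosts_line(name, address="127.0.0.1"):
    """Format a hosts-file entry; refuse names that could inject extra fields."""
    if not name or any(c.isspace() or c == "#" for c in name):
        raise ValueError("unsafe host name")
    return f"{address}\t{name}"

# Constructed sample: a query for a placeholder name, as seen on UDP port 53.
SAMPLE = build_query("Updates.Example.TEST")

if __name__ == "__main__":
    print(hosts_line(queried_name(SAMPLE)))
```

The payload would come from a packet capture of the UDP port 53 traffic; the firewall event log shown in the thread records only the protocol and destination address, not the name being queried.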

Doh! The DRM entry was already there in the standard gpedit (just didn’t see until now).

My DNS Client Service was already disabled and my host file is blank other than the first line:

127.0.0.1       localhost

I thought it was UDP loopback from v2 and in v3, the Defense+ automatically allowed Loopback for wmp (using PC Clean Mode).

WMP is the only one I use that does this with all available options related to connecting out disabled.

[attachment deleted by admin]

Well, a curiosity question then. Have you tried using the “Blocked Application” policy on WMP? That should stop anything from getting out, or at least be a good test case to see that CFP 3 is working properly.

That’s exactly what I did at first ;D. I only unblocked it to show the others that WMP still attempts that kind of connection.

And sorry for my previous thought because it was incorrect: I removed explorer.exe from my Blocked Application rule and when I tried to browse the net with it, it also had the same UDP connection, which is the DNS lookup as you stated.

But the difference between explorer.exe and wmplayer.exe seems to be that the latter automatically does it whenever it’s loaded. I just don’t understand why it does it with no internet connection allowed to it. Shouldn’t DNS lookups only be done when the user tries to connect out with the program in question?

Ideally, yes, that should be the only time anything happens. But, as with Java, and Adobe Reader, there are now background automatic updates that happen as soon as you open the program. The DNS lookup can happen anyhow, before the “oh, update is turned off” check is done. That way the program maker can still watch their DNS logs, and see their products out in the world. The solution to that is to run your own DNS server, and block the host names.

Thanks. So it was right of me to name my first pic as that ;D

Yup. Square on with the name.

We’ve drifted a bit off the topic of what CFP can do. Do we have a confirm on “Blocked Application” doing the job, given that DNS will leak a lookup packet or two? If so, then we can resolve and lock.

I was already done before I joined this thread, but the topic starter doesn’t seem to have all the answers yet even though the core issue appears (corresponding to the topic title) to have been resolved.

The other side question he has is why he’s not receiving any alerts from WMP.

Sorry to take so long to respond, and thanks to all that replied.

Just to clarify, I’m not really trying to prevent WMP from connecting to the net, but to be alerted to these attempts, and to be asked to allow or deny this.

Whenever I open WMP, I get no alerts, but the “View Firewall Events” shows it has allowed WMP to connect with:

TCP Protocol to 207.46.250.101 (Microsoft)
UDP Protocol to 64.71.255.198 (Rogers, my ISP)

This despite the fact I have the following application rule:

If I change that rule from “ask” to “block”, then WMP does not connect. But occasionally I want to use WMP to play internet content, which this also blocks.

I’m obviously missing something here…

Yes you are:

  1. You should change (click the Modify button to edit your first post) this thread title to something that suits your needs. Here we were discussing on how to prevent yet another one of Bill’s toys. Good ideas, though ;D.
  2. Maybe you need to up your settings. See pic.

[attachment deleted by admin]

Thanks, Soyabeaner.

  1. Actually my understanding was that one can’t prevent WMP from attempting to phone home - although obviously one can block it. I’ve altered my first post title, as suggested.

  2. My alert settings were actually set higher than your pic suggested. I’ve tried all the alert settings, with no effect. It seems that CFP either allows or blocks WMP, with no way to get any alert, much less one that asks what you want to do.

Perhaps it’s related to the permissions I granted when I first installed. I’m waiting for the update, and will pay more attention next time…