11

Regularly, some Windows Update packages silently re-enable firewall rules, both inbound and outbound. Is there a way to disable a rule for good, or to remove from Windows Update the right to alter firewall rules?

(deleting rules does no good, Windows Update will recreate them)

Example of "frivolous" rules that keep re-enabling themselves: Windows Reading List, MSN Sports, Solitaire Collection, Get Office etc.

This is for a Windows 10 machine on a semi-public network, and AllJoyn, cast servers or various XBox ports are never ever going to be anything but security liabilities.

Eric
    use a 3rd party Firewall – magicandre1981 Jun 22 '16 at 04:31
  • 1
    Some users do not have an option to use a third party firewall. And many third party firewalls (and related security suites) interfere with the computer's functioning. – William Mar 13 '17 at 14:42
  • I wish I could up-vote this question several more times. Any windows component creating or re-enabling a firewall rule without user authorization is a "bad thing". Any mechanism to prevent this would be a boon to security and privacy. – William Mar 13 '17 at 14:42
  • agreed. I was fully updated yesterday, and today's update enabled 23 outbound rules and 11 inbound (!) rules. These rules that Microsoft decided were more important than my existing security configuration included XBox, Solitaire, Paint3D, Groove Music, Calculator, Microsoft Store, Mixed Reality Viewer, Microsoft Pay, App Installer... What a ridiculous assertion for an OS update to make; that I want to inbound-connect games and payment information instead of preserving security. Not to mention, what the HECK does a simple calculator app need Internet connectivity for? – shannon Jun 24 '18 at 20:01
  • Possible duplicate, I haven't verified this Windows 7 solution works for this: https://superuser.com/questions/467455/how-to-prevent-applications-from-modifying-windows-7-firewall-policy – shannon Jun 24 '18 at 20:06
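The question is really about noticing (and undoing) the re-enabling after the fact, since the local store can be written by anything running as administrator. The following PowerShell is an added example, not code from the question or any answer: it snapshots the enabled state of every rule in the local persistent store, reports rules that an update created or re-enabled, and can put the re-enabled ones back to disabled. The snapshot location and function names are my own choices.

```powershell
# Added example (not from the original post). Baseline/diff of the local firewall
# rule store so that rules re-enabled by an update show up and can be reverted.
# $SnapshotPath is an assumed location; change it to suit.
$SnapshotPath = Join-Path $env:ProgramData 'FirewallAudit\rules-baseline.csv'

function Get-FirewallRuleState {
    # PersistentStore holds the "local firewall" rules that installers and updates edit.
    Get-NetFirewallRule -PolicyStore PersistentStore |
        Select-Object Name, DisplayName, Direction, Action, Enabled, Profile, Group
}

function Save-FirewallBaseline {
    # Run once when the rule set is the way you want it.
    param([string]$Path = $SnapshotPath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-FirewallRuleState | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-FirewallBaseline {
    # Emits one object per rule that is new, re-enabled or disabled since the baseline.
    param([string]$Path = $SnapshotPath)
    $baseline = @{}
    Import-Csv -Path $Path | ForEach-Object { $baseline[$_.Name] = $_ }
    foreach ($rule in Get-FirewallRuleState) {
        $old = $baseline[$rule.Name]
        $now = [string]$rule.Enabled          # enum -> "True"/"False", same as the CSV
        $change = if ($null -eq $old) { 'New' }
                  elseif ($old.Enabled -eq 'False' -and $now -eq 'True') { 'Re-enabled' }
                  elseif ($old.Enabled -eq 'True'  -and $now -eq 'False') { 'Disabled' }
        if ($change) {
            [pscustomobject]@{
                Change = $change; Name = $rule.Name; DisplayName = $rule.DisplayName
                Direction = $rule.Direction; Action = $rule.Action; Group = $rule.Group
            }
        }
    }
}

function Restore-FirewallBaseline {
    # Disable again every rule that the baseline had disabled; new rules are only reported,
    # so you can decide about them yourself.
    param([string]$Path = $SnapshotPath)
    Compare-FirewallBaseline -Path $Path | ForEach-Object {
        if ($_.Change -eq 'Re-enabled') { Disable-NetFirewallRule -Name $_.Name }
        $_
    }
}

# Typical use (elevated PowerShell):
#   Save-FirewallBaseline            # once, after tidying the rules
#   Compare-FirewallBaseline | Format-Table   # after an update, see what moved
#   Restore-FirewallBaseline         # revert the re-enabled ones, list the new ones
```

Matching on the rule `Name` (the GUID-style identifier) rather than `DisplayName` matters, because several of the store apps ship duplicate display names for different profiles. This is detection and clean-up only; it does not stop the next update from flipping the rules again, which is what the Group Policy answers below address.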

4 Answers

1

TL;DR: It's not possible to stop programs with Administrator access from changing firewall rules. Windows Firewall Control is a program that will automatically delete or disable Windows Firewall rules that you didn't approve by using the Secure Rules functionality.

The problem is that any program that runs with Administrator privileges is allowed to silently change Windows Firewall rules. Windows Update is joined by Firefox, Chrome and many others that feel entitled to ensure that they can send and receive network traffic without asking your permission.

The best solution I've found has been to use Windows Firewall Control (WFC) which has been acquired by Malwarebytes as of 2018. While there are a number of other products that provide a better interface on top of the Windows Firewall, this is the only one I've found that solves the problem you raise. It has functionality that it calls "Secure Rules" which will automatically disable any rules that were not created by the specific authorized groups. I have it so just Windows Firewall Control is allowed to create rules. According to the user guide, the way it works is for Windows Firewall Control to be notified when new rules are created and it will disable them if they're not in the right group.

Here's what the configuration looks like

When Chrome is updated, it tries to add a rule. The rule is created but automatically disabled by WFC.

A few other notes:

  • WFC is free but not open source. I personally would be happy to pay for it (as I have done to try a number of competing products) but hopefully it'll continue to be developed
  • I personally really like how it prompts me when a new program tries to access the network for the first time, but I can imagine that this would be as annoying as for any similar product. It's got the necessary learning mode, but you'd need to have some level of networking knowledge to get set up
  • As it sits on top of Windows Firewall, it's possible to verify that it will block itself from accessing the Internet, which is what you'd want
  • I've never noticed any performance issues
Quetza
1

(This thread comes up high on search engines and yet a really good solution is overlooked. It is a bit of a necro post but someone might find it useful).

Avoid using the Windows Firewall as you usually would, because it is too easy to add new rules. This is known as the "local firewall" and is effectively useless for blocking app telemetry, DRM and other cruft because, as you have seen, it is too easy for a program to allow it.

Instead use the Windows Firewall from group policy. Run 'gpedit' as administrator and navigate to Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security.

This looks the same as the normal firewall (just embedded in group policy tool) but cannot be altered via scripts. At this point go through all of the options carefully and set your preferences.

The most important part is for each profile, click on settings and disable the local firewall rules in the rule merging section. Those rules cannot be trusted so you do not want them in there.

I personally would disable the "local firewall" entirely and just use the group policy firewall. It is tricky to manage both because frankly, it is a massive mess. Annoyingly the third party ones aren't much better. Do note however, I would always advise to use a dedicated Linux or BSD based firewall appliance for anything important. These offer proper ordered rules and stateful firewalls, etc.

1

Addition to @Karsten Pedersen's answer:

And you can actually export your current rules in local FW to a file and then import it into the policy-firewall :-)

MrCalvin
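The two steps in Karsten Pedersen's answer (move policy into the Group Policy firewall, then switch off local rule merging per profile) and MrCalvin's export/import of existing rules can both be done from PowerShell. The script below is an added example, not code from either answer. It assumes that `-PolicyStore localhost` addresses the local computer GPO that gpedit edits; the rule display name passed at the end is only a placeholder to adjust.

```powershell
# Added example (not from the answers). Puts firewall policy into the local Group
# Policy store and stops PersistentStore ("local firewall") rules from being merged
# into the effective policy, which is what keeps update-enabled rules from mattering.
# Assumption: 'localhost' as PolicyStore is the local computer GPO.
$GpoStore = 'localhost'

function Disable-LocalRuleMerging {
    # For every profile: firewall on, and neither local rules nor local IPsec rules merged.
    Set-NetFirewallProfile -PolicyStore $GpoStore -Profile Domain, Private, Public `
        -Enabled True -AllowLocalFirewallRules False -AllowLocalIPsecRules False
}

function Copy-LocalRuleToGpo {
    # Carry over only the local rules you have vetted, selected by display name
    # (the export/import step from the addition, done with Copy-NetFirewallRule).
    param([Parameter(Mandatory)][string[]]$DisplayName)
    foreach ($name in $DisplayName) {
        Get-NetFirewallRule -PolicyStore PersistentStore -DisplayName $name |
            Copy-NetFirewallRule -NewPolicyStore $GpoStore
    }
}

function Show-EffectiveFirewallPolicy {
    # What is actually enforced after the policy refresh: profile settings from the
    # active store, plus the enabled rules in the resultant set of policy (RSOP).
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules
    Get-NetFirewallRule -PolicyStore RSOP |
        Where-Object { [string]$_.Enabled -eq 'True' } |
        Select-Object DisplayName, Direction, Action, Profile
}

# Run elevated. The display name below is a placeholder for a rule you actually want.
Disable-LocalRuleMerging
Copy-LocalRuleToGpo -DisplayName 'PLACEHOLDER - rule you trust (TCP-In)'
gpupdate.exe /target:computer /force | Out-Null
Show-EffectiveFirewallPolicy
```

After the refresh, the rules that Windows Update keeps re-enabling still exist in the local store, but with merging off they no longer appear in the RSOP listing and so never open a port; only what you copied into the GPO store counts. The same cmdlets work against a domain GPO by giving `domain.fqdn\GPO_name` as the store instead of `localhost`.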
0

Set the firewall rules in group policy. They will be retained between feature updates: How can I open ports in the Windows firewall using GPO?

I see them under this area: Computer Configuration -> Administrative Templates -> Network -> Network Connection -> Windows Firewall -> Domain Profile. These days there are special ones for icmp (ping) and remote desktop.

js2010
  • I am not sure how to understand your answer. I suggest elaborating; your answer is in the VLQ queue. – peterh May 07 '20 at 19:41
  • @js2010 , please don't answer 4-year-old orphan questions. Please, when writing answers, only make fully-explained answers that genuinely help a person who didn't have all of the information and perspective that they needed. – Christopher Hostage May 07 '20 at 20:04
  • js2010 isn't wrong though. The group policy firewall is the solution. I have added my own answer to hopefully explain the process in more detail. – Karsten Pedersen Jun 25 '21 at 16:21