Block Outgoing Connections to the Internet with Windows Firewall
By default, Windows Firewall blocks incoming connections from the Internet unless the receiving program is on the exceptions list, but it does nothing to stop outgoing connections. Even if you uncheck or remove the program from the exceptions list, this change only affects incoming traffic, so the program can still access the Internet.
If you’re worried what a program might do with that privilege, such as sending error reports, submitting user data or automatically updating itself, you can block it with outbound rules through the firewall’s advanced settings. Once a blocking rule has been established, it remains on the list of configured rules, so you can quickly enable or disable it to control the program’s access.
Adding Connection Rules
1. Open the Control Panel (press “Win-X,” then select “Control Panel”) and click “System and Security,” “Windows Firewall” and then “Advanced Settings.”
2. Click “Outbound Rules” in the left pane and select “New Rule” in the right pane. To block incoming traffic, click “Inbound Rules” instead; the procedure for creating a new blocking rule is identical for inbound or outbound rules, except for the initial Inbound Rules or Outbound Rules selection.
3. Select “Program” and click “Next.”
4. Select “This Program Path,” click “Browse,” choose the program you wish to block and then click “Next.” If you choose “All Programs,” then Windows Firewall stops all outgoing (or incoming) connections.
5. Select “Block the Connection” and click “Next.”
6. Check when you want the rule applied and click “Next.” To totally block the program, select all the check boxes. If you only want to block the program when connected to, for example, a coffee shop’s public hotspot, only check “Public.”
7. Enter a descriptive name and click “Finish.” If you are establishing similar rules, make sure this name enables you to tell them apart, such as “Block Installed Chrome” versus “Block Chrome Portable.”
8. Test that the program is blocked by firing it up and attempting to access the Internet.
9. To later disable the rule, click the entry in the Inbound or Outbound Rules list and click “Disable Rule” in the lower right panel. If you see “Enable Rule” instead, it means the rule is currently disabled; click “Enable Rule” to make it active again.
10. Repeat the process, but select “Inbound Rules” in Step 2 to also block incoming traffic to the program.
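The same procedure expressed with the NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later), as an added example that is not part of the original article. The rule names and the Chrome path are assumptions, and the script must run in an elevated session.

```powershell
# Added example: steps 2-10 above as PowerShell, using the NetSecurity cmdlets
# shipped with Windows 8 / Server 2012 and later. Not from the original article.
# The program path and rule names are assumptions; adjust them to your machine.
#Requires -RunAsAdministrator

$RuleName = 'Block Installed Chrome'   # step 7: a name that tells similar rules apart
$Program  = 'C:\Program Files\Google\Chrome\Application\chrome.exe'  # assumed path

if (-not (Test-Path -LiteralPath $Program)) {
    throw "Program not found: $Program"
}

# Steps 2-6: Outbound, Program, This Program Path, Block the Connection, and the
# profiles the rule applies to. Use -Profile Public alone to block the program
# only on untrusted networks such as a coffee shop hotspot.
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Blocks all outbound traffic from the installed Chrome build' `
    -Direction Outbound -Program $Program -Action Block `
    -Profile Domain, Private, Public -Enabled True | Out-Null

# Verify what was stored: direction, action and profiles live on the rule,
# the executable path on its associated application filter.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$app  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Name      = $rule.DisplayName
    Direction = $rule.Direction
    Action    = $rule.Action
    Profile   = $rule.Profile
    Enabled   = $rule.Enabled
    Program   = $app.Program
} | Format-List

# Step 8 remains a manual test: start the program and try to reach a web site.
# Step 9: disable rather than delete, so the rule stays in the list for reuse.
Disable-NetFirewallRule -DisplayName $RuleName
(Get-NetFirewallRule -DisplayName $RuleName).Enabled    # shows the current state
Enable-NetFirewallRule -DisplayName $RuleName

# Step 10: the matching inbound rule differs only in -Direction.
New-NetFirewallRule -DisplayName "$RuleName (inbound)" `
    -Direction Inbound -Program $Program -Action Block `
    -Profile Domain, Private, Public | Out-Null
```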
Blocking outgoing connections windows
Question
I’ve got a problem during a Windows 7 deployment project. We want to configure the integrated Windows Firewall to block all outbound network traffic when the client is on a «public» network (public firewall profile). We only want to open the ports that are needed for a VPN into the enterprise environment. In our situation these are DHCP, DNS, different rules for CRLs (for checking the client certificate) and the rules for the VPN itself. These rules are working well, but we have got a problem with the network profile identification.
We configured the firewall with a GPO so that all unknown networks are identified as public networks. The user can’t change the network profile to «Home» or «Work». So the network profiles can only be «public» or «domain».
We have a problem when opening only the ports mentioned above. When our client was on a «public» network it can’t find the way back to the domain profile. This may have something to do with the network identification by Network Location Awareness (NLA). Therefore we logged all dropped packets and found out there were many dropped packets on the following ports:
— 389 (TCP/UDP)
— 135, 137, 138 (UDP/TCP)
— 88 (Kerberos)
— 15032
We opened port 389 for UDP and TCP. After that we can successfully jump between public networks and the domain network.
But when we are on a public network and connecting to the VPN, the VPN network adapter does not find the way to the «domain» profile. It always stays on the «public» profile. Afterwards we opened port 88 (Kerberos) and then the network profile on the VPN adapter changed to public with a yellow exclamation mark as the profile icon and the status «(Not authenticated)».
After opening the NetBIOS ports (135, ...) and the strange port 15032, the VPN network adapter could change to the domain profile.
Can anyone tell me which ports are needed for a correct network profile identification by Network Location Awareness (NLA)? And why are these ports needed? It is very important for us to have a clear statement why we should open all these ports, because it is a high-security environment.
I hope you can help me with this problem. I can’t find any documentation from Microsoft about blocking all outbound connections in Windows Firewall.
Thanks a lot!
fox
Answers
Generally speaking, blocking all «outbound» traffic can be very problematic and is not typically recommended. You need to know and control every port used for communications on the network. For applications that use RPC, this means restricting the ports on which communication can occur.
For more on controlling this behavior, see the following article, «How to configure RPC dynamic port allocation to work with firewalls»:
http://support.microsoft.com/kb/154596
Though it may not be acceptable due to being a high security environment, you might consider testing a rule allowing all, or at least a wider range of, traffic to the specific IP of the authenticating DC. AuthIP can be tested to enhance security by requiring that a security principal be authenticated before allowing the connection. This is still not without risk if the box is compromised, but then again so are any open ports.
VPN virtual adaptors can also pose a unique challenge. 3rd party vendors can oftentimes present unique behaviors in the face of NLA. Some totally ignore the process and will always follow the profile of the physical adaptor. Others implement a block on all traffic other than what you specifically allow. Still others force interface configuration information that prevents NLA from operating. It is not stated here, and we may be using the Windows native client, making this a moot point, but I offer the info merely to illustrate the added level of complexity introduced by virtual adaptors.
DNS 53, Kerb 88, and LDAP 389 are required for resolving and connecting to the Domain Controller, but you may also see traffic from various name resolution / registration providers, such as NbtNs, LLMNR, WSDiscovery, SSDP, etc. Additional traffic may be required for the VPN authentication. The 15032 is an unknown, but it may be something specific to that box, perhaps even specific to the VPN client software itself if using 3rd party, or RPC. More information from a trace taken using Network Monitor 3.4 may be helpful; for example, additional detail about the frame and the destination IP might provide a little insight. With NetMon you can also add the «Process» column, which may help identify the generating process.
Ketan Thakkar | Microsoft Online Community Support
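As an added example that is not part of the thread, here is the poster's Public-profile setup approximated with the NetSecurity cmdlets (Windows 8 / Server 2012 and later; on Windows 7 the same settings are made with netsh advfirewall or the GPO), including the dropped-packet logging that revealed the extra ports. The domain controller and CRL addresses are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): the poster's Public-profile lockdown with
# the NetSecurity cmdlets (Windows 8 / Server 2012 and later; Windows 7 uses
# netsh advfirewall or the GPO for the same settings). Run elevated.
# The DC and CRL addresses are PLACEHOLDERS, not values from the thread.
#Requires -RunAsAdministrator

$DomainControllers = @('192.0.2.10', '192.0.2.11')   # PLACEHOLDER
$CrlHosts          = @('192.0.2.80')                 # PLACEHOLDER
$Log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall_public.log"

# Public profile: block outbound by default and log drops, which is how the
# poster found the NLA-related ports (389, 88, 135-138) in the first place.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block `
    -DefaultOutboundAction Block -LogBlocked True -LogFileName $Log

# Exceptions named in the question, scoped to the Public profile and, where the
# destination is known, to specific remote addresses.
$allow = @(
    @{ Name = 'Public: DHCP client';   Proto = 'UDP'; RPort = 67;  LPort = 68; Remote = 'Any' }
    @{ Name = 'Public: DNS';           Proto = 'UDP'; RPort = 53;  Remote = 'Any' }
    @{ Name = 'Public: CRL over HTTP'; Proto = 'TCP'; RPort = 80;  Remote = $CrlHosts }
    @{ Name = 'Public: LDAP TCP';      Proto = 'TCP'; RPort = 389; Remote = $DomainControllers }
    @{ Name = 'Public: LDAP UDP';      Proto = 'UDP'; RPort = 389; Remote = $DomainControllers }
    @{ Name = 'Public: Kerberos TCP';  Proto = 'TCP'; RPort = 88;  Remote = $DomainControllers }
    @{ Name = 'Public: Kerberos UDP';  Proto = 'UDP'; RPort = 88;  Remote = $DomainControllers }
)
foreach ($r in $allow) {
    $p = @{ DisplayName = $r.Name; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Public'
            Protocol = $r.Proto; RemotePort = $r.RPort; RemoteAddress = $r.Remote }
    if ($r.LPort) { $p.LocalPort = $r.LPort }
    New-NetFirewallRule @p | Out-Null
}

# Summarise outbound drops by protocol and destination port so that every
# further exception can be justified, as the poster asks.
function Get-DroppedOutboundPorts {
    param([string]$Path = $Log)
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
    Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^#' } |
        ForEach-Object { , ($_ -split '\s+') } |
        Where-Object { $_[2] -eq 'DROP' -and $_[-1] -eq 'SEND' } |
        Group-Object { '{0}/{1}' -f $_[3], $_[7] } |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Proto/DstPort'; e = { $_.Name } }
}
Get-DroppedOutboundPorts
```

Run the summary after a session on the public network; each line is a protocol/destination-port pair that something on the client tried to send to and was denied, which is the evidence to weigh before adding another allow rule.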
Sekhar Padikkal’s blog….
Making Windows Firewall complete: block outgoing connections and get notified. Review of Binisoft’s Windows Firewall Control
Windows Firewall (the old-school Internet Connection Firewall, or ICF) is what protects most of us. More people are concerned with antivirus and may opt for one from a third-party vendor. For most of them a firewall is simply something that comes with Windows.
A firewall can be either software-based or hardware-based and is used to help keep a network secure (in this case a workstation/PC). Its primary objective is to control incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. Windows Firewall is a software-based firewall that protects the workstation it resides on.
Background:
In the XP days Windows Firewall (ICF) could not block outbound connections, while it provided a fair bit of protection for the PC by blocking incoming connections that were not in the allowed rules.
Windows Firewall had a complete makeover when Windows Vista was released, followed by gradual incremental evolution through Windows 7 and Windows 8.
The firewall blocks or allows traffic based on a predetermined rule set. There are separate rules for inbound and outbound connections, or a rule can cover both. Windows Firewall can block or allow both inbound and outbound connections based on these rules. For inbound connections, when Windows Firewall is set to “block” (the default setting) and an application needs an inbound connection, we are notified and can allow or deny it based on common sense.
For outbound connections it is a completely different story: Windows Firewall lets you block outbound connections, but it will not show a notification when an application needs Internet access. So when you first set outbound connections to block, every application that is not already explicitly allowed by an outbound rule is forbidden to go out, and it is a daunting task to go into the Windows Firewall advanced settings (which are surprisingly powerful), select an application and open the communication door for it. So Microsoft’s answer is to keep the door open: the default setting for outbound connections in Windows Firewall is Allow. Microsoft took this decision so that the firewall would be less intrusive to the user.
In the screenshot below, outbound connections are set to “block”, which is not the default Windows Firewall setting.
A firewall is like a security officer at the gate who lets out only the people on his list. But there is also a security manager, which is us, who decides whom to let through based on requests. With Windows Firewall there are no requests, so the manager is left to work out and write the list himself.
Why do we need outbound filtering?
Outbound rules came to Windows Firewall from Windows Vista onwards, reflecting increasing concerns about spyware and viruses that attempt to “phone home”. Notifications, however, are not shown for outbound connections in Windows Firewall.
Phoning home, in computing, refers to an act of client-to-server communication which is undesirable to the user and/or proprietor of the device or software. It is often used to refer to the behavior of security systems which report network location, username, or other sensitive data to another computer. There are many malware applications that “phone home” to gather and store information about a person’s machine. Then there is legal phoning home, such as when an application validates its serial number with a server each time it is opened.
It is not just about phoning home or application validation: the ability to be notified when an application tries to make an outbound connection, and having visibility of those connections, gives the user more control and keeps him informed about what is happening on his workstation.
How to Block outgoing connections and get notified?
Some will go in the direction of a third-party firewall. Installing one will usually disable Windows Firewall.
There are products like
1) Checkpoint’s Zone Alarm Firewall
2) Comodo Firewall
3) Internet security suites from antivirus vendors like Avira, Avast etc. (end of thinking capacity)
The above-mentioned products will be in command when you go the third-party route. I am not commenting on how good they are, but some of them definitely have followers.
My route is a much leaner solution, if all you are after is this one feature: the ability to get notified and have visibility of outbound connections, so that you feel in control of your Windows PC.
Windows Firewall Control:
Windows Firewall Control (WFC) is a front end to our beloved Windows Firewall. It uses the firewall APIs provided by Microsoft to offer just what we need. Going the WFC way gives a much leaner solution: it is still Windows Firewall itself that protects us, and Microsoft will keep looking after Windows Firewall as part of its patches (Windows Update). The difference is that we get notified, so we can easily create rules for better protection.
Windows Firewall Control is from Binisoft. The software is under active development, which is what makes it attractive.
On the first page of the thread you can see the humble beginnings of Alexandru Dicu (the creator of Windows Firewall Control). It was his first project in C#, and it has now grown into the best front end for Windows Firewall. Thanks Alex.
Using the amazing WFC:
It runs in the system tray and lets the user control Windows Firewall easily.
High Filtering – All outbound and inbound connections are blocked. This setting blocks all attempts to connect to and from your computer. No communication whatsoever; it is just like pulling the Ethernet cable.
Medium Filtering – Outbound connections that do not match a rule are blocked. Only programs you allow can initiate outbound connections. This setting is our favorite part: it changes the Windows Firewall outbound setting from Allow to Block. This is just what we need.
Low Filtering – Outbound connections that do not match a rule are allowed. The user can block the programs he doesn’t want to initiate outbound connections. This is the default Windows Firewall setting.
No Filtering – Windows Firewall is turned off. Avoid using this setting unless you have another firewall running on your computer.
Recommended System Rules:
The setup will create some recommended rules at installation: Internet Control Message Protocol, Windows Time Service, Windows Update. The rest will be learned based on how you respond to the notifications.
Learning Mode/ Notifications:
This provides notifications for outgoing blocked connections. Four modes are available:
High – Display notifications for all outgoing connections that were blocked by Windows Firewall, including System and Svchost.exe
Medium – Display notifications only for regular programs, without notifications for System and Svchost.exe.
Low – Automatically allow digitally signed programs without notifications, but show notifications for unsigned programs.
Disabled – Notifications are disabled.
Notifications we get :
The feature we longed for in Windows Firewall.
Here is the notification I got for Firefox when I first opened it. Allow the program to access the Internet, done: a new rule is created. How easy is that.
If you want to be more specific about the port you open, or restrict the rule to a particular remote IP, protocol etc., you can click “Customize this rule before creating it”; that way you get an even tighter rule.
Manage Rules:
One intuitive interface where we can search and see the firewall rules at a single glance. This view gives enough information to satisfy us completely.
Managing rules in WFC is a breeze compared to what can be achieved with Windows Firewall alone.
Getting Windows Firewall Control: