Windows firewall block all connections

Question

Hello dear forum gurus. I have a strange and weird problem with Windows Firewall.
First of all I have to say that I have about 13-14 RDSH farms with multiple RDSH servers in each. Some RDSH servers restart every night, some once in two or three days.
And there are 5-6 RDSH servers that give me problems after every restart. For some reason, which I can't find out, Windows Firewall blocks all incoming and outgoing connections in the Domain profile, thus users can't connect to their remote desktops, and this causes a lot of calls to our Help Desk team.
By default, I always disable firewalls on all servers. So after a restart on those 5-6 servers I must access the system by iLO, and when I open an iLO console I can successfully log on to the system. Note that I can't log in by RDP. So I open Firewall.cpl in the iLO console, and I see the picture below.

When I press "Turn Windows Firewall on or off" I see the picture below.

I just untick them, disable the firewall and everything becomes OK.
So what to do? How to fix this problem?

What I did to solve this problem

  • Disabled the firewall. But after a restart, for some reason the firewall is enabled and all incoming connections are blocked. (Did not help)
  • Deployed a GPO to always keep the firewall turned off. Didn't work. For some reason the firewall was enabled and all incoming connections were blocked; moreover, I wasn't able to change any settings there because they were managed by GPO.
  • Reinstalled the system (just 1 RDSH server). Since the reinstall, no problem has occurred on that server.

ps: All servers are Windows 2008 R2 Enterprise SP1.
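The following diagnostic script is an added example, not something posted in the thread. It is meant for exactly the situation described above: after a reboot the Domain profile shows the firewall on with "Block all incoming connections" ticked, and local changes do not stick. The script reports whether those two settings are enforced from the Group Policy registry hive or come from the local firewall store, so the fix can be made in the right place (the GPO that gpresult lists, rather than the local UI). It targets Windows Server 2008 R2, which has no NetSecurity cmdlets, so it uses netsh and the documented policy and local registry paths directly; run it in an elevated PowerShell on the affected server.

```powershell
# Added diagnostic example, not from the original thread.
# Shows, for the Domain profile, whether "firewall on" (EnableFirewall) and
# "block all incoming connections" (DoNotAllowExceptions) are enforced by
# Group Policy or set locally. Windows Server 2008 R2: netsh + registry only.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'

function Get-FirewallRegValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured" (key or value absent). That distinction
    # matters: an absent policy value leaves the local value in effect.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-SettingSource {
    param([string]$Name)
    $pol = Get-FirewallRegValue -Path $policyKey -Name $Name
    $loc = Get-FirewallRegValue -Path $localKey  -Name $Name
    if ($pol -ne $null) {
        return "$Name = $pol  (enforced by Group Policy; local value '$loc' is ignored)"
    }
    if ($loc -ne $null) {
        return "$Name = $loc  (local setting; no policy configured)"
    }
    return "$Name  not configured in policy or local store (defaults apply)"
}

'=== Effective Domain profile as reported by the firewall service ==='
netsh advfirewall show domainprofile

'=== Origin of the two settings the poster finds ticked after a reboot ==='
# EnableFirewall 1        = Windows Firewall on for this profile.
# DoNotAllowExceptions 1  = "Block all incoming connections, including those
#                            in the list of allowed programs".
Get-SettingSource -Name 'EnableFirewall'
Get-SettingSource -Name 'DoNotAllowExceptions'

'=== Firewall services and the GPOs applied to this computer ==='
Get-Service -Name MpsSvc, BFE | Select-Object Name, Status
gpresult /r /scope computer
```

If both values come back as "enforced by Group Policy", the local UI will keep reverting after every policy refresh, which matches the poster's experience; the GPO named in the gpresult output is then where the Domain profile setting has to be changed. A local-only result on a machine that still reverts points instead at something rewriting the local store between reboots.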

Firewall — Blocking Outbound Connections Issues

Hi guys! I just set WF to block all outbound connections except those in the allowed list (rules), but have some issues. When I add an allow rule for e.g. Internet Explorer, Chrome, etc., they don't work and lose the ability to access the Internet. Tried a lot of things, associating some services with them like svchost.exe, but no luck.

Replies (6) 

Welcome to Microsoft Community Forum.

I understand how frustrating it could be when things do not work as expected.

Please do not worry I will try my best to resolve it.

I would like to inform you that apart from svchost.exe there may be a number of dependency services and files that you may have disabled.

Before we proceed I would require some more information to assist you better.

1. Which outbound rules have you disconnected?

I would suggest you try the following steps:

Step 1: Understanding Windows Firewall Settings.

1. Windows Firewall has mainly three settings:

i. Block all incoming connections, including those in the list of allowed programs.
ii. Notify me when Windows Firewall blocks a new program.
iii. Turn off Windows Firewall (not recommended).

2. You can apply the first setting and give exceptions to other programs or devices that you don’t want to block.

1. By default, most programs are blocked by Windows Firewall to help make your computer more secure.

Note: The article explains how to open a port; you can block the port by following the steps from the article.

Note: The article explains how to allow a program to communicate; you can block the program by following the steps from the article.

Important: Keep port 8080 open; you do NOT need to "tighten" the security, as long as you have Windows Firewall turned on and you have antivirus and antispyware, then your system is secure.

Configuring the Default Outbound Firewall Behavior to Block

Hope the information helps. Let us know if you need further assistance with Windows related issues. We will be happy to help.

Thank you for keeping us updated on the status of the issue.

Have you tried the suggestions provided in the earlier post?

Please reply with results so that we can assist you further.

None of the above worked, sorry mate!

For proper working of the MS firewall I must open ports 80 and 443, and then Internet Explorer and Chrome work. For other software I have no such problems atm; for Windows Update I don't know.

But the firewall is still buggy: it doesn't show which critical processes or services are being blocked.

I'm currently using the MS Windows 7 Ultimate firewall + MSSE but am thinking of going with a 3rd-party firewall again, something like Agnitum Outpost Firewall Pro or Private Firewall.

p.s. Windows Firewall is great but doesn't show which services or processes are being blocked; in the beginning I was thinking that svchost.exe was the problem, but no, I opened all ports for it and still have no Internet access, sadly. I don't want to open ports 80, 443, 8080 for all programs; I want to open them only for browsers (Google Chrome, Internet Explorer, Firefox, etc.). But there is no solution for that in the firewall.

This is slightly off topic, but I had all sorts of similar issues with W7 built in O/G firewall, until I stumbled upon this sort of add-on — http://www.sphinx-soft.com/ I found it at CNET — http://download.cnet.com/Windows-7-Firewall-Control-64-bit/3000-10435_4-10673576.html

There is a basic free version, but you have to buy the full version if you need all the facilities.

Windows7FirewallControl is based entirely on the Windows Filtering Platform (WFP), the security core of Windows 7/Vista/2008, and does not install any third-party kernel drivers. The built-in firewall is based on the same WFP as well. Both products work entirely independently. You can switch the built-in firewall ON or OFF at your option due to complete product independence.

There is a support forum here — http://vistafirewallcontrol.freeforums.org/index.php so you could perhaps sign up and ask any specific questions there before downloading and trying it, to make sure it does what you want.

This is NOT an advert, I do not work for them, but I do use it on my netbook and it's certainly easier than the W7 inbuilt rules for O/G.

There are other alternatives to look at as well. See CNET for some examples — http://download.cnet.com/windows/firewall-software/?tag=bc ( like ZoneAlarm for example ) one of which may do what you want and probably certainly easier than the in-built system.

As always fully AV check anything you download before installing it.

If that's not what you are after — Apologies — Just ignore.

Windows firewall block all connections

Question

I've got a problem during a Windows 7 deployment project. We want to configure the integrated Windows Firewall to block all outbound network traffic when the client is on a "public" network (public firewall profile). We only want to open the necessary ports that are needed for a VPN into the enterprise environment. In our situation these are DHCP, DNS, different rules for CRLs (for checking the client certificate) and the rules for the VPN itself. These rules are working well, but we have got a problem with the network profile identification.

We configured the firewall with a GPO so that all unknown networks are identified as public networks. The user can't change the network profile to "Home" or "Work". So the network profiles can only be "public" or "domain".

We have a problem when opening only the ports mentioned above. When our client was on a "public" network it couldn't find its way back to the domain profile. This may have something to do with the network identification by Network Location Awareness (NLA). Therefore we logged all dropped packets and found out there were many dropped packets on the following ports:

— 389 (TCP/UDP)
— 135, 137, 138 (UDP/TCP)
— 88 (Kerberos)
— 15032

We opened port 389 for UDP and TCP. After that we can successfully switch between public networks and the domain network.

But when we are on a public network and connect to the VPN, the VPN network adapter does not find its way to the "domain" profile. It always stays on the "public" profile. Afterwards we opened port 88 (Kerberos) and then the network profile on the VPN adapter changed to public with a yellow exclamation mark as the profile icon and the status "(Not authenticated)".

After opening the NetBIOS ports (135, ...) and the strange port 15032, the VPN network adapter could change to the domain profile.

Can anyone tell me which ports are needed for a correct network profile identification by Network Location Awareness (NLA)? And why are these ports needed? It is very important for us to have a clear statement why we should open all these ports, because it is a high-security environment.

I hope you can help me with this problem. I can’t find any documentation from Microsoft about blocking all outbound connections in Windows Firewall.

Thanks a lot!
fox

Answers

Generally speaking, blocking all "outbound" traffic can be very problematic and is not typically recommended. You need to know and control every port used for communications on the network. For applications that use RPC, this means restricting the ports on which communication can occur.

For more on controlling this behavior, see the following article «How to configure RPC dynamic port allocation to work with firewalls»
http://support.microsoft.com/kb/154596

Though it may not be acceptable due to being a high-security environment, you might consider testing a rule allowing all, or at least a wider range of, traffic to the specific IP of the authenticating DC. AuthIP can be tested to enhance security by requiring that a security principal be authenticated before allowing the connection. This is still not without risk if the box is compromised, but then again so are any open ports.

VPN virtual adaptors can also pose a unique challenge. 3rd-party vendors can often present unique behaviors in the face of NLA. Some totally ignore the process and will always follow the profile of the physical adaptor. Others implement a block on all traffic other than what you specifically allow. Still others force interface configuration information that prevents NLA from operating. It is not stated here, and we may be using the Windows native client, making this a moot point, but I offer the info merely to illustrate the added level of complexity introduced by virtual adaptors.

DNS 53, Kerberos 88, and LDAP 389 are required for resolving and connecting to the Domain Controller, but you may also see traffic from various name resolution / registration providers, such as NbtNs, LLMNR, WSDiscovery, SSDP, etc. Additional traffic may be required for the VPN authentication. The 15032 is an unknown, but it may be something specific to that box, perhaps even specific to the VPN client software itself if using 3rd party, or RPC. More information from a trace taken using Network Monitor 3.4 may be helpful; for example, additional detail about the frame and the destination IP might provide a little insight. With NetMon you can also add the "Process" column, which may help identify the generating process.

Ketan Thakkar | Microsoft Online Community Support
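The script below is an added example, not part of the thread or of Microsoft support's answer. It does two things the exchange above talks about but never shows. First, a function that configures the Public profile the way the question describes, with netsh advfirewall (present on Windows 7 / Server 2008 R2 and later): default outbound block, dropped-packet logging, and narrow allow rules for DHCP, DNS, and the Kerberos 88 / LDAP 389 traffic to the domain controller that the answer names as required. Second, the diagnostic the poster used to find ports 389, 88 and 135-138: a parser that summarises dropped outbound packets from the firewall log by protocol, destination port and destination address. The DC address 192.0.2.10 is a placeholder from the RFC 5737 documentation range; the VPN and CRL rules, which the question says already work, are not repeated. The configuration function is defined but not called, because it changes live policy; the parser runs on a constructed log sample so the block can be tried offline.

```powershell
# Added example, not from the original thread. Run elevated.

$DcAddress = '192.0.2.10'   # placeholder DC address, replace with your own

function Set-PublicOutboundBlock {
    param([string]$Dc)
    # Default action for the Public profile: block in both directions.
    netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound
    # Log drops (default file %systemroot%\system32\LogFiles\Firewall\pfirewall.log)
    # so anything still missing for NLA or the DC shows up by port.
    netsh advfirewall set publicprofile logging droppedconnections enable

    # DHCP client (UDP 68 -> 67) and DNS come first; DNS is not pinned to the DC
    # because the VPN gateway name must resolve before the tunnel exists.
    netsh advfirewall firewall add rule name=Out-DHCP-client dir=out action=allow profile=public protocol=UDP localport=68 remoteport=67
    netsh advfirewall firewall add rule name=Out-DNS-UDP dir=out action=allow profile=public protocol=UDP remoteport=53
    netsh advfirewall firewall add rule name=Out-DNS-TCP dir=out action=allow profile=public protocol=TCP remoteport=53

    # Kerberos 88 and LDAP 389, scoped to the DC only (the answer's "wider
    # range of traffic to the specific IP of the authenticating DC" idea,
    # kept narrow).
    foreach ($proto in 'TCP', 'UDP') {
        netsh advfirewall firewall add rule name=Out-Kerberos-DC-$proto dir=out action=allow profile=public protocol=$proto remoteip=$Dc remoteport=88
        netsh advfirewall firewall add rule name=Out-LDAP-DC-$proto dir=out action=allow profile=public protocol=$proto remoteip=$Dc remoteport=389
    }
}

function Get-DroppedOutboundByPort {
    param([string[]]$Lines)
    # pfirewall.log fields:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path      (path: SEND/RECEIVE)
    $hits = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }          # header lines
        $f = $line -split ' '
        if ($f.Count -lt 17) { continue }                 # malformed line
        if ($f[2] -ne 'DROP' -or $f[16] -ne 'SEND') { continue }   # outbound drops only
        $key = "$($f[3])/$($f[7]) -> $($f[5])"
        if ($hits.ContainsKey($key)) { $hits[$key]++ } else { $hits[$key] = 1 }
    }
    $hits.GetEnumerator() | Sort-Object -Property Value -Descending
}

# Constructed sample of a firewall log (not a real capture) in the format the
# service writes; addresses are documentation/private ranges.
$sampleLog = @(
    '#Version: 1.5',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2010-03-01 08:00:01 DROP TCP 10.1.1.5 192.0.2.10 49152 389 52 S 123456 0 8192 - - - SEND',
    '2010-03-01 08:00:01 DROP TCP 10.1.1.5 192.0.2.10 49154 389 52 S 123457 0 8192 - - - SEND',
    '2010-03-01 08:00:02 DROP UDP 10.1.1.5 192.0.2.10 49153 88 120 - - - - - - - SEND',
    '2010-03-01 08:00:02 DROP UDP 10.1.1.5 10.1.1.255 137 137 78 - - - - - - - SEND',
    '2010-03-01 08:00:03 DROP TCP 203.0.113.9 10.1.1.5 4444 445 48 S 9 0 8192 - - - RECEIVE'
)

# Expected: TCP/389 -> 192.0.2.10 (2), UDP/88 -> 192.0.2.10 (1),
# UDP/137 -> 10.1.1.255 (1); the inbound RECEIVE drop is ignored.
Get-DroppedOutboundByPort -Lines $sampleLog | Format-Table -AutoSize

# On a real client:
# Get-DroppedOutboundByPort -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
# Set-PublicOutboundBlock -Dc $DcAddress     # only on a test machine
```

The summary makes the answer's point concrete: with a default outbound block, every name-resolution and registration provider (NBT-NS on 137 is the one in the sample) lands in the drop log, and each entry has to be either allowed deliberately or accepted as blocked. Rules pinned to the DC address keep the Kerberos and LDAP openings from becoming "any host on 88/389".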

Windows Firewall: blocking Internet access, outbound and inbound traffic

In this article we look at how to block inbound or outbound Internet traffic for any application using Windows Firewall. Modern life is hard to imagine without an Internet connection. All mobile phones, tablets, computers and laptops constantly interact with one another within a local network, or receive and send information to the Internet. However dependent we are on the network, in certain cases it is necessary to block Internet access for some applications.

Why might this be needed? Blocking inbound traffic lets you disable unwanted software updates and annoying advertising, or save bandwidth. Blocking outbound traffic can prevent the leakage of confidential information. Perhaps you want to keep your child from viewing undesirable content or spending excessive time in online games. In this article we look at how to block inbound or outbound traffic for any application using Windows Firewall. This is the simplest and at the same time most flexible way to block access.

We will look at the firewall in Windows 10, but these instructions also work for Windows 8 or 7 users.

Creating a Windows Firewall rule

First you need to open the firewall's advanced interface. To do this, go to Control Panel, choose the Large icons view and click "Windows Firewall". Control Panel can be opened by right-clicking the Start button and choosing the corresponding menu item, or by pressing Start and then typing Control Panel. In the firewall window, click Advanced settings.

The advanced firewall interface contains many settings. Make all changes very carefully, following these instructions exactly. Incorrect configuration will lead to many problems with the computer's operation.

In the left navigation pane select "Outbound Rules". The system displays all previously created rules; don't be surprised that the list is filled with dozens of entries created by Windows.

In the right pane click "New Rule".

By default a rule for a program is proposed; confirm the choice by clicking Next.

In the next step you need to specify the path to the executable file of the program to block. We will test blocking the Internet connection using the Opera browser as an example. You can either enter the full path to the exe file manually or use the Browse button.

In the latter case the system automatically replaces part of the file path with an environment variable. In our case the file is located at C:\Program Files\Opera\45.0.0.255225846\opera.exe, but the firewall automatically replaces the path with %ProgramFiles%\Opera\45.0.0.255225846\opera.exe.

Important: For a number of reasons, environment variables may be resolved incorrectly by the system. If you find that the block rule you created is not working, edit the rule and paste the full path to the file into the input field manually.

Also important: In most cases it is enough to block the program's executable file to restrict its Internet access. But this approach may not work for online games. For example, if you want to block connections to Minecraft game servers, you need to block the Java application (the executable Javaw.exe), because the game connects to the Internet through Java.

Confirm the file selection by clicking Next.

In the next step confirm the choice "Block the connection" by clicking Next.
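The script below is an added example, not part of the article. It creates the same outbound block rule the wizard steps above produce, but resolves the executable to its full literal path before the rule is stored, which is the article's own workaround for environment variables that do not expand correctly. Going beyond the article, it also contains the rule set a poster in the Windows 7 thread earlier on this page was looking for: a default outbound block with one browser allowed on TCP 80/443 only, plus the DNS allowance that the browser rule alone does not cover. It needs the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated PowerShell; on Windows 7 the equivalent rules are created with netsh advfirewall firewall add rule. The Opera path is the article's; the Chrome path is an assumption and must match the installed browser. The browser-only function is defined but not called, since it changes the default outbound policy on all profiles.

```powershell
# Added example, not from the article. Requires NetSecurity cmdlets, run elevated.

function Resolve-ProgramPath {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Expand %ProgramFiles% etc. here and insist the file exists, so the rule
    # stores a literal path (the article's fix for variables that misresolve)
    # and never silently matches nothing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        throw "Executable not found: $expanded"
    }
    return (Resolve-Path -LiteralPath $expanded).ProviderPath
}

function Block-ProgramOutbound {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$ProgramPath)
    $full = Resolve-ProgramPath -Path $ProgramPath
    # Recreate rather than duplicate if a rule with this name already exists.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Program $full -Profile Any | Out-Null
    return $full
}

function Show-ProgramRule {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Read back the stored program path to confirm it is the literal full path.
    Get-NetFirewallRule -DisplayName $Name |
        Get-NetFirewallApplicationFilter |
        Select-Object @{ n = 'Rule'; e = { $Name } }, Program
}

function Set-BrowserOnlyOutbound {
    param([Parameter(Mandatory=$true)][string]$BrowserPath)
    # Default outbound Block on every profile, then allow exactly one
    # executable to reach TCP 80/443. Allow rules are consulted before the
    # default action, so this is enough for the browser itself ...
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    $full = Resolve-ProgramPath -Path $BrowserPath
    Get-NetFirewallRule -DisplayName 'Allow browser HTTP-HTTPS' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Allow browser HTTP-HTTPS' -Direction Outbound -Action Allow `
        -Program $full -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
    # ... but name resolution is done by the DNS Client service inside
    # svchost.exe, not by the browser, so without this rule the browser
    # still has "no Internet" even though its own rule is correct.
    Get-NetFirewallRule -DisplayName 'Allow DNS client' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Allow DNS client' -Direction Outbound -Action Allow `
        -Protocol UDP -RemotePort 53 -Profile Any | Out-Null
    return $full
}

# The article's example: block Opera entirely (path from the article).
Block-ProgramOutbound -Name 'Block Opera outbound' `
    -ProgramPath '%ProgramFiles%\Opera\45.0.0.255225846\opera.exe'
Show-ProgramRule -Name 'Block Opera outbound'

# Browser-only outbound, on a test machine only; Chrome path is assumed:
# Set-BrowserOnlyOutbound -BrowserPath '%ProgramFiles%\Google\Chrome\Application\chrome.exe'
```

Show-ProgramRule is the check worth keeping: if the Program column shows the literal C:\Program Files\... path, the rule is independent of how %ProgramFiles% expands on that machine, which is the failure the article's "Important" note describes. The DNS rule in Set-BrowserOnlyOutbound is also the usual explanation for the "allowed the browser, still no Internet" symptom under a default outbound block.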