Understanding Service Setting Customization for Windows Firewall Rules

Masao

New Member
The outbound rules allowed in Windows Firewall require the service customization to be set to allow all programs and services.

Any reason this doesn't work for "apply to services only" for an executable such as Internet Explorer? Is there some other program that is needed?

The security audit log in Event Viewer doesn't show anything new whether I set to "allow all programs and services" or "services only", except it allows for "all" and blocks for "services only". Any other auditing or event logs I can look at?
 

Masao

New Member
Agreed. Is the setting for "all programs and services" just a self-reference? I don't understand why I can't select all services or a single service.
 

Masao

New Member
From the audit log, Windows filtering blocks the process (PID) for the .exe selected for the firewall rule without all programs and services selected in service customization.

I created another rule for the executable that blocked all services. So between the two rules my service customization becomes "allow all programs and no services".

Does that mean that any program can call the executable for communication through the firewall but no services can? If so, is there any way to restrict that further to allow no other executables but the one referenced?
 

Neemobeer

Cloud Security Engineer
Staff member
Not really sure I understand what you're trying to accomplish. There is very little distinction between a program and a service. They are both technically programs. Services simply run outside the interactive session and can't directly interact with the interactive session and can also run without the interactive session in use (someone logged in). Inter-process communication can't be blocked by a firewall since it's not network traffic. There is nothing preventing, say, a malicious service from running a local application that in turn communicates out if that program is allowed. As far as the firewall is concerned, in your scenario "allow all programs" is satisfied.
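One way to check the points raised in this thread, added here as an example that is not part of any poster's reply: it lists the program and service scope of a rule, turns on Filtering Platform connection auditing, and reads the resulting allow/block events for the executable. The rule name and executable leaf name are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example. $RuleName and $ExeLeaf are assumptions, not values from the thread.
$RuleName = 'IE outbound (example)'   # hypothetical rule display name
$ExeLeaf  = 'iexplore.exe'            # executable the rule references

# 1. Show what the rule matches on: program path and service scope.
#    Service = 'Any' means the rule is not restricted to services.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $svc = $_ | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction
            Action    = $_.Action
            Program   = $app.Program
            Service   = $svc.Service
        }
    } | Format-Table -AutoSize

# 2. Audit Windows Filtering Platform connection decisions in the Security log.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null

# 3. Read recent decisions for the executable.
#    5156 = connection permitted, 5157 = connection blocked.
$filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = (Get-Date).AddMinutes(-15) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named EventData fields into a lookup table.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        # Application is logged as a device path, so match on the leaf name.
        if ($data['Application'] -like "*\$ExeLeaf") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                ProcessId   = $data['ProcessID']
                Application = $data['Application']
                DestAddress = $data['DestAddress']
                DestPort    = $data['DestPort']
                FilterRTID  = $data['FilterRTID']  # look up via: netsh wfp show filters
            }
        }
    } | Format-Table -AutoSize
```

Comparing the `Service` column before and after changing the rule's service setting, alongside the 5156/5157 events for the same process ID, shows which setting produced the allow or the block.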
 