Windows 7 Understanding Service Setting Customization for Windows Firewall Rules

M

Masao

New Member
Joined
May 31, 2017
Messages
13
The outbound rules allowed in windows firewall require the service customization to be set to allow all programs and services.

Any reason this doesn't work for "apply to services only" for an executable such as internet explorer? Is there some other program that is needed?

The security audit log in event viewer doesn't show anything new whether I set to "allow all programs and services" or "services only"; except it allows for "all" and blocks for "services only". Any other auditing or event logs I can look at?
 
Last edited:
Solution
Not really sure I understand what you're trying to accomplish. There is very little distinction between a program and a service. They are both technically programs. Services simply run outside the interactive session and can't directly interact with the interactive session and can also run without the interactive session in use (someone logged in). Inter process communication can't be blocked by a firewall since it's not network traffic. There is nothing from preventing say a malicious service from running a local application that in turns communicates out if that program is allowed. As far as the firewall is concerned in your scenario "allow all programs" is satisfied.
Sort by date Sort by votes
Agreed. Is the setting for "all programs and services" just a self-reference. I don't understand why I can't select all services or a single service.
 
Last edited:
Upvote 0 Downvote
From the audit log, windows filtering blocks the process (PID) for the .exe selected for the firewall rule without all programs and services selected in service customization.

I created another rule for the executable that blocked all services. So between the two rules my service customization becomes "allow all programs and no services.

Does that mean that any program can call the executable for communication through the firewall but no services can? If so, is there anyway to restrict that further to allow no other executables but the one referenced?
 
Last edited:
Upvote 0 Downvote
Not really sure I understand what you're trying to accomplish. There is very little distinction between a program and a service. They are both technically programs. Services simply run outside the interactive session and can't directly interact with the interactive session and can also run without the interactive session in use (someone logged in). Inter process communication can't be blocked by a firewall since it's not network traffic. There is nothing from preventing say a malicious service from running a local application that in turns communicates out if that program is allowed. As far as the firewall is concerned in your scenario "allow all programs" is satisfied.
 
Upvote 0 Downvote
Solution
You must log in or register to reply here.

Similar threads

AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
Replies
0
Views
4K
News
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Replies
0
Views
2K
News
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Replies
0
Views
2K
News
Announcing Windows 10 Insider Preview Build 17704
Replies
0
Views
2K
News
TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
Replies
0
Views
922
News