BandHeight

join:2004-08-30

[WIN8] Firewall Rules Changed By Apps

OS = Windows 8 Core
---

Is there any way in Windows 8 Core to prevent application installers from modifying Windows Firewall rules? Or is that functionality only available to the Pro version (my understanding is that you can do it with Group Policy in Pro ... please correct me if I'm wrong)?

The reason I ask is that during set-up of a relative's new laptop, I created / modified Windows Advanced Firewall rules as I wanted (mostly the mods were to block all the pre-installed Windows Apps like Bing, News, Finance, etc.), then tested the rules. All seemed to work as expected.

As a later step, I created several normal user accounts, then logged into one of the accounts to set it up. I immediately noticed that the Live Tiles for the items I had blocked were able to connect to the internet. As an intermediate remedy, I disabled the Live Tiles function, and then proceeded to check my firewall rules via the admin-user account. Upon review, it was clear that new rules had been added for the normal user I had just logged on / logged out. The other regular-user accounts still had no new rules (I later logged into all created accounts to confirm that logging into the account is what triggers the rule creation).

So, application installers can modify the firewall rules, and those changes may only manifest after new users are created AND then logged in for the first time.

Bottom line for me is that I now apparently have to manage multiple user-entries for every pre-installed Windows App and any apps that may be installed later (including non-Windows Apps) as I have found no clear way to prevent the firewall rules changes nor have I succeeded in creating a rule that can block all users at once.

I also know I could probably just uninstall the apps in question, but others then may be installed that end up doing the same thing, so I'd like a solution that focuses on the firewall. Plus, I'm just curious now, regardless.

This is not even my PC, but if the only way to prevent this from happening is to buy the Pro Pack (so Group Policy snap-ins are available), I'll likely do it just because I'm the one that will probably get stuck with managing the laptop.

Thanks and happy holidays.

P.S.
Sorry if this is a well-known issue with a well known solution, but I couldn't find much info (most was pre-Win 8 stuff), and my main excuse is that I rarely mess with Windows any more (shout out to Arch and iptables users).



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

See if PowerShell helps managing it, but otherwise yes, you will need Pro and above for Group Policy.
»technet.microsoft.com/en-us/libr···755.aspx

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2012/13
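As an added example (not part of Cudni's post or the TechNet page he links), here is the PowerShell route applied to the problem in this thread: snapshot the active rule set as the admin, log the new user on and off, snapshot again, and diff. The Owner column that the MMC shows as Laptop1\AdminUser comes back from Get-NetFirewallRule as a SID, so the snapshot translates it. The NetSecurity module (Windows 8 / Server 2012 and later), an elevated prompt, and the C:\fwaudit paths are assumptions for the example.

```powershell
# Added example, not from the thread: snapshot Windows Firewall rules and diff two snapshots
# to see exactly which rules a first login or an installer added. Assumes Windows 8+
# (NetSecurity module) and an elevated PowerShell; C:\fwaudit is an illustrative path.

function Resolve-Sid {
    # Get-NetFirewallRule reports Owner as a SID string; turn it into DOMAIN\user where possible.
    param([string]$Sid)
    if ([string]::IsNullOrEmpty($Sid)) { return $null }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # deleted or unknown account: keep the raw SID
    }
}

function Get-FirewallRuleSnapshot {
    # One flat record per rule in the active store (local rules merged with any policy rules),
    # including the two fields this thread turns on: Owner and the app container Package SID.
    # Querying the application filter per rule is slow on a few hundred rules but fine for an audit.
    Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.Name          # unique rule name (a GUID-like string for Store apps)
            Display   = $_.DisplayName
            Group     = $_.DisplayGroup
            Direction = $_.Direction
            Profile   = $_.Profile
            Enabled   = $_.Enabled
            Action    = $_.Action
            Owner     = Resolve-Sid $_.Owner
            Package   = $app.Package     # app container SID, empty for classic programs
            Program   = $app.Program
        }
    }
}

function Save-FirewallRuleSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-FirewallRuleSnapshot | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-FirewallRuleSnapshot {
    # Rules present in $After but absent from $Before, matched on the unique rule Name.
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $b = Import-Csv -Path $Before
    $a = Import-Csv -Path $After
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Name -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Display, Group, Direction, Profile, Enabled, Action, Owner, Package
}

# Usage: snapshot as the admin, log the new account on and off, snapshot again, diff.
New-Item -ItemType Directory -Force -Path 'C:\fwaudit' | Out-Null
Save-FirewallRuleSnapshot -Path 'C:\fwaudit\before.csv'
# ... log RegularUser on and off here ...
Save-FirewallRuleSnapshot -Path 'C:\fwaudit\after.csv'
Compare-FirewallRuleSnapshot -Before 'C:\fwaudit\before.csv' -After 'C:\fwaudit\after.csv' |
    Format-Table -AutoSize
```

The diff is the evidence to keep: it ties each new rule to the Owner it was created for and to the Package SID it applies to, which is the key the next example blocks on.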


BandHeight

join:2004-08-30

said by Cudni:

See if PowerShell helps managing it, but otherwise yes, you will need Pro and above for Group Policy.
»technet.microsoft.com/en-us/libr···755.aspx

Cudni

If the laptop were mine, I wouldn't have even messed with Core, but since it's not, I was hesitant to upgrade if I didn't absolutely have to. But during the set-up process, I've run into too many things that were frustrating at the very least or simply impossible to do without the Pro version. So I'll just save myself any more grief and spring for it. It's cheap right now anyway.

Regarding your Firewall + Powershell link, the info provided therein will be extremely handy in any case, so thank you very much for that.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to BandHeight

Why not either disable live tile update for those tiles, or simply uninstall the undesired apps instead of trying to kill them with a firewall rule?
--
My place : »www.schettino.us


BandHeight

join:2004-08-30

said by JohnInSJ:

Why not either disable live tile update for those tiles, or simply uninstall the undesired apps instead of trying to kill them with a firewall rule?

I mentioned both possibilities in my original post.

I did turn all the Live Tiles off (as stated); however, any user can right-click and turn them back on. This is undesirable (for me but maybe not to the user).

And to your second suggestion, as I stated, uninstalling does not address the fact that future-installed applications may grant themselves access via the firewall's API during installation, and I wanted a method to prevent that. Apparently, the only way to disable access to the firewall via its API is through Group Policy. What I found more troubling than finding unexpected rules showing up in the firewall was that the new rules actually granted access to the user that had already been tested as blocked. In other words, rules added during the installation process can (and did) have the additional consequence of breaking previously written, perfectly functional rules.

And finally, since this is not going to be a laptop that I use (it will belong to a family member who hasn't even seen it yet), I did not want to start uninstalling things as it will be easier to relax firewall rules if there is a push to use certain applications despite my good-intentioned persuasion not to use them. Those discussions will be fun, I'm sure.

Hope that makes a little sense.

Thanks.

OZO
Premium
join:2003-01-17
kudos:2
reply to BandHeight

said by BandHeight:

So, application installers can modify the firewall rules, and those changes may only manifest after new users are created AND then logged in for the first time.

I think the firewall rules are defined in default user account. When you create a new account, system copies all its initial settings from default account (which you did not modify, I guess). That may explain why "changes may only manifest after new users are created AND then logged in for the first time."
--
Keep it simple, it'll become complex by itself...

BandHeight

join:2004-08-30

2 edits

said by OZO:

said by BandHeight:

So, application installers can modify the firewall rules, and those changes may only manifest after new users are created AND then logged in for the first time.

I think the firewall rules are defined in default user account. When you create a new account, system copies all its initial settings from default account (which you did not modify, I guess). That may explain why "changes may only manifest after new users are created AND then logged in for the first time."

No. The firewall rules did not revert to a default 'user' set of rules (I'm pretty sure it's one-firewall-per-machine, not one-firewall-per-user). Rules specific to the applications in question were ADDED to the system rule-set that I had previously modified with my own rules. That same set was then modified again, without my participation, each time a newly created user's account was logged on.

Let's take a look at the outbound rules for the Windows 8 Weather App as an example, keeping in mind that what I'm about to describe was true for all the other pre-installed Windows MetroUI Apps and for all created user accounts.

When I first began work on the system rule-set using the admin account, the Weather App had two outbound rules; the main difference between the rules was one was for the Domain Profile, and the other was for the Private and Public Profiles (combined in one rule).

Here are the relevant rules before logging into the regular user account (some info omitted):

Name       Group      Profile            Enabled    Action   ALPs*  Local User Owner
 
Weather    Weather    Domain             Yes        Allow    Any    Laptop1\AdminUser 
Weather    Weather    Public, Private    Yes        Allow    Any    Laptop1\AdminUser 
 

Rules after I changed them:

Name       Group      Profile            Enabled    Action   ALPs*  Local User Owner
 
Weather    Weather    Domain             Yes        Block    Any    Laptop1\AdminUser 
Weather    Weather    Public, Private    Yes        Block    Any    Laptop1\AdminUser 
 

Rules after logging into regular user account:

Name       Group      Profile            Enabled    Action   ALPs*   Local User Owner
 
Weather    Weather    Domain             Yes        Block    Any    Laptop1\AdminUser 
Weather    Weather    Public, Private    Yes        Block    Any    Laptop1\AdminUser
Weather    Weather    Any                Yes        Allow    Any    Laptop1\RegularUser
 

* ALPs = Authorized Local Principals

From the above, you can see how my 'Block' rules got stomped by the new entry because the latter allowed traffic outbound via all Profiles, and all users were designated Authorized Local Principals.

I created a test account, two user accounts and the admin account. And after logging into all accounts, each of the Windows Metro Apps had two entries for the admin account and one entry for each of the regular user accounts.

I don't know the exact mechanism used, but evidently when these apps are installed or otherwise activated, code is in place to react to any users created on the system to ensure access regardless of any existing firewall rules that might impede that access. That may be what MS considers a convenience for its users, but I don't see it that way. And by the way, this scenario applies to any software from any vendor as the firewall API can be used to modify the firewall programmatically. That's why I want to use Group Policy to lock it down.

Edit: condensed the rules table.
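One check a practitioner would want on the table above, as an added example that is not part of BandHeight's post: Windows Firewall gives an explicit Block rule precedence over Allow rules, so a Block that actually matched RegularUser's traffic should have won regardless of the later Allow. The two Block rules in the table carry Laptop1\AdminUser as Owner, while the Allow rule carries Laptop1\RegularUser, which suggests scoping by owner rather than a per-user firewall. The script below therefore keys the Block on the app container (Package) SID, which is per app rather than per user, and carries no Owner. The NetSecurity module, an elevated prompt, the 'Weather' display group and the rule names are assumptions; whether such a rule survives the per-user Allow rules being re-created is something to test on the machine, not something the thread establishes.

```powershell
# Added example, not from the thread: block a Store app outbound for every user at once by
# keying the rule on the app container (package) SID, then audit Allow vs Block side by side.
# Assumes Windows 8+ (NetSecurity module) and an elevated PowerShell. 'Weather' and the
# rule names are illustrative. Relies on explicit Block taking precedence over Allow.

function Get-StoreAppPackageSids {
    # Distinct package SIDs referenced by the existing rules in a display group
    # (the per-user Allow rules the app created are what tell us its package SID).
    param([Parameter(Mandatory)][string]$DisplayGroup)
    Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction Stop |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Package } |
        Select-Object -ExpandProperty Package -Unique
}

function Block-StoreAppOutbound {
    # One owner-less Block rule per package SID, all profiles, idempotent on the rule Name.
    param([Parameter(Mandatory)][string]$DisplayGroup)
    foreach ($pkg in Get-StoreAppPackageSids -DisplayGroup $DisplayGroup) {
        $name = "Block-Out-$DisplayGroup-$pkg"
        if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
            Write-Verbose "rule $name already exists"
            continue
        }
        New-NetFirewallRule -Name $name `
            -DisplayName "Block outbound: $DisplayGroup (all users)" `
            -Group 'Admin-Block' -Direction Outbound -Action Block -Profile Any `
            -Package $pkg -Enabled True | Out-Null
    }
}

function Get-StoreAppOutboundRules {
    # Audit view: every outbound rule bound to the group's package SIDs, with Owner and Action,
    # so a per-user Allow and the package-wide Block can be seen next to each other.
    param([Parameter(Mandatory)][string]$DisplayGroup)
    foreach ($pkg in Get-StoreAppPackageSids -DisplayGroup $DisplayGroup) {
        Get-NetFirewallApplicationFilter -Package $pkg |
            Get-NetFirewallRule |
            Where-Object Direction -eq 'Outbound' |
            ForEach-Object {
                [pscustomobject]@{
                    Rule    = $_.DisplayName
                    Profile = $_.Profile
                    Enabled = $_.Enabled
                    Action  = $_.Action
                    Owner   = $_.Owner      # SID; empty for the rule added above
                    Package = $pkg
                }
            }
    }
}

Block-StoreAppOutbound -DisplayGroup 'Weather' -Verbose
Get-StoreAppOutboundRules -DisplayGroup 'Weather' | Sort-Object Package, Action | Format-Table -AutoSize
```

Run the audit function again after logging a fresh account on and off: if the new per-user Allow rule shows up alongside the package-wide Block and the tile still cannot connect, the Block precedence is doing the work; if the tile connects, the Owner theory above is wrong for this build and the policy-merge route in the later example is the remaining option.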

OZO
Premium
join:2003-01-17
kudos:2

Where is profile "Any" in registry?
For example, domain profile you may find here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]


--
Keep it simple, it'll become complex by itself...

BandHeight

join:2004-08-30

said by OZO:

Where is profile "Any" in registry?
For example, domain profile you may find here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]


It isn't. Just like there isn't 'Any' Authorized Local Principal (unless you happened to create a user named 'Any').

'Any' Profile refers to 'Any' of the three available: Private, Public, Domain.

:)


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to BandHeight

How about dealing with this at the edge firewall, if you don't want your users to mess with stuff?
--
My place : »www.schettino.us



mmainprize

join:2001-12-06
Houghton Lake, MI
reply to BandHeight

I assume it is a setting in the registry that will disable this.

But here is a nice program (not free) that has an option to disable programs from making changes to the firewall.
»www.binisoft.org/wfc.php
I use it all the time.

Because many programs can/will add items to the firewall during install or have an option in their configurator to do it.
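The registry setting mmainprize suspects does exist, as an added note and example that is not part of his post: the Windows Firewall with Advanced Security profile property "Apply local firewall rules: No" (the Group Policy answer to the original question) is stored by policy as a DWORD AllowLocalPolicyMerge = 0 under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<DomainProfile|PrivateProfile|PublicProfile>. Writing it directly is what gpedit does on Pro; whether the Core edition's firewall honours the key without the policy editor is for the reader to verify with the read-back function below, not something the thread establishes. The important caveat: with local merge off, the admin's own locally created Block rules are ignored too, so the rules that should apply have to live in the policy store (the FirewallRules key under the same Policies path, which the MMC and GPO tooling maintain), and the profile's default outbound action still decides what happens to traffic no policy rule mentions.

```powershell
# Added example, not from the thread: set the "Apply local firewall rules" policy per profile
# via the registry and read back what the firewall actually applies. Assumes Windows 8+
# (NetSecurity module) and an elevated PowerShell. Whether a non-Pro edition honours the
# policy key is an assumption to verify with Get-LocalRuleMerge after setting it.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Set-LocalRuleMerge {
    # $Allow $false == "Apply local firewall rules: No" (AllowLocalPolicyMerge = 0).
    param([Parameter(Mandatory)][bool]$Allow,
          [string[]]$Profiles = @('DomainProfile', 'PrivateProfile', 'PublicProfile'))
    foreach ($p in $Profiles) {
        $key = Join-Path -Path $policyRoot -ChildPath $p
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'AllowLocalPolicyMerge' -Type DWord -Value ([int]$Allow)
    }
}

function Remove-LocalRuleMerge {
    # Back to "Not configured": delete the value so local rules merge again.
    param([string[]]$Profiles = @('DomainProfile', 'PrivateProfile', 'PublicProfile'))
    foreach ($p in $Profiles) {
        $key = Join-Path -Path $policyRoot -ChildPath $p
        if (Test-Path -Path $key) {
            Remove-ItemProperty -Path $key -Name 'AllowLocalPolicyMerge' -ErrorAction SilentlyContinue
        }
    }
}

function Get-LocalRuleMerge {
    # Read back from the active store (persistent + policy), which is what the engine enforces.
    # AllowLocalFirewallRules reads NotConfigured, True or False per profile.
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules
}

Get-LocalRuleMerge | Format-Table -AutoSize    # state before the change
Set-LocalRuleMerge -Allow $false
# If the read-back does not change, the firewall service has not re-read policy yet;
# Restart-Service -Name MpsSvc (or gpupdate /force on editions that have it) forces a re-read.
Get-LocalRuleMerge | Format-Table -AutoSize    # state after the change
```

Before leaving merge disabled on somebody else's laptop, check the DefaultOutboundAction column in the read-back: if it is Allow and the Block rules only exist locally, the change removes the blocks rather than enforcing them. Remove-LocalRuleMerge returns the setting to Not configured.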


BandHeight

join:2004-08-30

said by mmainprize:

I assume it is a setting in the registry that will disable this.

But here is a nice program (not free) that has an option to disable programs from making changes to the firewall.
»www.binisoft.org/wfc.php
I use it all the time.

Because many programs can/will add items to the firewall during install or have an option in their configurator to do it.

I've already got Win 8 Pro, but haven't had time to mess with it.

However, thanks for pointing out the functionality in Windows Firewall Control. I had read a few posts on another security forum about WFC, having found it while looking for information on a separate topic, so I wasn't aware that one of its capabilities was stopping modifications to the firewall.

I'm still a little taken aback about why it was made so easy to modify the firewall, and that Windows software developers feel so at ease about doing it. I almost assumed that others here would be 'outraged' about it, yet it's almost taken for granted apparently.

I never really had to deal with this issue before now because I've always used 3rd party firewalls on my own Windows installs, and for several years I've used Linux almost exclusively, so it wasn't an issue there. Of course, on Linux, installing anything as root opens the possibility for modifications to iptables during the installation of a package, but I've never encountered it, and I think it would be frowned upon to learn that a program was designed to automatically change your firewall without being explicitly clear that its purpose is to do so (in other words, outside of rootkits or other malware, packages are not generally going to modify your firewall). If a package requires net access, you are expected to make the necessary firewall modifications yourself (or not).

But, now that I'm more informed and have some tools, all is good.

Again, thanks for the recommendation. I'll check it out.


mmainprize

join:2001-12-06
Houghton Lake, MI
reply to BandHeight

The software makers do it because they want the software to work after it is installed. Just think about how many customers would call in for help if it didn't. Even when the software edits the firewall for its own access some will have problems and call in still. Who reads manuals these days.

The common user doesn't know how to edit the firewall and, if they try, will do it wrong most of the time.

That is why the WFC program was made: because the Microsoft user interface to its firewall sucks so bad, it makes it hard to work with unless you are doing command lines and know what you are doing.


BandHeight

join:2004-08-30

said by mmainprize:

The software makers do it because they want the software to work after it is installed. Just think about how many customers would call in for help if it didn't. Even when the software edits the firewall for its own access some will have problems and call in still. Who reads manuals these days.

I understand that part of it. Commercial software makers are going to get away with what they can get away with, and when MS hands 'em the keys, they're going to use them.

But Microsoft should not have created a firewall that requires explicit administrative rights just to turn on and off (let alone modifying the rules via the GUI), yet a regular user can install Windows Store apps using his / her regular user account without escalated privileges ... and voilà, firewall is changed. That takes the term 'false sense of security' to a whole new level.

Apparently, MS thinks that apps in the Windows Store are above the normal rules of the game, which were already too lax to begin with. Their public excuse is likely that the Windows Store Apps have been vetted, but we all know it's more likely that MS didn't want any technical hindrances to raking in as much money from the store as possible. If that meant giving Store Apps developers free rein (even freer than normal), that's exactly what they got.

I didn't like the idea of turning a PC into a social-media-centric, glorified smart-phone to begin with, and this certainly cements that position.

---
edit: spelling


mmainprize

join:2001-12-06
Houghton Lake, MI
reply to BandHeight

I agree, but that is what happens in Metro. I had installed many Metro apps. I found many of those apps added firewall entries that were wide open for the program.

That is where I think MS verifies the app to not be bad before they post them for download. But I am sure one or two bad ones will get by at some point.

What I did not like was that many of the Metro apps stay connected and update (network connection and internet traffic) all the time (Live Tiles) even when you have never called up the Metro (start) page since you booted up the PC. I found on a desktop, I do not use Metro, so I uninstalled almost all Metro apps to limit scrolling on the start page.



slipnslide

@comcast.net
reply to BandHeight

In Vista and earlier, the dnsapi.dll has been modified to allow numerous Microsoft websites to bypass the hosts file lookup functionality. Not sure if Windows 8 is doing the same thing, or something similar.

»permalink.gmane.org/gmane.comp.s···re/43878