• Windows Firewall can be changed without notifying the user before the change

    #98063

    Here is a security issue which I am trying to find a solution for, without installing and using a third party firewall in the place of the windows firewall.

    In Windows 10, the Windows Firewall can be changed by an application without notifying the user before the change is made.  You can get a notification after the fact by Attaching a Task to an Event. But in the world of computers milliseconds count, and this is a little bit too late to stop a hole from being opened.  Also, sometimes I don’t see the change written to the log (odd but could just be me).  The log can easily be found: Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security.

    So my problem is: how do I get Windows to notify a user Before the firewall has been changed?  So far Microsoft has downplayed this; they do not see the importance of the user being notified of any security firewall changes that will happen.  Probably because most users are not that savvy (putting it in a nice way) and it would confuse them. So Microsoft thinks that it is good enough as it is because:

    1. Only “Administrators” can change the firewall.
    2. Only “Trusted” apps can change the firewall.

    It really does not matter who is changing it, or if the app is trusted.  The user should get a notice before the change.

    So does anyone know of a way to notify a user Before the firewall has been changed?  Maybe monitor the Registry entries for the firewall for changes?

    You can see the Windows Firewall rules, including the ones hidden from the GUI, by using PowerShell:

    get-netfirewallrule -all
    get-netfirewallrule -all -policystore configurableservicestore

    Thank you for the help.
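
An added example, not part of the original post: a baseline-and-diff script built on the two Get-NetFirewallRule queries above. It reports rule changes after the fact, independently of whether the event log recorded them; it does not block or delay a change. The baseline path and the function name are assumptions.

```powershell
# Added example (not from the thread): snapshot the firewall rules and report drift.
# Run from an elevated PowerShell session; $BaselinePath is an assumed location.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-rule-baseline.xml",
    [switch]$UpdateBaseline
)

function Get-FirewallSnapshot {   # hypothetical helper name
    $snapshot = @{}
    # $null selects the cmdlet's default store; the second store is the one
    # the post queries to reach rules hidden from the GUI.
    foreach ($store in @($null, 'ConfigurableServiceStore')) {
        $query = @{ All = $true; ErrorAction = 'SilentlyContinue' }
        $label = 'Default'
        if ($store) { $query.PolicyStore = $store; $label = $store }
        foreach ($r in Get-NetFirewallRule @query) {
            $snapshot["$label|$($r.Name)"] = '{0};{1};{2};{3};{4}' -f `
                $r.DisplayName, $r.Enabled, $r.Direction, $r.Action, $r.Profile
        }
    }
    $snapshot
}

$current = Get-FirewallSnapshot
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    Export-Clixml -InputObject $current -Path $BaselinePath
    Write-Output "Baseline written: $($current.Count) rules"
    return
}

$baseline     = Import-Clixml -Path $BaselinePath
$baselineTime = (Get-Item $BaselinePath).LastWriteTime
$keys = @($baseline.Keys) + @($current.Keys) | Sort-Object -Unique
$changes = foreach ($key in $keys) {
    $before = $baseline[$key]; $after = $current[$key]
    if ($before -ne $after) {
        $kind = if ($null -eq $before) { 'Added' } elseif ($null -eq $after) { 'Removed' } else { 'Modified' }
        [pscustomobject]@{ Change = $kind; Rule = $key; Before = $before; After = $after }
    }
}
if ($changes) { $changes | Format-Table -AutoSize | Out-String } else { Write-Output 'No rule changes since baseline.' }

# Events 2004/2005/2006 (rule added/modified/deleted) from the log named in the post.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2004, 2005, 2006
    StartTime = $baselineTime
} | Format-List TimeCreated, Id, Message | Out-String
```

Run it once with -UpdateBaseline on a known-good system, then on a schedule; any Added or Modified row that has no matching event in the second listing is a change the log missed.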

     

    • #98139

      Look into my swinging watch…

      You are not supposed to want control. You must concede that Microsoft is the only one that can possibly handle the awesome power of control.

      🙂

      There are actually some pretty good reasons for going 3rd party, especially if you start to distrust the OS vendor itself (why would anyone do that?). I’ve chosen the Sphinx Windows Firewall Control product myself, and have disabled MpsSvc entirely.

      -Noel

      4 users thanked author for this post.
    • #98188

      tl:dr – 3rd party only firewall needs more real world testing, though probably fine for restricted/Enterprise software installs.

      Disabling the built-in firewall can cause issues down the line, certainly with W7, likely with later Windows versions. Where a program might trigger a request to the default firewall for access, the expected firewall popup window never happens, it can’t, the Service is disabled.

      If you have a program that is silently blocked*, enable the firewall Service and reboot, test the software again – if it triggers the firewall window allowing a choice of network types, select one to enable access and save/close the window. You can now (at least, until the next time a program is silently blocked) disable the firewall Service again and reboot to your normal 3rd party only firewall.

      There seems to be a growing number of AV suites and 3rd party firewalls that fully or partially use the default Windows firewall and/or its Rules. Some recent 3rd party firewalls can play nicely with the default firewall, no need to disable it.

      I’m currently testing Evorim’s Free Firewall, it appears to override (block by default) new software in Credulous Mode, there’s also a Paranoid Mode and a block all Blockade Mode, all blocks/Rules appear to override any Rules from the default firewall, which is currently running alongside it (remember, this is on W7).

      I’ve also used it in testing with W10 AU original version 3rd > ~14th of August ’16 but that was too buggy (freezing due to me having moved the Special Folders, later updates to AU ‘fixed’ that) to have been a useful test. http://www.evorim.com/en/free-firewall

      * frequently seen with ‘new’ Steam and other online games (Steam, and similar gaming services/software can be buggy anyway!). I’ve ‘fixed’ other software blocks by suggesting this method as well.

    • #98227

      Thank you, but neither answers the question: How do I get Windows to notify a user Before the firewall has been changed?  I am not trying to disable the firewall, or use a third party firewall. I am only trying to protect against a major security flaw in windows firewall in that the firewall can be changed without notifying the user before the change occurs.

      Yes, there is an alert that can appear if a new application passes through the firewall, but that would depend on the rule and has nothing to do with alerting when the firewall itself is to be changed.

      Thank you,

    • #98294

      @ Noel

      Look into my swinging watch…

      That’s mesmerizing! I think I just hypnotized myself staring at it!

      Are you trying to match wits with Microsoft? How dare you!

    • #98295

      @ -mw

      Thank you, but neither answers the question: How do I get Windows to notify a user Before the firewall has been changed? I am not trying to disable the firewall, or use a third party firewall.

      I think your question was understood! And, I think you probably have an answer.

      Microsoft never intended to give you the option of being notified when they want to change your firewall settings to their liking. They have been *white listing* their software and its activity for–well, for as long as I can remember–goes back to at least Win98se–but, probably longer.

      If you want greater control that’s *in your hands*–probably, only a third party option would offer that to you!

    • #98487

      Microsoft never intended to give you the option of being notified when they want to change your firewall settings to their liking.

      Yes, you are correct, but I am looking for a method to notify the user before the firewall is changed.

      By the way, I think you may find that many third party firewalls just use Microsoft’s API and put a new GUI over it.

       

    • #98502

      Don’t let your users run as Admins. They should get a UAC prompt when there is an Admin activity that needs attention.

      --Joe

    • #98631

      Now there is the odd thing.  It does not matter if they are Admins or not (which they are not).  No UAC or any other prompt is ever shown during the time the firewall is changed.

       

    • #98815

      What are their UAC settings?

      --Joe

    • #99312

      UAC is set to default. But it is irrelevant as an application / OS can and will modify the firewall at any time (user input not required) and usually behind the scenes. We have seen that most of the time the firewall is changed during an install of an application, but sometimes it changes the firewall during first use of an application.  Other times it seems a bit random, Xbox or Cortana.  Hence, it would be nice for a pop-up before the change is made.

       

    • #99329
    • #99347

      @anonymous

      Interesting articles. We may be able to use something in them.  Thank you.
