Friday, September 23, 2011

Some per-service firewall rules don't work in Windows 7

The Windows 7 Firewall with Advanced Security allows a rule to specify a service in addition to a program. This matters because many services run inside svchost.exe: a rule that simply references svchost.exe matches every service hosted in that process, so it may be far broader than intended.

This works well with the Windows Update and Windows Time* services: with outbound connections blocked by default, rules can be created to permit just those services. However, it doesn't always work.

In the past I spent a lot of time trying to figure out how to permit Windows Media Center schedule updates. I guess that part of the update is via the Background Intelligent Transfer Service (BITS). I said "I guess" because "netstat -b" sometimes showed them using the User Profile Service (ProfSvc), which doesn't make sense. Rules which permit outbound communication from BITS, ProfSvc, and even a large number of other services never accomplished anything. I finally gave up and created a rule permitting outbound communication on port 80 by svchost.exe (without specifying a service).

I was just trying to figure out how to allow the WebDAV client through the firewall. It obviously uses the WebClient service, and in this case "netstat -b" also shows this. However, rules permitting outbound communication by the WebClient service do nothing. I was forced to create a rule permitting outbound communication by svchost.exe on port 443 for SSL WebDAV access.

I'm not sure if these are bugs or intentional limitations. When creating a rule for svchost.exe, I am warned that "Windows services have been restricted with rules that allow expected behavior only. Rules that specify host processes, such as svchost.exe, might not work as expected because they can conflict with Windows service-hardening rules." Maybe Microsoft chose to not permit rules involving BITS and WebClient because they are general-purpose communication services which could also be used for malicious purposes. However, it doesn't make sense that a rule specifying svchost.exe and a particular port is allowed, but when the rule is further narrowed by specifying a service, it is ignored.

* If Windows Time Service is not allowed Internet access, the first "Update now" attempt will fail with a timeout. However subsequent attempts may appear to succeed, and the time when the clock was synchronized will be updated.
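The following is an added example, not part of the original post, showing how to reproduce the WebClient test described above with netsh advfirewall from an elevated PowerShell on Windows 7. It assumes the standard service short name WebClient and the standard svchost.exe path; the rule names and the WebDAV URL are made up for the example. It creates the narrow per-service rule first, shows how to check whether it is honoured, and then applies the broader svchost.exe-plus-port fallback the post ended up with.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on Windows 7. Rule names and the WebDAV URL below are constructed for the
# example; "WebClient" and the svchost.exe path are standard Windows values.

# 1. Block outbound traffic by default on every profile (the post's starting point).
netsh --% advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The narrow rule: allow only the WebClient service, hosted in svchost.exe,
#    to reach TCP 443. This is the rule the post reports as having no effect.
netsh --% advfirewall firewall add rule name="Test - WebClient service out 443" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=WebClient protocol=TCP remoteport=443 enable=yes

# 3. Find which svchost.exe instance hosts WebClient, trigger a WebDAV
#    connection, and watch for it. If the service rule were honoured, the PID
#    that tasklist reports would appear in netstat with a TCP 443 connection;
#    "netstat -b" prints the owning executable on the line after each entry.
tasklist /svc /fi "IMAGENAME eq svchost.exe" | Select-String WebClient
net use Z: https://webdav.example.invalid/share    # constructed URL; fails if the rule is ignored
netstat -b -n -o | Select-String -Context 0,1 ":443"

# 4. The post's fallback: the same port, scoped only to svchost.exe with no
#    service filter. This is broader than wanted (every svchost-hosted service
#    may now use TCP 443), so delete the ineffective narrow rule first so the
#    policy documents what is actually in force.
netsh --% advfirewall firewall delete rule name="Test - WebClient service out 443"
netsh --% advfirewall firewall add rule name="Test - svchost out 443 (WebDAV fallback)" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" protocol=TCP remoteport=443 enable=yes

# 5. Review the rule that is now in force.
netsh --% advfirewall firewall show rule name="Test - svchost out 443 (WebDAV fallback)" verbose
```

The `--%` stop-parsing token hands the rest of each line to netsh verbatim (PowerShell still expands `%SystemRoot%`), which avoids quoting surprises with the `name="..."` arguments. The fallback rule should be kept as narrow as the situation allows (a single remote port, and a remote address or subnet where the WebDAV server is fixed), since it covers every service running inside svchost.exe.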

1 comment:

Anonymous said...

I'm glad I found this post and that I'm not alone with that problem. I had already noticed back in Vista times that Windows Firewall sometimes ignores specific rules. Now I tried to get WebClient through the firewall and noticed that it really didn't work. Thanks for the post :)