Windows Firewall whitelisting applications

2

I'm having a few difficulties setting up my office computers. I am trying to block all programs from accessing the internet, with a few exceptions:

1) Web browsers should be able to access only a couple of websites.

2) TeamViewer should work properly.

I tried setting the default for outbound rules to block all connections, and after that I added "allow" rules for TeamViewer and for the browsers to be able to access certain websites (added the websites' IPs using a custom rule).

However, the "Allow" rules do not seem to work, giving me no access to the internet at all. What seems to be the problem here?

EDIT: I'd love to know why allowing a program such as TeamViewer the standard way (Add outbound rule => Rule for a program => select the program path) does not give the program access to the internet, but adding a custom rule unblocking a TCP/UDP port for it does work. There should be no difference?

Aurimas

Posted 2017-09-17T13:54:08.350

Reputation: 23

Answers

0

A couple of points:

Do not use TCP 80 for TeamViewer.

TCP/UDP Port 5938: TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.

See this.

You would be better off setting this all up on one central firewall than using every workstation's Windows Firewall.

I think you can configure the HTTP and HTTPS protocols using one allow rule. But a Windows Firewall rule allows/denies an IP address, not a host name. You can achieve better results using the HOSTS file. Again, Windows Firewall is not the best tool for this task. See this link.

It is not enough to allow teamviewer.exe through the firewall; the minimum is this:

```powershell
# Outbound UDP from local port 5938 for the TeamViewer GUI process
New-NetFirewallRule -DisplayName "!Allow Outbound 5938 UDP TeamViewer.exe Local Port" -Enabled True -Direction Outbound -Profile ANY `
    -LocalPort 5938 -RemotePort ANY -Protocol UDP -Program "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" -Action Allow `
    -Description "Allows Outbound TeamViewer.exe communication via 5938 UDP."

# Outbound UDP, any port, for svchost.exe (hosts the DNS client and other Windows services)
New-NetFirewallRule -DisplayName "!Allow Outbound UDP svchost.exe" -Enabled True -Direction Outbound -Profile ANY `
    -Protocol UDP -Program "C:\WINDOWS\system32\svchost.exe" -Action Allow -Description "Allows Outbound UDP svchost.exe."

# Outbound TCP, any port, for the TeamViewer GUI process
New-NetFirewallRule -DisplayName "!Allow Outbound TCP TeamViewer.exe" -Enabled True -Direction Outbound -Profile ANY `
    -Protocol TCP -Program "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" -Action Allow -Description "Allows Outbound TCP TeamViewer.exe."
```

TeamViewer.exe is not the only process communicating over the network. There may be other processes, like TeamViewer_Service.exe or svchost.exe, that need to make outbound TCP connections. See TcpView for more info.

In case 5938 is blocked on any other firewall in the way, you can still use 443 for TeamViewer.

Vojtěch Dohnal

Posted 2017-09-17T13:54:08.350

Reputation: 2 586
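The answer above gives three rules for TeamViewer only. The following is an added example, not code from the question or the answer, that builds the whole outbound allow-list the question asks for with the same cmdlets: block outbound by default, let the svchost.exe-hosted DNS and DHCP clients out so name resolution keeps working, allow TeamViewer (GUI and service, TCP 5938 with 443 as fallback, UDP 5938), restrict the browsers to HTTP/HTTPS towards a fixed set of addresses, and turn on logging of dropped packets so a rule that "does not work" can be diagnosed from the log. The TeamViewer and browser install paths are assumed defaults, and the two site addresses are placeholders from the RFC 5737 documentation ranges; replace them with the real ones. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): a complete per-workstation outbound allow-list.
# Assumptions: default install paths below; $sites holds placeholder addresses.
$group    = 'Office allow-list'          # tag so the whole set can be listed or removed at once
$tv       = 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'
$tvSvc    = 'C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe'
$sites    = '192.0.2.10', '198.51.100.20'   # placeholders: IPs of the permitted web sites
$browsers = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe',
            'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed browser paths

# Start clean: drop any earlier copy of this rule set, then block everything by default.
Remove-NetFirewallRule -Group $group -ErrorAction SilentlyContinue
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block

# Name resolution and address assignment run inside svchost.exe. Windows' built-in
# "Core Networking" rules normally cover them; explicit rules make this set self-contained
# and are scoped to the hosting service, not to every service svchost.exe runs.
New-NetFirewallRule -Group $group -DisplayName 'Allow DNS (svchost/Dnscache)' -Direction Outbound -Profile Any `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -Group $group -DisplayName 'Allow DHCP (svchost/Dhcp)' -Direction Outbound -Profile Any `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow

# TeamViewer: GUI process and service, TCP 5938 with 443 as fallback, plus UDP 5938.
foreach ($exe in $tv, $tvSvc) {
    $name = Split-Path $exe -Leaf
    New-NetFirewallRule -Group $group -DisplayName "Allow $name TCP 5938/443" -Direction Outbound -Profile Any `
        -Program $exe -Protocol TCP -RemotePort 5938,443 -Action Allow
    New-NetFirewallRule -Group $group -DisplayName "Allow $name UDP 5938" -Direction Outbound -Profile Any `
        -Program $exe -Protocol UDP -RemotePort 5938 -Action Allow
}

# Browsers: HTTP/HTTPS only, and only to the listed addresses. Anything else from these
# programs matches no allow rule and falls through to the profile default (Block).
foreach ($exe in $browsers) {
    $name = Split-Path $exe -Leaf
    New-NetFirewallRule -Group $group -DisplayName "Allow $name to permitted sites" -Direction Outbound -Profile Any `
        -Program $exe -Protocol TCP -RemotePort 80,443 -RemoteAddress $sites -Action Allow
}

# Log dropped packets: every DROP line records protocol, remote address and port, which is
# the evidence needed when an allow rule appears not to match.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 4096

# Review what was created.
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Two caveats worth keeping in mind when this does not behave as expected. First, a program rule only matches the executable that actually opens the socket, so the path must be the process that talks (a launcher or updater with a different file name needs its own rule), and a block rule always wins over an allow rule for the same traffic regardless of creation order. Second, allowing sites by address is brittle: sites behind a CDN or load balancer change addresses, and a browser that resolves a name to an address not in $sites is simply dropped, which shows up in pfirewall.log as a DROP towards port 443.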

This solution is not suitable for me because it only configures the Internet Explorer browser. Besides, denying an IP address instead of a domain does not seem to be a problem for me. – Aurimas – 2017-09-18T05:43:35.290

@aurimas The main point is that you should create two allow rules - one for teamviewer and one for http. – Vojtěch Dohnal – 2017-09-18T08:51:37.253

@Vojtech Already did that, but it doesn't seem to work properly. Please read the edit section, help is much appreciated. – Aurimas – 2017-09-18T09:48:30.687

@Vojtech, how would one know what else an application requires to function properly over the network, besides allowing the standard "*.exe" of the program? Going by your answer, TW also needs the svchost process allowed. Besides that, your answer is sufficient, thank you. – Aurimas – 2017-09-19T17:45:50.600
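The last comment asks how to find out which processes an application needs let through besides its main executable; the answer points at TcpView. The following is an added example, not code from anyone in the thread, that does the same inventory from PowerShell: it lists every executable that currently holds an established TCP connection or an open UDP endpoint, resolves the hosted service names for svchost.exe instances (a rule for svchost.exe alone would let every Windows service out, so a scoped rule needs the service name), and prints a candidate New-NetFirewallRule command per distinct program/protocol/port for review. The function and field names are the example's own. Run it elevated, while the application under test is in use, so its connections are visible.

```powershell
# Added example (not from the thread): inventory outbound talkers and draft scoped rules.
function Get-OutboundTalkers {
    # TCP: established connections carry the real peer address and port.
    $tcp = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Proto='TCP'; Pid=$_.OwningProcess; Remote=$_.RemoteAddress; PortKind='RemotePort'; Port=$_.RemotePort }
    }
    # UDP has no connection state: an open endpoint identifies the process and its local port only.
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Proto='UDP'; Pid=$_.OwningProcess; Remote='*'; PortKind='LocalPort'; Port=$_.LocalPort }
    }

    foreach ($c in @($tcp) + @($udp)) {
        if ($c.Remote -match '^(127\.|::1$)') { continue }        # skip loopback traffic
        $proc = Get-Process -Id $c.Pid -ErrorAction SilentlyContinue
        $services = ''
        if ($proc -and $proc.ProcessName -eq 'svchost') {
            # Which Windows service(s) live in this svchost instance; shared groups may list several.
            $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $($c.Pid)").Name -join ','
        }
        [pscustomobject]@{
            Proto    = $c.Proto
            Process  = if ($proc) { $proc.ProcessName } else { "pid $($c.Pid)" }
            Path     = if ($proc) { $proc.Path } else { $null }
            Services = $services
            Remote   = $c.Remote
            PortKind = $c.PortKind
            Port     = $c.Port
        }
    }
}

$talkers = Get-OutboundTalkers | Sort-Object Process, Proto, PortKind, Port, Remote -Unique
$talkers | Format-Table Proto, Process, Services, Remote, Port, Path -AutoSize

# Draft one allow rule per distinct (program, protocol, port). Review before running:
# for svchost.exe the first hosted service is used; split shared instances by hand.
$talkers | Where-Object Path | Group-Object Path, Proto, PortKind, Port | ForEach-Object {
    $t   = $_.Group[0]
    $svc = if ($t.Services) { " -Service $($t.Services.Split(',')[0])" } else { '' }
    "New-NetFirewallRule -DisplayName 'Allow $($t.Process) $($t.Proto) $($t.Port)' -Direction Outbound " +
    "-Program '$($t.Path)'$svc -Protocol $($t.Proto) -$($t.PortKind) $($t.Port) -Action Allow"
}
```

Take the snapshot several times (at startup, during a remote session, during an update) because helper processes appear only at particular moments, and compare the drafted commands against the DROP lines in pfirewall.log: anything the application needs that is not on the list shows up there.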