How to prevent applications from modifying Windows 7 firewall policy

Basically I've set my Windows firewall the way I want it, but apparently any application can create its own rule to completely override my settings. How can I prevent this from happening?

Branko

Posted 2012-08-28T16:29:45.623

Reputation: 93

@HarryJohnston also I have programs which I didn't run as admin (Firefox, Xlight, Java SE) which all added their rules. So that statement is misleading. I'm not saying it's wrong, but whatever elevation the program needs to insert a firewall rule, apparently it can achieve without you pressing "run as admin" – Emil – 2018-04-22T07:53:04.297

@Emil, I don't know about Xlight, but the Firefox and Java installers both require admin privilege. If you weren't asked for permission to run them, your machine is configured to allow elevation without prompting. And a malicious program with elevated privilege is always going to be able to bypass the firewall, because a program with elevated privilege can do anything. – Harry Johnston – 2018-04-22T20:55:36.367

... that said, what the OP wants to do is to block benign installers from adding firewall rules, which is certainly possible (as already described in Scott's answer) so I'm not sure why I said it couldn't be done. I've deleted the offending comment. – Harry Johnston – 2018-04-22T20:58:00.637

@HarryJohnston I just don’t understand why something as sensitive as a firewall would allow API access. The firewall that’s supposed to secure you itself needs to be secured. Malicious software is not a problem, as it can gain any access if it’s “good”. It’s the legitimate programs with security holes I worry about. Though OP accepted the answer below, I still have the same question and don’t find the answer satisfactory, as you are no longer able to make changes via the firewall interface after this change. – Emil – 2018-05-02T11:57:19.420

@Emil, you just have to make the changes via group policy instead of via the GUI. As for the reason for the API, I imagine the main reason is because without one, too many users would say "this is too hard" when asked to create exceptions by hand, and turn the firewall off. You can always install a third-party firewall instead. – Harry Johnston – 2018-05-02T19:26:21.310

@HarryJohnston the reason I’d like to use Windows firewall is that it’s the lowest level and should be most reliable (in theory). Also, if I use a 3rd party fw, won’t it use the same subsystem so rules can be added in the same way by apps? As for being too hard for the avg user, a msg popup “Firefox would like to use internet: Allow/Deny” just doesn’t get simpler. I like Windows fw because it’s very comprehensive, but apparently useless. – Emil – 2018-05-03T05:40:00.060

@Emil, it meets my needs, and the needs of most people. If it doesn't meet your needs, use something else. (Third party firewalls will not be affected by the rules added by the Windows Firewall API unless they are specifically designed to do so. They may of course offer their own APIs, but that should be documented.) – Harry Johnston – 2018-05-03T07:53:46.763

Answers

Yes, but the computer will not allow any local exceptions not set by group policy.

I am going to assume you are not on a domain, but if you are, it is very similar; it will just be a domain policy instead of a local policy.

First, you must open the local group policy settings by opening MMC, going to File -> Add/Remove Snap-in..., and adding the Group Policy Object Editor for your local computer.

From there, navigate to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\. There are two settings you want to set to Disabled: "Windows Firewall: Allow local port exceptions" and "Windows Firewall: Allow local program exceptions".

Once those are set, you can no longer make any changes to the Windows Firewall using the Windows API, including going in by hand and editing it via Advanced Settings. If you want to enable an exception, you will need to do it through group policy now. You can set the rules up in Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object. These rules will be the only rules in effect on your system.

If you are on a domain you just need to use the domain group policy tools instead of the local ones.

Scott Chamberlain

Posted 2012-08-28T16:29:45.623

Reputation: 28 923
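
The same lockdown, done from an elevated PowerShell prompt instead of the gpedit.msc GUI, as an added example (my code, not part of Scott's answer). It writes the two Standard Profile policies from the answer plus the matching "apply local firewall rules" setting of the Windows Firewall with Advanced Security node, reads them back so you can confirm they are in force, and turns on auditing of firewall rule changes so that any rule an installer still manages to add is recorded in the Security log. Assumptions: the registry locations are my reading of the WindowsFirewall.admx template (compare them against gpedit.msc before relying on them), the `AllowLocalPolicyMerge` value name for the WFAS profiles is assumed, and event ID 4946 / the "MPSSVC Rule-Level Policy Change" audit subcategory are standard Windows 7 values.

```powershell
# Added example (not from the original answer). Run as Administrator on a
# standalone Windows 7 machine; on a domain member, put the same settings in
# a domain GPO instead.
# ASSUMPTION: the policy-to-registry mapping below is my reading of
# WindowsFirewall.admx; verify it against gpedit.msc before trusting it.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Each entry: the gpedit.msc policy name, its registry subkey under
# $PolicyRoot and the DWORD value name. 0 means "Disabled" for all of them.
$LockdownSettings = @(
    @{ Policy = 'Windows Firewall: Allow local program exceptions';
       SubKey = 'StandardProfile\AuthorizedApplications'; Name = 'AllowUserPrefMerge' },
    @{ Policy = 'Windows Firewall: Allow local port exceptions';
       SubKey = 'StandardProfile\GloballyOpenPorts';      Name = 'AllowUserPrefMerge' },
    @{ Policy = 'WFAS Private profile: Apply local firewall rules (assumed value name)';
       SubKey = 'PrivateProfile';                         Name = 'AllowLocalPolicyMerge' },
    @{ Policy = 'WFAS Public profile: Apply local firewall rules (assumed value name)';
       SubKey = 'PublicProfile';                          Name = 'AllowLocalPolicyMerge' }
)

function Set-FirewallLockdown {
    # Writes every setting above as Disabled (0), creating keys as needed.
    foreach ($s in $LockdownSettings) {
        $path = Join-Path $PolicyRoot $s.SubKey
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $s.Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Policy registry values only take effect after a policy refresh.
    gpupdate /target:computer /force | Out-Null
}

function Test-FirewallLockdown {
    # Returns one object per setting with its current policy value.
    # $null means the policy is "Not Configured", so local rules still merge.
    foreach ($s in $LockdownSettings) {
        $path = Join-Path $PolicyRoot $s.SubKey
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($s.Name) }
        }
        New-Object PSObject -Property @{
            Policy     = $s.Policy
            Value      = $value
            LockedDown = ($value -eq 0)
        }
    }
}

function Enable-FirewallRuleAuditing {
    # Security event 4946 ("A change has been made to Windows Firewall
    # exception list. A rule was added.") belongs to this audit subcategory.
    # With it enabled, a program that adds a rule leaves a record even if
    # the lockdown above is later undone by an elevated installer.
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null
}

function Get-RecentFirewallRuleAdditions {
    # Lists the most recent "rule added" events for review.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage (elevated prompt):
Set-FirewallLockdown
Test-FirewallLockdown | Format-Table Policy, Value, LockedDown -AutoSize
Enable-FirewallRuleAuditing
Get-RecentFirewallRuleAdditions | Format-List
```

`Test-FirewallLockdown` is the part worth keeping around: run it before trusting the lockdown, and again after any software rollout, because a program that runs elevated (as Harry Johnston notes in the comments) can rewrite these policy values just as easily as it can add a rule. The audit events give you a way to notice when that happens rather than a way to stop it.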

Step-by-step instructions to block applications from changing the firewall settings:

  1. Open Control Panel in the Start menu.

  2. Open Windows Firewall in the Control Panel.

    Note: If Windows Firewall is not available, change View by to Large icons at the top right of the Control Panel.

  3. Select Allow a program or feature through Windows Firewall in the left column of the window.

  4. Click the Change settings button in the Allowed Programs window.
  5. Uncheck the program or feature and then click OK to save the changes.

What if the program I want to block using the Windows 7 firewall is not listed?

  1. Follow the steps above.
  2. When you get to the last step (above) click the Allow another program button.
  3. Select the program from the Add a Program list or click Browse to find it and then click Add.
  4. Uncheck the program and then click OK to save the settings.

Vimal Venugopalan

Posted 2012-08-28T16:29:45.623

Reputation: 514

I'm really sorry to see that you have put time and effort into your answer, but this is not what I asked.

I use advanced settings to set my own policy, but any application can apparently change the policy through Windows API (or some such) and I want to disallow any application changing MY firewall policy. – Branko – 2012-08-28T20:27:44.993