Windows Update and firewall


  1. Posts : 2
    Windows 10
       #1

    Windows Update and firewall


    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?


  2. Posts : 9,788
    Mac OS Catalina
       #2

    killerhonky said:
    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within.

    If you have your computer so locked down that it is basically a doorstop, you need to reverse that process. A good gateway for your network is sufficient to protect the LAN. It is the user's poor habits that get them into trouble and cause an infected machine.


  3. Posts : 487
       #3

    Note: I haven't used Windows 10, therefore I'm not sure if any changes have been made between Windows 8 and Windows 10.

    I assume you're talking about Windows Firewall? If your firewall is blocking outbound connections, then the first thing you need to do is see everything that it's blocking. Once you know what it's blocking, then you will have an idea what rules you need to set. With Windows Firewall, you won't get any notifications of blocked outbound connections, so you will need to set up logging. I don't think Microsoft particularly likes people blocking outbound connections due to the problems it causes, so setting up logging isn't user friendly and has to be done through Group Policy and Event Viewer.

    1) To start logging, go to Group Policy Editor then > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Set to Failure

    [Screenshot: Windows Update and firewall-001.jpg]

    2) Then go to Event Viewer and create a 'Custom View'.

    [Screenshot: Windows Update and firewall-002.jpg]

    3) Click on the XML tab (screenshot below).

    4) Tick 'Edit Query Manually' and paste ONE of the following. The first one will show all blocked connections; the second one has 'Suppress Path' lines in it, which means blocked outbound connections to those destination ports (1900, 3702, 5355 and 137) won't be displayed in Event Viewer, therefore making it easier to see the other blocked connections. Those four ports are part of the 'Network Discovery' rules; if you have sharing off, the network is treated as a public network and they will be blocked by the firewall rules.

    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
      </Query>
    </QueryList>
    OR
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
        <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="1900")]]</Suppress>
        <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="3702")]]</Suppress>
        <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="5355")]]</Suppress>
        <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="137")]]</Suppress>
      </Query>
    </QueryList>

    [Screenshot: Windows Update and firewall-003.jpg]

    5) You should now be able to view all outbound connections that are being blocked by Windows Firewall. In all likelihood, it's probably svchost.exe being blocked from making TCP connections to ports 80 and 443, because from memory these aren't part of the core networking rules. Also, if making a new rule for svchost.exe to allow outbound TCP connections to 80 and 443, don't bind it to the 'Windows Update' service, as that doesn't work anymore (at least not in Windows 8). It's still possible to bind other services to an svchost rule, such as the 'Windows Time' service for Network Time Protocol, just not the Windows Update service for some reason.

    Personally I'd let all genuine Windows processes make outbound connections, Windows already has Ring Zero, it can do whatever it wants anyway.

    NB: The event logs will show protocols as numbers rather than the acronyms TCP, UDP, etc. (In the last screenshot above, for example, it says "Protocol: 6".) Protocol 6 is TCP, Protocol 17 is UDP; the most common ones are listed here.
    Last edited by ARC1020; 25 Jul 2015 at 15:58.
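    The same procedure from the command line, as an added example that is not part of the thread: it enables the Filtering Platform Connection failure audit the post sets through Group Policy, runs the post's first XML query against the Security log with Get-WinEvent, translates the numeric protocol field, and summarises the blocked outbound connections by program and destination port. The function name Get-BlockedOutbound and the protocol table are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Enable the same audit subcategory the
# post reaches via Group Policy, then summarise blocked outbound connections.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# The post's first custom-view query: Filtering Platform events 5150/5157,
# outbound direction only (%%14593 = Outbound).
$blockedOutboundQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
      and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
  </Query>
</QueryList>
'@

# The event records the protocol as an IANA number, as the post notes (6 = TCP, 17 = UDP).
$protocolNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

function Get-BlockedOutbound {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterXml $blockedOutboundQuery -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields (Application, Protocol, DestAddress, ...) from the event XML.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            $proto = [int]$data['Protocol']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $data['Application']
                Protocol    = if ($protocolNames.ContainsKey($proto)) { $protocolNames[$proto] } else { $proto }
                DestAddress = $data['DestAddress']
                DestPort    = $data['DestPort']
            }
        }
}

# Drop the four Network Discovery ports the post's second query suppresses,
# then show which programs are being blocked most often.
$discoveryPorts = '1900', '3702', '5355', '137'
Get-BlockedOutbound |
    Where-Object { $_.DestPort -notin $discoveryPorts } |
    Group-Object Application, Protocol, DestPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

    If svchost.exe with TCP to 443 and 80 tops the list, that is the outbound rule the post describes adding, bound to the program path rather than to the Windows Update service.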


  4. Posts : 2
    Windows 10
    Thread Starter
       #4

    bro67 said:
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within. If you have your computer so locked down, that it is basically a doorstop. You need to reverse that process. A good Gateway for your network is sufficient to protect the LAN. It is the user's poor habits that gets them into trouble and causes an infected machine.
    I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.


  5. Posts : 9,788
    Mac OS Catalina
       #5

    killerhonky said:
    I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.
    If you are doing anything with forensics, the machine should never be connected to the Internet. As for Linux, it all depends on what you are using the server for.

    But going back to the original request. If you want to update that machine, you are going to have to unlock the Firewall on the machine, if you plan on downloading anything.

    Also, svchost.exe needs to be able to do its job, since the Firewall is also a part of that process, along with other items.

