Windows 10: Windows Update and firewall

  1. killerhonky, 24 Jul 2015 #1

    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?


  2. bro67, 25 Jul 2015 #2

    killerhonky said:
    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within.

    If you have your computer so locked down that it is basically a doorstop, you need to reverse that process. A good Gateway for your network is sufficient to protect the LAN. It is the user's poor habits that get them into trouble and cause an infected machine.

  3. ARC1020, 25 Jul 2015 #3

    Note: I haven't used Windows 10, therefore I'm not sure if any changes have been made between Windows 8 and Windows 10.

    I assume you're talking about Windows Firewall? If your firewall is blocking outbound connections, then the first thing you need to do is see everything that it's blocking. Once you know what it's blocking, then you will have an idea what rules you need to set. With Windows Firewall, you won't get any notifications of blocked outbound connections, so you will need to set up logging. I don't think Microsoft particularly like people blocking outbound connections due to the problems it causes, so setting up logging isn't user friendly and has to be done through Group Policy and Event Viewer.

    1) To start logging, go to Group Policy Editor then > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Set to Failure

    [Screenshot: 001.jpg]

    2) Then go to Event Viewer and create a 'Custom View'.

    [Screenshot: 002.jpg]

    3) Click on the XML Tab (screenshot below)

    4) Tick 'Edit Query Manually', and paste ONE of the following. The first one will show all blocked connections; the second one has 'Suppress Path' lines in it, which means blocked outbound connections to those destination ports (1900, 3702, 5355 and 137) won't be displayed in Event Viewer, therefore making it easier to see the other blocked connections. Those four ports are part of the 'Network Discovery' rules; if you have sharing off, the network is treated as a public network and they will be blocked by the firewall rules.

    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
      </Query>
    </QueryList>
    OR
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="1900")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="3702")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="5355")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="137")]]
        </Suppress>
      </Query>
    </QueryList>

    [Screenshot: 003.jpg]

    5) You should now be able to view all outbound connections that are being blocked by Windows Firewall. In all likelihood, it's probably svchost.exe being blocked from making TCP connections to ports 80 and 443, because from memory these aren't part of core networking rules. Also, if making a new rule for svchost.exe to allow outbound TCP connections to 80, 443, don't bind it to the 'Windows Update' Service, as that doesn't work anymore (at least not in Windows 8). It's still possible to bind other services to a svchost rule such as the 'Windows Time' service for Network Time Protocol, just not Windows Update Service for some reason.

    Personally I'd let all genuine Windows processes make outbound connections, Windows already has Ring Zero, it can do whatever it wants anyway.

    NB: The event logs will show protocols as numbers rather than acronyms TCP, UDP, etc. (In the last screenshot above for example, it says "Protocol: 6".) Protocol 6 is TCP, Protocol 17 is UDP; the most common ones are listed here.
    Last edited by ARC1020; 25 Jul 2015 at 15:58.
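    As an added example that is not part of the thread or from ARC1020: the same three steps from the post above (turn on failure auditing for Filtering Platform Connection, read the blocked outbound events with the Network Discovery ports suppressed, then add the svchost.exe rule for TCP 80/443 without binding it to the Windows Update service) done from an elevated PowerShell prompt instead of Group Policy and Event Viewer. It uses only built-in tools (auditpol.exe, Get-WinEvent, New-NetFirewallRule); the rule's display name and the 1000-event limit are my own choices, and the protocol-number table is an assumption taken from the IANA numbers, not from the page.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows 8.x/10 with the built-in Windows Firewall. The rule name
# and the event limit below are arbitrary choices.

# --- 1) Failure auditing for "Filtering Platform Connection" ----------------
# Same setting as the Group Policy step in the post, via auditpol.exe. Blocked
# connections then appear in the Security log as event 5157 (5150 for packets
# dropped at the MAC layer).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# --- 2) Summarise blocked OUTBOUND connections ------------------------------
# "%%14593" is the resource string Windows uses for Direction = Outbound.
# The Suppress element drops the four Network Discovery ports from the post
# so they do not drown out the blocks we actually care about.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5150 or EventID=5157)]]
      and *[EventData[Data[@Name="Direction"]="%%14593"]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name="DestPort"]="1900" or Data[@Name="DestPort"]="3702"
                  or Data[@Name="DestPort"]="5355" or Data[@Name="DestPort"]="137"]]
    </Suppress>
  </Query>
</QueryList>
'@

# IANA protocol numbers as they appear in the event's Protocol field (assumed
# table; the post itself only names 6 = TCP and 17 = UDP).
$protoNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

Get-WinEvent -FilterXml $query -MaxEvents 1000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Pull the named EventData fields out of the record's XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $proto = [int]$d['Protocol']   # $null (event 5150) becomes 0
    [pscustomobject]@{
      Time     = $_.TimeCreated
      App      = $d['Application']   # device path, e.g. \device\harddiskvolume2\windows\system32\svchost.exe
      Dest     = $d['DestAddress']
      DestPort = $d['DestPort']
      Proto    = if ($protoNames.ContainsKey($proto)) { $protoNames[$proto] } else { "$proto" }
    }
  } |
  Group-Object App, Proto, DestPort |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize

# --- 3) Open the hole the log points at -------------------------------------
# Following the post's observation: scope the rule by program, protocol and
# remote port only, and do NOT add -Service wuauserv (binding the svchost rule
# to the Windows Update service is what the post reports as not working).
New-NetFirewallRule -DisplayName 'svchost.exe outbound HTTP/HTTPS (Windows Update)' `
  -Direction Outbound -Action Allow -Profile Any `
  -Program "$env:SystemRoot\System32\svchost.exe" `
  -Protocol TCP -RemotePort 80,443

# Re-run step 2 after a manual "Check for updates" to confirm the svchost.exe
# blocks to 80/443 are gone; whatever is still at the top of the list is the
# next rule to write.
```

    Step 2 is the part worth keeping around: each Group-Object line reads like `5  \device\harddiskvolume2\windows\system32\svchost.exe, TCP, 443`, so the top of the list tells you which program/port pair the next rule should cover, and re-running it after every rule change is how you check the rule actually took effect rather than guessing. Reading the Security log and changing audit policy both need an elevated session.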

  4. killerhonky, 25 Jul 2015 #4

    bro67 said:
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within. If you have your computer so locked down, that it is basically a doorstop. You need to reverse that process. A good Gateway for your network is sufficient to protect the LAN. It is the user's poor habits that gets them into trouble and causes an infected machine.
    I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.


  5. bro67, 25 Jul 2015 #5

    killerhonky said:
    I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.
    If you are doing anything with forensics, the machine should never be connected to the Internet. As for Linux, it all depends on what you are using the server for.

    But going back to the original request. If you want to update that machine, you are going to have to unlock the Firewall on the machine, if you plan on downloading anything.

    Also, svchost.exe needs to be able to do its job, since the Firewall is also a part of that process, along with other items.