1.    24 Jul 2015 #1
    Join Date : Jul 2015
    Posts : 2
    Windows 10

    Windows Update and firewall


    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?
  2.    25 Jul 2015 #2
    Join Date : May 2015
    Central IL
    Posts : 4,361
    Mac OS Sierra

    Quote Originally Posted by killerhonky View Post
    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within.

    If you have your computer so locked down that it is basically a doorstop, you need to reverse that process. A good gateway for your network is sufficient to protect the LAN. It is the user's poor habits that get them into trouble and cause an infected machine.
  3.    25 Jul 2015 #3
    Join Date : Feb 2014
    Posts : 487

    Note: I haven't used Windows 10, therefore I'm not sure if any changes have been made between Windows 8 and Windows 10.

    I assume you're talking about Windows Firewall? If your firewall is blocking outbound connections, then the first thing you need to do is see everything that it's blocking. Once you know what it's blocking, you will have an idea what rules you need to set. With Windows Firewall, you won't get any notifications of blocked outbound connections, so you will need to set up logging. I don't think Microsoft particularly likes people blocking outbound connections due to the problems it causes, so setting up logging isn't user friendly and has to be done through Group Policy and Event Viewer.

    1) To start logging, go to Group Policy Editor then > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Set to Failure

    [Screenshot 001.jpg: Group Policy Editor, Audit Filtering Platform Connection set to Failure]

    2) Then go to Event Viewer and create a 'Custom View'.

    [Screenshot 002.jpg: Event Viewer, Create Custom View]

    3) Click on the XML tab (screenshot below).

    4) Tick 'Edit Query Manually', and paste ONE of the following. The first one will show all blocked connections; the second one has 'Suppress Path' lines in it, which means blocked outbound connections to those destination ports (1900, 3702, 5355 and 137) won't be displayed in Event Viewer, making it easier to see the other blocked connections. Those four ports are part of the 'Network Discovery' rules; if you have sharing off, the network is treated as a public network and they will be blocked by the firewall rules.

    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
      </Query>
    </QueryList>
    OR
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
          and *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="1900")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="3702")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="5355")]]
        </Suppress>
        <Suppress Path="Security">
          *[EventData[(Data[@Name="DestPort"]="137")]]
        </Suppress>
      </Query>
    </QueryList>

    [Screenshot 003.jpg: Event Viewer custom view XML query and a blocked-connection event showing "Protocol: 6"]

    5) You should now be able to view all outbound connections that are being blocked by Windows Firewall. In all likelihood, it's probably svchost.exe being blocked from making TCP connections to ports 80 and 443, because from memory these aren't part of the core networking rules. Also, if making a new rule for svchost.exe to allow outbound TCP connections to 80 and 443, don't bind it to the 'Windows Update' service, as that doesn't work anymore (at least not in Windows 8). It's still possible to bind other services to an svchost rule, such as the 'Windows Time' service for Network Time Protocol, just not the Windows Update service for some reason.

    Personally I'd let all genuine Windows processes make outbound connections, Windows already has Ring Zero, it can do whatever it wants anyway.

    NB: The event logs will show protocols as numbers rather than the acronyms TCP, UDP, etc. (In the last screenshot above, for example, it says "Protocol: 6".) Protocol 6 is TCP, Protocol 17 is UDP; the most common ones are listed here.
    Last edited by ARC1020; 25 Jul 2015 at 15:58.
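The whole procedure in post #3 (turn on Filtering Platform Connection failure auditing, pull the blocked outbound events with the Direction %%14593 filter, hide the Network Discovery noise ports, translate the numeric protocol field, then add the svchost.exe outbound 80/443 rule) can be done from an elevated PowerShell prompt instead of Group Policy and Event Viewer. The script below is an added example written for this page; it is not ARC1020's code. It assumes Windows 8 or 10 with the built-in auditpol, Get-WinEvent and NetSecurity cmdlets, and must run as Administrator because the Security log is not readable otherwise. The function name Get-BlockedOutbound, the rule display name and the protocol table are illustrative choices. It queries event 5157 only, since that is the "blocked a connection" event the Filtering Platform Connection subcategory produces; the post's custom view also lists 5150, which is fine to keep there.

```powershell
# Added example, not from the original post. Run as Administrator on Windows 8/10.
# Assumptions: Security log readable, auditpol and the NetSecurity module present.

# 1) Same setting as the Group Policy step, done from the command line:
#    Object Access > Audit Filtering Platform Connection > Failure.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# IANA protocol numbers as they appear in the event's Protocol field (post's NB).
$ProtocolNames = @{ 1 = 'ICMP'; 2 = 'IGMP'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

# Network Discovery ports the post suppresses (SSDP, WS-Discovery, LLMNR, NetBIOS).
$NoisePorts = 1900, 3702, 5355, 137

function Get-BlockedOutbound {
    param([int]$MaxEvents = 200, [switch]$IncludeDiscoveryNoise)

    # Same XPath as the Custom View, handed to Get-WinEvent directly.
    # %%14593 is the resource string for Direction = Outbound.
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5157)]]
      and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $proto = [int]$d['Protocol']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            # Application is an NT device path, e.g. \device\harddiskvolume2\windows\system32\svchost.exe
            Application = $d['Application']
            DestAddress = $d['DestAddress']
            DestPort    = [int]$d['DestPort']
            Protocol    = if ($ProtocolNames.ContainsKey($proto)) { $ProtocolNames[$proto] } else { $proto }
        }
      } |
      Where-Object { $IncludeDiscoveryNoise -or ($_.DestPort -notin $NoisePorts) }
}

# 2) Summarise which program / protocol / port combinations are being dropped,
#    so you know which rules to write.
Get-BlockedOutbound |
  Group-Object Application, Protocol, DestPort |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize

# 3) The rule the post suggests for Windows Update: svchost.exe outbound
#    TCP 80/443, bound to the program only, not to the Windows Update service.
$RuleName = 'Allow svchost outbound HTTP/HTTPS'   # illustrative name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow -Profile Any `
        -Program "$env:SystemRoot\System32\svchost.exe" `
        -Protocol TCP -RemotePort 80, 443 | Out-Null
}
```

Re-run the summary after a failed Windows Update attempt: anything still listed against svchost.exe on other ports (or UDP) is the next rule to write, and the suppression of the four discovery ports keeps those lines from burying it. Keep the rule as narrow as the log shows is needed; allowing svchost.exe outbound on 80/443 covers every service hosted in that binary, which is the trade-off the post points out.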
  4.    25 Jul 2015 #4
    Join Date : Jul 2015
    Posts : 2
    Windows 10
    Thread Starter

    Quote Originally Posted by bro67 View Post
    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within. If you have your computer so locked down, that it is basically a doorstop. You need to reverse that process. A good Gateway for your network is sufficient to protect the LAN. It is the user's poor habits that gets them into trouble and causes an infected machine.
    I study technology forensics; it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and plug holes where necessary. Thanks arc1020, I'll play around now that I can monitor; it's hard to find my way around outside of a *NIX server.
  5.    25 Jul 2015 #5
    Join Date : May 2015
    Central IL
    Posts : 4,361
    Mac OS Sierra

    Quote Originally Posted by killerhonky View Post
    I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.
    If you are doing anything with forensics, the machine should never be connected to the Internet. As for Linux, it all depends on what you are using the server for.

    But going back to the original request: if you want to update that machine, you are going to have to unlock the firewall on the machine if you plan on downloading anything.

    Also, svchost.exe needs to be able to do its job, since the firewall is also a part of that process, along with other items.
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.