Make the best of this POS: A firewall, properly set up, with logging enabled, is the first step in a Win10 install as far as I'm concerned. Here's me: native Windows firewall with all outbound blocked except MY rules. Disabled any default outbound that I don't need or want.
I am learning more about what Windows does, and I don't like it.
If one does NOT have the Windows Firewall service running at all, the following rules are listed from deep inside the Windows Filtering Platform:
WFP Built-in Edge Traversal Sublayer
◦ ET Allow All
◦ ET Bind callout
◦ ET Default Block All
◦ ET ICMPV6 Destination Unreachable - Permit
◦ ET ICMPV6 NA - Permit
◦ ET ICMPV6 NS - Permit
◦ ET ICMPV6 Packet Too Big - Permit
◦ ET ICMPV6 Parameter Problem - Permit
◦ ET ICMPV6 Time Exceeded - Permit
◦ ET Listen Callout

WFP Built-in Inspection Sublayer
◦ NDU Flow Established V4 SubLayer Filter
◦ NDU Flow Established V6 SubLayer Filter
◦ NDU Inbound Mac Frame Native SubLayer Filter
◦ NDU Inbound Transport SubLayer Filter
◦ NDU Outbound Mac Frame Native SubLayer Filter
◦ NDU Outbound Transport SubLayer Filter

NIS High Priority Sublayer
◦ NIS ALE Flow Established V4 Filter
◦ NIS ALE Flow Established V6 Filter
◦ NIS Stream V4 Filter
◦ NIS Stream V6 Filter
Start the Windows Firewall service with an empty list and the following rules are added:
◦ Allow all inbound TCP and RPC to SPPEXTCOMOBJ
◦ Allow all outbound TCP and RPC from SPPEXTCOMOBJ
◦ Allow Grouping to receive from port 3587
◦ Allow Grouping to send to port 3587
◦ Allow inbound RPC traffic to the Block Level Backup service (wbengine) over TCP
◦ Allow inbound TCP port 389 traffic for vmicheartbeat
◦ Allow inbound TCP port 636 traffic for vmicheartbeat
◦ Allow inbound TCP traffic to AJRouter
◦ Allow inbound traffic to SearchProtocolHost
◦ Allow inbound UDP traffic to AJRouter
◦ Allow inbound UDP traffic to SNMPTRAP service
◦ Allow incoming RPC traffic to VDS
◦ Allow incoming TCP to PeerDistSvc
◦ Allow incoming WSD to PeerDistSvc
◦ Allow NTP traffic from Wcmsvc
◦ Allow Out http traffic from WinDefend
◦ Allow outbound LDAP traffic from SearchIndexer
◦ Allow outbound TCP traffic for vmicheartbeat
◦ Allow outbound TCP traffic from AJRouter
◦ Allow outbound traffic from SearchProtocolHost
◦ Allow outbound UDP traffic from AJRouter
◦ Allow outgoing TCP from PeerDistSvc
◦ Allow outgoing WSD from PeerDistSvc
◦ Allow PNRP to receive from port 3540
◦ Allow PNRP to send from port 3540
◦ Allow PNRP to send to port 3540
◦ Allow RPC/TCP traffic to EventLog
◦ Allow SSL Out traffic from WinDefend
◦ Allow TCP traffic from Wcmsvc
◦ AppContainerLoopback
◦ AxInstSV TCP outbound allow
◦ Block all inbound traffic to SearchFilterHost
◦ Block all outbound traffic from SearchFilterHost
◦ Block Inbound Default Rule
◦ Block Outbound Default Rule
◦ Cast to Device streaming server hardening - Block incoming TCP traffic
◦ Cast to Device streaming server hardening rules for RTSP
◦ Device Metadata Retrieval
◦ DhcpFirewallPolicy
◦ Interface Binding Callout
◦ InternetClient Default Rule
◦ InternetClientServer Inbound Default Rule
◦ InternetClientServer Outbound Default Rule
◦ IPsec Policy Agent service hardening - LDAP/TCP
◦ IPsec Policy Agent service hardening - LDAP/UDP
◦ IPsec Policy Agent service hardening - Remote Management
◦ Modern Network Isolation Diagnostics Bfe Session
◦ NetBIOSHelperFirewallPolicy
◦ State Management Provider Context
◦ TermServiceLOM
◦ Wi-Fi Direct ASP Coordination Protocol (UDP-In)
◦ Wi-Fi Direct ASP Coordination Protocol (UDP-Out)
◦ Windows Firewall Dynamic Session
◦ Windows Firewall: callout
◦ Windows Media Player Network Sharing Service service hardening - Block any other incoming TCP traffic
◦ Windows Media Player Network Sharing Service service hardening - RTSP
◦ WSH Default Inbound Block
◦ WSH Default Outbound Block
As long as you have the Windows Firewall service running, the command netsh wfp show state can be used to dump the latter information out into an XML file. The takeaway here is that there are a large number of rules being added under the covers by Microsoft.
I had a discussion about this with the author of the Sphinx firewall. His point is that he adds all the rules of the Sphinx firewall, including the "Deny Everything By Default" basis for the whole product, at a higher priority level than all of the above, so the above are completely rendered inert.
-Noel
Author of the "How to Configure the 'To Work' Options" series of Windows books. Not feeling enough love to do one for Windows 10.
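The posture described at the top of the thread (native firewall, all outbound blocked except your own rules, logging on) plus Noel's WFP state dump, written out as one elevated PowerShell session. This is an added example, not Noel's or Bayer's code and not part of the original thread; the 'MY:' naming prefix, the Firefox path and the output file name are assumptions, and the cmdlets are the standard NetSecurity module ones.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# The 'MY:' prefix, the Firefox path and wfpstate.xml are assumptions.

$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'   # default log location

# 1. Default-deny in both directions on every profile and log BOTH allowed and
#    dropped traffic. Allowed-connection logging is off by default, and it is
#    what makes a later review of "successful outbound connections" possible.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 32767 `
    -LogAllowed True `
    -LogBlocked True

# 2. Disable every enabled built-in outbound allow rule except our own ('MY:*')
#    and the Core Networking group (DHCP/DNS/ICMPv6 - disabling those takes the
#    machine off the network). This only touches rules the UI can see; the
#    WFP-level rules Noel lists above are not in this collection at all.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'MY:*' -and $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule

# 3. One explicit allow, scoped to a program, a protocol and a port rather than
#    "any". Everything not matching an allow rule is now dropped and logged.
New-NetFirewallRule -DisplayName 'MY: Firefox HTTPS out' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemotePort 443

# 4. Dump the complete WFP state (every sublayer and filter, including the ones
#    the Advanced Firewall UI never shows) into an XML file in the current
#    directory for offline review, as Noel describes.
netsh wfp show state file=wfpstate.xml

# 5. Confirm what is left enabled outbound.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Select-Object DisplayName, Action, DisplayGroup |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Step 2 is deliberately conservative: it keeps the Core Networking rules because an outbound default-deny that also blocks DHCP and DNS looks like "the firewall works" right up to the next lease renewal. Disable individual Core Networking rules by name afterwards if you decide you do not need them.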
Post by Bayer A.User on Dec 20, 2016 8:47:56 GMT -6
...Learning more about what Windows does and not liking it... Specifically 10. Agreed, Noel. It shouldn't come as a surprise to us. After all, those buggers in Redmond have been busy. With all the "features" in 10, in/out rules, ports, and exceptions have grown to the point where it would take several screenshots just to list them all. Not to mention the fact that with every build/version upgrade MORE are added, and they are often redundant. Seeing as how the default is "allow all" outbound anyway, I chalk it up to MSFT guaranteeing the function of all the features even if the user changes advanced firewall settings. By now we all know that 10, unlike previous OS, MUST connect online for these features to work at all. EXAMPLE: Cortana. Without internet access, she doesn't work at all! So much for a "personal assistant" not being available locally. LOL. Another example, free Office 365 for a year. Or free 25GB of Dropbox. The list goes on and on. How about Sticky Notes? Why do I need special outbound firewall rules for that? Last but not least, the "AllJoyn" router service. Yeah, MSFT would prefer 10 be connected online with any available wireless network. Public, Private, Domain. Safe or UNsafe. Encrypted or wide open. I suspect this is why the default OOB network in 10 has always been "public". Don't get me started on the now defunct Wi-Fi Sense NONsense that allowed THEM to share the average user's wireless (service set I.D. & pre-shared key) with any and all 10 users within range. <rant off> I've said it before, a firewall is the most straightforward way to rein it all in. Another plus is that 10 can't/won't update or upgrade itself autonomously. When I have the time and want the latest updates, I go to the default firewall & run WU.
*will continue to log and post successful I.P. connections through the firewall*
I think you got it, but I want to be sure you realize that the lists above are without ANY rules showing in the Windows Advanced Firewall UI at all (I deleted them)!
They COULD have had all the rules necessary to run Windows 10 be visible and listed, as the default for Windows. But no, they did not, they deliberately did something under the covers to load all these rules in secret, just to prevent users from disabling the parts of Windows communications THEY feel are important.
I'm making the point to show why a 3rd party firewall that averts all of those "default secret" rules might be desirable.
Post by Bayer A.User on Dec 21, 2016 5:32:09 GMT -6
I appreciate the response, Noel. What I do is keep an eye on the log of successful outbound connections. What I've learned is that autonomous online activity can be minimized or brought down to zero depending on how far I go with the firewall or judicious use of the Get-AppxPackage | Remove-AppxPackage command. If I throw all the "tricks" at 10 it can be reduced to nothing more than a simple Chromebook with loads of local storage. I've mentioned before, an unactivated "illegitimate" install of 10 can be made to work just fine day in/out as long as the user can live without the CandyCrush foolishness. I haven't paid much attention to dropped packets, maybe I should keep an eye on that as well. Like death & taxes, eventually MSFT will figure out what we are doing and put a stop to it. When that day comes I'll switch 100% over to Linux.
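Bayer's review of "the log of successful outbound connections" (and the dropped packets he mentions not yet watching), done as a small PowerShell log summariser. This is an added example, not Bayer's code; it parses the standard W3C-style pfirewall.log layout by reading the #Fields header, so it adapts if a build adds columns, and the sample lines below are constructed for the demonstration rather than captured from a real machine.

```powershell
# Added example (not from the thread): summarise the Windows Firewall log by
# direction, action and destination. Sample lines are constructed, not real.

function Get-FirewallLogEntries {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The header names the columns; trust it instead of hard-coding positions.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

function Get-OutboundSummary {
    param([string[]]$Lines)
    # path is SEND for outbound and RECEIVE for inbound; action is ALLOW or DROP.
    Get-FirewallLogEntries $Lines |
        Where-Object { $_.path -eq 'SEND' } |
        Group-Object action, 'dst-ip', 'dst-port', protocol |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Action   = $first.action
                Protocol = $first.protocol
                Dest     = "$($first.'dst-ip'):$($first.'dst-port')"
                Count    = $_.Count
                First    = "$($first.date) $($first.time)"
            }
        } | Sort-Object Action, Count -Descending
}

# Constructed sample in the pfirewall.log layout (documentation-range addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-12-20 08:47:56 ALLOW TCP 192.168.1.10 203.0.113.5 49832 443 0 - 0 0 0 - - - SEND
2016-12-20 08:47:58 ALLOW TCP 192.168.1.10 203.0.113.5 49833 443 0 - 0 0 0 - - - SEND
2016-12-20 08:48:01 DROP UDP 192.168.1.10 239.255.255.250 54212 1900 0 - - - - - - - SEND
2016-12-20 08:48:03 DROP TCP 203.0.113.9 192.168.1.10 51000 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

# For a real machine replace $sample with:
#   Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
Get-OutboundSummary $sample | Format-Table -AutoSize
```

With the sample input the summary shows one ALLOW row (2 connections to 203.0.113.5:443 over TCP) and one DROP row (the SSDP multicast attempt to 239.255.255.250:1900); the inbound RECEIVE line is excluded by the path filter. An ALLOW destination you cannot attribute to a rule you wrote is the thing to chase, and the DROP rows are the quickest way to see what Windows keeps trying behind a default-deny.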
Post by Bayer A.User on Jan 3, 2017 6:33:01 GMT -6
Just a quick reminder before I forget... With the Creators edition of 10 on the horizon, we still don't know for sure if "MovieMaker" will be available from the store for download/install... End of support for LiveEssentials2012 (MovieMaker) is Jan 10, 2017. So, you have two choices. Use the web installer before the deadline >wlsetup-web dot exe
Last Edit: Jan 3, 2017 6:44:16 GMT -6 by Bayer A.User
Or grab a copy of the "Offline" installer for future installs.
Post by Bayer A.User on Mar 11, 2017 10:42:17 GMT -6
Trivial fun stuff from the latest preview build 15055.0 (Redstone 2)
I've said it before: Windows 10 is a hodgepodge of old and new code. No idea if this will make the final cut. After all, it is beta... (Noel will get a kick outta this.) Legacy Desktop Window Manager straight from the Win7 scrap bucket. Defender "Offline" scan advanced option interface complete with rounded corners and non-flat controls. Call it The Ghost of Longhorn.
Having read all through this long thread, I must say I'm a little disappointed; I was hoping for a better ratio between useful advice and pointless bitching.
Are there things about W10 that bug me? Of course, but there have been about every upgrade I've made since NT4, and the user interface has deteriorated every step since W2K.
So here's how I've been "making the best of" 10:
Run under a local account with UAC disabled.
Install and run Spybot Anti-Beacon.
Install ClassicShell (required since Win 7).
Use gpedit.msc to set updates to download only.
Use the same to set "Do not reboot with logged on user" (saved my work a couple of times).
Install Gadgets.
Revert Calc.exe to the old version.
Other than the annoyance of having to re-run Anti-Beacon and often re-install ClassicShell after updates, my biggest annoyance has been re-removing app clutter I neither want nor use, the installing of which I consider to be malware distribution. Yes, they do cause harm: it's my bandwidth and my SSD write cycles M$ are wasting. GRRRR! I'd be more willing to tolerate *new* apps appearing if M$ respected my decision to remove apps I don't want and did not put them back. The fact I've taken the trouble to remove them is a big clue they're not wanted.
Noel's Re-Tweaker looks a useful resource to borrow from, both to identify services I may not need and do some more tightening down, but I've been managing OK under 10, and I've gone as long as 5 1/2 months between reboots when that has suited me.
<Rick> Good video. It's almost hard to believe that at one time Windows 98 was the resource hog, but even then, it still ran circles around what Windows 10 can do on today's modern hardware and looked a heck of a lot better doing it.
May 25, 2021 22:55:12 GMT -6
<Rick> As stated elsewhere, so much for the launch of Windows 11, "The Great Crash." Myself, I had a hard time getting into the site listed above; when I did get in, the video was partly done and then it crashed. There have been many other reports of crashing.
Jun 24, 2021 9:52:33 GMT -6
<Rick> I see Microsoft has been very quick to pull down reports of site crashing regarding the Launch of Windows 11 on the Microsoft Insiders forum.
Jun 24, 2021 9:57:31 GMT -6
<Rick> The rebroadcast is working okay.
Jun 24, 2021 11:00:25 GMT -6
<Rick> With reports of people being able to install the dev-edition of Windows 11 on machines not meeting spec, I thought I would give it a what-the-heck try. Lucky me, I'm caught in the downloading, doesn't meet spec, clearing, re-downloading loop on my machine!
Jul 2, 2021 7:08:46 GMT -6
<Rick> I've recently purchased a license for ArcaOS from www.arcanoae.com/ to play with. First impressions, it's still OS/2, but it now has a Linux twist to it.
Jul 2, 2021 7:32:53 GMT -6
<dozrguy> Laptop shit out and I am stuck buying a new one. Is win11 as fucked as win10 was?
Oct 2, 2021 12:56:10 GMT -6
<Rick> Let's see ..., my impression of Windows 11 is that it is a spruced up version of Windows 10 requiring a 64-bit processor plus a piece of security hardware that is less than 4 years old in order for it to run.
Oct 4, 2021 18:25:49 GMT -6
<Rick> On the plus side, Microsoft is supposed to be supporting Windows 10 for some time to come for those of us still using systems with i7 or older processors.
Oct 4, 2021 18:44:35 GMT -6
<dozrguy> I tried installing win10 on the 'shitout' PC this morning using media creation. EPIC FAIL! Went into an endless bootloop. Win7 reinstalled just fine.
Oct 21, 2021 11:23:38 GMT -6
<dozrguy> STILL so much bullshit and so little time for the kiddie ideas from the hill. My new laptop (MSI GE 11-UH461) would be an awesome "10" machine, but because of Winblows I can only give it a "2"... wasted $3500.
Oct 27, 2021 9:36:47 GMT -6
<Rick> Hello. Just checking in.
Mar 17, 2022 10:46:54 GMT -6
<isidroco> Each new W10 update adds >100000 useless files to \Windows\Servicing\LCU\Package_for_RollupFix... folders. Even on an SSD it takes time to delete that stuff. In each version they manage to worsen stuff.
Mar 27, 2022 16:14:51 GMT -6
<dozerguy> Still traffic here?
Oct 9, 2022 17:32:44 GMT -6
<Rick> No, there does not seem to be very much traffic these days. I still check in from time to time.
Oct 9, 2022 20:08:58 GMT -6