Basically I've set my Windows firewall the way I want it, but apparently any application can create its own rule to completely override my settings. How can I prevent this from happening?
Windows 7 Firewall – How to Prevent Applications from Modifying Firewall Policy
firewall, windows 7
Related Solutions
I can understand your wish. It is absolutely crazy how many rules Windows 10 creates without you even being able to see the rules. The one created on a per-user basis for Cortana in WF.msc is just one. This is also the reason why I do not think that Windows 10 is more secure than Windows 7. The Filtering Platform is the same, but the number of services and background tasks as well as predefined exceptions in firewall rules is enormously higher than in Windows 7. So the attack surface is - in my opinion - much higher than in Windows 7, where you can configure the firewall very strictly and with almost no automatic modifications.
To come back to your question: it is not too complicated to modify the Windows Firewall to prevent automatic firewall rules. What you need is to break inheritance and copy permissions in the Registry. Take off all write permissions for MpsSvc and, to avoid future overwrites, also for System. You may also want to create a new group which has the right to change them and is also owner of these subkeys.
The following Registry keys store the rules: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" and all subfolders. "Static" are only configurable by Registry, "Configurable" by command line and Registry, "FirewallRules" are the rules you can see in WF.msc. If you take the rights off FirewallRules too, you cannot modify them by mmc.exe/wf.msc anymore.
However, like with all such deep tweaks there are more or less big caveats. If you delete all Allow rules in the subfolders Static and Configurable for modern apps like Cortana, Shell Experience, AAD Broker and so on, you will break the Start menu as well. So nothing happens when you click on the button, because new apps communicate over the network / Filtering Platform and, as you disallowed them to do so, they won't do anything if these rules do not exist. Especially the first-time login is highly dependent on these things. However, Windows still works like a charm. All apps are shown in the task list, the desktop still works fine and so on, also shortcuts like Win+R. But the Start menu with Cortana does not.
There are also other things I do not like at all. For example MS did deform a lot of services which are for telemetry/privacy use only. So no other technical reason. For example the AitAgent. You cannot disable it, because you cannot see it in the mmc.exe plugin. Not even with SystemUtilities. But in the Registry you see half of it. There are many other privacy-related tasks and services too, and with every update there are new ones. Even in LTSB Enterprise versions. In my opinion W10 is a technically very good OS, but in questions of privacy it is far worse than you may ever expect, and MS is making it all the time harder to prevent that, so that you cannot disable the crap. They collect all data and if a user forgets to click on "no", everything is sent over the air. For some tweaks you need to start in safe mode, for some you need a task running as "TrustedInstaller" or System, with a lot of them you cannot even use SystemUtilities and you have to modify the registry yourself, and so on.
Unfortunately there is no way to really avoid Windows 10 in future, as new silicon only supports Windows 10, and without Windows you cannot work in a modern company, as the biggest part of software vendors work on Windows and a lot of people just do not care about these things.
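To see which application created a rule behind your back before you start changing key permissions, here is an added PowerShell example (not from the answer above) that snapshots the FirewallRules key named in that answer and reports rules that appeared since the last snapshot. It assumes an elevated prompt; the snapshot file path is an arbitrary choice.

```powershell
# Added example: detect firewall rules added since a baseline snapshot.
# Assumptions: run elevated; $Snapshot is an arbitrary location.
$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$Snapshot = Join-Path $env:ProgramData 'fw-rules-baseline.xml'

# Each registry value is a pipe-delimited rule string, for example
# "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\x\y.exe|Name=Y|"
# (the leading version token has no '=' and is skipped by the parser).
function Read-FirewallRules {
    $item  = Get-Item -Path $RulesKey
    $rules = @{}
    foreach ($name in $item.GetValueNames()) {
        $fields = @{}
        foreach ($part in ($item.GetValue($name) -split '\|')) {
            if ($part -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        $rules[$name] = $fields
    }
    return $rules
}

$current = Read-FirewallRules

# First run: write the baseline and stop.
if (-not (Test-Path $Snapshot)) {
    $current | Export-Clixml -Path $Snapshot
    Write-Host "Baseline written with $($current.Count) rules to $Snapshot"
    return
}

# Later runs: list every rule id that is not in the baseline, with the
# fields that tell you who created it and what it allows.
$baseline = Import-Clixml -Path $Snapshot
foreach ($id in $current.Keys) {
    if (-not $baseline.ContainsKey($id)) {
        $r = $current[$id]
        [PSCustomObject]@{
            RuleId = $id
            Name   = $r['Name']
            Action = $r['Action']
            Dir    = $r['Dir']
            App    = $r['App']
        }
    }
}
```

Rule names beginning with "@" are resource-string references to localized text, so the App path is usually the more useful field for identifying the program.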
You can use the Windows hosts file to redirect any requests to the Steam service to your local machine (localhost or 127.0.0.1). Those requests will be going straight into the void and Steam will not have any way to work around this issue, except for changing the servers they connect to (which you can block then, as well).
You can find out which servers to block using Wireshark, or you can just google and try to find a list of Steam service IPs.
This list may be useful.
Best Answer
Yes, but the computer will not allow any local exceptions not set by group policy.
I am going to assume you are not on a domain but if you are it is very similar it will just be a domain policy instead of a local policy.
First, you must open the local group policy settings by opening MMC, going to File -> Add/Remove Snap-In... and adding the Group Policy Object Editor for your local computer. From there navigate to
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\
and there are two settings you want to set to disabled: Windows Firewall: Allow local port exceptions and Windows Firewall: Allow local program exceptions. Once those are set you can no longer make any changes to the Windows firewall using the Windows API, including going in by hand and editing it via advanced settings. If you want to enable an exception you will need to do it through the group policy now. You can set the rules up in
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object
These rules will be the only rules in effect on your system. If you are on a domain you just need to use the domain group policy tools instead of the local ones.
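The same two settings can be applied without the MMC walkthrough. The following is an added PowerShell example, not from the answer above; it writes the policy registry values that back the two "Allow local ... exceptions" settings and then checks what the firewall reports. The registry locations are my reading of the Windows Firewall ADMX mapping for the Standard profile and are an assumption to confirm in gpedit.msc on your build.

```powershell
# Added example: set "Allow local port exceptions" and "Allow local program
# exceptions" to Disabled for the Standard profile via the policy registry.
# Assumption: these are the value locations the ADMX templates map the two
# settings to; confirm in gpedit.msc. Run from an elevated prompt.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'

$settings = @(
    # "Windows Firewall: Allow local program exceptions" -> Disabled
    @{ Key = "$PolicyRoot\AuthorizedApplications"; Name = 'AllowUserPrefMerge' },
    # "Windows Firewall: Allow local port exceptions" -> Disabled
    @{ Key = "$PolicyRoot\GloballyOpenPorts";      Name = 'AllowUserPrefMerge' }
)

foreach ($s in $settings) {
    # Policy keys do not exist until a policy has been set at least once.
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    # "Disabled" is DWORD 0 for these allow-type policies.
    Set-ItemProperty -Path $s.Key -Name $s.Name -Value 0 -Type DWord
}

# Have the machine re-read computer policy, then show whether the firewall
# now ignores locally created rules for the private (standard) profile.
gpupdate /target:computer /force | Out-Null
netsh advfirewall show privateprofile | Select-String 'LocalFirewallRules'
```

Once the policy is in effect, the LocalFirewallRules line should read as GPO-store only, meaning rules an application writes into the local store are no longer applied; everything you still want allowed must then go into the Group Policy rule set named above.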