Windows – How to use Windows Firewall to only permit the Windows Update service to make an outbound connection

firewallnetworkingwindows 7windows firewallwindows update

I'm trying to tailor my Windows Firewall settings (using the Windows Firewall with Advanced Security console) to only permit programs that need to access the Internet with an outbound connection to do so.

This works fine for normal applications as I can just allow the program, but services that load in the svchost.exe process are a problem. The only services I actually need to give access to are Windows Update and the Background Intelligent Transfer Service (and even that, I would only like Windows Update to be able to submit jobs to, but that's another issue.) Is there a method to only allow these to be permitted an outbound connection, and not any of the other services loaded in svchost?

Best Answer

As stated by Joe Internet in the comments, you can specify the Service you want to use. For that, you have to define a new outbound rule, but use "Custom" instead of "Program". There, you can choose the service, in your case "Windows Update", or also "wuauserv", which should be exactly what you're looking for.

Related Solutions

Windows firewall blocks outbound connection that is allowed by a rule

After asking for help in the Windows Filtering Platform (WFP) forum on MSDN I learned that you can capture the activity of WFP (which the firewall employs) using the following commands:

netsh wfp capture start
netsh wfp capture stop

The resulting log file is XML which makes it human readable and from that file I learned that wermgr.exe is blocked by the rule WSH Default Outbound Block with the description Blocks all outbound traffic for services who have been network hardened. Apparently, this rule takes precedence over my "allow" rule.

I'm not sure exactly why wermgr.exe is affected by the Windows Service Hardening default rule but I assume that one of the hardened services execute wermgr.exe to perform a task of connecting to the server at 65.55.53.190 (a Microsoft IP address), and wermgr.exe is then blocked just as the service would be.

Windows – What Firewall Rule(s) Will Allow Windows Update and ONLY Windows Update To Work

I debugged this problem for hours. In the end, to get Windows Update through Windows firewall you must allow svchost. You cannot narrow the protocol, scope, application packages or services.

So I have 0 inbound firewall rules, and 3 outbound firewall rules two of which are active at any point in time. Those rules are:

Allow svchost
Block svchost
WFC - Core Networking - Dynamic Host Configuration Protocol (DHCP-out)

AND Other applications that require internet (i.e., your web browser)

To connect to the internet, I must turn on 1 and 3. After I can turn off 1 and 3 and turn on 2. If my internet is on, and I want to use windows update, I then disable 2 and enable 1. That means after I have connected to the internet and don't plan on using windows update that the only weakness in my firewall is my browser assuming I haven't added any other exceptions.

Windows PowerUser,

Best Answer

Related Solutions

Windows firewall blocks outbound connection that is allowed by a rule

Windows – What Firewall Rule(s) Will Allow Windows Update and ONLY Windows Update To Work

Related Question