According to the Windows Firewall documentation, block rules always take precedence over allow rules, therefore even if your allow rule looks more specific than a block rule, the allow rule will not work, and the traffic matching both allow and block rules will be blocked. The option “Allow this firewall rule to override block rules” is available only for rules which require IPSec, and is not available for outbound rules.
The only thing you could do with Windows Firewall to achieve something close to what you need is to switch the default behavior for outbound connections to “Block”, then add explicit allow rules for all outbound connections that you need (not just for that single program). Alternatively, you can look for third-party firewall software with more features.
The problem was Oracle VirtualBox's "Ethernet adapter VirtualBox Host-Only Network" network adapter. This network adapter was registered with Windows as being a "public" network, thus activating my public profile for firewall rules. I was able to correct this issue using the method from this article:
http://brianreiter.org/2010/09/18/fix-virtualbox-host-only-network-adapter-creates-a-virtual-public-network-connection-that-causes-windows-to-disable-services/
The idea is to tell Windows that this network adapter is a virtual one, so it can ignore it as far as firewall rules go. A simple registry edit will accomplish this. Here is some PowerShell that will automatically apply this registry change:
# Network adapter device class key; each adapter instance is a 4-digit subkey (0000, 0001, ...)
cd 'HKLM:\system\CurrentControlSet\control\class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
# Find the VirtualBox host-only adapter by its DriverDesc and mark it as an endpoint device
# (*NdisDeviceType = 1) so Windows no longer treats it as a network connection; run elevated
ls ???? | where { ($_ | get-itemproperty -name driverdesc -ErrorAction SilentlyContinue).driverdesc -eq 'VirtualBox Host-Only Ethernet Adapter' } | new-itemproperty -name '*NdisDeviceType' -PropertyType dword -value 1
I am still at a loss as to why Windows decides to use the Public profile for all traffic, instead of just the traffic coming through this network adapter. I have other machines that do not seem to be affected by this phenomenon. For instance, on one machine I have the following output for netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
Rule Name: Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private
Grouping: Remote Desktop
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: 3389
RemotePort: Any
Edge traversal: No
Action: Allow
Ok.
and the following output for netsh advfirewall show currentprofile
Domain Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Enable
LogDroppedConnections Enable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
And yet I am able to make remote desktop connections to this computer just fine. In fact, if my problem occurred any time that VirtualBox adapter was present, then anyone with VirtualBox installed wouldn't be able to remote into their computer, so this must be a still undetermined special case.
So the question still remains: how does Windows deal with multiple different profiles for multiple network connections? What variable is different between my original problem machine and my working one? Does it pick the least secure profile and apply it to all network traffic, as my first machine would imply, or does it apply one profile for each adapter separately, as my second one would imply? I will edit this post if I discover an answer to this question. In the meantime, at least I have a solution to my problem!
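As an added, read-only check (example code, not from the post above): this lists every adapter instance under the same network class key with its DriverDesc and *NdisDeviceType, so you can confirm the VirtualBox fix took effect and spot any other virtual adapter that Windows still counts as a real network connection. The class GUID is the one from the post; the function name is my own.

```powershell
# Added example, not from the original post: list every adapter instance under the network
# class key with its DriverDesc and *NdisDeviceType, so you can confirm the VirtualBox fix
# applied (1 = NDIS_DEVICE_TYPE_ENDPOINT, excluded from network-profile selection) and spot
# other virtual adapters that Windows still counts as real network connections. Read-only.
function Get-NdisDeviceTypeReport {
    [CmdletBinding()]
    param(
        # GUID of the "Network adapters" device setup class, the same key the post edits.
        [string]$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    )

    # Adapter instances are 4-digit subkeys (0000, 0001, ...); skip anything else.
    Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props.DriverDesc) { return }   # incomplete entry, nothing to report

            # A missing value means the default (0): a normal adapter that NLA will profile.
            $type = 0
            if ($null -ne $props.'*NdisDeviceType') { $type = [int]$props.'*NdisDeviceType' }

            $meaning = 'Counted as a network connection'
            if ($type -eq 1) { $meaning = 'Endpoint: ignored for firewall profile selection' }

            [pscustomobject]@{
                Instance       = $_.PSChildName
                DriverDesc     = $props.DriverDesc
                NdisDeviceType = $type
                Meaning        = $meaning
            }
        }
}

# Print the report; adapters with NdisDeviceType 0 are the ones that can change the profile.
Get-NdisDeviceTypeReport |
    Sort-Object NdisDeviceType, DriverDesc |
    Format-Table -AutoSize
```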
Best Answer
After asking for help in the Windows Filtering Platform (WFP) forum on MSDN I learned that you can capture the activity of WFP (which the firewall employs) using the following commands:
The resulting log file is XML which makes it human readable and from that file I learned that wermgr.exe is blocked by the rule WSH Default Outbound Block with the description Blocks all outbound traffic for services who have been network hardened. Apparently, this rule takes precedence over my "allow" rule. I'm not sure exactly why wermgr.exe is affected by the Windows Service Hardening default rule but I assume that one of the hardened services executes wermgr.exe to perform a task of connecting to the server at 65.55.53.190 (a Microsoft IP address), and wermgr.exe is then blocked just as the service would be.
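The step the answer describes, reading the capture XML and working out which filter dropped a connection, as an added example that is not part of the original answer. It assumes the wfpdiag.xml element names as I know them (filters/item/filterId, netEvents/item/classifyDrop), which you should check against a real capture; the embedded XML is a constructed sample and 70000 is a made-up filter id.

```powershell
# Added example, not from the original answer: summarise classify-drop events from a
# "netsh wfp capture" (wfpdiag.xml) and resolve each to the dropping filter's display name,
# which is how the WSH Default Outbound Block finding above is reached. The element names
# follow the wfpdiag.xml layout as I know it (check them against a real capture); the XML
# below is a constructed sample, not a real capture, and 70000 is a made-up filter id.
function Get-WfpDropSummary {
    param([Parameter(Mandatory)][xml]$Capture)
    # Map filterId -> display name from the <filters> section of the capture.
    $filterNames = @{}
    foreach ($f in $Capture.wfpdiag.filters.item) {
        $filterNames[[string]$f.filterId] = [string]$f.displayData.name
    }
    # Walk <netEvents> and report only drops, joined to the filter that caused them.
    foreach ($ev in $Capture.wfpdiag.netEvents.item) {
        if ($ev.type -ne 'FWPM_NET_EVENT_TYPE_CLASSIFY_DROP') { continue }
        $id = [string]$ev.classifyDrop.filterId
        $name = '(unknown filter)'
        if ($filterNames.ContainsKey($id)) { $name = $filterNames[$id] }
        [pscustomobject]@{
            Time       = $ev.header.timeStamp
            App        = $ev.header.appId.asString
            Remote     = '{0}:{1}' -f $ev.header.remoteAddrV4, $ev.header.remotePort
            FilterId   = $id
            FilterName = $name
        }
    }
}

$sample = [xml]@'
<wfpdiag>
  <filters>
    <item><filterId>70000</filterId>
      <displayData><name>WSH Default Outbound Block</name></displayData></item>
  </filters>
  <netEvents>
    <item>
      <header><timeStamp>2011-01-01T12:00:00.000Z</timeStamp>
        <remoteAddrV4>65.55.53.190</remoteAddrV4><remotePort>443</remotePort>
        <appId><asString>\device\harddiskvolume1\windows\system32\wermgr.exe</asString></appId>
      </header>
      <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
      <classifyDrop><filterId>70000</filterId></classifyDrop>
    </item>
  </netEvents>
</wfpdiag>
'@

# Real use: $capture = [xml](Get-Content .\wfpdiag.xml -Raw); Get-WfpDropSummary $capture
Get-WfpDropSummary -Capture $sample | Format-Table -AutoSize
```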