Windows 10 Firewall - How to deny all outbound but allow only Windows updates?
Goals:




  • Use only Windows 10 Firewall

  • Block all outbound traffic by default

  • Allow Windows 10 updates

  • Limit which svchost services are allowed through


My progress so far on a fresh install:




  • Outbound traffic is denied by default

  • All default rules have been disabled

  • Core Networking - DHCP-Out: allowed

  • svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed

  • The programs that I want connected to the internet are allowed


With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svchost services that are allowed to the minimum.



On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:




  • Background Intelligent Transfer Service (BITS)

  • Client License Service (ClipSVC)

  • Security Center

  • Update Orchestrator Service

  • Windows License Manager Service

  • Windows Update Service


Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?



Thanks!
  • Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work. Any idea on how to achieve this, or if it's even possible?

    – ichimok
    Dec 8 '18 at 17:24
Tags: windows, windows-10, firewall, windows-firewall, svchost
asked Dec 7 '18 at 19:21 by ichimok
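The baseline described in the question, written out as an added PowerShell example (this is not part of the original post, and the questioner worked in the MMC snap-in rather than with cmdlets). It reproduces both variants the question describes: the broad svchost rules that let updates through, and the per-service rules that the questioner reports break updates, so the two can be switched with Enable-NetFirewallRule / Disable-NetFirewallRule while testing. The rule display names, the service short names in $services and the added DNS Client rule are assumptions made for this example; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example, not from the original question: the questioner's baseline
# expressed with the built-in NetSecurity cmdlets instead of the MMC snap-in.
# Rule display names and the service short names below are assumptions.

$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Default-deny in both directions on every profile. Inbound already
#    defaults to Block; outbound is the change the question is about.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Disable every predefined rule so that only the rules created below count.
Get-NetFirewallRule | Disable-NetFirewallRule

# 3. Re-enable the built-in "Core Networking" DHCP client rule so the host
#    can still obtain and renew its lease (UDP 68 -> 67).
Get-NetFirewallRule -DisplayGroup "Core Networking" |
    Where-Object DisplayName -like "*DHCP-Out*" | Enable-NetFirewallRule

# 4. The broad variant: any svchost-hosted service may reach HTTP/HTTPS and
#    DNS. Updates work, but so does every other service hosted in svchost.
New-NetFirewallRule -DisplayName "svchost TCP 80/443 out" -Direction Outbound `
    -Action Allow -Program $svchost -Protocol TCP -RemotePort 80, 443
New-NetFirewallRule -DisplayName "svchost UDP 53 out" -Direction Outbound `
    -Action Allow -Program $svchost -Protocol UDP -RemotePort 53

# 5. The narrower variant: one rule per service, using the -Service filter.
#    Short names are assumptions; confirm each with Get-Service -Name <name>.
$services = @{
    BITS           = "Background Intelligent Transfer Service"
    ClipSVC        = "Client License Service"
    wscsvc         = "Security Center"
    UsoSvc         = "Update Orchestrator Service"
    LicenseManager = "Windows License Manager Service"
    wuauserv       = "Windows Update"
}
foreach ($svc in $services.Keys) {
    New-NetFirewallRule -DisplayName "svchost ($($services[$svc])) out" `
        -Direction Outbound -Action Allow -Program $svchost -Service $svc `
        -Protocol TCP -RemotePort 80, 443
}
# Name resolution lives in svchost too (DNS Client), so it needs its own rule.
New-NetFirewallRule -DisplayName "svchost (DNS Client) UDP 53 out" `
    -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
    -Protocol UDP -RemotePort 53

# Leave only the per-service variant active; re-enable the two broad rules
# with Enable-NetFirewallRule to go back to the working-but-wide setup.
Disable-NetFirewallRule -DisplayName "svchost TCP 80/443 out", "svchost UDP 53 out"

# 6. Verify what is actually in force: profile defaults and every enabled
#    outbound rule with its program and service filter.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Enabled True -Direction Outbound | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Service = ($_ | Get-NetFirewallServiceFilter).Service
    }
} | Format-Table -AutoSize
```

The verification step at the end is the useful part when a rule set behaves unexpectedly: a rule that shows `Service = Any` is a program-level rule that every service hosted in that svchost instance can use, which is the difference between the two variants in the question.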
1 Answer
I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10". Windows Firewall has regressed and does not perform the functions it offers: blocking individual services under the umbrella of svchost. Microsoft releases Windows updates every second Tuesday of each month, give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for Defender updates (for 5-10 minutes), or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.

If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the IP addresses and ports for every Windows Update server connection, then only allow svchost out for those specific IP addresses; this will narrow it down to only allow Windows Update. If you use CIDR format, replacing the last 3 digits with .1/24, you will be able to reach every IP on that subnet if they change over time. If you notice other IPs pop up outside that scope, you will know it's not Windows Update. I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.

Here is an example using Windows Firewall Control, which is a GUI for Windows Defender Firewall. For Windows Updates, use the Group Policy "Delivery Optimization" Download Mode, set to 99 (meaning no P2P or cloud services, just Microsoft's servers alone, so you don't get 1,000,000,000 different IPs).

Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24

That's Windows 10 for ya.

[screenshot not available]
answered Jan 29 at 11:03 by Boja; edited Jan 29 at 12:51
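The answer's "block, log, harvest the addresses, then scope the svchost rule" procedure, as an added PowerShell example that is not part of Boja's post and does not use Windows Firewall Control. One substitution is worth naming: instead of the firewall's packet log (pfirewall.log), which records addresses and ports but not which program made the connection, it uses Windows Filtering Platform connection auditing, whose Security events 5156 (allowed) and 5157 (blocked) carry the application path, so svchost traffic can be told apart from the allowed programs. The rule name, the 30-minute lookback, the .0/24 form of the prefixes (the answer writes .1/24), and the timed update-window function are assumptions for this example; run it from an elevated PowerShell and trigger "Check for updates" during the capture window.

```powershell
# Added example, not from the answer's own tooling: harvest the destinations
# svchost.exe talks to from WFP audit events, collapse them to /24 prefixes
# and scope a single svchost allow rule to them. Names below are assumptions.

$svchost  = "$env:SystemRoot\System32\svchost.exe"
$ruleName = "svchost - Windows Update hosts only"

# 1. Turn on WFP connection auditing. Events 5156/5157 in the Security log
#    include the application path, unlike pfirewall.log.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 2. Collect outbound destinations svchost reached (5156) or was refused (5157)
#    in the lookback window. With the broad rule disabled, the 5157 events are
#    exactly the endpoints Windows Update tried to use.
function Get-SvchostDestinations([int]$LookbackMinutes = 30) {
    $filter = @{ LogName = 'Security'; Id = 5156, 5157
                 StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        # Direction %%14593 is "Outbound" in the WFP event templates.
        if ($field.Application -like '*\svchost.exe' -and $field.Direction -eq '%%14593') {
            [pscustomobject]@{ EventId = $_.Id; Address = $field.DestAddress; Port = $field.DestPort }
        }
    }
}

# 3. Collapse observed IPv4 addresses to /24 prefixes, as the answer suggests,
#    so the rule survives small changes in the CDN pool. A later 5157 block
#    for an address outside these prefixes is, by construction, not an
#    endpoint that was seen during the capture.
function ConvertTo-Prefix24([string[]]$Addresses) {
    $Addresses | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        ForEach-Object { ($_ -split '\.')[0..2] -join '.' } |
        Sort-Object -Unique | ForEach-Object { "$_.0/24" }
}

$observed = Get-SvchostDestinations -LookbackMinutes 30
$prefixes = @(ConvertTo-Prefix24 ($observed | Select-Object -ExpandProperty Address))
if ($prefixes.Count -eq 0) { throw "No svchost destinations captured; trigger an update check and retry." }

# Review before trusting: which address:port pairs were seen, and how often.
$observed | Group-Object Address, Port | Sort-Object Count -Descending | Format-Table Name, Count

# 4. One allow rule for svchost, scoped to those prefixes and to HTTP/HTTPS.
#    Re-running the script just refreshes the address list on the existing rule.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $prefixes
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
        -Program $svchost -Protocol TCP -RemotePort 80, 443 -RemoteAddress $prefixes | Out-Null
}

# 5. The answer's other option: keep the rule disabled and open it only for a
#    short window (for example from a scheduled task around Patch Tuesday).
function Open-UpdateWindow([int]$Minutes = 10) {
    Enable-NetFirewallRule -DisplayName $ruleName
    try { Start-Sleep -Seconds ($Minutes * 60) }
    finally { Disable-NetFirewallRule -DisplayName $ruleName }
}
```

Two caveats follow from the answer itself. Scoping by address narrows where svchost may connect, not which service inside svchost is connecting, so any service hosted in svchost can still reach the captured prefixes; and the address list is a snapshot, so the review table in step 3 should be checked again whenever updates start failing or new 5157 blocks appear for svchost.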