Windows 10 Firewall - How to deny all outbound but allow only Windows updates?
Goals:
- Use only Windows 10 Firewall
- Block all outbound traffic by default
- Allow Windows 10 updates
- Limit which svchost services are allowed through
My progress so far on a fresh install:
- Outbound traffic is denied by default
- All default rules have been disabled
- Core Networking - DHCP-Out: allowed
- svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed
- The programs that I want connected to the internet are allowed
With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svchost services that are allowed to the minimum.
On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:
- Background Intelligent Transfer Service (BITS)
- Client License Service (ClipSVC)
- Security Center
- Update Orchestrator Service
- Windows License Manager Service
- Windows Update Service
Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?
Thanks!
windows windows-10 firewall windows-firewall svchost
Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work. Any idea on how to achieve this, or if it's even possible?
– ichimok
Dec 8 '18 at 17:24
asked Dec 7 '18 at 19:21
ichimok
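The configuration described in the question, rebuilt as an added PowerShell example so it can be reviewed and re-applied. This is not the questioner's own command set: the service short names are my mapping of the display names listed above, the rule names are invented, and it assumes an elevated PowerShell session on Windows 10. The two checks at the end are the ones I would run before concluding that per-service rules are simply ignored.

```powershell
# Added example, not from the question: the questioner's configuration
# rebuilt with the NetSecurity cmdlets.
# Assumptions: elevated PowerShell on Windows 10; service short names below
# are my mapping of the display names in the question; rule names are mine.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Default-deny outbound on all three profiles (inbound is blocked by default already).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Disable every built-in rule so that only the explicit rules below apply.
Get-NetFirewallRule | Disable-NetFirewallRule

# Mirror of the built-in "Core Networking - DHCP-Out" rule.
New-NetFirewallRule -DisplayName 'DHCP out (svchost)' -Direction Outbound -Action Allow `
    -Program $svchost -Service dhcp -Protocol UDP -LocalPort 68 -RemotePort 67

# The broad rules the questioner found sufficient for updates: any svchost
# service may reach TCP 80/443 and UDP 53. These are what need narrowing.
New-NetFirewallRule -DisplayName 'svchost web out' -Direction Outbound -Action Allow `
    -Program $svchost -Protocol TCP -RemotePort 80,443
New-NetFirewallRule -DisplayName 'svchost DNS out' -Direction Outbound -Action Allow `
    -Program $svchost -Protocol UDP -RemotePort 53

# The narrower attempt: one rule per service, matched by service identity.
# Display name from the question => short name (assumed mapping; verify with Get-Service).
$updateServices = @{
    'Background Intelligent Transfer Service' = 'BITS'
    'Client License Service'                  = 'ClipSVC'
    'Security Center'                         = 'wscsvc'
    'Update Orchestrator Service'             = 'UsoSvc'
    'Windows License Manager Service'         = 'LicenseManager'
    'Windows Update'                          = 'wuauserv'
}
foreach ($short in $updateServices.Values) {
    if (-not (Get-Service -Name $short -ErrorAction SilentlyContinue)) {
        Write-Warning "No service named $short on this host"; continue
    }
    New-NetFirewallRule -DisplayName "svchost ($short) web out" -Direction Outbound -Action Allow `
        -Program $svchost -Service $short -Protocol TCP -RemotePort 80,443
}

# Check 1: a -Service rule matches on the service SID carried in the service
# process token. A service whose SID type is NONE runs without one, so such a
# rule can neither allow nor block its traffic. Look at this before blaming
# the rules themselves.
foreach ($short in $updateServices.Values) {
    "$short : " + ((sc.exe qsidtype $short) -join ' ')
}

# Check 2: what is actually allowed out once the rules are in place.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Enabled
```

Run the whole script once on a scratch machine; the two `Get-*` checks at the end are the part worth repeating after every rule change, because a disabled default rule that gets re-enabled by an update quietly widens the allow set again.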
1 Answer
I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10". Windows Firewall has regressed and does not perform the functions it offers: blocking individual services under the umbrella of svchost. Microsoft releases Windows updates every second Tuesday of each month, give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for Defender updates (for 5-10 minutes), or just do it manually. Or create a shortcut on your desktop to a task that runs on demand.
If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the IP addresses and ports for every Windows Update server connection, then only allow svchost out for those specific IP addresses; this will narrow it down to only allow Windows Update. If you use CIDR format, replacing the last 3 digits with .1/24, you will be able to reach every IP on that subnet if they change over time. If you notice other IPs pop up outside that scope, you will know it's not Windows Update. I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.
Here is an example using Windows Firewall Control, which is a GUI for Windows Defender Firewall. For Windows Updates, use the Group Policy "Delivery Optimization" Download Mode, set to 99 (meaning no P2P or cloud services, just Microsoft's servers alone, so you don't get 1,000,000,000 different IPs).
Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24
That's Windows 10 for ya.
edited Jan 29 at 12:51
answered Jan 29 at 11:03
Boja
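The answer's approach (log the drops, allow svchost only to the observed subnets, set Delivery Optimization to mode 99, and open the rule in a time window) as an added PowerShell example. This is not the answerer's own tooling; Windows Firewall Control is not used. It assumes an elevated PowerShell session on Windows 10, the rule and task names are invented, the subnets are written as network addresses (`.0/24`) rather than the answer's `.1/24`, and the sample log lines are constructed for the demonstration using the 203.0.113.0/24 documentation range, not real Windows Update addresses.

```powershell
# Added example, not from the answer: harvest dropped destinations from the
# firewall log, scope an svchost allow rule to those /24s, and open it only
# in a scheduled window.
# Assumptions: elevated PowerShell on Windows 10; rule/task names are mine;
# $sampleLog is constructed and uses the 203.0.113.0/24 documentation range.
$svchost = "$env:SystemRoot\System32\svchost.exe"
$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Step 1: log dropped packets on every profile, then run "Check for updates"
# by hand while the broad svchost rules are disabled.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $logFile

# Step 2: collapse outbound TCP drops to web ports into /24 networks.
# pfirewall.log has no process column, so correlate by time with the manual
# update check; destinations outside the expected ranges mean some other
# svchost service was talking.
function Get-DroppedWebSubnets {
    param([string[]]$LogLines, [int[]]$Ports = @(80, 443))
    $subnets = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # #Fields: date time action protocol src-ip dst-ip src-port dst-port size
        #          tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        if ($f[2] -ne 'DROP' -or $f[3] -ne 'TCP' -or $f[-1] -ne 'SEND') { continue }
        if ($Ports -notcontains [int]$f[7]) { continue }
        $o = $f[5].Split('.')
        if ($o.Count -ne 4) { continue }          # skip IPv6 destinations
        [void]$subnets.Add(('{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]))
    }
    return @($subnets | Sort-Object)
}

# Constructed sample of the log format, for exercising the parser offline.
$sampleLog = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2018-12-08 17:20:01 DROP TCP 192.168.1.20 203.0.113.17 50123 443 0 - 0 0 0 - - - SEND'
    '2018-12-08 17:20:02 DROP TCP 192.168.1.20 203.0.113.40 50124 80 0 - 0 0 0 - - - SEND'
    '2018-12-08 17:20:03 DROP TCP 192.168.1.20 198.51.100.9 50125 8080 0 - 0 0 0 - - - SEND'
    '2018-12-08 17:20:04 DROP UDP 192.168.1.20 203.0.113.53 50126 53 0 - - - - - - - SEND'
    '2018-12-08 17:20:05 DROP TCP 203.0.113.99 192.168.1.20 443 50127 0 - 0 0 0 - - - RECEIVE'
)
Get-DroppedWebSubnets -LogLines $sampleLog   # only 203.0.113.0/24 survives the filters

$subnets = Get-DroppedWebSubnets -LogLines (Get-Content $logFile -ErrorAction SilentlyContinue)
if (-not $subnets) { throw 'No outbound web drops logged yet; run an update check first.' }

# Step 3: Delivery Optimization download mode 99 (HTTP from Microsoft only,
# no peers, no DO cloud) so the address set stays small.
$doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
New-Item -Path $doKey -Force | Out-Null
Set-ItemProperty -Path $doKey -Name DODownloadMode -Type DWord -Value 99

# Step 4: allow svchost only to the harvested subnets; created disabled.
$ruleName = 'svchost Windows Update out (scoped)'
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
    -Program $svchost -Protocol TCP -RemotePort 80,443 -RemoteAddress $subnets -Enabled False

# Step 5: daily 10-minute window run as SYSTEM (the answer's "task for
# Defender updates"). The same Enable/Sleep/Disable trio typed by hand is
# the on-demand version.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -Command `"Enable-NetFirewallRule -DisplayName '$ruleName'; Start-Sleep 600; Disable-NetFirewallRule -DisplayName '$ruleName'`""
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'UpdateWindow' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```

Two things to keep in mind when using this: the log records addresses and ports but not the owning process, so every subnet it yields is "something was dropped going there", not "Windows Update was dropped going there"; and Microsoft's update CDN addresses change, so the harvested list is a point-in-time snapshot that will need re-running when updates start failing again.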