Windows 10 Firewall - How to deny all outbound but allow only Windows updates?












2















Goals:




  • Use only Windows 10 Firewall

  • Block all outbound traffic by default

  • Allow Windows 10 updates

  • Limit which svchost services are allowed through


My progress so far on a fresh install:




  • Outbound traffic is denied by default

  • All default rules have been disabled

  • Core Networking - DHCP-Out: allowed

  • svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed

  • The programs that I want connected to the internet are allowed


With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svhost services that are allowed to the minimum.



On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:




  • Background Intelligent Transfer Service (BITS)

  • Client License Service (ClipSVC)

  • Security Center

  • Update Orchestrator Service

  • Windows License Manager Service

  • Windows Update Service


Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?



Thanks!










share|improve this question























  • Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

    – ichimok
    Dec 8 '18 at 17:24


















2















Goals:




  • Use only Windows 10 Firewall

  • Block all outbound traffic by default

  • Allow Windows 10 updates

  • Limit which svchost services are allowed through


My progress so far on a fresh install:




  • Outbound traffic is denied by default

  • All default rules have been disabled

  • Core Networking - DHCP-Out: allowed

  • svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed

  • The programs that I want connected to the internet are allowed


With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svhost services that are allowed to the minimum.



On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:




  • Background Intelligent Transfer Service (BITS)

  • Client License Service (ClipSVC)

  • Security Center

  • Update Orchestrator Service

  • Windows License Manager Service

  • Windows Update Service


Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?



Thanks!










share|improve this question























  • Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

    – ichimok
    Dec 8 '18 at 17:24
















2












2








2








Goals:




  • Use only Windows 10 Firewall

  • Block all outbound traffic by default

  • Allow Windows 10 updates

  • Limit which svchost services are allowed through


My progress so far on a fresh install:




  • Outbound traffic is denied by default

  • All default rules have been disabled

  • Core Networking - DHCP-Out: allowed

  • svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed

  • The programs that I want connected to the internet are allowed


With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svhost services that are allowed to the minimum.



On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:




  • Background Intelligent Transfer Service (BITS)

  • Client License Service (ClipSVC)

  • Security Center

  • Update Orchestrator Service

  • Windows License Manager Service

  • Windows Update Service


Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?



Thanks!










share|improve this question














Goals:




  • Use only Windows 10 Firewall

  • Block all outbound traffic by default

  • Allow Windows 10 updates

  • Limit which svchost services are allowed through


My progress so far on a fresh install:




  • Outbound traffic is denied by default

  • All default rules have been disabled

  • Core Networking - DHCP-Out: allowed

  • svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53): allowed

  • The programs that I want connected to the internet are allowed


With my current configuration, Windows is able to update successfully, but all svchost services (almost 200) are able to connect to the internet. I want to reduce the number of svhost services that are allowed to the minimum.



On another attempt to reduce connected svchost services, I've created different rules for specific svchost services (while disabling the generic svchost rules stated above), but Windows updates do not work (my allowed programs work, though). The svchost services that I allowed in this attempt were:




  • Background Intelligent Transfer Service (BITS)

  • Client License Service (ClipSVC)

  • Security Center

  • Update Orchestrator Service

  • Windows License Manager Service

  • Windows Update Service


Do I need to allow svchost TCP (remote ports: 80, 443) and svchost UDP (remote port: 53) and then manually create new blocking rules for each of the other svchost services (basically inverting what I've tried)?



Thanks!







windows windows-10 firewall windows-firewall svchost






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 7 '18 at 19:21









ichimokichimok

1111




1111













  • Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

    – ichimok
    Dec 8 '18 at 17:24





















  • Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

    – ichimok
    Dec 8 '18 at 17:24



















Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

– ichimok
Dec 8 '18 at 17:24







Just invalidated my last question. Added a block rule of svchost - Windows Update just to test it out (since it was the easiest way that I remembered to test this), but the updates still work.. Any idea on how to achieve this, or if it's even possible?

– ichimok
Dec 8 '18 at 17:24












1 Answer
1






active

oldest

votes


















1














I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10" Windows firewall has regressed and does not perform the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.



If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the ip addresses and ports for every windows update server connection, then only allow svchost out for those specific ip addresses, this will narrow it down to only allow windows update. If you use cidr format replacing the last 3 digits with .1/24, you will be able to reach every ips on that subnet if they change over time. If you notice other ip's pop up outside that scope, you will know its not windows update, I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.



Here is an example using Windows Firewall Control which is a GUI for Windows Defender Firewall. For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99, (meaning no P2P or cloud services, just microsofts servers alone; so you don't get 1,000,000,000 different ips)



Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24



Thats windows 10 for ya.



enter image description here






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381728%2fwindows-10-firewall-how-to-deny-all-outbound-but-allow-only-windows-updates%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10" Windows firewall has regressed and does not perform the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.



    If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the ip addresses and ports for every windows update server connection, then only allow svchost out for those specific ip addresses, this will narrow it down to only allow windows update. If you use cidr format replacing the last 3 digits with .1/24, you will be able to reach every ips on that subnet if they change over time. If you notice other ip's pop up outside that scope, you will know its not windows update, I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.



    Here is an example using Windows Firewall Control which is a GUI for Windows Defender Firewall. For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99, (meaning no P2P or cloud services, just microsofts servers alone; so you don't get 1,000,000,000 different ips)



    Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24



    Thats windows 10 for ya.



    enter image description here






    share|improve this answer






























      1














      I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10" Windows firewall has regressed and does not perform the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.



      If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the ip addresses and ports for every windows update server connection, then only allow svchost out for those specific ip addresses, this will narrow it down to only allow windows update. If you use cidr format replacing the last 3 digits with .1/24, you will be able to reach every ips on that subnet if they change over time. If you notice other ip's pop up outside that scope, you will know its not windows update, I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.



      Here is an example using Windows Firewall Control which is a GUI for Windows Defender Firewall. For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99, (meaning no P2P or cloud services, just microsofts servers alone; so you don't get 1,000,000,000 different ips)



      Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24



      Thats windows 10 for ya.



      enter image description here






      share|improve this answer




























        1












        1








        1







        I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10" Windows firewall has regressed and does not perform the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.



        If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the ip addresses and ports for every windows update server connection, then only allow svchost out for those specific ip addresses, this will narrow it down to only allow windows update. If you use cidr format replacing the last 3 digits with .1/24, you will be able to reach every ips on that subnet if they change over time. If you notice other ip's pop up outside that scope, you will know its not windows update, I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.



        Here is an example using Windows Firewall Control which is a GUI for Windows Defender Firewall. For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99, (meaning no P2P or cloud services, just microsofts servers alone; so you don't get 1,000,000,000 different ips)



        Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24



        Thats windows 10 for ya.



        enter image description here






        share|improve this answer















        I'm trying to figure this out as well. The maker of "Windows Firewall Control" says "On Windows 7 you could create service based rules for svchost.exe, but not on Windows 10" Windows firewall has regressed and does not perform the functions it offers, blocking individual services under the umbrella of the svchost. Microsoft releases windows updates every second Tuesday of each month give or take 24 hours or so. You could create a task that automatically enables svchost out each month, and one for every day for defender updates; (for 5-10 minutes) or just do it manually. Or create a shortcut to a task that runs on demand on your desktop.



        If you're feeling adventurous, you could for example block everything, enable packet logging, monitor the ip addresses and ports for every windows update server connection, then only allow svchost out for those specific ip addresses, this will narrow it down to only allow windows update. If you use cidr format replacing the last 3 digits with .1/24, you will be able to reach every ips on that subnet if they change over time. If you notice other ip's pop up outside that scope, you will know its not windows update, I am not sure how one can detect exactly what program/service is operating under the svchost umbrella other than triggering it manually.



        Here is an example using Windows Firewall Control which is a GUI for Windows Defender Firewall. For Windows Updates, use Group Policy "Delivery Optimization" Download Mode, set to 99, (meaning no P2P or cloud services, just microsofts servers alone; so you don't get 1,000,000,000 different ips)



        Remote addresses: 65.55.163.1/24,13.74.179.1/24,191.232.139.1/24,20.36.222.1/24,20.42.23.1/24,191.232.139.2/24,20.36.218.1/24,95.101.0.1/24,95.101.1.1/24,13.78.168.1/24,93.184.221.1/24,13.83.184.1/24,13.107.4.1/24,13.83.148.1/24



        Thats windows 10 for ya.



        enter image description here







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 29 at 12:51

























        answered Jan 29 at 11:03









        BojaBoja

        214




        214






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1381728%2fwindows-10-firewall-how-to-deny-all-outbound-but-allow-only-windows-updates%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀