Windows Defender Advanced Firewall Issues in Outbound Default Drop Mode

  • Question

  • Hello,


    I'm trying to move to using the built-in firewall. I was using the Sophos endpoint firewall up until now and had it configured to deny by default and then permit outgoing traffic explicitly for specific programs and ports, and it worked well for me.

    I spent a couple of hours setting up the same policies for Defender Firewall in secpol.msc and they are all showing up nicely in Windows Defender. However, when I change the firewall mode to "outbound connections that do not match a rule are blocked", nothing works: I cannot browse with Chrome even though I have set up a rule:

    Program: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Src IP: Any

    Dest IP: Any

    Proto: TCP

    Src Port: Any

    Dst Port: 80, 443

    If I create a blanket allow rule for ports 80 and 443 not linked to a specific program then this works, but it is hardly an acceptable solution.

    Does anyone have any advice?

    Thanks


    Sunday, July 29, 2018 6:25 PM
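The configuration described in the question, reproduced with the NetSecurity cmdlets instead of secpol.msc and then checked from the store the engine actually enforces. This is an added example, not code from the thread; it assumes 64-bit Windows 10 with Chrome at the path the poster gave, an elevated PowerShell prompt, and invented rule names.

```powershell
# Added example (not from the thread): build the poster's policy with the NetSecurity
# module, then verify what is in effect rather than what was typed into the MMC.
# Assumes: elevated prompt, Chrome installed at the path below. Rule name is invented.

$chrome = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
if (-not (Test-Path -LiteralPath $chrome)) {
    # A program rule matches only the exact executable path on disk; a stale path
    # (for example after Chrome moves out of "Program Files (x86)") matches nothing.
    throw "Chrome not found at $chrome"
}

# 1. The program-specific outbound allow rule from the question:
#    chrome.exe, TCP, remote ports 80 and 443, any address, all profiles.
New-NetFirewallRule -DisplayName 'Example - Allow Chrome HTTP/HTTPS' `
    -Direction Outbound -Action Allow -Enabled True -Profile Any `
    -Program $chrome -Protocol TCP -RemotePort 80, 443 | Out-Null

# 2. Switch every profile to "outbound connections that do not match a rule are blocked"
#    and log dropped packets so a failure is visible in pfirewall.log instead of silent.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 3. Check the profile settings that decide whether locally created rules even apply.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultOutboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize

# 4. List the effective outbound rules from ActiveStore (local rules merged with any GPO).
#    A rule that exists in the store you edited but is missing here is not being enforced.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Action     = $_.Action
            Profile    = $_.Profile
            Program    = $app.Program
            Protocol   = $port.Protocol
            RemotePort = ($port.RemotePort -join ',')
        }
    } | Sort-Object Action, Name | Format-Table -AutoSize

# 5. Reachability probe. This connection is made by powershell.exe, not chrome.exe, so in
#    default-block mode it is expected to return False unless a rule covers PowerShell.
#    Use it to confirm the block is active, not as a test of the Chrome rule.
Test-NetConnection -ComputerName 'www.example.com' -Port 443 -InformationLevel Quiet
```

The point of steps 3 and 4 is that the rule list shown in the console is not the same thing as the rule set being enforced: `AllowLocalFirewallRules` and policy merge decide that, and `-PolicyStore ActiveStore` is the only view that reflects it.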

All replies

  • Hi,

    Sorry, but Microsoft doesn't support 3rd-party tools. For the Sophos issue I'm afraid your best bet is contacting Sophos support for further help; they are the best resource to troubleshoot this issue.

    https://secure2.sophos.com/en-us/support.aspx

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Thank you for understanding.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 30, 2018 2:20 AM
    Moderator
  • Tony,

    As I stated in my post, I am not using Sophos now and the problem I am experiencing is purely confined to Windows Defender Advanced Firewall in Windows 10 Pro. I was merely providing background information on how I had encountered the issue when moving to defender from previously using Sophos.

    I appreciate your reply but unfortunately it was not helpful, I think there was a misunderstanding, perhaps I was not clear enough in my initial post.

    To clarify, I have uninstalled the Sophos firewall, as their new cloud-managed endpoint protection does not support it. I am now using only Windows Defender Firewall and have replicated the rules I had in Sophos into Defender using secpol.msc, but the application-specific rules do not work when the default action for outgoing traffic is set to drop where no rule is present.

    I appreciate any insight the community may be able to offer.


    Thank you

    Tuesday, July 31, 2018 12:10 PM
    The Block setting takes precedence, so it will override the Allow.

    Firewall Rule Properties - General goes someway to explain it, by design it appears.

    Not sure why the blanket rules to allow ports work, hmm, guess there might be a reason.

    Tuesday, July 31, 2018 1:25 PM
  • I've read through the document you referenced, and there was some interesting info in there.

    I just cannot understand the behaviour for outbound filtering in defender.

    If the default action is set to "outbound connections that do not match a rule are blocked" and an allow rule for a specific application is present, then surely it should work as intended.

    The fact that creating a blanket rule for ports 80 and 443 allows Chrome to work, but creating an application-specific rule for chrome.exe does not, indicates there is some issue in Defender processing outgoing rules linked to specific executables. I cannot find this documented anywhere officially though.

    I would prefer to use the built in firewall if possible rather than another 3rd party solution and surely there must be a way to make this work.

    I'm confident the policy is correct, my field is network engineering so it isn't my first rodeo, I've just never tried to get windows defender to do this, most organisations turn it off and I am beginning to see why. I can only imagine this mode is not supported or there is some setting I need to adjust somewhere to fix it.

    Wednesday, August 1, 2018 3:32 PM
    I have not used the Block all outbound mode before (and probably will not, based on this). In my limited test it stopped PowerShell accessing the Internet, so I was using that as a test and could not put in an override for it, hence my searching and finding that page.

    I have used Windows Firewall with specifics blocked, so think wscript, PowerShell and Office apps. The thinking is that a lot of malware downloads the payload that way. Beyond that, I'm not sure how to use it.

    Thursday, August 2, 2018 4:33 PM
  • My testing leads me to conclude that for outgoing traffic the following is true:

    Application-specific exceptions cannot be used to permit specific traffic in a default deny configuration.

    Only global rules based on ports and protocols can be used.

    The fact that Windows firewall doesn't use a rule processing order either means you also cannot create a custom default deny rule and place it at the bottom of the chain like you can in practically every other firewall.

    Unfortunately this severely limits the usefulness of Windows firewall and means if you actually want to restrict outgoing traffic to specific processes you will have to use a third party host based firewall.

    Friday, August 10, 2018 10:38 AM
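A way to replace "nothing works" with a list of exactly what was dropped, as an added example that is not part of the thread. It parses the Windows Defender Firewall log written when logging of dropped packets is enabled (%systemroot%\system32\LogFiles\Firewall\pfirewall.log) and summarises outbound drops by protocol and destination port. The log lines embedded below are constructed for the example, not a real capture; the column list is read from the log's own `#Fields:` header so the parser works whether or not the Windows build appends the newer `pid` column.

```powershell
# Added example (not from the thread): summarise outbound DROP records from pfirewall.log.
# Sample lines are constructed, not captured. Field names come from the #Fields: header.

function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Header row names the columns; later records are positional.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Record seen before a #Fields: header' }

        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # Short rows (older builds without the pid column) are padded with '-'.
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$record
    }
}

function Get-OutboundDropSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # path = SEND is outbound; RECEIVE drops are inbound and irrelevant to this thread.
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Group-Object protocol, 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Protocol     = $_.Group[0].protocol
                DstPort      = $_.Group[0].'dst-port'
                Drops        = $_.Count
                Destinations = ($_.Group.'dst-ip' | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Drops -Descending
}

# Constructed sample in pfirewall.log format. The UDP/53 line is the kind of drop a
# chrome.exe-only rule never covers: name resolution is performed by the DNS Client
# service (svchost.exe), not by the browser process.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-07-29 18:20:01 DROP TCP 192.168.1.10 93.184.216.34 51234 443 52 S 1234567 0 64240 - - - SEND
2018-07-29 18:20:01 DROP UDP 192.168.1.10 192.168.1.1 60112 53 0 - - - - - - - SEND
2018-07-29 18:20:02 DROP TCP 192.168.1.10 93.184.216.34 51235 443 52 S 1234568 0 64240 - - - SEND
2018-07-29 18:20:03 DROP TCP 192.168.1.10 104.16.0.1 51236 80 52 S 1234569 0 64240 - - - SEND
2018-07-29 18:20:04 DROP TCP 203.0.113.5 192.168.1.10 40000 445 52 S 99 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-OutboundDropSummary -Lines $sample | Format-Table -AutoSize

# On a live machine, feed the real log instead of the constructed sample:
# Get-OutboundDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Reading the summary against the effective rule list is the check worth doing before concluding that program rules are ignored: a drop on UDP/53 or on a process other than the one the rule names points at a gap in the rule set rather than at the engine, while a drop on TCP/443 from the allowed executable's own connections is the case that would actually support the conclusion drawn above.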