How do you get Windows to Notify a user Before the firewall has been changed?

  • Question

  • How do you get Windows to notify a user before the firewall has changed? You know, a "prompt" asking and telling what the change is and whether you want it.

    There is a setting that says "Notify me when Windows Firewall blocks a new Program" but this does not notify you when the firewall rules are changed.  There does not appear to be any GPO setting, or a GUI or even command line switch to enable this basic security feature.  I do not see anything in the registry.

    Anyone know how do you get windows to Notify a user Before the firewall has changed?


    • Edited by -MW Thursday, February 16, 2017 1:23 PM
    Thursday, February 16, 2017 1:22 PM

Answers

  • Tests show that an installed application can modify the Windows firewall without the user being notified before the firewall change is made. There appears to be no built-in mechanism within Windows to prompt the user that the firewall is going to be modified, thus opening the system to an attack.

    • Marked as answer by -MW Thursday, March 16, 2017 2:56 PM
    Thursday, March 16, 2017 2:56 PM

All replies

  • Hi -MW,

    As far as I know, usually we will be notified when an application wants to pass through the firewall. This behavior is controlled by the following option:
    Control Panel\All Control Panel Items\Security and Maintenance\Change Security and Maintenance settings
    If you didn't get the notification when an application wants to pass through the firewall, we could untick that option and then re-tick it.

    If you mean you want to get a notification when you try to modify the firewall rule manually, I am afraid we will not be notified of this operation. But there will be events (2004: add a rule; 2006: delete a rule) recorded in the Event Viewer (Applications and Services\Microsoft\Windows\Windows Firewall With Advanced Security\Firewall) when the firewall rules are changed. As a workaround, we could create a scheduled task that sends a message with the "msg" command and configure those events as the trigger to notify the users.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 17, 2017 3:16 AM
    Moderator
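The workaround described in the reply above, written out as an added example (it is not code from the thread or from Microsoft): it assumes Windows 10 / Server 2016 with the default-enabled "Windows Firewall With Advanced Security/Firewall" operational log, reads the 2004/2006 rule-change events with their EventData fields, and registers a scheduled task whose trigger is those events and whose action is msg.exe. The task name and the message text are assumptions. As the reply says, both parts report after the change has been written; neither can prompt beforehand.

```powershell
# Added example, not code from the thread. Assumes Windows 10 / Server 2016 with the
# default-enabled "Windows Firewall With Advanced Security/Firewall" operational log.
# Part 1 reads rule add/delete events (2004/2006); part 2 registers a scheduled task
# that runs msg.exe when either event is written. Both are after-the-fact.

$LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Part 1: summarise recent rule changes. RuleName, ApplicationPath, ModifyingUser and
# ModifyingApplication are EventData names carried by 2004/2006; Direction and Action
# are left as the raw numeric codes the event records.
function Get-FirewallRuleChangeEvent {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2004, 2006 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time                 = $_.TimeCreated
            Change               = if ($_.Id -eq 2004) { 'RuleAdded' } else { 'RuleDeleted' }
            RuleName             = $data['RuleName']
            Direction            = $data['Direction']
            Action               = $data['Action']
            ApplicationPath      = $data['ApplicationPath']
            ModifyingUser        = $data['ModifyingUser']
            ModifyingApplication = $data['ModifyingApplication']
        }
    }
}

# Part 2: event-triggered scheduled task (run from an elevated prompt). The trigger is
# built through the TaskScheduler CIM class because New-ScheduledTaskTrigger has no
# event-trigger parameter set.
function Register-FirewallChangeNotifier {
    param([string]$TaskName = 'Notify-FirewallRuleChange')   # task name is an assumption
    $subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(EventID=2004 or EventID=2006)]]</Select>
  </Query>
</QueryList>
"@
    $class   = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
    $trigger = New-CimInstance -CimClass $class -ClientOnly -Property @{ Enabled = $true; Subscription = $subscription }
    $action  = New-ScheduledTaskAction -Execute 'msg.exe' `
                   -Argument '* "A Windows Firewall rule was added or deleted (event 2004/2006). Review the Firewall event log."'
    # msg.exe needs an interactive session, so run the task as the logged-on user.
    $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}

# Usage: review recent changes, then (elevated) register the notifier.
Get-FirewallRuleChangeEvent | Format-Table -AutoSize
# Register-FirewallChangeNotifier
```

The subscription XML is the same XPath filter the Event Viewer "Attach Task To This Event" wizard would generate for the two IDs; keeping it in a function means the task can be re-created on a rebuilt machine without clicking through the wizard.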
  • If you mean you want to get a notification when you try to modify the firewall rule manually, I am afraid we will not be notified of this operation.

    So why is this fundamental security feature not present in the windows firewall? Is it an oversight? Was it not included on purpose? At least give the users a fighting chance, give them a choice to enable it.

    As it stands pretty much anything can modify the firewall and it will be too late to do anything about it because the damage is done. Someone, for some stupid reason, could install a "safe" application on a system, not knowing that the "safe" app can modify the firewall during its install, which then will open the whole system to an attack. It takes less than a second to compromise a system.

    The only warning that has been suggested is to generate an after-the-fact event which may or may not be created in the firewall logs. Too late for a good attack to be stopped. That is not very secure, is it?

    When will this be fixed? If not, why will it not be fixed?

    Friday, February 17, 2017 4:23 PM
  • you already asked the same question: How do you force the Windows 10 / 2016 OS to show an alert and write to the security log every time it modifies the firewall.

    Yes, and you failed to answer the question, so I asked the question again.

    My new question is: "When will this be fixed? If not, why will it not be fixed?"

     
    • Edited by -MW Saturday, February 18, 2017 4:02 PM
    Saturday, February 18, 2017 4:01 PM
  • Hi  -MW,

    I made a test on my machine. Here is my conclusion.
    To modify the firewall rule, we should get administrator permission. When we install an application which needs administrator permission, we will be notified with a prompt to approve this operation (this is controlled by the UAC). Once we approve this operation, the installation process has gained administrator permission to modify the firewall. This is based on the fact that we trusted the application. Though we will not get a notification that the firewall has been changed, there will be information recorded in the Event Viewer (event 2004) as I pointed out before.

    Anyway, we could restore all the firewall settings to default. Then we will always be notified when an application wants to pass through the firewall.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 21, 2017 7:06 AM
    Moderator
  • Hello,

    Unfortunately some "Trusted" applications turn out not to be so trustworthy and install components that are not supposed to be "installed" and somehow become "awake" with activity.

    Here is an example: we are running Windows 10 LTSB, on which, by all I have heard from Microsoft, Metro apps are not installed. Yet, somehow, Xbox is installed into the "SystemApps" folder and this rule is applied to the firewall.

    =================================================
    Name                  : {C76200D4-8B29-4F9E-8A7E-70E1C669C8F3}
    DisplayName           : Xbox Game UI
    Description           : Xbox Game UI
    DisplayGroup          : Xbox Game UI
    Group                 : @{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Mic
                            rosoft.XboxGameCallableUI/resources/PkgDisplayName}
    Enabled               : True
    Profile               : Domain, Private, Public
    Platform              : {}
    Direction             : Outbound
    Action                : Allow
    EdgeTraversalPolicy   : Block
    LooseSourceMapping    : False
    LocalOnlyMapping      : False
    Owner                 : S-1-5-21-278866012-2302033328-2602219420-1001
    PrimaryStatus         : OK
    Status                : The rule was parsed successfully from the store. (65536)
    EnforcementStatus     : NotApplicable
    PolicyStoreSource     :
    PolicyStoreSourceType : GroupPolicy

    =============================================

    Firewall changes do not always appear during installs.  They can sometimes occur on the fly.  Once an app is installed it seems to be able to change the wall.

    So it does not matter if a Trusted Application or just any application, the Firewall should always notify the user for every security change prior to the change. There is no excuse not to.

    Friday, February 24, 2017 3:59 PM
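The rule dump above is the default output of Get-NetFirewallRule for one rule. A check a practitioner would want is the same inventory for every effective rule, joined with the program or package each rule applies to, so rules sourced from Group Policy or owned by another SID (the Owner and PolicyStoreSourceType fields shown above) can be reviewed in one pass. The following is an added example, not code from the thread; the function name and the filter at the bottom are the author's choices.

```powershell
# Added example, not from the thread. Lists rules from the active (effective) policy
# store joined with their program/package filter, so rules that arrived from Group
# Policy or were created under another SID stand out. Read-only; needs no elevation.
function Get-FirewallRuleInventory {
    param([string]$PolicyStore = 'ActiveStore')   # ActiveStore = the merged, effective rule set
    Get-NetFirewallRule -PolicyStore $PolicyStore | ForEach-Object {
        # The application filter holds the Program path and, for store apps, the Package SID.
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name                  = $_.Name
            DisplayName           = $_.DisplayName
            Enabled               = $_.Enabled
            Direction             = $_.Direction
            Action                = $_.Action
            Profile               = $_.Profile
            PolicyStoreSourceType = $_.PolicyStoreSourceType
            Owner                 = $_.Owner
            Program               = $app.Program
            Package               = $app.Package
        }
    }
}

# Show enabled Allow rules that did not come from the Local store, grouped by owner SID.
Get-FirewallRuleInventory |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.PolicyStoreSourceType -ne 'Local' } |
    Sort-Object Owner, DisplayName |
    Format-Table DisplayName, Direction, Profile, PolicyStoreSourceType, Owner, Program, Package -AutoSize
```

Exporting the inventory once (for example with Export-Csv) gives a baseline that later runs can be compared against, which is the inventory-side counterpart of watching the 2004/2006 events.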
  • Hi -MW,

    Metro apps are different from desktop apps. They all run in a sandbox called an "app container". There is a manifest for each one stating which system resources will be needed for it to run well. They are all signed with certificates before they are released to the Microsoft Store. So the Metro apps from the Microsoft Store are all trusted apps. There is no need to worry about the security issue with the Metro apps.

    In theory, the LTSB version should be totally free of Metro apps if we didn't sideload them. If it is installed automatically, it should be another issue. It is recommended to open a new case for it. Thanks for your understanding and cooperation.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, February 27, 2017 8:27 AM
    Moderator
  • Sorry, you are incorrect in assuming an app is not a security issue just because Microsoft "Trusts" the app. You are wrong there, and it seems that you are trying to make the trust of the app the issue and it is not. That argument is a digression and appears as either an intentional or unintentional attempt to move away from the actual issue. I do not care if the app is trusted or not, in fact I don't care who installs the app, including myself.

    The issue is the Windows Firewall can be changed without notifying the user before the change is made. The question still stands: How do you get Windows to notify a user before the firewall has been changed?

    So you seem to know of no "public" switch to prompt for the firewall change, is there a hidden switch?  Maybe one the developers used for testing?  

    Or is there a way to intercept the changes to the registry prior to the change, with detailed information about the change? Maybe monitor the registry key?

    Thank you,

    Monday, February 27, 2017 9:56 PM
  • In theory, the LTSB version should be totally free of Metro apps if we didn't sideload them. If it is installed automatically, it should be another issue. It is recommended to open a new case for it. Thanks for your understanding and cooperation.



    Metro apps are installed straight from a default install of LTSB. You can test this yourself just by doing a simple test.

    1) Don't connect your system to the network.

    2) Install LTSB, choosing the defaults.

    3) Still don't connect to the network (including wireless).

    4) Check the firewall (you will see the changes) and check the "SystemApps" folder.

    Monday, February 27, 2017 10:03 PM
  • So far no good answer to this windows vulnerability:

    How do you get Windows to notify a user before the firewall has been changed?

    It seems Microsoft does not want users to know when an application will change the firewall. Why? Who knows? It is a simple request to be notified before the firewall is changed and given the choice to either accept or decline the change.

    It looks like the best workaround is to monitor the firewall registry keys for changes. Not optimal: a program has to run in memory to do the monitoring and block the change.

    I will keep looking,

    • Marked as answer by -MW Monday, March 6, 2017 8:43 PM
    • Unmarked as answer by -MW Monday, March 6, 2017 8:43 PM
    Monday, March 6, 2017 7:33 PM
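The registry-monitoring workaround the post above settles on, written out as an added example (not code from the thread): it subscribes to WMI RegistryKeyChangeEvent notifications for the local firewall rule store, diffs a snapshot of the key's values on every notification, and decodes the "k=v|k=v" rule strings into name, direction, action and program. The key path HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules and the rule-string field names come from the author's own knowledge of the firewall store, not from the thread; the function names are the author's. Like the event-log route it can only report after the write has happened, which is the limitation the post itself notes.

```powershell
# Added example, not from the thread. Watches the persistent local rule store under HKLM
# (key path and value format from the author's knowledge, not from the thread), diffs a
# snapshot on every change and decodes the "k=v|k=v" rule strings. It reports after the
# write; it cannot block or prompt beforehand. Works in Windows PowerShell 5.1 and
# PowerShell 7 (CimCmdlets is built in).

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$WqlPath  = 'SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules'

# Each registry value is one rule, e.g. "v2.30|Action=Allow|Active=TRUE|Dir=Out|App=C:\...|Name=...|".
function ConvertFrom-FirewallRuleString {
    param([string]$RuleId, [string]$Value)
    $fields = @{}
    foreach ($part in $Value.Split('|')) {
        $i = $part.IndexOf('=')
        if ($i -gt 0) { $fields[$part.Substring(0, $i)] = $part.Substring($i + 1) }
    }
    [pscustomobject]@{
        RuleId = $RuleId
        Name   = $fields['Name']
        Dir    = $fields['Dir']
        Action = $fields['Action']
        Active = $fields['Active']
        App    = $fields['App']
    }
}

# Snapshot: value name (rule id) -> raw rule string, skipping the provider's PS* properties.
function Get-FirewallRuleSnapshot {
    $snap = @{}
    $item = Get-ItemProperty -Path $RulesKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') {
            $snap[$p.Name] = [string]$p.Value
        }
    }
    return $snap
}

# Emit one decoded object per added, modified or removed rule between two snapshots.
function Compare-FirewallRuleSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            ConvertFrom-FirewallRuleString $k $After[$k] | Add-Member -NotePropertyName Change -NotePropertyValue 'Added' -PassThru
        } elseif ($Before[$k] -ne $After[$k]) {
            ConvertFrom-FirewallRuleString $k $After[$k] | Add-Member -NotePropertyName Change -NotePropertyValue 'Modified' -PassThru
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            ConvertFrom-FirewallRuleString $k $Before[$k] | Add-Member -NotePropertyName Change -NotePropertyValue 'Removed' -PassThru
        }
    }
}

# RegistryKeyChangeEvent (root\default namespace) covers HKLM only and says *that* the key
# changed, not what; the snapshot diff supplies the detail. Loop until Ctrl+C.
$query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='$WqlPath'"
Register-CimIndicationEvent -Namespace 'root/default' -Query $query -SourceIdentifier 'FirewallRulesChanged'
$baseline = Get-FirewallRuleSnapshot
try {
    while ($true) {
        $null = Wait-Event -SourceIdentifier 'FirewallRulesChanged'
        Get-Event -SourceIdentifier 'FirewallRulesChanged' | Remove-Event
        $current = Get-FirewallRuleSnapshot
        Compare-FirewallRuleSnapshot -Before $baseline -After $current |
            Format-Table Change, Name, Dir, Action, Active, App -AutoSize | Out-String | Write-Host
        $baseline = $current
    }
} finally {
    Unregister-Event -SourceIdentifier 'FirewallRulesChanged'
}
```

Two caveats worth knowing before relying on this: rules delivered by Group Policy are stored under a separate key (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, from the author's knowledge), so a second subscription is needed to cover them; and a writer that changes several values in quick succession may produce one notification for the batch, which the snapshot diff handles correctly but a per-event counter would not.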
  • Tests show that an installed application can modify the Windows firewall without the user being notified before the firewall change is made. There appears to be no built-in mechanism within Windows to prompt the user that the firewall is going to be modified, thus opening the system to an attack.

    • Marked as answer by -MW Thursday, March 16, 2017 2:56 PM
    Thursday, March 16, 2017 2:56 PM