configure W7 MS firewall

urbanspaceman1

Hello Folks. All these years I've just left MS Firewall alone, basically because I haven't the faintest idea how to configure it. I thought it was time I found out, because there are dozens of entries in 'Inbound' and just as many in 'Outbound', the majority of which mean nothing to me: should they be there, should they be changed... removed... it's a mystery.
I had a search of the forum for any tutorials on configuration but didn't see anything. Is there any advice to be had on how to run this firewall or should I maybe just leave it alone? I have no idea what is talking to who and I'm kinda suspicious.
 

My Computer
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Cyberpower PC
OS
windows 7 premium home 64bit
CPU
intel core i5 2500 3.3Ghz 6mb cache OEM
Motherboard
Asus P8Z68-V LX Intel Z68 Chipset DDR3 ATX USB 3
Memory
8GB (2x4GB) PC10666 DDR3/1333mhz Dual
Graphics Card(s)
AMD ATI Radeon Powercolor HD5670 1GB passive cooled
Sound Card
Creative/Soundblaster Digital Music Premium HD/X-Fi-HD
Monitor(s) Displays
Samsung 22; Hanns.G 19
Screen Resolution
1680 x 1050
Hard Drives
SSD: 120 GB Intel 520 Series SATA III
HDD2:West Dig 1TB SATA III 32mb 6gb/s
Hot swap HDD3: 1tb Barracuda Sata 3 32mb 6gb/s
PSU
Coolermaster Elitepower 500wt
Case
NZXT Hush 2
Cooling
Coolermaster Hyper TX3
Mouse
Logitech M570 Trackball
Internet Speed
50mbs
Antivirus
Malwarebytes3. cont' below:
Browser
IE11
Other Info
Windows Firewall.
Hitman-Pro.alert3.
The critical bit of the post is when you say: "I haven't the faintest idea how to configure it". Reality dictates that, to take advantage of a firewall, you need a minimum understanding of networks, communication software, TCP/IP, ports, security and the like (and I would say somewhat above the bare minimum).

Another fact is that Windows Firewall is practically disabled by default. Outbound connections are all allowed, and inbound has tons of rules that allow every single built-in service. So by default it provides almost zero protection against anything practical.

To get some real benefit out of a firewall (any firewall, not just the Windows built-in one) you must understand some networking, what software you use and what network access it requires (and what it doesn't really need). You must take into account your specific use case; there are very few general rules that apply to everything.

Since you have little idea of networking, I would suggest you invest some time in learning the basics. Until then, just disable any firewall, as it does you no good at all. Then you can begin tweaking things bit by bit until you understand the practical consequences of each and every rule.

My personal preference is to simply delete all rules in the firewall (both incoming and outbound), block everything by default, then add exceptions to allow specific programs to do specific things. The rest of the system should be unable to access the network at all.
 

My Computer
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
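
The block-by-default approach from the post above, written out as netsh commands for an elevated PowerShell prompt. This is an added example, not part of the original thread; the backup path, rule names, allowed ports and the browser path are assumptions.

```powershell
# Added example: block-by-default policy for Windows Firewall on Windows 7.
# Run from an elevated prompt. Backup path, rule names, ports and the
# browser path are assumptions; choose them for your own machine.
$backup  = "$env:USERPROFILE\firewall-before.wfw"
$browser = 'C:\Path\To\browser.exe'   # placeholder, not a real path

# 1. Export the current policy first. To undo everything below:
#      netsh advfirewall import "$backup"
netsh advfirewall export "$backup"

# 2. Keep the firewall on and block unmatched traffic in both directions
#    on every profile. The quotes stop PowerShell splitting at the comma.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 3. Remove the existing rules (the "delete all rules" step).
netsh advfirewall firewall delete rule name=all

# 4. Add back only what is needed, one narrow rule at a time.
#    DHCP and DNS are needed for basic connectivity on most home networks.
netsh advfirewall firewall add rule name=Allow-DHCP-Out dir=out action=allow `
    protocol=UDP localport=68 remoteport=67
netsh advfirewall firewall add rule name=Allow-DNS-Out dir=out action=allow `
    protocol=UDP remoteport=53
#    One program, limited to the web ports.
netsh advfirewall firewall add rule name=Allow-Browser-Web-Out dir=out `
    action=allow "program=$browser" protocol=TCP "remoteport=80,443"

# 5. Confirm the default policy and the rules now in place.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Anything not matched by a rule from step 4 is now dropped, so expect other programs to lose network access until they get their own rule.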
Yes, well, I agree with everything you say.
 

Is it really an acceptable option to disable it completely?
If it is not doing anything useful, quote Alejandro 85: "So by default it provides almost zero protection against anything practical" is it better to remove it?
My personal predilection is always to maintain complete control over everything my computer does and I get nervous if it does things without asking or at least informing me.
I see a host of entries, soon after start-up, accessing the web then they all disappear - or at least they appear to disappear; hence my concern.
 
Is it really an acceptable option to disable it completely?
If it is not doing anything useful, quote Alejandro 85: "So by default it provides almost zero protection against anything practical" is it better to remove it?

Although you'd probably prefer a second opinion from someone else :p, I'll attempt to answer that myself.
A firewall's sole purpose in life is to block unwanted network connections and only allow those you know to proceed; that's its main and only function. Now, if you configure your firewall to accept each and every connection, what good does it do for you? What risks does it attempt to mitigate?

I cannot think of any useful purpose it serves under those conditions; I don't think it does any harm either. But it's a basic security concept that anything unused is a potential risk and is better left disabled, and if you're not taking any advantage of the firewall, disable it and save its resources for something else.


I see a host of entries, soon after start-up, accessing the web then they all disappear - or at least they appear to disappear; hence my concern.

Firewall rules don't change at all just for browsing. They're part of the configuration, and that doesn't change at all unless you do it explicitly or some programs add rules when installed. Besides, modifying the firewall configuration requires administrator access, something browsers must never have.
 

I have a 'Resources' facility that I can use to view OS activity, and looking at the Network section I see a lot of connections being made when I first boot up that generally disappear quickly.
That was what made me suspicious and sent me looking at the firewall settings.
 

OK, that's very much different: network connections are very volatile, and change rapidly according to what you are doing and what software you are running.
A lot of things could justify such traffic, for example programs automatically looking for updates, some DNS queries, other computers in your network pinging you, broadcast messages or even spyware trying to leak things about you.

What to do about them is very much dependent on the exact nature of the connections. A firewall is a very good tool when dealing with rogue network activity, but you need some practice with it.
A good learning exercise could be to look at those connections and see what process uses what port, under which protocol and to what server. Understanding those details will help in developing rules to forbid or allow connections.
 

I devised a system whereby I video recorded the 'Resource Monitor' network page on screen after I connected to the internet, as there is too much activity to pinpoint individual addresses and PIDs. I was then able to identify what was what. However, when I go looking up these PIDs and addresses the info I get back is meaningless... at least to me anyway. I don't know if this stuff is kosher or not.
Here's an example that has two entries with different PIDs: 3892 & 4; 239.255.255.250.
Does it mean anything to anyone?
3892 appears to be my computer ID.
 

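
The learning exercise suggested earlier in the thread (which process, which address), applied to the entries quoted in the last post. This is an added example, not part of the original thread; the function names and the `$observed` list are assumptions.

```powershell
# Added example: triage (PID, address) pairs copied from Resource Monitor.
# $observed is constructed from the PIDs and address quoted in the post above.
$observed = @(
    @{ ProcId = 3892; Address = '239.255.255.250' },
    @{ ProcId = 4;    Address = '239.255.255.250' }
)

# Well-known IPv4 multicast groups used for local-network discovery.
$knownGroups = @{
    '239.255.255.250' = 'SSDP / UPnP discovery (UDP 1900)'
    '224.0.0.251'     = 'mDNS (UDP 5353)'
    '224.0.0.252'     = 'LLMNR (UDP 5355)'
}

function Get-AddressScope([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return 'IPv6 (not classified here)' }
    if ($knownGroups.ContainsKey($Address)) { return "multicast: $($knownGroups[$Address])" }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 127) { return 'loopback' }
    if ($b[0] -ge 224 -and $b[0] -le 239) { return 'multicast' }
    if ($b[0] -eq 10 -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)) { return 'private LAN' }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'link-local' }
    return 'public: look up the owner before writing a rule'
}

function Get-PidOwner([int]$ProcId) {
    # PID 4 is the Windows System process; other PIDs are not stable across reboots.
    $p = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    if (-not $p) { return 'not running now' }
    # svchost.exe hosts several services; list them so the traffic can be attributed.
    $svc = @(Get-WmiObject Win32_Service -Filter "ProcessId=$ProcId" |
             ForEach-Object { $_.Name })
    if ($svc.Count -gt 0) { return "$($p.ProcessName): $($svc -join ', ')" }
    return $p.ProcessName
}

$observed | ForEach-Object {
    New-Object PSObject -Property @{
        ProcId  = $_.ProcId
        Owner   = (Get-PidOwner $_.ProcId)
        Address = $_.Address
        Scope   = (Get-AddressScope $_.Address)
    }
} | Format-Table ProcId, Owner, Address, Scope -AutoSize
```

Run it in the same boot session in which the PIDs were recorded, otherwise the owner column will describe a different process or report that none is running.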