windows 7 firewall what must be allowed to allow basic functionality

ron7000

I was reading a tutorial here about the firewall... every new program you allow through the firewall makes you however much less secure -> don't let anything through you don't recognize.

1) How do I know what is really needed? Is there a list somewhere explaining the minimal set of rules?
2) If I remove everything and let nothing through, and find I have nuked myself, can I restore default settings with one mouse click or do I have to remember everything I changed? I don't want to have to reinstall Windows to correct this, or at least I want to know that's the solution before I mess things up.

For instance, let's say I set up a PC running Windows 7, and its only function is to be a license server running 1 piece of software. After a clean install from a Windows 7 DVD, I do nothing else but copy my 1 MB license server program to it from a CD.
And let's say the only thing I do is online Windows updates after the clean install, then I plan on never needing any internet or other networking functionality... so I remove everything from the firewall rules, meaning EVERYTHING is blocked.
Then if I add my one rule opening TCP port # for the license server to work on, will that work?
Or do I need a handful of rules always there for things to work, and if so, what are they?
Thanks.
 

That's a very good strategy for minimizing attack surface on servers, and even on normal desktop computers if you really know what you're doing: just open the bare minimum needed and nothing else.

If all that server does is run this program, then in theory it can run with just one incoming rule and no outgoing ones at all (assuming this program doesn't make any further connections). Each rule you add will add more permissions for networking, but the exact set you need is strictly defined by what you run on the computer.


1) How do I know what is really needed? Is there a list somewhere explaining the minimal set of rules?

There are no "minimal" rules at all; it entirely depends on what you do on the computer. For a server, needs are different from workstations, but the general process is pretty much the same: just look at the programs you run, determine what each one needs and open those ports. Plus, the basic network infrastructure services are almost always needed.


2) If I remove everything and let nothing through, and find I have nuked myself, can I restore default settings with one mouse click or do I have to remember everything I changed? I don't want to have to reinstall Windows to correct this, or at least I want to know that's the solution before I mess things up.

Speaking specifically about Windows Firewall, you can always revert to the default settings (which are pretty much equal to it being disabled). You can also completely disable it if you locked yourself out accidentally, then reconfigure to allow at least the most basic things and try again. No need to nuke the computer for a configuration mistake.



For your specific case, the "bare minimum" would be one single incoming rule allowing that licensing server program to receive connections. I would however add a few more rules to allow other basic operations on the computer:
- Allowing remote control of servers is a typical requirement. Remote Desktop is frequently used on Windows (incoming TCP 3389, at least from the local network).
- You may want to allow further updates to be installed on the server, especially if it's internet-facing. For this you will need DNS access (outgoing UDP 53) and to allow the Windows Update service unlimited TCP connections.
- You may want to allow pinging the server from the local network.
- Under some circumstances, allowing browsing from the server for maintenance can ease some administrative tasks; in that case you need outgoing TCP 80 and 443 on your browser process.

Some others may be useful, but I can't remember any right now. In general, the idea is to carefully observe each rule you add and what purpose it fulfills, and remove everything else. Starting from a blank firewall (which effectively isolates you from the network) is a good starting point, then progressively enabling needed services.
 

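The lockdown procedure discussed in this thread, as an added example that is not part of either post: it uses the built-in `netsh advfirewall` commands from an elevated PowerShell prompt on Windows 7. The port number, program path, backup file name and rule names are placeholders chosen for illustration, and a static IP address is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Placeholders (assumptions): adjust to the real license server.
$LicensePort = 27000                            # TCP port the license server listens on
$LicenseExe  = 'C:\LicenseServer\lmserver.exe'  # path to the license server program
$Backup      = 'C:\fw-before-lockdown.wfw'      # file that receives the current policy

# 1. Save the current policy before touching anything.
#    Restore this snapshot later with:  netsh advfirewall import $Backup
#    Restore the Windows defaults with: netsh advfirewall reset
netsh advfirewall export $Backup

# 2. Keep the firewall on and block both directions by default on all profiles.
#    The comma-separated value is quoted so PowerShell passes it as one argument.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'

# 3. Remove every existing rule: the "blank firewall" starting point.
#    Assumes a static IP; DHCP and similar services would need their own rules.
netsh advfirewall firewall delete rule name=all

# 4. The single required rule: inbound TCP to the license server program only.
netsh advfirewall firewall add rule name=LicenseServer-In dir=in action=allow protocol=TCP "localport=$LicensePort" "program=$LicenseExe"

# 5. Optional rules from the answer; add only the ones that are really needed.
#    Remote Desktop and ping, restricted to the local subnet:
netsh advfirewall firewall add rule name=RDP-In-LAN dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet
netsh advfirewall firewall add rule name=Ping-In-LAN dir=in action=allow 'protocol=icmpv4:8,any' remoteip=localsubnet
#    Outgoing DNS lookups:
netsh advfirewall firewall add rule name=DNS-Out dir=out action=allow protocol=UDP remoteport=53

# 6. Review what is left; every rule listed should have a known purpose.
netsh advfirewall firewall show rule name=all
```

Run it from the local console rather than over Remote Desktop, because step 3 drops the rule that carries the remote session until step 5 adds it back.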