Windows Advanced Firewall Programmatic Access

on11 · Sep 12, 2023

I finally got around to creating and account here as two of my daily drivers are now Windows 11. So yay me :)

As a developer I know that we can create Windows Firewall rules, exceptions and so on programmatically. From the perspective of convenience having a program create the rule for you is I suppose great, but from a malicious perspective I don't like that any program can add or modify my rules as they want to suit themselves.

I wanted to know if there is a way to "disable" programmatic access to the Windows Firewall basically making it so that unless you create the rule yourself through the GUI or command line, they cannot be created automatically programmatically. I have searched for this and the only thing you get back is how to disable the firewall which is not what I need.

Before the customary deluge of why don't you use a third party firewall and having all kinds of suggestion to use Comodo or other things thrown as a response, please save it. I already use that, this is a particular use case and I am not interested in "another program" as a solution, just a native way within Windows, policy, registry or whatnot, to disable the programmatic access. I am hoping for the community's insights.

Thanks in advance.

garlin · Sep 12, 2023

I don't believe there's a GPO policy to lock out Firewall rule changes.

The best answer is to export your current (and verified) ruleset to .vfw, and import them back as a Group Policy. Because it's now treated as policy, you can use "gpupdate /force" to revert any changes. Using the MPSSVC event logs, it's possible to track recent changes to Firewall that were made outside of the Group Policy.

Audit MPSSVC Rule-Level Policy Change - Windows 10

Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).

learn.microsoft.com

on11 · Sep 12, 2023

garlin said:
I don't believe there's a GPO policy to lock out Firewall rule changes.

The best answer is to export your current (and verified) ruleset to .vfw, and import them back as a Group Policy. Because it's now treated as policy, you can use "gpupdate /force" to revert any changes. Using the MPSSVC event logs, it's possible to track recent changes to Firewall that were made outside of the Group Policy.

Audit MPSSVC Rule-Level Policy Change - Windows 10

Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).

learn.microsoft.com

It is certainly disappointing but thank you for the alternative option. At least gives me something to work out. I always wished there was a way to create the rules and assign them to groups so they can be disabled and enabled en mass but with script on load to ensure the rules are always exactly what we want but seems despite showing the group in the GUI there is actually no option to set it, but that's a different issue. Thank you again.

garlin · Sep 12, 2023

Someone shared the idea of adding a group name tag in front of every rule's name, to better identify them. Then you could use regular expressions to process them.

on11 · Sep 13, 2023

garlin said:
Someone shared the idea of adding a group name tag in front of every rule's name, to better identify them. Then you could use regular expressions to process them.

Aha, clever. Currently we tag them [Application_Name] for sorting and identification; but thinking your RegEx idea can grab this existing piece of data, nice. Thank you.

elbmek · Sep 16, 2023

Welcome binary or should I say 011000111000111 !!

on11 · Sep 16, 2023

elbmek said:
Welcome binary or should I say 011000111000111 !!

Thank you. Lurked for a long time on the Ten Forum before registering. Here I was hoping credentials would transfer, didn't, so took me a bit to sign up here, but glad to be here.