CryptSvc not matched by Windows 7 Firewall rule

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by theultramage on Server Fault See other posts from Server Fault or by theultramage
Published on 2013-10-14T15:58:05Z Indexed on 2013/10/23 10:01 UTC
Read the original article Hit count: 384

Filed under:
|

I am using Windows Firewall in conjunction with a third-party tool to get notified about new outbound connection attempts (Windows Firewall Notifier or Windows Firewall Control).

The way these tools do it is by setting the firewall to deny by default, and to add an auditing policy to log blocked connections into the Security event log. Then they watch the log, and display notification about newly added entries.

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable

With this configuration in place, I now need to craft outbound allow rules for applications and system services. Here is the rule for CryptSvc, the service frequently used for certificate validation and revocation checking:

netsh advfirewall firewall add rule
  name="Windows Cryptographic Services" action=allow enable=yes profile=any
  program="%SystemRoot%\system32\svchost.exe" service="CryptSvc"
  dir=out protocol=tcp remoteport=80,443

The problem is, this rule does not work. Unless I change the scope to "all programs and services" (which is really unhealthy), connection denied events like the following will keep appearing in the security log:

Event 5157, Microsoft Windows security auditing.
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:           1476 (<- svchost.exe with CryptSvc and nothing else)
    Application Name:     \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:            Outbound
    Source Address:       192.168.0.1
    Source Port:          49616
    Destination Address:  2.16.52.16
    Destination Port:     80
    Protocol:             6 (<- TCP)

To make sure it's CryptSvc, I have let the connection through and reviewed its traffic; I also configured CryptSvc to run in its own svchost instance to make it more obvious:

;sc config CryptSvc type= share
sc config CryptSvc type= own


So... why is it not matching the firewall rule, and how to fix that?

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about windows-service

Related posts about windows-firewall

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle