CryptSvc not matched by Windows 7 Firewall rule

Posted by theultramage on Server Fault
Published on 2013-10-14T15:58:05Z Indexed on 2013/10/23 10:01 UTC

I am using Windows Firewall in conjunction with a third-party tool to get notified about new outbound connection attempts (Windows Firewall Notifier or Windows Firewall Control).

The way these tools do it is by setting the firewall to deny by default, and to add an auditing policy to log blocked connections into the Security event log. Then they watch the log, and display notification about newly added entries.

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable

With this configuration in place, I now need to craft outbound allow rules for applications and system services. Here is the rule for CryptSvc, the service frequently used for certificate validation and revocation checking:

netsh advfirewall firewall add rule ^
  name="Windows Cryptographic Services" action=allow enable=yes profile=any ^
  program="%SystemRoot%\system32\svchost.exe" service="CryptSvc" ^
  dir=out protocol=tcp remoteport=80,443

The problem is, this rule does not work. Unless I change the scope to "all programs and services" (which is really unhealthy), connection denied events like the following will keep appearing in the security log:

Event 5157, Microsoft Windows security auditing.
The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:           1476 (<- svchost.exe with CryptSvc and nothing else)
    Application Name:     \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
    Direction:            Outbound
    Source Address:       192.168.0.1
    Source Port:          49616
    Destination Address:  2.16.52.16
    Destination Port:     80
    Protocol:             6 (<- TCP)

To make sure it's CryptSvc, I have let the connection through and reviewed its traffic; I also configured CryptSvc to run in its own svchost instance to make it more obvious:

:: to revert later: sc config CryptSvc type= share
sc config CryptSvc type= own

So... why is it not matching the firewall rule, and how do I fix that?
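Added example, not part of the question above: a PowerShell script that parses Event 5157 records from the Security log and attributes each blocked svchost.exe process ID to the services it hosts, automating the "svchost.exe with CryptSvc and nothing else" check. It assumes the audit policy from the question is enabled; the sample event is constructed to mirror the one quoted, and the `%%14593` direction code is an assumed resource-string id for "Outbound".

```powershell
# Added example: attribute WFP block events (ID 5157) to the services in the blocked PID.
function ConvertFrom-WfpBlockEvent {
    # Parse one 5157 event from its XML (EventRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        ProcessId   = [int]$data.ProcessID
        Application = $data.Application
        # Assumption: %%14593 is the resource string id rendered as "Outbound".
        Direction   = if ($data.Direction -eq '%%14593') { 'Outbound' } else { 'Inbound' }
        Remote      = "$($data.DestAddress):$($data.DestPort)"
        Protocol    = [int]$data.Protocol   # 6 = TCP, 17 = UDP
    }
}

function Get-ServicesInProcess {
    # Names of the services hosted by a PID, from a map of PID -> service names.
    param([int]$ProcessId, [hashtable]$ServiceMap)
    if ($ServiceMap.ContainsKey($ProcessId)) { $ServiceMap[$ProcessId] } else { @('<no service>') }
}

# Live map of every running service to its host process (one svchost may host many).
$svcMap = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $p = [int]$_.ProcessId
    if (-not $svcMap.ContainsKey($p)) { $svcMap[$p] = @() }
    $svcMap[$p] += $_.Name
}

# Constructed sample event mirroring the one in the question (PID 1476, TCP to 2.16.52.16:80).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5157</EventID><TimeCreated SystemTime="2013-10-14T15:00:00.000Z"/></System>
 <EventData>
  <Data Name="ProcessID">1476</Data>
  <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
  <Data Name="Direction">%%14593</Data>
  <Data Name="SourceAddress">192.168.0.1</Data><Data Name="SourcePort">49616</Data>
  <Data Name="DestAddress">2.16.52.16</Data><Data Name="DestPort">80</Data>
  <Data Name="Protocol">6</Data>
 </EventData>
</Event>
'@
ConvertFrom-WfpBlockEvent $sample | Format-List

# Live run: recent blocked outbound connections with the services hosted by the blocked PID.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157} -MaxEvents 50 -ErrorAction SilentlyContinue |
  ForEach-Object { ConvertFrom-WfpBlockEvent ([xml]$_.ToXml()) } |
  Where-Object Direction -eq 'Outbound' |
  Select-Object Time, ProcessId, Remote, Protocol, @{n='Services'; e={ (Get-ServicesInProcess $_.ProcessId $svcMap) -join ',' }}
```

Run it from an elevated PowerShell, since reading the Security log requires administrative rights; a PID that maps to a service name other than the one in your allow rule shows which service the rule needs to name.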
