Original question
Today I'm stuck on a Windows Firewall problem and I hope you can help me. I'm trying to create rules dedicated to services, but I cannot get them to match. I found some related threads that are still unanswered, but they are quite old, so I'm trying my luck here.
What I want to do:
- Filter all outgoing traffic (default "block all")
- Allow all programs to connect to certain remote ports, such as DNS and DHCP
- Allow only certain programs to connect to the network, e.g. the web browser
- Allow only certain services to connect to the network: the "Windows Update" service and the "Delivery Optimization" service
Details of the situation:
- I'm running Windows 10 x64 22H2 + latest updates
- "Windows Update" and "Delivery Optimization" are services delivered as .dll files (hosted by the well-known svchost.exe)
- All the services I want to filter are already "unrestricted" (meaning they have their own SID, of the form S-1-5-80-xxx, and can be identified by firewall rules)
- Each svchost-hosted service I care about is the only service hosted by its svchost.exe instance (no more than 1 service per svchost.exe instance)
What I did:
- I configured Windows Firewall to "block all outbound connections unless a rule explicitly allows them" for the 3 profiles (public + private + domain)
- I created 2 firewall rules to allow outbound traffic for the "Windows Update" and "Delivery Optimization" services (by selecting the service in the list or by typing the service short name)
- All the rules I created are configured for the 3 profiles (public + private + domain)
- I defined my connection as a private connection (with the PowerShell command Set-NetConnectionProfile)
What I noticed, first attempt:
At this point my web browser works fine (DNS OK, HTTP and HTTPS OK). But Windows Update cannot connect to the Internet (even after stopping and restarting the service).
According to the Windows Firewall log and the audit log, the blocking rule is the firewall's default behaviour. I see connections to remote IPs on port tcp/443 being refused. The log details show the command line and process ID for each block action. I can confirm they are the expected processes (the argument after -s in the svchost.exe command line).
Based on the security token of the associated process, I can find the service SID, of the form S-1-5-80-xxx, corresponding to the expected service (Process Explorer and System Informer give me this information).
All these findings suggest that the rules used to identify the allowed services do not match. <- this is my problem
What I noticed, new attempt:
Then I tried this solution, but it didn't work: https://superuser.com/a/1812889/1458121
What I noticed, yet another attempt:
Then I disabled all the service-related rules and created another rule allowing svchost.exe to connect to the Internet. Magically, Windows Update can fetch some updates and download them.
Since svchost.exe can host many services that I don't want to access the Internet, this option is not acceptable for me.
The question now:
What am I doing wrong? How can I achieve my goal?
Thanks for your help.
More information related to the question (2023-12-08)
First of all, thanks for your help.
Have you already read learn.microsoft.com/en-us/windows/security/... ?
Yes, of course. Especially the section on "outbound program or service rules". I noticed that the details about identifying services are only written under "inbound program or service rules". But since the same dialog is used to select the service for inbound and outbound, I still think this doesn't matter.
Did you define both the program svchost.exe and the service short name wuauserv in the same rule?
Yes, but that didn't change anything.
If you run Get-NetFirewallRule -DisplayName 'YourRuleName' | Get-NetFirewallServiceFilter, does the service look right?
Yes, but only for the rules based on the service name. See my output:
PS C:\Windows\system32> Get-NetFirewallRule -DisplayName 'Windows Update Service (tcp) - by service SID' | Get-NetFirewallServiceFilter
Service : Any
PS C:\Windows\system32> Get-NetFirewallRule -DisplayName 'Windows Update Service (tcp) - by service name' | Get-NetFirewallServiceFilter
Service : wuauserv
PS C:\Windows\system32> Get-NetFirewallRule -DisplayName 'Delivery Optimization Service (tcp) - by service SID' | Get-NetFirewallServiceFilter
Service : Any
PS C:\Windows\system32> Get-NetFirewallRule -DisplayName 'Delivery Optimization Service (tcp) - by service name' | Get-NetFirewallServiceFilter
Service : DoSvc
Blocking all outbound traffic is a very bad idea.
Yes and no, it depends on the end user. For the "average person" you are entirely right, because she/he is not computer-savvy and just wants it to work. But for someone who (almost) fully understands the Windows OS and basic security principles, it's just hardening.
More information related to the question (2023-12-10)
Could you add some sample firewall log entries?
Sure! And not just logs. Here is how I collected the information:
- I ran this command to enable auditing of connections allowed or blocked by WFP:
auditpol.exe /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
- I cleared the "Security" event log (all of it).
- I launched Windows Update from the Settings panel and waited for the error (it shows up very quickly).
- I got some logs like this:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 7472
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 192.168.0.249
Source Port: 63344
Destination Address: 20.114.59.183
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 85352
Layer Name: Connect
Layer Run-Time ID: 48
Now, to handle all the logs easily, I wrote a PowerShell script that reads these logs and, based on the process ID, enriches them with details of the currently running process (process command line, process location, service short name (if any), service long name (if any)). If anyone wants it, I can provide the script.
The most important part is here:
# $ProcessId is the "Process ID" field of the 5156/5157 event being enriched
$ProcessWMI  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction Stop | Select-Object -Property CommandLine
$ProcessPWSH = Get-Process -Id $ProcessId -ErrorAction Stop | Select-Object -Property Path, Description
$ServiceWMI  = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" -ErrorAction Stop | Select-Object -Property Name, DisplayName, PathName
After that, I export the svchost.exe logs to a CSV file. It looks like this:
#TYPE Selected.System.Diagnostics.EventLogEntry
"Index","TimeGenerated","EventID","Decision","Direction","Proto","SrcAddr","SrcPort","DstAddr","DstPort","Operation","ProcId","ProcPath","ProcCmdLine","SvcName","SvcDisplay"
"209565","2023-12-10 10:32:50 PM","5156","Allow","Out","UDP","192.168.0.249","57462","192.168.0.254","53","Connect","3480","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache","Dnscache","DNS Client"
"209577","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63319","40.126.32.76","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209575","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63318","40.126.32.136","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209573","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63317","20.190.160.22","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209571","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63316","40.126.32.134","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209569","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63315","40.126.32.138","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209567","2023-12-10 10:32:50 PM","5157","Block","Out","TCP","192.168.0.249","63314","40.126.32.68","443","Connect","12768","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc","wlidsvc","Microsoft Account Sign-in Assistant"
"209643","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63342","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209653","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63347","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209651","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63346","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209649","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63345","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209647","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63344","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209645","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63343","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209668","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63354","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
"209670","2023-12-10 10:32:51 PM","5157","Block","Out","TCP","192.168.0.249","63355","20.114.59.183","443","Connect","7472","C:\Windows\system32\svchost.exe","C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv","wuauserv","Windows Update"
Useful information:
- 192.168.0.249 is the IPv4 of the computer where I ran the tests
- 192.168.0.254 is the IPv4 of the nearest router (also the DNS server)
What I notice:
- svchost.exe (service "DnsCache") performs DNS queries. This is allowed because the firewall rule only uses the destination port and protocol.
- svchost.exe (service "Microsoft Account Sign-in Assistant") tries to establish TCP connections to some 40.xxx IPv4 addresses. These connections are refused because no firewall rule allows them.
- svchost.exe (service "Windows Update") tries to establish some TCP connections to the IPv4 20.114.59.183 (a Microsoft server, see https://who.is/whois-ip/ip-address/20.114.59.183). They are refused, but I think they should be allowed according to the firewall rule targeting the "wuauserv" service.
Note: if you want more details, such as screenshots or the script, I'll create and share a .zip file with everything.
And now the .log file generated by Windows Firewall (note that this is another run, because yesterday I forgot to show this file):
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-12-11 21:29:56 DROP UDP 192.168.0.254 224.0.0.251 5353 5353 141 - - - - - - - RECEIVE
2023-12-11 21:29:56 DROP UDP 192.168.0.250 224.0.0.251 5353 5353 179 - - - - - - - RECEIVE
2023-12-11 21:30:04 ALLOW UDP 192.168.0.249 192.168.0.254 62986 53 0 - - - - - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.127.240.158 59536 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.23 59537 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.64 59538 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 ALLOW UDP 192.168.0.249 192.168.0.254 51123 53 0 - - - - - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.0 59539 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.73 59540 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.126.31.73 59541 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.126.31.67 59542 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.127.240.158 59543 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.68 59544 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.64 59545 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.75 59546 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.4 59547 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.0 59548 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.73 59549 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.127.240.158 59550 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.126.31.73 59551 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.126.31.67 59552 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.68 59553 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.64 59554 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.75 59555 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 20.190.159.4 59556 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:04 DROP TCP 192.168.0.249 40.127.240.158 59557 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.0 59558 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.73 59559 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.73 59560 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.67 59561 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.68 59562 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.64 59563 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.127.240.158 59564 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.75 59565 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.4 59566 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.0 59567 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.73 59568 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.73 59569 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.67 59570 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.127.240.158 59571 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59572 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59573 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59574 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.68 59575 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.64 59576 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.75 59577 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.4 59578 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.0 59579 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.73 59580 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59581 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59582 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59583 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59585 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.127.240.158 59584 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.12.23.50 59586 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.73 59587 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 40.126.31.67 59588 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.68 59589 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.64 59590 443 0 - 0 0 0 - - - SEND
2023-12-11 21:30:05 DROP TCP 192.168.0.249 20.190.159.75 59591 443 0 - 0 0 0 - - - SEND
Thanks again for your help.
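The enrichment step described in the question, as an added example that is not the poster's script: it parses the rendered text of WFP audit events 5156 (allow) / 5157 (block) into the same columns as the CSV above and attaches the owning service for the PID. The sample event message and the PID-to-service table are constructed here from the data quoted in the question; on a live system the table is omitted and Win32_Process / Win32_Service are queried instead (which only works while the PID is still running). Field labels are matched by regex against the English message text, which is an assumption about the log language.

```powershell
# Added example, not from the original post: turn 5156/5157 audit events into
# enriched rows. Assumes English event messages as rendered in the Security log.

$ProtocolNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }

function ConvertFrom-WfpAuditMessage {
    param(
        [Parameter(Mandatory)][int]$EventId,        # 5156 = allowed, 5157 = blocked
        [Parameter(Mandatory)][string]$Message,     # rendered event text
        [datetime]$TimeGenerated = (Get-Date)
    )
    # Pull one "Label: value" line out of the rendered message text.
    function Get-Field([string]$Label) {
        if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { return $Matches[1] }
        return $null
    }
    $proto     = [int](Get-Field 'Protocol')
    $protoName = if ($ProtocolNames.ContainsKey($proto)) { $ProtocolNames[$proto] } else { "$proto" }
    $decision  = switch ($EventId) { 5156 { 'Allow' } 5157 { 'Block' } default { 'Unknown' } }
    $direction = if ((Get-Field 'Direction') -eq 'Outbound') { 'Out' } else { 'In' }
    [pscustomobject]@{
        TimeGenerated = $TimeGenerated
        EventID   = $EventId
        Decision  = $decision
        Direction = $direction
        Proto     = $protoName
        SrcAddr   = Get-Field 'Source Address'
        SrcPort   = [int](Get-Field 'Source Port')
        DstAddr   = Get-Field 'Destination Address'
        DstPort   = [int](Get-Field 'Destination Port')
        Operation = Get-Field 'Layer Name'
        ProcId    = [int](Get-Field 'Process ID')
        ProcPath  = Get-Field 'Application Name'    # NT path (\device\harddiskvolumeN\...), kept as logged
    }
}

function Add-ProcessContext {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Row,
        # Offline lookup table (PID -> service) used for the demonstration below;
        # leave it out on a live system to query the running process instead.
        [hashtable]$ServiceByPid
    )
    process {
        $cmd = $svc = $disp = $null
        if ($ServiceByPid) {
            $hit = $ServiceByPid[$Row.ProcId]
            if ($hit) { $cmd, $svc, $disp = $hit.CommandLine, $hit.Name, $hit.DisplayName }
        } else {
            # Live mode: lookups return nothing once the PID has exited, so enrich promptly.
            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($Row.ProcId)" -ErrorAction SilentlyContinue
            $s = Get-CimInstance Win32_Service -Filter "ProcessId = $($Row.ProcId)" -ErrorAction SilentlyContinue
            $cmd  = $p.CommandLine
            # Several services can share one svchost; join them so none is hidden.
            $svc  = ($s | ForEach-Object Name) -join ';'
            $disp = ($s | ForEach-Object DisplayName) -join ';'
        }
        $Row | Add-Member -NotePropertyName ProcCmdLine -NotePropertyValue $cmd  -PassThru |
               Add-Member -NotePropertyName SvcName     -NotePropertyValue $svc  -PassThru |
               Add-Member -NotePropertyName SvcDisplay  -NotePropertyValue $disp -PassThru
    }
}

# Constructed sample: the blocked wuauserv connection quoted in the question.
$SampleMessage = @'
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 7472
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 192.168.0.249
Source Port: 63344
Destination Address: 20.114.59.183
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 85352
Layer Name: Connect
Layer Run-Time ID: 48
'@

# Constructed PID -> service table standing in for the live Win32_* queries.
$SampleServices = @{
    7472 = @{ Name = 'wuauserv'; DisplayName = 'Windows Update'
              CommandLine = 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' }
}

ConvertFrom-WfpAuditMessage -EventId 5157 -Message $SampleMessage |
    Add-ProcessContext -ServiceByPid $SampleServices |
    Format-Table EventID, Decision, Direction, Proto, DstAddr, DstPort, ProcId, SvcName

# Live use (elevated, after the auditpol command above): same pipeline over the Security log.
# Get-EventLog -LogName Security -InstanceId 5156,5157 -Newest 500 |
#   ForEach-Object { ConvertFrom-WfpAuditMessage -EventId $_.EventID -Message $_.Message -TimeGenerated $_.TimeGenerated } |
#   Add-ProcessContext | Where-Object ProcPath -like '*\svchost.exe' |
#   Export-Csv -NoTypeInformation wfp-svchost.csv
```

The constructed row comes out as a 5157 Block, Out, TCP to 20.114.59.183:443 from PID 7472, attributed to wuauserv. The point of joining multiple service names in live mode is that a shared svchost would otherwise hide which of its services opened the socket, which is exactly the ambiguity the question avoids by having one service per instance.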
Answer 1
According to the discussion here, this happens because Windows Update (wuauserv) uses a thread pool for its connections, and those threads are not bound to the service in a way that Windows Firewall can recognize.
As an (untested!) workaround, you could try the following:
- Make a copy of svchost.exe, e.g. svchost_wuauserv.exe
- Update the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\
- Allow the new svchost_wuauserv.exe through the firewall
It should work in most cases, but be aware that any antivirus exclusions hardcoded to svchost.exe may break, and Windows repair tools like SFC may reset these changes.
Another option is to point Windows Update at a specific endpoint (such as WSUS) and simply allow outbound traffic to that IP address.
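The three-step workaround above, carried through as an added example that is not part of the original answer and is as untested as the workaround itself. It also applies the baseline from the question (default-deny outbound on all profiles, DNS and DHCP allowed for every program) and then gives each filtered service its own copy of svchost.exe with a program-based rule, so no service filter is involved. Assumptions: the service ImagePath still begins with svchost.exe followed by its -k / -p arguments, the rule names, the file name pattern svchost_<service>.exe and the TCP 80/443 allowance are this example's own choices, and the write to the service key may be denied on builds that protect it beyond Administrators, in which case the script stops there.

```powershell
# Added example, not from the original answer: automate the "dedicated svchost copy"
# workaround for wuauserv and DoSvc. Run from an elevated PowerShell. Untested, as above.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function New-DedicatedSvchostRule {
    param(
        [Parameter(Mandatory)][string]$Service,   # short name, e.g. wuauserv
        [int[]]$RemotePort = @(80, 443)           # assumption: update traffic is HTTP/HTTPS
    )
    $Original = "$env:SystemRoot\System32\svchost.exe"
    $Copy     = "$env:SystemRoot\System32\svchost_$Service.exe"   # name pattern is this example's choice
    $RegKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"

    # Keep the original arguments (-k <group> -p ...) and swap only the executable.
    $ImagePath = (Get-ItemProperty -Path $RegKey -Name ImagePath).ImagePath
    if (-not ($ImagePath -match '(?i)^"?[^"]*\\svchost\.exe"?\s*(.*)$')) {
        throw "$Service does not run from svchost.exe (ImagePath: $ImagePath); nothing to do."
    }
    $ServiceArgs = $Matches[1]

    Stop-Service -Name $Service -Force
    Copy-Item -Path $Original -Destination $Copy -Force
    # ImagePath is REG_EXPAND_SZ; keep the type when rewriting it. Fails here if the key is protected.
    Set-ItemProperty -Path $RegKey -Name ImagePath -Type ExpandString -Value "$Copy $ServiceArgs"

    # Program-based rule: matched on the executable path, so the thread-pool caveat does not apply.
    New-NetFirewallRule -DisplayName "Allow $Service via $(Split-Path $Copy -Leaf)" `
        -Direction Outbound -Program $Copy -Protocol TCP -RemotePort $RemotePort `
        -Action Allow -Profile Any | Out-Null

    Start-Service -Name $Service
}

function Test-DedicatedSvchostRule {
    param([Parameter(Mandatory)][string]$Service)
    # The service must now run from the copy, and the rule's program filter must name that same path.
    $SvcPid  = (Get-CimInstance Win32_Service -Filter "Name = '$Service'").ProcessId
    $RunPath = (Get-Process -Id $SvcPid).Path
    $Rule    = Get-NetFirewallRule -DisplayName "Allow $Service via *"
    $Program = ($Rule | Get-NetFirewallApplicationFilter).Program
    [pscustomobject]@{
        Service       = $Service
        RunningFrom   = $RunPath
        RuleProgram   = $Program
        RuleMatches   = ($Program -ieq $RunPath)
        ServiceFilter = ($Rule | Get-NetFirewallServiceFilter).Service   # expected: Any
    }
}

# Baseline from the question: allow DNS/DHCP for every program, then default-deny outbound everywhere.
New-NetFirewallRule -DisplayName 'Allow DNS (any program)'  -Direction Outbound -Protocol UDP `
    -RemotePort 53 -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow DHCP (any program)' -Direction Outbound -Protocol UDP `
    -LocalPort 68 -RemotePort 67 -Action Allow -Profile Any | Out-Null
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

foreach ($svc in 'wuauserv', 'DoSvc') {
    New-DedicatedSvchostRule -Service $svc
    Test-DedicatedSvchostRule -Service $svc
}
```

Test-DedicatedSvchostRule is the check worth keeping around after the fact: RuleMatches must be True and ServiceFilter must read Any, and if a servicing operation or SFC puts the original svchost.exe back into ImagePath, RunningFrom changes and the rule silently stops matching, which is the failure mode the answer warns about. The DNS and DHCP rules are created before the default is flipped so that name resolution never drops on the way.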