Windows 10: Windows Defender Firewall with Advanced Security -- Connection Security Rules

Discussion in 'AntiVirus, Firewalls and System Security' started by MAJA WA, Nov 6, 2018.

  1. MAJA WA Win User


    I have a scenario that is really confusing me. I recently switched from a 3rd party personal firewall provider to using Windows Defender Firewall with Advanced Security. I'm not very familiar with it so I decided to do some experimenting. I wanted to play with Connection Security Rules and see how any of the settings might affect network traffic. Well, I added a rule requiring Kerberos v5 authentication for all incoming connections and requesting it on all outgoing connections. This applies to any two endpoints, any port, any protocol. Since my understanding is that Kerberos authentication only applies to Active Directory Domain Networks, I expected it would either disrupt my network connection, or have no effect at all.


    To my surprise, it seems to have had a beneficial effect. Simply enabling the rule disables other devices in my local network from being able to port scan my PC, or capture unencrypted web traffic with tools such as ettercap, aircrack-ng, etc. As soon as I disable the rule, I'm able to capture traffic from another device and scan for open ports on the PC again. I've had the rule on for a couple of weeks now, and it doesn't seem to negatively affect my connectivity in any way. When running Wireshark alongside it, I don't see any unencrypted traffic, with the only noteworthy thing to mention being a whole lot of ISAKMP connections. I can't figure out what accounts for this behavior. At no time is my PC or any other device connecting to it, or trying to anyway, presented with login credential requests. If you have any idea why this is occurring, I would much appreciate the enlightenment. Specific info on my PC below:


    Windows 10 Pro x64 ver 1803 - Firewall settings are configured through mmc and group policy.


    Desktop PC, however I connect wirelessly. Only one network interface is enabled at a time. IPv6 is turned off for the interface in question.


    Local residential network. ISP is Comcast. Three desktops (two Windows, one Linux), two laptops (one Windows, one Mac), two gaming systems, a tablet, and 8 phones (mix of iPhones and Androids), all connect wirelessly. No workgroup or filesharing established.


    If you need additional info let me know. Thanks!

    :)
     
    MAJA WA, Nov 6, 2018
    #1
  2. ARC1020 Win User

    firewall alerts even with advanced rules applied


    I don't know, it's been a really long time since I've used FTP and even then didn't use it much, so I can't help you. From memory there are two types of FTP, Passive and Active. One of them (Passive I think) doesn't just use Ports 20 and 21, but assigns a different Port number for the data transfer. Maybe that is what's being blocked? Alternatively, maybe the router or ISP is blocking the connection?

    However, if you think the problem is due to Windows Firewall (and Windows Firewall isn't asking you whether to allow an incoming connection or not), then you need to see exactly what is being blocked so that you can then add/modify your rules accordingly. Windows doesn't make that particularly user-friendly, but this is how you enable logging:

    Go to Group Policy Editor and enable logging of blocked connections:

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Tick 'Failure'





    Then go to Event Viewer and set it up to view those blocked connections:

    Event Viewer > Custom Views > Right-click > Create Custom View > XML tab > Tick 'Edit Query Manually'




    Paste the following:

    Windows Firewall Blocked Inbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and
          *[EventData[Data[@Name="Direction"]="%%14592"]]
        </Select>
      </Query>
    </QueryList>
    Then repeat the above steps for Outbound connections too.

    Windows Firewall Blocked Outbound (All):
    Code:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=5150 or EventID=5157)]]
          and
          *[EventData[Data[@Name="Direction"]="%%14593"]]
        </Select>
      </Query>
    </QueryList>
    This will show you everything that's being blocked by Windows Firewall, so you will need to sort through the entries to find the ones that could be related to your FTP problem and add/modify rules accordingly. 'Protocol' numbers shown in the logs are documented at THIS LINK (TCP = 6, UDP = 17)


     
    ARC1020, Nov 6, 2018
    #2
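
The logging procedure from post #2, scripted in PowerShell as an added example that is not part of the original thread: it enables the same audit subcategory with `auditpol`, runs the post's custom-view query through `Get-WinEvent -FilterXml`, and ranks what is being blocked. The function name `Get-BlockedConnection` and the `-MaxEvents` default are hypothetical; the `Application`, `Protocol`, `SourceAddress`/`SourcePort` and `DestAddress`/`DestPort` fields are assumed to be present in the event data, as they are for event 5157.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
# changing audit policy and reading the Security log both need admin rights.

# Same setting as the Group Policy step: audit failures for
# "Filtering Platform Connection" in the local audit policy.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedConnection {
    param(
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound',
        [int] $MaxEvents = 500              # hypothetical default, tune as needed
    )
    # Direction codes and protocol numbers are the ones given in the post.
    $code      = @{ Inbound = '%%14592'; Outbound = '%%14593' }[$Direction]
    $protoName = @{ '6' = 'TCP'; '17' = 'UDP' }

    # The post's custom-view query, unchanged apart from the direction code.
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5150 or EventID=5157)]]
      and
      *[EventData[Data[@Name="Direction"]="$code"]]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <EventData><Data Name="..."> pairs into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            $proto = $data['Protocol']
            if ($proto -and $protoName.ContainsKey($proto)) { $proto = $protoName[$proto] }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $data['Application']
                Protocol    = $proto
                Source      = "$($data['SourceAddress']):$($data['SourcePort'])"
                Destination = "$($data['DestAddress']):$($data['DestPort'])"
            }
        }
}

# Most frequently blocked application / protocol / destination combinations.
Get-BlockedConnection -Direction Inbound |
    Group-Object Application, Protocol, Destination |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name
```

Swap `-Direction Inbound` for `Outbound` to cover the second query from the post.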
  3. windows defender

    Well, you mentioned Windows Defender Advanced Security. Windows 10 includes Windows Defender Security Center.

    Thanks for the clarification, here is a good starter guide to creating rules in Windows Defender Firewall with Advanced Security.

    https://www.digitalcitizen.life/manage-rules-wi...
     
    Andre Da Costa, Nov 6, 2018
    #3
  4. topgundcp Win User

    Windows Firewall rules: how to find out what created them?


    Click on the Start button, then type: firewall, and select Windows Defender Firewall with Advanced Security. Click on Inbound/Outbound and you'll see the list.
     
    topgundcp, Nov 6, 2018
    #4