Windows 10: Windows Update and firewall

Discuss and support Windows Update and firewall in Windows 10 Network and Sharing to solve the problem; I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows... Discussion in 'Windows 10 Network and Sharing' started by killerhonky, Jul 24, 2015.

  1. Windows Update and firewall


    I run a very hardened system, I lock down all incoming connections and remove all outgoing but core networking on a new install. How can I get windows update to connect to the internet again? I've unblocked svchost.exe for the Windows Update service and still nothing. Any help?

    :)
     
    killerhonky, Jul 24, 2015
    #1

  2. Windows 10 Update Bug - Error 0x800706d9

    When Windows Update was last updated, a bug was introduced that requires Windows Firewall. Windows Update will not download updates with a third party firewall. Since the most effective antivirus programs are now bundled with a firewall, requiring a specific firewall is a problem.

    If the change to require Windows Firewall was necessary to preserve security, then the update to Windows Update should have enabled Windows Firewall. The Notification system should then have warned the user that two firewalls are running (which is inefficient and can lead to security problems) and that Windows Firewall is now required, so the third party firewall should be disabled. However, most users have no idea about how to disable a third party firewall.

    An alternative is for Windows Update to start the Windows Firewall when downloading of updated modules begins, and disable Windows Firewall upon completion of downloading if another firewall is running.

    My guess as a software engineer and professor of computer science is that this bug was introduced while fixing a problem with p2p downloading, without proper testing.

    Note: This problem has been reported many times in the forum since the November update. However, it appears that Microsoft support personnel answering questions in the forum failed to report this problem as a bug. The support personnel recommended the work-around of starting Windows Firewall from the Services Manager screen or the Net command (instead of the Network & Internet -> Windows Firewall screen). The problem of having two firewalls running was not dealt with.
     
    Martin Katz Ph.D., Jul 24, 2015
    #2
  3. Update KB 3140768 and KB3140743 fails

    Hi Vanessa,

    Regarding windows update failures, particularly kb 3140768, I have tried the following:-

    Firstly, it is worth checking firewall settings. Up until today, I used the norton firewall on norton 360 premium, with the windows firewall turned off. Some windows updates were successful, and some failed.

    I turned the Norton firewall off and turned the Windows firewall on. I think it is fair to say that the majority of computer users are aware that only one firewall should be running. Since running the Windows firewall with my Norton firewall turned off, I have had no further problems with Windows updates.

    Hope this helps,
     
    RodneyColeman_812, Jul 24, 2015
    #3
  4. bro67 Win User

    Windows Update and firewall

    That is going to be an issue then. svchost.exe is just a generic process that can contain multiple processes within.

    If you have your computer so locked down that it is basically a doorstop, you need to reverse that process. A good gateway for your network is sufficient to protect the LAN. It is the user's poor habits that get them into trouble and cause an infected machine.
     
    bro67, Jul 24, 2015
    #4
  5. ARC1020 Win User
    Note: I haven't used Windows 10, therefore I'm not sure if any changes have been made between Windows 8 and Windows 10.

    I assume you're talking about Windows Firewall? If your firewall is blocking outbound connections, then the first thing you need to do is see everything that it's blocking. Once you know what it's blocking, then you will have an idea what rules you need to set. With Windows Firewall, you won't get any notifications of blocked outbound connections, so you will need to set up logging. I don't think Microsoft particularly like people blocking outbound connections due to the problems it causes, so setting up logging isn't user friendly and has to be done through Group Policy and Event Viewer.

    1) To start logging, go to Group Policy Editor then > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Set to Failure


    [screenshot: Audit Filtering Platform Connection policy setting]


    2) Then go to Event Viewer and create a 'Custom View'.


    [screenshot: Event Viewer, Create Custom View]


    3) Click on the XML tab (screenshot below).

    4) Tick 'Edit Query Manually' and paste ONE of the following. The first one will show all blocked connections; the second one has 'Suppress Path' lines in it, which means blocked outbound connections to those destination ports (1900, 3702, 5355 and 137) won't be displayed in Event Viewer, making it easier to see the other blocked connections. Those four ports are part of the 'Network Discovery' rules: if you have sharing off, the network is treated as a public network and they will be blocked by the firewall rules.

    Code:
        <QueryList>
          <Query Id="0" Path="Security">
            <Select Path="Security">
              *[System[(EventID=5150 or EventID=5157)]]
              and *[EventData[Data[@Name="Direction"]="%%14593"]]
            </Select>
          </Query>
        </QueryList>

    OR

    Code:
        <QueryList>
          <Query Id="0" Path="Security">
            <Select Path="Security">
              *[System[(EventID=5150 or EventID=5157)]]
              and *[EventData[Data[@Name="Direction"]="%%14593"]]
            </Select>
            <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="1900")]]</Suppress>
            <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="3702")]]</Suppress>
            <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="5355")]]</Suppress>
            <Suppress Path="Security">*[EventData[(Data[@Name="DestPort"]="137")]]</Suppress>
          </Query>
        </QueryList>

    [screenshot: Custom View XML query with a blocked connection event showing "Protocol: 6"]

    5) You should now be able to view all outbound connections that are being blocked by Windows Firewall. In all likelihood, it's probably svchost.exe being blocked from making TCP connections to ports 80 and 443, because from memory these aren't part of the core networking rules. Also, if making a new rule for svchost.exe to allow outbound TCP connections to 80 and 443, don't bind it to the 'Windows Update' service, as that doesn't work anymore (at least not in Windows 8). It's still possible to bind other services to an svchost rule, such as the 'Windows Time' service for Network Time Protocol, just not the Windows Update service for some reason.

    Personally I'd let all genuine Windows processes make outbound connections, Windows already has Ring Zero, it can do whatever it wants anyway.

    NB: The event logs will show protocols as numbers rather than the acronyms TCP, UDP, etc. (In the last screenshot above, for example, it says "Protocol: 6".) Protocol 6 is TCP, Protocol 17 is UDP; the most common ones are listed here.
     
    ARC1020, Jul 24, 2015
    #5
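The same procedure as a PowerShell script, added here as an example and not part of the thread: it enables the same audit subcategory the Group Policy path sets, pulls the same 5150/5157 outbound events the XML custom view selects, filters out the four Network Discovery ports, summarises what is being blocked per program and destination port, and then creates the svchost.exe rule for TCP 80/443 without binding it to the Windows Update service. The rule display name, the 2000-event limit and the "noise" port list are my own choices; cmdlets, event IDs and field names are standard Windows ones. Run it from an elevated prompt.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell session.

# 1) Failure auditing for "Filtering Platform Connection" (same setting as the Group Policy path above).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 2) Same selection as the Event Viewer custom view: WFP blocked packet/connection, Direction = outbound (%%14593).
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]] and *[EventData[Data[@Name="Direction"]="%%14593"]]</Select>
  </Query>
</QueryList>
"@

$noisePorts = '1900', '3702', '5355', '137'      # Network Discovery ports the post suppresses
$protoNames = @{ 6 = 'TCP'; 17 = 'UDP' }         # the log stores IP protocol numbers, not names

$blocked = foreach ($ev in Get-WinEvent -FilterXml $xml -MaxEvents 2000 -ErrorAction SilentlyContinue) {
    # Flatten the EventData <Data Name="..."> elements into a name -> value table.
    $d = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $p = [int]$d.Protocol
    [pscustomobject]@{
        Application = $d.Application
        DestAddress = $d.DestAddress
        DestPort    = $d.DestPort
        Protocol    = if ($protoNames.ContainsKey($p)) { $protoNames[$p] } else { "$p" }
    }
}

# 3) What is actually being dropped, most frequent first, with the discovery-port noise removed.
$blocked |
    Where-Object { $noisePorts -notcontains $_.DestPort } |
    Group-Object Application, Protocol, DestPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4) Per the post: allow svchost.exe out to TCP 80/443 by program path only.
#    Do NOT add -Service wuauserv; the post reports that binding the rule to the Windows Update service does not work.
New-NetFirewallRule -DisplayName 'Allow svchost.exe outbound TCP 80,443 (Windows Update)' `
    -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' `
    -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
```

Re-run the summary after the rule is in place; svchost.exe entries for ports 80 and 443 should disappear, and anything that remains is a separate hole to decide on.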
  6. I study technology forensics, it is necessary. I don't even run as a privileged user. I was simply asking for a way to monitor this service and unplug holes where necessary. Thanks arc1020, I'll play around now that I can monitor, hard to find my way around outside of a *NIX server.
     
    killerhonky, Jul 24, 2015
    #6
  7. bro67 Win User
    If you are doing anything with forensics, the machine should never be connected to the Internet. As for Linux, it all depends on what you are using the server for.

    But going back to the original request. If you want to update that machine, you are going to have to unlock the Firewall on the machine, if you plan on downloading anything.

    Also the Svchost.exe needs to be able to do its job, since the Firewall is also a part of that process, along with other items.
     
    bro67, Apr 5, 2018
    #7