You may configure Windows Firewall either manually by following this how-to or by running the script ConfigureFirewall.bat
You may call me paranoid, but the steps described in the configure firewall guide were just a passive defense. I would like to take a more proactive approach against possible network attacks. Just skip the next steps if you don't want or need this (not recommended).
So, first of all, I'm going to create block rules for all listening services on my rig. To do this we need a list of the active listening ports on our computer.
To get a list of all LISTENING ports on your PC run the command:
netstat -an | findstr LISTEN
or run this small one-liner to get the same list extended by process info (preferred way; the filter matches both IPv4 and IPv6 listeners, whose remote address shows as 0.0.0.0 or ::):
powershell -Command "& Get-NetTCPConnection | ? {($_.State -eq 'Listen') -and ($_.RemoteAddress -in '0.0.0.0','::')} | ForEach { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess -FileVersionInfo ).FileName; if ( $n -eq $null ) { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess).Name }; New-Object PSObject -Property @{ Port=$_.LocalPort; Name=$n; PID=$_.OwningProcess } }"
This is a possible output of the above command on a freshly installed Windows machine:
Consult this table of known TCP/UDP ports if you want to know which services listen on which port. In my particular case I'm going to block ports 49664-49675, 3389, 139 and 135.
Here is a list of well-known ports which should be explicitly blocked:
1. Windows RPC - TCP/UDP ports 135, 593, 49664-49675
2. Windows Deployment Services (WDS) - TCP/UDP port 5040
Please note that by disabling the NetBIOS ports you will not be able to share folders or disks from your computer any more.
3. NetBIOS Name Service - TCP/UDP port 137
4. NetBIOS Datagram Service - TCP/UDP port 138
5. NetBIOS Session Service - TCP/UDP port 139
6. TCP NetBIOS helper - TCP port 445
7. UPnP Service - TCP port 5000
8. DNSCache Service - TCP/UDP port 5353
9. Windows Update Delivery Optimization - TCP/UDP port 7680
10. Windows Remote Desktop Protocol (RDP) - TCP port 3389
Don't block port 3389 if you are planning to access your rig over RDP. But if you do plan to, I would highly recommend changing its port number and creating an Allow rule for it (see below).
1. Open the Firewall Control Panel and switch to the Inbound Rules screen. For the above mentioned ports, both TCP and UDP, you should repeat the following steps 2-14:
2. Click the New Rule item.
5. Click the TCP control.
6. Click the Specific local ports button.
7. Enter a comma-separated list of related ports. On this particular screenshot I block at once all Windows RPC related TCP ports: 135, 593, 5040, 49664-49675. Another logical group of ports is NetBIOS: 137, 138, 139, 445; you may create just one rule for them.
Please note that you should repeat these steps for UDP ports as well: start from step 2, but at step 5 select the UDP control instead of TCP.
8. Click the Next button.
13. Enter a name for the rule. It's just a text which will be displayed in the rules list on the Firewall Control Panel.
14. Click the Finish button.
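The same block rules can be created from an elevated PowerShell session instead of clicking through the wizard. The script below is an added example and is not the ConfigureFirewall.bat shipped with this how-to; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) to create one inbound Block rule per port group and protocol from the list above, skips rules that already exist so it can be re-run, honours -WhatIf, and finishes by listing the rules it manages together with their port filters. The rule-name prefix "Block inbound" and the -BlockRdp switch (3389 is opt-in because of the RDP warning above) are my own conventions, not something the page prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's ConfigureFirewall.bat. Scripted equivalent of steps 1-14:
# inbound Block rules for the port groups listed in this how-to, via New-NetFirewallRule.
[CmdletBinding(SupportsShouldProcess)]
param(
    # The how-to says not to block 3389 if you plan to use RDP, so it is opt-in here (assumption).
    [switch]$BlockRdp
)

# Port groups and protocols exactly as listed above; 445, 5000 and 3389 are TCP-only on the page.
$Groups = @(
    @{ Name = 'Windows RPC';                 Ports = @('135', '593', '49664-49675'); Protocols = @('TCP', 'UDP') },
    @{ Name = 'Windows Deployment Services'; Ports = @('5040');                      Protocols = @('TCP', 'UDP') },
    @{ Name = 'NetBIOS';                     Ports = @('137', '138', '139');         Protocols = @('TCP', 'UDP') },
    @{ Name = 'TCP NetBIOS helper';          Ports = @('445');                       Protocols = @('TCP') },
    @{ Name = 'UPnP';                        Ports = @('5000');                      Protocols = @('TCP') },
    @{ Name = 'DNSCache';                    Ports = @('5353');                      Protocols = @('TCP', 'UDP') },
    @{ Name = 'Delivery Optimization';       Ports = @('7680');                      Protocols = @('TCP', 'UDP') }
)
if ($BlockRdp) {
    $Groups += @{ Name = 'Remote Desktop (RDP)'; Ports = @('3389'); Protocols = @('TCP') }
}

foreach ($g in $Groups) {
    foreach ($proto in $g.Protocols) {
        # One naming scheme for every rule so they are easy to find (and remove) later.
        $name = "Block inbound $($g.Name) ($proto)"

        # Idempotent: a rule with this display name already exists, leave it alone.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "exists : $name"
            continue
        }

        # -WhatIf on the script shows what would be created without touching the firewall.
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound Block rule')) {
            New-NetFirewallRule -DisplayName $name `
                                -Direction Inbound `
                                -Action Block `
                                -Protocol $proto `
                                -LocalPort $g.Ports `
                                -Profile Any `
                                -Enabled True | Out-Null
            Write-Host "created: $name  ports=$($g.Ports -join ',')"
        }
    }
}

# Verification: show the rules managed by this script with the ports they actually filter.
Get-NetFirewallRule -DisplayName 'Block inbound *' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [PSCustomObject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
            Enabled   = $_.Enabled
        }
    } | Format-Table -AutoSize
```

Run it as `.\Block-ListeningPorts.ps1 -WhatIf` first to see the rules it would create, then without -WhatIf; add `-BlockRdp` only if you really do not need Remote Desktop. Re-running the listening-ports one-liner from the start of this page afterwards will still show the services listening, which is expected: the rules block the inbound connections, they do not stop the services.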
Continue to the next how-to: allowing selected inbound connections.