14

I've set my Windows firewall the way I want it, but apparently any application can create its own rule to completely override my settings. How can I prevent this from happening?

Branko
  • 143

3 Answers

9

UPDATE: For Windows 10+ there are additional steps needed; see Binarus' answer for the additional steps.


Yes, but the computer will not allow any local exceptions not set by group policy.

I am going to assume you are not on a domain, but if you are, it is very similar; it will just be a domain policy instead of a local policy.

First, you must open the local group policy settings by opening MMC, going to File->Add/Remove Snap-In..., and adding the Group Policy Object Editor for your local computer.

From there navigate to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\ and there are two settings you want to set to disabled, Windows Firewall: Allow local port exceptions and Windows Firewall: Allow local program exceptions.

Once those are set, you can no longer make any changes to the Windows Firewall using the Windows API, including going in by hand and editing it via advanced settings. If you want to enable an exception, you will need to do it through the group policy now. You can set the rules up in Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object. These rules will be the only rules in effect on your system.

If you are on a domain you just need to use the domain group policy tools instead of the local ones.

3

Old question, but I came across it when searching for the same solution for Windows 10 - it is near the top of the Google results with my search terms. Therefore, I'll answer it for Windows 10.

In Windows 10, Scott Chamberlain's answer is still not untrue, but covers only a part of the problem. When you follow the steps he mentioned, local administrators indeed will no longer be able to define exceptions using the Windows Defender Firewall component in Control Panel. However, they will still be able to create rules using the Windows Defender Firewall with Advanced Security MMC snap-in.

If you want to prevent the latter, you can do this also via Group Policies, but at another place: Navigate to Local Computer policy -> Computer Configuration -> Windows Settings -> Security Settings -> Windows Defender Firewall With Advanced Security. Right-click this item and choose Properties.

A new dialog opens. In that dialog, click Customize ... in the section Settings. This again opens another dialog. Note the two drop-down fields in section Rule merging, and set them both to No.

Repeat this process for all profiles (Private, Public, Domain). Of course, when doing this, you should adjust the other settings as well as you desire, and this is also the only place where you can configure firewall rules afterwards.

Binarus
  • 2,039
  • 14
  • 27
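The rule-merging setting from Binarus' answer can also be applied and checked from an elevated PowerShell prompt. This is an added example, not part of either answer; it assumes a non-domain machine, where `localhost` as the policy store addresses the local Group Policy Object.

```powershell
#Requires -RunAsAdministrator
# Added example. 'localhost' as -PolicyStore addresses the local Group Policy
# Object (assumption: the machine is not domain-joined).
$gpo = 'localhost'

# Equivalent of setting both "Rule merging" drop-downs to No for all three
# profiles: local firewall rules and local connection security rules.
Set-NetFirewallProfile -PolicyStore $gpo -Profile Domain,Private,Public `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Re-apply computer policy so the change takes effect immediately.
gpupdate.exe /target:computer /force | Out-Null

# Check the effective (merged) policy: every profile should report False.
$effective = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules
$effective | Format-Table -AutoSize

$stillMerging = $effective |
    Where-Object { "$($_.AllowLocalFirewallRules)" -ne 'False' }
if ($stillMerging) {
    Write-Warning "Local rules are still merged for: $($stillMerging.Name -join ', ')"
}

# Rules held in the GPO store: per the answers above, the only rules that
# apply once merging is off.
Get-NetFirewallRule -PolicyStore $gpo |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize

# Rules in the local store, where applications and installers add theirs.
# They remain listed but are no longer applied; review them to see what
# software has been adding.
Get-NetFirewallRule -PolicyStore PersistentStore |
    Where-Object { $_.Enabled -eq 'True' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Direction, Action, Profile |
    Format-Table -AutoSize
```

Create any allow rules you depend on in the same store first (for example with `New-NetFirewallRule -PolicyStore localhost`), because rules outside it stop applying once merging is off.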
-2

Step-by-step instructions to block applications from changing the firewall settings:

  1. Open Control Panel in the Start menu.

  2. Open Windows Firewall in the Control Panel.

    Note: If Windows Firewall is not available, change View by to Large icons at the top right of the Control Panel.

  3. Select Allow a program or feature through Windows Firewall in the left column of the window.

  4. Click the Change settings button in the Allowed Programs window.
  5. Uncheck the program or feature and then click OK to save the changes.

What if the program I want to block using the Windows 7 firewall is not listed?

  1. Follow the steps above.
  2. When you get to the last step (above), click the Allow another program button.
  3. Select the program from the Add a Program list or click Browse to find it and then click Add.

  4. Uncheck the program and then click OK to save the settings.
