
So I'm starting to evaluate Windows 10. While the network being utilised is for testing and forms part of the DMZ, it has a very stringent security policy. Specifically, the firewall rules must be very restrictive, blocking all traffic other than exceptions that specify program, port, source and destination IP. This is so that when tested configurations go into service we can prepare the edge firewall.


So the usual actions are: disable all outbound (except DNS), disable all inbound (except Remote Desktop), then set the firewall to block inbound and outbound traffic for the Domain, Private and Public profiles.


I notice that Windows Update asks for a reboot. Confused as to how it has a connection, I go to check the firewall rules. There is not one allowing it out. I open Updates and sure enough it syncs with the update servers. So again I check the Outbound Rules list, and there is not one for Windows Update. This is when I noticed that Windows Firewall allows Windows Update to bypass the default outbound policy (block), or however you would like to phrase it.


This can be prevented by creating a firewall rule that expressly blocks Windows Update.


My opinion of Windows Firewall with Advanced Security was pretty high; however, this has totally disillusioned me for versions after NT8. Has anyone else noticed any irregularities with Windows Firewall? Can it be trusted?

Indeed (see footnote). Blocking updates was not my intention; I was eventually going to point the server to our WSUS. The updates themselves are not the issue; I am mostly concerned about the integrity of Microsoft's firewall.


Footnote: with a proxy firewall it's pretty easy to block Microsoft Update, but some firewalls (especially SMB ones) can make it much harder. MS Update uses well-known ports that effectively can't be blocked (80 and 443). Microsoft use URLs to locate servers, so it is not just a case of blocking one IP, and the IPs used change.

I use dnsmasq to block hostnames on my entire network. Think of dnsmasq as the hosts file equivalent for your router. You can also use iptables rules to block specific IPs or IP ranges for specific protocols (TCP, UDP, etc.) and port(s). Not very user friendly, but it's much more robust than any software firewall on an individual PC.


Dnsmasq will force all subdomains of an entry to resolve to that IP address. For instance:

address=/microsoft.com/0.0.0.0

will make microsoft.com, stuff.microsoft.com, anythinghere.microsoft.com, anythinghere.anything.microsoft.com, etc. all resolve to 0.0.0.0.


This hinges, of course, on ensuring your PC is using your router as its DNS server, and nothing else.


My router is set up to forcefully redirect all DNS lookups to the router. So if PC1 tries looking up a hostname on 8.8.8.8, it will be forcefully redirected to 192.168.1.1.
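The post above describes how a dnsmasq `address=/domain/ip` entry catches the domain and every subdomain under it. The following is an added example, not code from the post or from dnsmasq itself: a small Python model of that matching rule, so you can check which hostnames an entry will actually catch (and which it will not, such as a different domain that merely ends in the same letters) before relying on it. It goes slightly beyond the post by also applying dnsmasq's most-specific-match behaviour, where a longer matching domain entry wins over a shorter one. The config fragment, the second `address=` entry and the IP 203.0.113.10 are constructed for illustration.

```python
"""Model of dnsmasq's address=/<domain>/<ip> matching.

Added example: this is not dnsmasq code, only a model of how it decides
which forced answer (if any) applies to a queried hostname.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample dnsmasq.conf fragment. The microsoft.com entry is the
# one from the post; the second entry is hypothetical and only demonstrates
# that the most specific (longest) matching domain wins.
SAMPLE_CONF = """
# block the whole domain tree (entry from the post)
address=/microsoft.com/0.0.0.0
# hypothetical narrower entry, overrides the one above for its own subtree
address=/allowed.microsoft.com/203.0.113.10
"""


@dataclass(frozen=True)
class AddressRule:
    domain: str  # normalised: lower-case, no leading/trailing dot
    ip: str


def parse_address_rules(config_text: str) -> List[AddressRule]:
    """Extract address=/domain/ip entries; comments and other keys are ignored."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line.startswith("address=/"):
            continue
        # "address=/microsoft.com/0.0.0.0" -> ["address=", "microsoft.com", "0.0.0.0"]
        _, domain, ip = line.split("/", 2)
        rules.append(AddressRule(domain.strip(".").lower(), ip.strip()))
    return rules


def domain_covers(domain: str, hostname: str) -> bool:
    """True if hostname is the domain itself or any subdomain of it.

    The leading dot in the suffix check is what stops an unrelated name such
    as fakemicrosoft.com from matching the microsoft.com entry.
    """
    return hostname == domain or hostname.endswith("." + domain)


def resolve(hostname: str, rules: List[AddressRule]) -> Optional[str]:
    """Return the forced IP for hostname, or None if no entry applies.

    None means dnsmasq would forward the query upstream as usual. When several
    entries cover the name, the one with the longest domain is chosen.
    """
    host = hostname.strip(".").lower()
    best: Optional[AddressRule] = None
    for rule in rules:
        if domain_covers(rule.domain, host):
            if best is None or len(rule.domain) > len(best.domain):
                best = rule
    return best.ip if best else None


RULES = parse_address_rules(SAMPLE_CONF)

if __name__ == "__main__":
    for name in ("microsoft.com", "stuff.microsoft.com",
                 "a.b.microsoft.com", "fakemicrosoft.com",
                 "x.allowed.microsoft.com", "example.com"):
        print(f"{name:28s} -> {resolve(name, RULES)}")
```

This only models name resolution; it says nothing about clients that bypass the router's resolver (hard-coded DNS servers, DNS over HTTPS, or IPs already cached), which is exactly why the post also redirects every port 53 lookup back to the router.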

