Windows Firewall Default Rules Explained: Minimize exposure and risk

May 22, 2020
Peter Ericsson

The Windows Firewall, or Windows Defender Firewall, ships with every modern version of the Windows operating system and protects the system from unsolicited traffic. You may not be aware of how many firewall rules are enabled by default, why they are there, or what their implications might be.

●    Do you know what Firewall ports are open by default on a Windows Server System?

●    Do you know what services use these rules and why?

●    Do you know what services can be disabled and how?

●    What is lateral movement and what are the risks?
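To answer these questions for a specific host rather than from a list, the following PowerShell (an added example, not part of the original article) enumerates every enabled inbound Allow rule with its ports, program, service and remote-address scope using the built-in NetSecurity cmdlets. The function name and the baseline file name are my own.

```powershell
# Added example (not from the original article). Lists every enabled inbound
# Allow rule on this host together with the ports, program, service and remote
# address scope behind it, grouped by the rule's DisplayGroup. Uses only the
# built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later).

function Get-InboundExposure {
    [CmdletBinding()]
    param(
        # Report only rules that accept traffic from any remote address
        [switch]$UnscopedOnly
    )

    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow

    foreach ($rule in $rules) {
        # The port/application/address/service filters are separate objects that
        # the Get-*Filter cmdlets resolve from the rule passed on the pipeline.
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $svc  = $rule | Get-NetFirewallServiceFilter

        $remote   = @($addr.RemoteAddress) -join ','
        $unscoped = ($remote -eq 'Any')
        if ($UnscopedOnly -and -not $unscoped) { continue }

        [pscustomobject]@{
            Group      = $rule.DisplayGroup
            Name       = $rule.Name
            Profile    = $rule.Profile.ToString()
            Protocol   = $port.Protocol
            LocalPort  = @($port.LocalPort) -join ','
            RemoteAddr = $remote
            Program    = $app.Program
            Service    = $svc.Service
        }
    }
}

$exposure = Get-InboundExposure

# 1. How many enabled inbound Allow rules does each default group contribute?
$exposure | Group-Object Group | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The rows that matter most: reachable from any address on the Public profile.
$exposure |
    Where-Object { $_.RemoteAddr -eq 'Any' -and $_.Profile -match 'Public' } |
    Sort-Object Group, Name |
    Format-Table Group, Name, Protocol, LocalPort, Program -AutoSize

# 3. Keep a baseline so the next feature update or application install can be
#    diffed against it (Compare-Object on two exports shows what was added).
$baseline = Join-Path $env:TEMP ("inbound-exposure-{0}.csv" -f $env:COMPUTERNAME)
$exposure | Export-Csv -Path $baseline -NoTypeInformation
```

Run it once on a freshly installed machine and again after joining it to the domain or installing software; the difference between the two CSV exports is the exposure that was added.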

Default Firewall Groups with inbound rules

AllJoyn Router

The AllJoyn framework is managed by the AllSeen Alliance and was designed to prevent IoT security issues and enable interoperability of Internet of Things devices regardless of operating system, manufacturer or type of device. It is considered the largest open-source project aimed expressly at IoT, with over 200 manufacturers signed up, such as Samsung, Cisco and Panasonic. Microsoft has made it a core component of the Windows operating system.

The AllJoyn Router Service is used to route AllJoyn messages for AllJoyn clients.

Name | Description
--- | ---
AllJoyn-Router-In-TCP | Inbound rule for AllJoyn Router traffic [TCP]
AllJoyn-Router-In-UDP | Inbound rule for AllJoyn Router traffic [UDP]

https://docs.microsoft.com/en-us/windows/client-management/mdm/alljoynmanagement-csp

Concerns

Case studies and reports have raised security concerns about the AllJoyn framework regarding system takeovers, complexity and responsibilities, limitations and privacy. Most users and servers have no specific need for this service; it should be disabled and blocked.

Cast to Device functionality

Cast to Device is a Windows feature that streams videos, pictures and other media from your PC to a TV or other DLNA-capable device. It is an improved version of the Play To feature from previous Windows versions.

Name | Description
--- | ---
PlayTo-HTTPSTR-In-TCP-NoScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-HTTPSTR-In-TCP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-HTTPSTR-In-TCP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-In-UDP-NoScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-UDP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-UDP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-RTSP-NoScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-In-RTSP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-In-RTSP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-SSDP-Discovery-PlayToScope | Inbound rule to allow discovery of Cast to Device targets using SSDP
PlayTo-UPnP-Events-PlayToScope | Inbound rule to allow receiving UPnP Events from Cast to Device targets
PlayTo-QWave-In-UDP-PlayToScope | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177]
PlayTo-QWave-In-TCP-PlayToScope | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177]

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/wireless-projection-understanding

Concerns

Many Chromecast streaming devices have historically had security flaws; if Cast to Device is not specifically needed, it should be disabled and blocked.

Core Networking

The Core Networking group mainly concerns the protocols that IPv6 needs to function. It also contains rules for DHCP, ICMP and IGMP, among others.

Name | Description
--- | ---
CoreNet-ICMP6-DU-In | Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.
CoreNet-ICMP6-PTB-In | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.
CoreNet-ICMP6-TE-In | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.
CoreNet-ICMP6-PP-In | Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.
CoreNet-ICMP6-NDS-In | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.
CoreNet-ICMP6-NDA-In | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.
CoreNet-ICMP6-RA-In | Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.
CoreNet-ICMP6-RS-In | Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.
CoreNet-ICMP6-LQ-In | An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.
CoreNet-ICMP6-LR-In | The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LR2-In | Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LD-In | Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.
CoreNet-ICMP4-DUFRAG-In | Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.
CoreNet-IGMP-In | IGMP messages are sent and received by nodes to create, join and depart multicast groups.
CoreNet-DHCP-In | Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.
CoreNet-DHCPV6-In | Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.
CoreNet-Teredo-In | Inbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.
CoreNet-IPHTTPS-In | Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.
CoreNet-IPv6-In | Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/core-network-guide-windows-server

Concerns

Generally speaking, these rules should not be disabled; some of them are necessary for your network configuration to work at all. If you disable DHCP, you may not get an IP address from the DHCP server (depending on your configuration); if you disable ICMP, network performance may be degraded, and so on.

Cortana

Cortana is a virtual assistant from Microsoft available on, for example, Windows 10, the Invoke smart speaker, Microsoft Band, Surface Headphones, Xbox One, iOS, Android, Windows Mixed Reality and Amazon Alexa.

Cortana can set reminders, recognize voices without the requirement for keyboard input, and answer questions using information and web results from the Bing search engine.

Name | Description
--- | ---
{GUID} | Search the web and Windows
{GUID} | Search the web and Windows

https://www.microsoft.com/en-us/cortana

Concerns

Vulnerabilities have been found in Cortana that could allow an attacker to break into a Windows computer using Cortana and voice commands, even while it is locked. The underlying problem is that Cortana is always listening.

Cortana can circumvent the usual safeguards, allowing attackers to execute commands and, for example, install malware.

If it is not specifically needed it should be disabled and blocked.

Delivery Optimization

Delivery Optimization reduces bandwidth use by sharing downloaded Windows Update, upgrade and application content between devices on your network.

Name | Description
--- | ---
DeliveryOptimization-TCP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints
DeliveryOptimization-UDP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints

https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

Concerns

This feature can consume a significant amount of bandwidth and CPU. Given the concern that attackers have traditionally used exploits to distribute malware, it may be good practice to disable and block this feature.

Desktop App Web Viewer

The Desktop App Web Viewer (Win32WebViewHost) is the web view host used by Win32 applications.

Name | Description
--- | ---
{GUID} | Desktop App Web Viewer

https://developer.microsoft.com/en-us/office/blogs/microsoft-edge-webview-for-office-add-ins/

DIAL protocol server

Discovery and Launch is a protocol co-developed by Netflix and YouTube with help from Sony and Samsung. It is used to discover and launch applications on a single subnet, typically a home network. It relies on Universal Plug and Play (UPnP), Simple Service Discovery Protocol (SSDP), and HTTP protocols.

Name | Description
--- | ---
DIAL-Protocol-Server-In-TCP-NoScope | Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP. [TCP 10247]
DIAL-Protocol-Server-HTTPSTR-In-TCP-LocalSubnetScope | Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP. [TCP 10247]

https://docs.microsoft.com/en-us/uwp/api/windows.media.dialprotocol?view=winrt-18362

Concerns

This feature can most likely be disabled and blocked in the firewall settings.

mDNS

Multicast DNS (mDNS) lets hosts use the familiar DNS programming interfaces, packet formats and operating semantics on a small network where no DNS server has been installed.

Name | Description
--- | ---
MDNS-In-UDP-Private-Active | Inbound rule for mDNS traffic [UDP]
MDNS-In-UDP-Domain-Active | Inbound rule for mDNS traffic [UDP]
MDNS-In-UDP-Public-Active | Inbound rule for mDNS traffic [UDP]

https://docs.microsoft.com/en-us/azure-sphere/app-development/service-discovery

Concerns

If mDNS is exposed to an untrusted network, anyone who can query it can collect information about the machine (such as the device's MAC address or the services it runs) that could be used to prepare further attacks, for example denial-of-service (DDoS) attacks.

Because mDNS runs over UDP, it can also be abused for amplification attacks: an attacker spoofs the victim's IP address as the source of queries so that your server floods the victim with replies.

If you are on a network with a working DNS infrastructure, you should disable and block the multicast DNS features.
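The same remedy applies to the AllJoyn Router, Cast to Device, Cortana, Delivery Optimization, DIAL protocol server and mDNS groups discussed above: disable the default rule group and add an explicit block. The following PowerShell, an added example rather than the article's own script, does that for all of them at once. The group names are the Windows DisplayGroup names used in the article; the block-rule names, the 'Hardening' group, the service name AJRouter for the AllJoyn Router Service and the standard mDNS port 5353 are not taken from the article.

```powershell
# Added example (not from the original article). Disables the default rule groups
# the article recommends turning off and adds explicit inbound Block rules for
# the ports they listen on, so a feature update that re-enables the Allow rules
# cannot silently reopen them (a matching Block rule always wins over Allow).
# Run from an elevated prompt. Group names are the Windows DisplayGroup names
# used in the article; the Block rule names and the 'Hardening' group are mine.

$OptionalGroups = @(
    'AllJoyn Router',
    'Cast to Device functionality',
    'Cortana',
    'Delivery Optimization',
    'DIAL protocol server',
    'mDNS'
)

foreach ($group in $OptionalGroups) {
    $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No rules in group '$group' on this build; skipping."
        continue
    }
    $rules | Disable-NetFirewallRule          # inbound and outbound alike
    Write-Host ("Disabled {0} rule(s) in '{1}'" -f $rules.Count, $group)
}

# Listening ports taken from the article's tables, plus the standard mDNS port
# (5353), which the article does not list. Ranges use the a-b syntax.
$BlockRules = @(
    @{ Name = 'Hardening-Block-CastToDevice-HTTP'; Protocol = 'TCP'; Port = '10246' },
    @{ Name = 'Hardening-Block-CastToDevice-RTSP'; Protocol = 'TCP'; Port = '23554-23556' },
    @{ Name = 'Hardening-Block-QWave-TCP';         Protocol = 'TCP'; Port = '2177' },
    @{ Name = 'Hardening-Block-QWave-UDP';         Protocol = 'UDP'; Port = '2177' },
    @{ Name = 'Hardening-Block-DIAL-HTTP';         Protocol = 'TCP'; Port = '10247' },
    @{ Name = 'Hardening-Block-DeliveryOpt-TCP';   Protocol = 'TCP'; Port = '7680' },
    @{ Name = 'Hardening-Block-mDNS-UDP';          Protocol = 'UDP'; Port = '5353' }
)

foreach ($r in $BlockRules) {
    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name `
        -Group 'Hardening (added example)' -Direction Inbound -Action Block `
        -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
}

# AllJoyn's rules allow any port for svchost.exe, so there is no single port to
# block; stop and disable the AllJoyn Router Service (service name AJRouter) instead.
if (Get-Service -Name 'AJRouter' -ErrorAction SilentlyContinue) {
    Stop-Service -Name 'AJRouter' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'AJRouter' -StartupType Disabled
}

# Verify: any enabled Allow rule still left in these groups is a finding.
$left = Get-NetFirewallRule -DisplayGroup $OptionalGroups -Enabled True -Action Allow `
            -ErrorAction SilentlyContinue
if ($left) { $left | Format-Table DisplayGroup, Name, Direction, Profile -AutoSize }
else       { Write-Host 'All optional groups disabled; block rules in place.' }
```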

Remote Desktop

Remote Desktop lets you connect to and control a PC from a remote device. It also lets you share applications, files and network resources remotely.

Name | Description
--- | ---
RemoteDesktop-UserMode-In-TCP | Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389]
RemoteDesktop-UserMode-In-UDP | Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389]
RemoteDesktop-Shadow-In-TCP | Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session. (TCP-In)

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access

Concerns

Remote Desktop on Windows computers should never be exposed to the internet. The Remote Desktop feature is a well-known path for lateral movement, and it has also been vulnerable to man-in-the-middle and encryption attacks.

Windows Remote Management

Windows Remote Management, or WinRM, is the Windows-native remote management protocol. It uses the Simple Object Access Protocol (SOAP) to interface with remote computers and servers, as well as their operating systems and applications.

WinRM is a command-line tool used for the following tasks:

●    Remotely communicate and interface with hosts through readily available channels and ports within your network, including workstations, servers and any operating system that supports it.

●    Execute commands remotely on systems that are not local to you but are reachable over the network.

●    Monitor, manage and configure servers, operating systems and client machines from a remote location.

Name | Description
--- | ---
WINRM-HTTP-In-TCP | Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
WINRM-HTTP-In-TCP-PUBLIC | Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]

https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management

Concerns

WinRM is a key attack surface on Windows machines, since it carries PowerShell Remoting and is therefore used for lateral movement. Access to this service should be restricted to a small set of specific IP addresses, ideally privileged access workstations (PAWs).
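Restricting RDP and WinRM to a fixed set of management hosts, as recommended for both the Remote Desktop and WinRM groups above, can be done by scoping the remote addresses of the default rules. This PowerShell is an added example and not part of the article; the rule names and ports are the ones listed above, while the PAW addresses are constructed placeholders and the audit function is my own.

```powershell
# Added example (not from the original article). Restricts the default Remote
# Desktop and WinRM Allow rules so that only a fixed set of management hosts
# (privileged access workstations) can reach TCP/UDP 3389 and TCP 5985, then
# checks that no other enabled rule still opens those ports to any address.
# The PAW addresses are constructed placeholders; replace them with your own.

$ManagementHosts = @('10.10.50.10', '10.10.50.11')   # constructed PAW addresses

# Rule names as listed in the article. Set-NetFirewallRule replaces the whole
# RemoteAddress list, so the default 'Any' (or LocalSubnet) scope disappears.
$RulesToScope = @(
    'RemoteDesktop-UserMode-In-TCP',
    'RemoteDesktop-UserMode-In-UDP',
    'RemoteDesktop-Shadow-In-TCP',
    'WINRM-HTTP-In-TCP'
)
foreach ($name in $RulesToScope) {
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        Write-Warning "Rule '$name' is not present on this host; skipping."
        continue
    }
    Set-NetFirewallRule -Name $name -RemoteAddress $ManagementHosts
}

# Management traffic should never arrive on a Public-profile network, so the
# Public variant of the WinRM rule is disabled rather than scoped.
Disable-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -ErrorAction SilentlyContinue

# Windows Firewall cannot express "block everyone except these hosts" in one
# rule, and a plain Block rule would out-rank the scoped Allow rules above and
# cut off the PAWs too. The scoping therefore only holds if no *other* enabled
# Allow rule opens the same ports (third-party installers add such rules), so
# audit for exactly that.
function Get-UnscopedAllowOnPorts {
    param([string[]]$Ports)
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $af   = $rule | Get-NetFirewallAddressFilter
        # Exact port match only; a range such as 3000-4000 is not expanded here.
        $hits = @($pf.LocalPort) | Where-Object { $_ -in $Ports }
        if ($hits -and (@($af.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Name      = $rule.Name
                Group     = $rule.DisplayGroup
                Protocol  = $pf.Protocol
                LocalPort = @($pf.LocalPort) -join ','
                Profile   = $rule.Profile.ToString()
            }
        }
    }
}

$findings = Get-UnscopedAllowOnPorts -Ports '3389', '5985'
if ($findings) {
    Write-Warning 'These enabled rules still expose RDP/WinRM ports to any remote address:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'RDP and WinRM are reachable only from the configured management hosts.'
}
```

Scoping local rules is only durable if Group Policy does not later merge a wider rule set back in; on domain members, apply the same scoping through the firewall GPO that delivers the rules.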

Work or school account

A Work or School account is an account created by an organization’s administrator to enable a member of the organization to access Microsoft cloud services such as Microsoft Azure, Windows Intune, and Office 365.

Name | Description
--- | ---
{GUID} | Work or school account
{GUID} | Work or school account

https://docs.microsoft.com/en-us/microsoft-365/business/set-up-windows-devices?view=o365-worldwide

Concerns

With a Microsoft account on Windows, an attacker who knows your password could get access to all your apps and services. If, for example, you leave your computer logged in and have not set up the timeout settings correctly, someone could use your machine to gain access to all your accounts.

Microsoft has tried to get around this by allowing users to set up a PIN code to log on to computers, rather than having to use their Microsoft-wide password, but there are still inherent dangers to be aware of when using Microsoft accounts on Windows.

Your account

The rule is used for communications with the Microsoft Windows cloud account logon.

Default Firewall Groups with outbound rules only

Captive Portal Flow

A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots for Internet users.

https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals

DiagTrack

Windows Compatibility Telemetry (DiagTrack) is a Windows 10 service that collects technical data on how the device and its software are working. It periodically sends this data to Microsoft to improve the system and enhance the user experience.

https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization

Concerns

Users on various online forums (including Reddit) complain about high disk usage by CompatTelRunner.exe on Windows 10 and state that the Microsoft Compatibility Telemetry Runner causes performance issues such as slowdowns and program crashes.

Email and accounts

This is the Windows e-mail account login feature.

https://account.microsoft.com/account/manage-my-account

Narrator QuickStart

Narrator lets you use your PC without a display or mouse to complete common tasks if you’re blind or have low vision. It reads and interacts with things on the screen, like text and buttons. Use Narrator to read and write email, browse the Internet, and work with documents.

https://support.microsoft.com/en-us/help/22798/windows-10-complete-guide-to-narrator

Shell Input Application

The Microsoft Text Input Application provides the software keyboard (also known as the touch keyboard).

Windows Default Lock Screen

Windows Spotlight is an option for the lock screen background that displays a rotating set of background images and occasionally shows suggestions on the lock screen.

https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight

Windows Defender SmartScreen

Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

Windows Device Management

Microsoft Network Device Enrollment Service provides and manages certificates used to authenticate traffic and implement secure network communication with devices that might not otherwise possess valid domain credentials.

Windows Security

Windows includes Windows Security, which provides the latest antivirus protection. Your device will be actively protected from the moment you start Windows. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.

https://support.microsoft.com/en-us/help/4013263/windows-10-stay-protected-with-windows-security

Windows Shell Experience

Windows Shell Experience Host serves as a kind of visual manager. It provides a windowed interface for universal apps on your computer. It is responsible for such graphical components as your start menu and taskbar transparency, background slideshow, calendar, clock, visuals, and other things.

Appendix: Ports, application dependencies and services

AllJoyn Router

Firewall rules

Name | Description
--- | ---
AllJoyn-Router-In-TCP | Inbound rule for AllJoyn Router traffic [TCP]
AllJoyn-Router-Out-TCP | Outbound rule for AllJoyn Router traffic [TCP]
AllJoyn-Router-In-UDP | Inbound rule for AllJoyn Router traffic [UDP]
AllJoyn-Router-Out-UDP | Outbound rule for AllJoyn Router traffic [UDP]

Ports and protocol

Rule | Direction | Protocol | LocalPort | RemotePort | Profile | Program
--- | --- | --- | --- | --- | --- | ---
AllJoyn-Router-In-TCP | Inbound | TCP | Any | Any | Domain, Private | %SystemRoot%\system32\svchost.exe
AllJoyn-Router-Out-TCP | Outbound | TCP | Any | Any | Domain, Private | %SystemRoot%\system32\svchost.exe
AllJoyn-Router-In-UDP | Inbound | UDP | Any | Any | Domain, Private | %SystemRoot%\system32\svchost.exe
AllJoyn-Router-Out-UDP | Outbound | UDP | Any | Any | Domain, Private | %SystemRoot%\system32\svchost.exe

Captive Portal Flow

Firewall rules

Name | Description | Program
--- | --- | ---
{GUID} | Captive Portal Flow | Any

Ports and protocol

Rule | Direction | Protocol | LocalPort | RemotePort | Profile
--- | --- | --- | --- | --- | ---
{GUID} | Outbound | Any | Any | Any | Domain, Private, Public

Cast to Device functionality

Firewall rules

Name | Description
--- | ---
PlayTo-HTTPSTR-In-TCP-NoScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-HTTPSTR-In-TCP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-HTTPSTR-In-TCP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246]
PlayTo-In-UDP-NoScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-UDP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-UDP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-Out-UDP-NoScope | Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-Out-UDP-LocalSubnetScope | Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-Out-UDP-PlayToScope | Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP]
PlayTo-In-RTSP-NoScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-In-RTSP-LocalSubnetScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-In-RTSP-PlayToScope | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556]
PlayTo-SSDP-Discovery-PlayToScope | Inbound rule to allow discovery of Cast to Device targets using SSDP
PlayTo-UPnP-Events-PlayToScope | Inbound rule to allow receiving UPnP Events from Cast to Device targets
PlayTo-QWave-In-UDP-PlayToScope | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177]
PlayTo-QWave-Out-UDP-PlayToScope | Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177]
PlayTo-QWave-In-TCP-PlayToScope | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177]
PlayTo-QWave-Out-TCP-PlayToScope | Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177]

Ports and protocol

Rule | Direction | Protocol | LocalPort | RemotePort | Profile | Program
--- | --- | --- | --- | --- | --- | ---
PlayTo-HTTPSTR-In-TCP-NoScope | Inbound | TCP | 10246 | Any | Domain | System
PlayTo-HTTPSTR-In-TCP-LocalSubnetScope | Inbound | TCP | 10246 | Any | Private | System
PlayTo-HTTPSTR-In-TCP-PlayToScope | Inbound | TCP | 10246 | Any | Public | System
PlayTo-In-UDP-NoScope | Inbound | UDP | Any | Any | Domain | %SystemRoot%\system32\mdeserver.exe
PlayTo-In-UDP-LocalSubnetScope | Inbound | UDP | Any | Any | Private | %SystemRoot%\system32\mdeserver.exe
PlayTo-In-UDP-PlayToScope | Inbound | UDP | Any | Any | Public | %SystemRoot%\system32\mdeserver.exe
PlayTo-Out-UDP-NoScope | Outbound | UDP | Any | Any | Domain | %SystemRoot%\system32\mdeserver.exe
PlayTo-Out-UDP-LocalSubnetScope | Outbound | UDP | Any | Any | Private | %SystemRoot%\system32\mdeserver.exe
PlayTo-Out-UDP-PlayToScope | Outbound | UDP | Any | Any | Public | %SystemRoot%\system32\mdeserver.exe
PlayTo-In-RTSP-NoScope | Inbound | TCP | 23554 23555 23556 | Any | Domain | %SystemRoot%\system32\mdeserver.exe
PlayTo-In-RTSP-LocalSubnetScope | Inbound | TCP | 23554 23555 23556 | Any | Private | %SystemRoot%\system32\mdeserver.exe
PlayTo-In-RTSP-PlayToScope | Inbound | TCP | 23554 23555 23556 | Any | Public | %SystemRoot%\system32\mdeserver.exe
PlayTo-SSDP-Discovery-PlayToScope | Inbound | UDP | PlayToDiscovery | Any | Public | %SystemRoot%\system32\svchost.exe
PlayTo-UPnP-Events-PlayToScope | Inbound | TCP | 2869 | Any | Public | System
PlayTo-QWave-In-UDP-PlayToScope | Inbound | UDP | 2177 | Any | Private, Public | %SystemRoot%\system32\svchost.exe
PlayTo-QWave-Out-UDP-PlayToScope | Outbound | UDP | Any | 2177 | Private, Public | %SystemRoot%\system32\svchost.exe
PlayTo-QWave-In-TCP-PlayToScope | Inbound | TCP | 2177 | Any | Private, Public | %SystemRoot%\system32\svchost.exe
PlayTo-QWave-Out-TCP-PlayToScope | Outbound | TCP | Any | 2177 | Private, Public | %SystemRoot%\system32\svchost.exe

Core Networking

Firewall rules

Name | Description
--- | ---
CoreNet-ICMP6-DU-In | Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.
CoreNet-ICMP6-PTB-In | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.
CoreNet-ICMP6-PTB-Out | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.
CoreNet-ICMP6-TE-In | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.
CoreNet-ICMP6-TE-Out | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.
CoreNet-ICMP6-PP-In | Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.
CoreNet-ICMP6-PP-Out | Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.
CoreNet-ICMP6-NDS-In | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.
CoreNet-ICMP6-NDS-Out | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.
CoreNet-ICMP6-NDA-In | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.
CoreNet-ICMP6-NDA-Out | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.
CoreNet-ICMP6-RA-In | Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.
CoreNet-ICMP6-RA-Out | Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.
CoreNet-ICMP6-RS-In | Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.
CoreNet-ICMP6-RS-Out | Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.
CoreNet-ICMP6-LQ-In | An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.
CoreNet-ICMP6-LQ-Out | An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.
CoreNet-ICMP6-LR-In | The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LR-Out | The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LR2-In | Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LR2-Out | Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
CoreNet-ICMP6-LD-In | Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.
CoreNet-ICMP6-LD-Out | Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.
CoreNet-ICMP4-DUFRAG-In | Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.
CoreNet-IGMP-In | IGMP messages are sent and received by nodes to create, join and depart multicast groups.
CoreNet-IGMP-Out | IGMP messages are sent and received by nodes to create, join and depart multicast groups.
CoreNet-DHCP-In | Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.
CoreNet-DHCP-Out | Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.
CoreNet-DHCPV6-In | Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.
CoreNet-DHCPV6-Out | Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.
CoreNet-Teredo-In | Inbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.
CoreNet-Teredo-Out | Outbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.
CoreNet-IPHTTPS-In | Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.
CoreNet-IPHTTPS-Out | Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.
CoreNet-IPv6-In | Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.
CoreNet-IPv6-Out | Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.
CoreNet-GP-NP-Out-TCP | Core Networking - Group Policy (NP-Out)
CoreNet-GP-Out-TCP | Outbound rule to allow remote RPC traffic for Group Policy updates. [TCP]
CoreNet-DNS-Out-UDP | Outbound rule to allow DNS requests. DNS responses based on requests that matched this rule will be permitted regardless of source address. This behavior is classified as loose source mapping. [LSM] [UDP 53]
CoreNet-GP-LSASS-Out-TCP | Outbound rule to allow remote LSASS traffic for Group Policy updates [TCP].

Ports and protocol

Rule | Direction | Protocol | LocalPort | RemotePort | Profile | Program
--- | --- | --- | --- | --- | --- | ---
CoreNet-ICMP6-DU-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-PTB-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-PTB-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-TE-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-TE-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-PP-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-PP-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-NDS-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-NDS-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-NDA-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-NDA-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-RA-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-RA-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-RS-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-RS-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LQ-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LQ-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LR-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LR-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LR2-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LR2-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LD-In | Inbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP6-LD-Out | Outbound | ICMPv6 | RPC | Any | Any | System
CoreNet-ICMP4-DUFRAG-In | Inbound | ICMPv4 | RPC | Any | Any | System
CoreNet-IGMP-In | Inbound | 2 | Any | Any | Any | System
CoreNet-IGMP-Out | Outbound | 2 | Any | Any | Any | System
CoreNet-DHCP-In | Inbound | UDP | 68 | 67 | Any | %SystemRoot%\system32\svchost.exe
CoreNet-DHCP-Out | Outbound | UDP | 68 | 67 | Any | %SystemRoot%\system32\svchost.exe
CoreNet-DHCPV6-In | Inbound | UDP | 546 | 547 | Any | %SystemRoot%\system32\svchost.exe
CoreNet-DHCPV6-Out | Outbound | UDP | 546 | 547 | Any | %SystemRoot%\system32\svchost.exe
CoreNet-Teredo-In | Inbound | UDP | Teredo | Any | Any | %SystemRoot%\system32\svchost.exe
CoreNet-Teredo-Out | Outbound | UDP | Any | Any | Any | %SystemRoot%\system32\svchost.exe
CoreNet-IPHTTPS-In | Inbound | TCP | IPHTTPSIn | Any | Any | System
CoreNet-IPHTTPS-Out | Outbound | TCP | Any | IPHTTPSOut | Any | %SystemRoot%\system32\svchost.exe
CoreNet-IPv6-In | Inbound | 41 | Any | Any | Any | System
CoreNet-IPv6-Out | Outbound | 41 | Any | Any | Any | System
CoreNet-GP-NP-Out-TCP | Outbound | TCP | Any | 445 | Domain | System
CoreNet-GP-Out-TCP | Outbound | TCP | Any | Any | Domain | %SystemRoot%\system32\svchost.exe
CoreNet-DNS-Out-UDP | Outbound | UDP | Any | 53 | Any | %SystemRoot%\system32\svchost.exe
CoreNet-GP-LSASS-Out-TCP | Outbound | TCP | Any | Any | Domain | %SystemRoot%\system32\lsass.exe

Cortana

Firewall rules

Name | Description
--- | ---
{GUID} | Search the web and Windows
{GUID} | Search the web and Windows
{GUID} | Search the web and Windows
{GUID} | Search the web and Windows

Ports and protocol

Rule | Direction | Protocol | LocalPort | RemotePort | Profile | Program
--- | --- | --- | --- | --- | --- | ---
{GUID} | Outbound | Any | Any | Any | Domain, Private, Public | Any
{GUID} | Inbound | Any | Any | Any | Domain, Private | Any
{GUID} | Outbound | Any | Any | Any | Domain, Private, Public | Any
{GUID} | Inbound | Any | Any | Any | Domain, Private | Any

Delivery Optimization

Firewall rules

Name | Description
--- | ---
DeliveryOptimization-TCP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints
DeliveryOptimization-UDP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints

Ports and protocol

Direction

Protocol

LocalPort

RemotePort

Profile

Program

Inbound

TCP

7680

Any

Any

%SystemRoot%\system32\svchost.exe

Outbound

TCP

7680

Any

Any

%SystemRoot%\system32\svchost.exe

Desktop App Web Viewer

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Desktop App Web Viewer |
| {GUID} | Desktop App Web Viewer |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Any | Any |
| Inbound | Any | Any | Any | Any | Any |

DiagTrack

Firewall rules

| Name | Description |
| --- | --- |
| Microsoft-Windows-Unified-Telemetry-Client | Unified Telemetry Client Outbound Traffic |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | TCP | 443 | Any | Any | %SystemRoot%\system32\svchost.exe |

DIAL protocol server

Firewall rules

| Name | Description |
| --- | --- |
| DIAL-Protocol-Server-In-TCP-NoScope | Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP. [TCP 10247] |
| DIAL-Protocol-Server-HTTPSTR-In-TCP-LocalSubnetScope | Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP. [TCP 10247] |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Inbound | TCP | 10247 | Any | Domain | System |
| Inbound | TCP | 10247 | Any | Private | System |

Email and accounts

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Email and accounts |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

mDNS

Firewall rules

| Name | Description |
| --- | --- |
| MDNS-In-UDP-Private-Active | Inbound rule for mDNS traffic [UDP] |
| MDNS-In-UDP-Domain-Active | Inbound rule for mDNS traffic [UDP] |
| MDNS-In-UDP-Public-Active | Inbound rule for mDNS traffic [UDP] |
| MDNS-Out-UDP-Private-Active | Outbound rule for mDNS traffic [UDP] |
| MDNS-Out-UDP-Domain-Active | Outbound rule for mDNS traffic [UDP] |
| MDNS-Out-UDP-Public-Active | Outbound rule for mDNS traffic [UDP] |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Inbound | UDP | 5353 | Any | Private | %SystemRoot%\system32\svchost.exe |
| Inbound | UDP | 5353 | Any | Domain | %SystemRoot%\system32\svchost.exe |
| Inbound | UDP | 5353 | Any | Public | %SystemRoot%\system32\svchost.exe |
| Outbound | UDP | Any | 5353 | Private | %SystemRoot%\system32\svchost.exe |
| Outbound | UDP | Any | 5353 | Domain | %SystemRoot%\system32\svchost.exe |
| Outbound | UDP | Any | 5353 | Public | %SystemRoot%\system32\svchost.exe |

Narrator QuickStart

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Narrator QuickStart |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Remote Desktop

Firewall rules

| Name | Description |
| --- | --- |
| RemoteDesktop-UserMode-In-TCP | Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] |
| RemoteDesktop-UserMode-In-UDP | Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] |
| RemoteDesktop-Shadow-In-TCP | Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session. (TCP-In) |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Inbound | TCP | 3389 | Any | Domain, Private, Public | %SystemRoot%\system32\svchost.exe |
| Inbound | UDP | 3389 | Any | Domain, Private, Public | %SystemRoot%\system32\svchost.exe |
| Inbound | TCP | Any | Any | Domain, Private, Public | %SystemRoot%\system32\RdpSa.exe |

Shell Input Application

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Shell Input Application |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Windows Default Lock Screen

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Windows Default Lock Screen |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Windows Defender SmartScreen

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Windows Defender SmartScreen |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Windows Device Management

Firewall rules

| Name | Description |
| --- | --- |
| Microsoft-Windows-Enrollment-WinRT-TCP-Out | Allow outbound TCP traffic from Windows Device Management Enrollment Service |
| Microsoft-Windows-DeviceManagement-CertificateInstall-TCP-Out | Allow outbound TCP traffic from Windows Device Management Certificate Installer |
| Microsoft-Windows-DeviceManagement-OmaDmClient-TCP-Out | Allow outbound TCP traffic from Windows Device Management Sync Client |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | TCP | Any | Any | Any | %SystemRoot%\system32\svchost.exe |
| Outbound | TCP | Any | Any | Any | %SystemRoot%\system32\dmcertinst.exe |
| Outbound | TCP | Any | Any | Any | %SystemRoot%\system32\omadmclient.exe |

Windows Remote Management

Firewall rules

| Name | Description |
| --- | --- |
| WINRM-HTTP-In-TCP | Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] |
| WINRM-HTTP-In-TCP-PUBLIC | Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Inbound | TCP | 5985 | Any | Domain, Private | System |
| Inbound | TCP | 5985 | Any | Public | System |

Windows Security

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Windows Security |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Windows Shell Experience

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Windows Shell Experience |
| {GUID} | Windows Shell Experience |
| {GUID} | Windows Shell Experience |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |

Work or school account

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Work or school account |
| {GUID} | Work or school account |
| {GUID} | Work or school account |
| {GUID} | Work or school account |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Inbound | Any | Any | Any | Domain, Private | Any |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Inbound | Any | Any | Any | Domain, Private | Any |

Your account

Firewall rules

| Name | Description |
| --- | --- |
| {GUID} | Your account |
| {GUID} | Your account |
| {GUID} | Your account |
| {GUID} | Your account |

Ports and protocol

| Direction | Protocol | LocalPort | RemotePort | Profile | Program |
| --- | --- | --- | --- | --- | --- |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Inbound | Any | Any | Any | Domain, Private | Any |
| Outbound | Any | Any | Any | Domain, Private, Public | Any |
| Inbound | Any | Any | Any | Domain, Private | Any |

Conclusion

For security and optimization reasons you should consider disabling services, and blocking the Windows Firewall rules, that are not needed by your organization. We recommend starting by disabling Windows Firewall inbound rules, which helps protect your systems from incoming attacks. Disabling outbound rules may require additional reconfiguration of the system before the machine works properly.

The rules described in this blog apply to Windows 10 clients as well as Windows Server 2016 and later.

Disable and block unnecessary rules and services

You should disable and block services, together with their related firewall rules, that are not needed by your organization.

●    AllJoyn Router (IoT communications)

●    Cast to Device functionality (streaming, Chromecast etc.)

●    Cortana (voice-activated personal assistant)

●    Delivery Optimization (peer-to-peer client update service for Windows Updates)

●    DIAL protocol server (launch media apps from a device on a remote device)

●    mDNS (Multicast DNS)

Restrict access for critical or vulnerable services

You should restrict access to critical services, through their related firewall rules, so that only Privileged Access Workstations or similar are allowed to connect.

●    Remote Desktop

●    Windows Remote Management (WinRM)

Optimize and control your machines

You may also consider disabling unnecessary outbound traffic that can consume computer resources and potentially share sensitive data outside your organization.

●    DiagTrack (User Experiences and Telemetry)
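The three recommendations above, as an added PowerShell example that is not part of the original post: it audits the enabled inbound allow rules with the same columns as the tables in this post, disables the unneeded groups, restricts Remote Desktop and WinRM to a list of PAW addresses, and adds a block rule for DiagTrack outbound. The display group names are the ones used as section headings here; the PAW addresses and the block rule's display name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Group names are the Windows
# Firewall display groups used as section headings in the post; the PAW
# address list and the block rule name are constructed placeholders.

# Audit: enabled inbound allow rules, with the columns used in the post's tables.
function Get-EnabledInboundRuleSummary {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Group      = $_.DisplayGroup
            Name       = $_.Name
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemotePort = ($port.RemotePort -join ',')
            Profile    = $_.Profile
            Program    = $app.Program
        }
    }
}

# 1. Disable the inbound allow rules of the groups the post lists as unnecessary.
#    With the default inbound action (Block), no allow rule means the port is closed.
$unneededGroups = 'AllJoyn Router', 'Cast to Device functionality', 'Cortana',
                  'Delivery Optimization', 'DIAL protocol server', 'mDNS'
foreach ($group in $unneededGroups) {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# 2. Keep Remote Desktop and WinRM, but only from Privileged Access Workstations.
$pawAddresses = '10.0.0.10', '10.0.0.11'   # constructed placeholder; use your PAW hosts/subnet
foreach ($group in 'Remote Desktop', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $pawAddresses
}

# 3. Outbound: the default outbound action is Allow, so disabling the DiagTrack
#    allow rule alone changes nothing; an explicit block rule for the service is needed.
if (-not (Get-NetFirewallRule -DisplayName 'Block DiagTrack outbound' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block DiagTrack outbound' -Direction Outbound `
        -Action Block -Service DiagTrack -Profile Any | Out-Null
}

# Show what is still reachable from the network after the changes.
Get-EnabledInboundRuleSummary | Sort-Object Group, Name | Format-Table -AutoSize
```

Run the audit function alone first and compare its output with the tables above before applying the changes; a group that is absent on a given build simply yields no rules.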

It is worth mentioning that concerns described in this blog do not cover all security considerations for a Windows system regarding vulnerabilities and exploits. The intention of this blog is to provide an overview of the default listening ports on a Windows platform to help you identify needs and minimize exposure.

For further, more in-depth information regarding lateral movement, I strongly suggest that you read the following article from Jonas Lagerström:

https://nodeprotect.com/blog/how-to-prevent-lateral-movement-using-windows-firewall

Cheers!

//nodeProtect Team
