Script for aggressive firewall setting when Win 7 no longer supported?


#1

Post by japes76 » Wed Jan 02, 2019 6:05 pm

Long time lurker, first time poster. Not ready to give up on WMC next January. My Win 7 computer only hits the local network to view pictures, music, and home videos. Only place it needs to go outside the local network is rovi.com. I do not use the computer for browsing or streaming whatsoever.

My question is if someone has created (or could create) a windows firewall script that would lock the machine down to the local network for file sharing and rovi.com (or epg123, etc.). It seems that it would be possible for someone with some skills. Maybe even create an executable file as a way of sharing the strict firewall settings with the community so we all can run our computers more securely after Jan of 2020?


#2

Post by jachin99 » Wed Jan 02, 2019 6:55 pm

I don't know if the Windows firewall gets this specific, but it seems like all you would have to do is enable a deny-by-default firewall rule, and then open it up to just rovi. Maybe you could also restrict access to the machine to local IP addresses only. Private IPs can still be spoofed but it adds a layer of protection. With no need for remote access, your threat surface is greatly reduced. You could even experiment with disabling SMBv1 on all of your machines, but that didn't work out well for me because it seemed to crash some applications I need on Windows Home Server 2011.

Beyond that, if you want to get serious about locking down Windows 7, you could always STIG it. Common sense applies to this, so if you see a suggestion for something like changing your time server, you shouldn't do that. A lot of these won't apply to you, and you will have to test after each change, but there is something you can do. You install Java, and run the STIG Viewer from one PC, and you perform the checks on your WMC machine.

Look for Windows 7 STIGs (STIGs are just a list of checks you perform on your PC, in XML format)
https://iase.disa.mil/stigs/sunset/os/Pages/index.aspx

You will need the STIG Viewer as well, which requires Java (this reads the STIGs and provides the user interface)
https://iase.disa.mil/stigs/Pages/stig- ... dance.aspx


#3

Post by japes76 » Thu Jan 03, 2019 4:33 pm

Thanks for the info - I like what you are thinking, that is the level of security I was hoping for, although the STIG part is a bit over my head.

I was hoping for a script, or a set of instructions documenting a procedure for locking traffic down to the LAN and rovi.com only. Something standardized (and technically understandable) that the majority of users could run to get a reasonable level of safety. I think my main hangup is the huge number of entries and the complexity in the Windows firewall. I am not confident that I would have it locked down as tight as I am hoping.

I realize that I am looking for an easy way out, but if a set of instructions could be developed, I'm sure others would post ongoing tweaks. I think it would be very useful for those of us wanting to keep running Win7 securely after Jan 2019.


#4

Post by jachin99 » Thu Jan 03, 2019 5:19 pm

You could also back up your computer, export your firewall configuration, and disable all of the stock rules, then enable only the ones you need. https://www.thewindowsclub.com/how-to-b ... l-settings

You can also read up on this article, which might go a little more in depth as far as how to configure the firewall. https://www.microsoftpressstore.com/art ... 2&seqNum=2
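The approach described in posts #2 and #4 (export the current policy, disable the stock rules, deny by default, then allow only the LAN and the guide source), written out as an added example that is not part of any post in this thread. Windows 7 firewall rules match IP addresses rather than host names, so `GUIDE_IPS` is a placeholder from a documentation address range, and the rule names and backup path are likewise assumptions.

```batch
@echo off
rem Added example: run from an elevated Command Prompt on Windows 7.
setlocal

rem ASSUMPTION: placeholder address (documentation range). Replace it with the
rem address(es) your guide downloads actually use; a comma-separated list works.
set "GUIDE_IPS=203.0.113.10"
rem ASSUMPTION: backup location chosen for this example.
set "BACKUP=%USERPROFILE%\firewall-before-lockdown.wfw"

rem 1. Save the current policy so it can be restored later with:
rem      netsh advfirewall import "%BACKUP%"
netsh advfirewall export "%BACKUP%" || goto :fail

rem 2. Disable every existing (stock and third-party) rule.
netsh advfirewall firewall set rule name=all new enable=no || goto :fail

rem 3. Firewall on, default-deny in both directions, on every profile.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Keep address assignment and name resolution working.
netsh advfirewall firewall add rule name="HTPC DHCP out" dir=out action=allow protocol=udp localport=68 remoteport=67
netsh advfirewall firewall add rule name="HTPC DHCP in" dir=in action=allow protocol=udp localport=68 remoteport=67
netsh advfirewall firewall add rule name="HTPC DNS out" dir=out action=allow protocol=udp remoteport=53 remoteip=dns

rem 5. Local network only: file sharing to and from machines on the same subnet.
rem    Drop the inbound rule if nothing on the LAN needs to connect to this PC.
netsh advfirewall firewall add rule name="HTPC LAN out" dir=out action=allow remoteip=localsubnet
netsh advfirewall firewall add rule name="HTPC LAN in" dir=in action=allow remoteip=localsubnet

rem 6. The single permitted destination outside the LAN (guide data).
netsh advfirewall firewall add rule name="HTPC guide out" dir=out action=allow protocol=tcp remoteport=80,443 remoteip=%GUIDE_IPS%

echo Lockdown applied. Backup of the previous policy: %BACKUP%
exit /b 0

:fail
echo Stopped before changing the default policy; nothing after the failed step was applied.
exit /b 1
```

Running `netsh advfirewall show allprofiles` afterwards confirms that each profile reports `BlockInbound,BlockOutbound`. Test guide updates and file sharing after applying it, since anything not covered by the six allow rules is dropped.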


#5

Post by Space » Thu Jan 03, 2019 11:49 pm

I don't know much about Windows security, but I think the primary security concerns are with people manually downloading and running trojans that install malware on the PC, so as long as you don't do this, you should not have this problem. Secondary concern is probably daemons listening on ports for which security bugs are discovered, so you may want to either disable those daemons or have a firewall disable incoming connections to those ports (or only allow connections from specific IP addresses).

What you seem to want to do is also block outbound connections, which is something that may be a bit overkill, as unless there is already something compromising your system, there should not be any unwanted outgoing connections.

And just as an FYI, your PC does not connect directly to rovi.com or tivo.com, it connects to Microsoft's servers. Microsoft's servers get their data from Rovi/TiVo and massage it into a format that can be used by WMC. It is unlikely that the Microsoft servers will go away in 2020, as WMC was sold for use on Windows 8 machines, so it should last at least as long as support for Windows 8.


#6

Post by jachin99 » Fri Jan 04, 2019 3:24 pm

Space wrote: Thu Jan 03, 2019 11:49 pm
I don't know much about Windows security, but I think the primary security concerns are with people manually downloading and running trojans that install malware on the PC, so as long as you don't do this, you should not have this problem. Secondary concern is probably daemons listening on ports for which security bugs are discovered, so you may want to either disable those daemons or have a firewall disable incoming connections to those ports (or only allow connections from specific IP addresses).

What you seem to want to do is also block outbound connections, which is something that may be a bit overkill, as unless there is already something compromising your system, there should not be any unwanted outgoing connections.

And just as an FYI, your PC does not connect directly to rovi.com or tivo.com, it connects to Microsoft's servers. Microsoft's servers get their data from Rovi/TiVo and massage it into a format that can be used by WMC. It is unlikely that the Microsoft servers will go away in 2020, as WMC was sold for use on Windows 8 machines, so it should last at least as long as support for Windows 8.

That's actually what most people do, and aside from a few tweaks here and there, that is part of what I do. A Windows firewall alone won't stop external traffic from coming into your home network. For that you will need to have a firewall configured on your router as well, but most routers come with some kind of built-in firewall. Of course there is always an exception, and if you have UPnP enabled on your firewall, you might be inviting external traffic onto your network. https://nakedsecurity.sophos.com/2019/0 ... to-do/amp/

It might seem like a lot, but once you have your router configured, and you have closed all the ports you don't need on that, there isn't much to it besides not clicking weird links.
